Intrusion Inc SecureNet Pro 4.0

IDS Test 1 - Attack Recognition

| Attack type | Attacks | Detected |
| --- | --- | --- |
| Port scans | 5 | 5 |
| Denial of Service | 20 | 10 |
| DDOS/Trojan | 6 | 6 |
| Web | 12 | 12 |
| FTP | 7 | 6 |
| SMTP | 4 | 4 |
| POP3 | 2 | 2 |
| ICMP | 2 | 2 |
| Finger | 8 | 7 |
| Total | 66 | 54 |
IDS Test 2 - Performance Under Load

| Test / Load | 0% | 25% | 50% | 75% | 100% |
| --- | --- | --- | --- | --- | --- |
| Small (64 byte) packet test (max 148,000pps) | 100% | 100% | 100% | 97% | 0% (3) |
| "Real world" packet test (max 57,000pps) | 100% | 100% | 100% | 100% | 99% |
| Large (1514 byte) packet test (max 8176pps) | 100% | 100% | 100% | 100% | 100% |
IDS Test 3 - IDS Evasion Techniques

| Evasion tool | Attacks | Detected |
| --- | --- | --- |
| Fragrouter | 8 | 8 |
| Whisker | 7 | 7 |
| Total | 15 | 15 |
IDS Test 4 - Stateful Operation

| Tool | Attacks | Vulnerable? |
| --- | --- | --- |
| Stick | 1 | No (1) |
| Snot | 1 | Yes (2) |
Notes:

1. Some alerts were raised by Stick, all ICMP related (redirect, source quench, invalid code, etc.), with no adverse flooding effect.
2. A high level of alerts was raised by the Snot attack, with the GUI constantly archiving to make room for on-screen alerts. The IDS does not crash, but it does miss genuine attacks mixed in with the Snot traffic.
3. The sensor loses contact with the console at 100% load with 64 byte packets. CPU is pegged at 100% and no detection occurs.

SecureNet Pro provided something of a "mixed bag" in terms of performance. Attack recognition was good, and the product performed best in the areas which really count (i.e. the more recent Web-based attacks, which are the ones most likely to be encountered "in the wild"). It also provides packet reassembly capabilities and resistance to IDS evasion techniques, and thus defeated all our attempts to evade detection with ease.

The product is based on a stateful architecture, and ignored all our "fake" scripted attacks as a result. It also proved to be relatively resistant to Stick attacks, generating a few ICMP-related alerts, but not enough to be of concern. For some reason, however, Snot proved more troublesome, generating a high level of alerts to the point where both the sensor and the console were overwhelmed. "Genuine" attacks inserted on the wire during a Snot flood went undetected by SecureNet Pro. This is of some concern, but Intrusion Inc. expects to have this fixed by the time you read this.

Also of some concern was the problem of broken communications between sensor and console during the small packet test at 100 per cent load. At this point, sensor CPU utilisation was pegged at 100 per cent and detection ceased completely. The sensor did not crash, however, and returned to normal once traffic levels were reduced (although any attacks launched during the "down time" went undetected). Given that it performed well up to (and beyond) 75 per cent load, and that it returned an excellent performance in the "real world" tests, this may or may not be of concern to potential customers. Bear in mind that the small packet test is a demonstration of raw sniffing speed more than anything else, and that the real world packet mix is a more realistic indication of performance on a live network.

The central console is clear and easy to read, and provides accurate indications of attacks detected, together with multiple methods of viewing these on-screen without the necessity to generate full reports. Control of a single sensor from the console is straightforward, but our biggest criticism would be of the complete lack of any form of central distribution system for policy or signature updates in the software-only version of the sensor (automatic signature update is possible on the appliance products). Although this is planned for a future release, it means that the current version of SecureNet Pro does not scale well in large distributed implementations.