ISS RealSecure

Attack recognition under background load. Network load is given as a percentage; the background traffic load in 64-byte packets per second (pps) is shown in parentheses.

| Attack | 0% (0 pps) | 25% (37000 pps) | 50% (74000 pps) | 75% (110000 pps) | 100% (148000 pps) |
|---|---|---|---|---|---|
| IP port scan | Y | Y | Y | Y | Y |
| SYN stealth port scan | Y | Y | Y | Y | Y |
| FIN stealth port scan | Y | Y | Y | Y | Y |
| UDP port scan | Y | Y | Y | Y | Y |
| Nmap remote OS ID attempt | Y | Y | Y | Y | Y |
| CyberCop scan | N | N | N | N | N |
| Chargen attack | Y | Y | Y | Y | Y |
| SYN flood DoS | Y | Y | Y | Y | Y |
| WinNuke OOB | Y | Y | Y | Y | Y |
| BackOrifice probe | Y | Y | Y | Y | Y |
| FTP Bounce attack | Y | Y | Y | Y | Y |
| Web PHF attack | Y | Y | Y | Y | Y |
| Bonk [1] | Y | Y | Y | Y | Y |
| Land | Y | Y | Y | Y | Y |
| Nestea [1] | Y | Y | Y | Y | Y |
| NewTear [1] | Y | Y | Y | Y | Y |
| SYNdrop [1] | Y | Y | Y | Y | Y |
| Teardrop | Y | Y | Y | Y | Y |
| Jolt2 | N | N | N | N | N |
| High volume pinging (10,000 pings) | 100% | 100% | 91% | 48% | 33% |

Notes:
[1] Reported as Teardrop.
| IDS Evasion: fragrouter | Detected? |
|---|---|
| Ordered 8-byte IP fragments | Y |
| Ordered 24-byte IP fragments | Y |
| Ordered 8-byte IP fragments, one fragment sent out of order | Y |
| Ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet | Y |
| Out-of-order 8-byte IP fragments, duplicating the penultimate fragment in each packet | Y |
| Ordered 8-byte IP fragments, sending the marked last fragment first | Y |
| Ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it | Y |
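The fragrouter cases above all come down to how the monitor reassembles IP fragments before matching signatures. The following is an added example, not ISS, NSS or fragrouter code: a minimal reassembler run over constructed fragment sequences that mirror those cases. The payload, the `Fragment`, `reassemble`, `split` and `null_overlap` names, and the two overlap policies ("first" and "last") are assumptions of this example; real IP stacks differ, which is exactly why the overlapping case is the hard one for an IDS.

```python
# Added example (not ISS, NSS or fragrouter code): a minimal IP-fragment
# reassembler exercised with fragment sequences shaped like the fragrouter cases.
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes
    more: bool    # IP "more fragments" flag; False marks the last piece

def reassemble(frags, overlap="first"):
    """Rebuild a datagram from fragments received in any order.

    overlap="first": a byte already held is kept (earlier fragment wins).
    overlap="last":  a later fragment overwrites what is held.
    Both policies are assumptions; a monitor that applies a different one
    than the target host sees a different payload than the host does.
    Returns None while a hole remains or no last fragment has arrived.
    """
    held, total = {}, None
    for f in frags:
        if not f.more:
            total = f.offset + len(f.data)
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if overlap == "first" and pos in held:
                continue      # duplicate or overlapping byte: keep the old one
            held[pos] = byte
    if total is None or any(p not in held for p in range(total)):
        return None
    return bytes(held[p] for p in range(total))

# Constructed sample payload: the PHF probe that appears in the signature table.
PAYLOAD = b"GET /cgi-bin/phf HTTP/1.0"

def split(payload, size):
    """Ordered fragmentation into size-byte pieces (8- or 16-byte as in the table)."""
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(i * size, p, i < len(pieces) - 1) for i, p in enumerate(pieces)]

def null_overlap(payload, size=16):
    """Last fragrouter case: each 16-byte fragment is preceded by an 8-byte
    null-data fragment that overlaps its latter half."""
    out = []
    for f in split(payload, size):
        out.append(Fragment(f.offset + size // 2, b"\0" * 8, True))
        out.append(f)
    return out
```

Under the "last" policy the null-overlap sequence reassembles to the original request, under "first" it reassembles to a corrupted one; a monitor must therefore model the target's policy, not merely reassemble.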
| IDS Evasion: Whisker | Detected? |
|---|---|
| Mode 1: URL encoding | Y |
| Mode 2: /./ directory insertion | Y |
| Mode 3: Premature URL ending | Y |
| Mode 5: Fake parameter | Y |
| Mode 7: Case sensitivity | Y |
| Mode 8: Windows \ delimiter | Y |
Attack recognition was generally very good with RealSecure (though it missed the Jolt2 attack), and the descriptions were clear and accurate. Real-time monitoring was excellent, with very exact detection counts. RealSecure also includes full packet reassembly capabilities and resistance to common IDS evasion techniques, and thus handled both the fragrouter and Whisker attacks flawlessly. However, detection capabilities fell off steadily at high loads. It did continue to detect some signatures, so at least it did not fail completely under pressure, but its rate of detection fell off quite rapidly above 50 per cent network load. We could only recommend RealSecure for installation in lightly loaded networks unless multiple engines are installed on a single subnet, each monitoring a subset of the attack signature database.