nSecure nPatrol IDS
| IDS Test 1 - Attack Recognition | Attacks | Detected |
|---|---|---|
| Port scans | 5 | 5 |
| Denial of Service | 20 | 14 |
| DDOS/Trojan | 6 | 0 (note 2) |
| Web | 12 | 11 |
| FTP | 7 | 4 |
| SMTP | 4 | 4 |
| POP3 | 2 | 0 |
| ICMP | 2 | 0 |
| Finger | 8 | 5 |
| Total | 66 | 43 |

| IDS Test 2 - Performance Under Load | 0% | 25% | 50% | 75% | 100% |
|---|---|---|---|---|---|
| Small (64 byte) packet test (max 148,000pps) | 100% | 100% | 100% | 100% | 79% |
| "Real world" packet test (max 57,000pps) | 100% | 100% | 100% | 100% | 99% |
| Large (1514 byte) packet test (max 8176pps) | 100% | 100% | 100% | 100% | 100% |

| IDS Test 3 - IDS Evasion Techniques | Attacks | Detected |
|---|---|---|
| Fragrouter | 8 | 8 |
| Whisker | 7 | 7 |
| Total | 15 | 15 |

| IDS Test 4 - Stateful Operation | Attacks | Vulnerable? |
|---|---|---|
| Stick | 1 | Yes (note 1) |
| Snot | 1 | Yes (note 1) |

Notes:

1. Although nPatrol is stateful and thus does not react directly to most of the stick/snot false positives, it does report a high number of TCP Null Scan, UDP Scan and ICMP Scan events, and so is still susceptible to log overflow. One workaround is to remove the Protocol Misuse module from the Alert Window, but this could cause other attacks to pass undetected.
2. It may be possible to improve DDOS/Trojan detection by further optimising the policy violation settings.

nSecure is fairly unique amongst the products here in that as well as a stateful NIDS engine, it also provides a combination of signature recognition, protocol analysis, policy violation detection, and anomaly detection in an attempt to cover both known and unknown attacks. This means it can be quite an effort to configure correctly, but once it has been set up, it is very effective. Signature recognition is good, and could be improved even further in our tests via some additional work on the policy violations. Detection rates, too, are very good, returning an almost perfect score in our real world tests, and showing a very creditable set of results in the small packet tests.

Monitoring and alerting are both excellent at the central console, although the reports would benefit from a little more detail in places. The console also provides the means to manage multiple agents and distribute policy and signature updates (which can be acquired automatically from the nSecure Web site) throughout the network in one operation. Changes can be made to Policies and Services in an off-line mode and then distributed to all Agents in one hit, or it is possible to work on-line, where every change is reflected at the Agents as soon as it is confirmed.