IDS Test 1 - Attack Recognition

| Category | Attacks | Detected |
|---|---|---|
| Port scans | 5 | 5 |
| Denial of Service | 11 | 10 |
| DDOS/Trojan | n/a | n/a |
| Web | 1 | 1 |
| FTP | 1 | 1 |
| SMTP | n/a | n/a |
| POP3 | n/a | n/a |
| ICMP | n/a | n/a |
| Finger | n/a | n/a |
| Total | 18 | 17 |

IDS Test 2 - Performance Under Load

| Network load | 0% | 25% | 50% | 75% | 100% |
|---|---|---|---|---|---|
| Small (64 byte) packet test (max 148,000pps) | 100% | 100% | 100% | 100% | 100% |
| "Real world" packet test (max 57,000pps) | n/a | n/a | n/a | n/a | n/a |
| Large (1514 byte) packet test (max 8176pps) | n/a | n/a | n/a | n/a | n/a |

IDS Test 3 - IDS Evasion Techniques

| Tool | Attacks | Detected |
|---|---|---|
| Fragrouter | 8 | 0 |
| Whisker | 7 | 6 |
| Total | 15 | 6 |

IDS Test 4 - Stateful Operation

| Tool | Attacks | Vulnerable? |
|---|---|---|
| Stick | n/a | n/a |
| Snot | n/a | n/a |

Notes:

1. NetProwler was not re-tested for Edition 2, therefore a complete set of test results is not available. Tests that were not included in Edition 1 are marked as "n/a".

Symantec NetProwler performed exceptionally well in the network load tests, detecting 100 per cent of all attacks at 100 per cent network load. However, although it did spot all of the attacks (except for Nestea), it misrepresented far too many of them, and some of the descriptions were entirely inaccurate (though always consistent). For example, Chargen attacks were reported as Stacheldraht, SYN floods were reported as ICMP Redirect, and SYNdrop was reported as Tribal Flood Network 2K, amongst others.

NetProwler does not provide packet reassembly and so failed to spot any fragmentation attacks launched through fragrouter. Performance against other IDS evasion techniques was mixed, handling most of the Whisker attacks quite well (though missing the URL encoding mode for some reason). Whilst this was barely tolerable 12 months ago, it is not acceptable today, and Symantec inform us that the product has not been updated significantly since we last evaluated it.

On the plus side, the monitoring screen on the Agent GUI shows packets processed and packets dropped, which is an extremely useful indication of when an Agent is being overloaded (though we did not see this happen in our tests). The attack counts are also very accurate, making it very easy to determine exactly how many attacks have been detected.
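An added example, not part of the original review and not NetProwler's code: a minimal sketch of why a sensor that matches signatures one packet at a time misses a fragmented or URL-encoded request, while one that reassembles and decodes before matching does not. The signature, the sample request and all function names are constructed for illustration, and offsets are plain byte offsets rather than IP's 8-byte units.

```python
from urllib.parse import unquote_to_bytes

SIGNATURE = b"/cgi-bin/example.cgi"  # constructed signature, not a real IDS rule

def match_per_packet(fragments):
    """Sensor without reassembly: inspects each fragment payload on its own."""
    return any(SIGNATURE in data for _, data in fragments)

def reassemble(fragments):
    """Rebuild the payload from (offset, data) pairs given in arrival order.

    Overlapping bytes: the first-arrived byte wins. This is a policy choice and
    a real sensor has to apply the same policy as the host it protects.
    Returns None if the fragments leave a gap.
    """
    seen = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            seen.setdefault(offset + i, byte)
    if not seen or sorted(seen) != list(range(len(seen))):
        return None
    return bytes(seen[i] for i in range(len(seen)))

def match_normalized(fragments):
    """Sensor with reassembly and URL decoding applied before matching."""
    payload = reassemble(fragments)
    return payload is not None and SIGNATURE in unquote_to_bytes(payload)

# Constructed sample traffic: one request delivered as out-of-order fragments,
# and the same request with one character of the path percent-encoded.
REQUEST = b"GET /cgi-bin/example.cgi HTTP/1.0\r\n\r\n"
FRAGMENTED = [(16, REQUEST[16:]), (0, REQUEST[:8]), (8, REQUEST[8:16])]
ENCODED = [(0, b"GET /cgi-bin/%65xample.cgi HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    for name, sample in (("fragmented", FRAGMENTED), ("url-encoded", ENCODED)):
        print(name, "per-packet:", match_per_packet(sample),
              "normalized:", match_normalized(sample))
```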