Network Computing
ISS RealSecure Pushes Past Newer IDS Players
May 17, 1999
By Greg Shipley
A low-frequency hum of routers and workstations permeated our lab as we launched an array of attacks against the targeted hosts. Surrounded by Unix workstations, Windows NT servers, Windows 95 clients, routers, switches, firewalls and approximately $100,000 worth of intrusion detection systems (IDS), we pounded away at our objective. Scanning, poking, prodding, exploiting...we pounded and pounded and pounded.

And while we saturated links, created thousands of sessions and blasted segments until the hubs red-lined, our IDSes kept on chugging. They endured almost everything we threw their way, carefully watching, inspecting and discarding every packet. Unfortunately, they also blithely inspected, discarded and overlooked the attack that remotely ripped the NT SAM database, containing all of the domain's user names and passwords, right out from under their noses.

Real Time, Real Threats

The threat of intrusion is real. Hacker penetrations have moved out of folklore status and into the mainstream. Sorting through the glossy marketing literature, it's easy to believe that without intrusion detection, your network is being led to the slaughterhouse. After our testing, we're convinced you may be heading there anyway.

Current IDS implementations are not the final answer to the threat of intrusion. They do not stop hackers dead in their tracks, and they certainly don't offer an all-encompassing security solution. IDSes aren't perfect--in fact, they're a long way from being polished. However, IDS technology can put an administrator in touch with what's going down on the network from a security perspective in real time. Giving administrators the tools to see in areas where they were previously blind is invaluable. IDSes can be a significant asset in the administrator's repertoire, and their place in the enterprise is quickly becoming apparent.

As in many of our security product tests, in the end we determined we had an assortment of useful products that would have made for a remarkable solution if we somehow could have combined pieces of each into one package. Cisco Systems' NetRanger is quite the robust workhorse, and it has a strong set of attack signatures. AXENT Technologies' ID-Trak is by far the easiest to customize, and offers a simple solution to specific problems. Network Flight Recorders' NFR Intrusion Detection Appliance has a wonderful back end with a mighty scripting language. But when all is said and done, ISS' RealSecure gets our Editors' Choice award; it's the most useful and mature IDS out of the box.

Packet Sniffer on Steroids?

At the root of IDSes is the concept of identifying a particular attack method. While there is an endless number of possible sequences, the raw building blocks of most assaults are based on smaller components or "exploits." Building on internal databases of such exploits and patterns, IDS vendors create what are referred to as attack signatures. Using these defined signatures while inspecting real-time network traffic, IDSes try to analyze sets of packets for a signature match.

IDSes typically employ two basic components: sensors and back-end management stations. The sensor or "watcher" module is responsible for grabbing (essentially sniffing) the network traffic and inspecting it, while the back end handles the logging of attacks and the issuance of any alarms or countermeasures.
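
The sensor and back-end split described above, sketched as an added Python example; it is not code from the article or from any of the reviewed products. The signature names, thresholds and sample traffic are assumptions constructed for illustration: one signature matches a single packet's payload, the other only matches across a set of packets.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src dst dport payload")

# Illustrative signatures (constructed for this example, not from any product).
PAYLOAD_SIGNATURES = {"path-traversal-request": b"/../"}
SWEEP_PORTS, SWEEP_WINDOW = 5, 10.0   # 5 distinct ports within 10 seconds

class Sensor:
    """Inspects packets one at a time and reports signature matches."""
    def __init__(self):
        self.recent = defaultdict(list)   # (src, dst) -> [(ts, port), ...]

    def inspect(self, pkt):
        hits = [n for n, pat in PAYLOAD_SIGNATURES.items() if pat in pkt.payload]
        # Stateful signature: a match depends on a set of packets, not one.
        key = (pkt.src, pkt.dst)
        seen = [(t, p) for t, p in self.recent[key]
                if pkt.ts - t <= SWEEP_WINDOW]
        seen.append((pkt.ts, pkt.dport))
        self.recent[key] = seen
        if len({p for _, p in seen}) >= SWEEP_PORTS:
            hits.append("port-sweep")
            self.recent[key] = []         # reset so one sweep raises one alert
        return hits

class Backend:
    """Logs every match; this list is what the operator would review."""
    def __init__(self):
        self.log = []

    def record(self, pkt, hits):
        for name in hits:
            self.log.append((pkt.ts, pkt.src, pkt.dst, name))

def run(packets):
    """Feed packets through the sensor and return the back end's alert log."""
    sensor, backend = Sensor(), Backend()
    for pkt in packets:
        backend.record(pkt, sensor.inspect(pkt))
    return backend.log

# Constructed sample traffic (documentation addresses from RFC 5737).
DST = "198.51.100.5"
SAMPLE = [Packet(float(i), "192.0.2.10", DST, port, b"")
          for i, port in enumerate([21, 22, 23, 25, 80])]
SAMPLE += [
    Packet(6.0, "192.0.2.20", DST, 80, b"GET /docs/../secret HTTP/1.0\r\n\r\n"),
    Packet(7.0, "192.0.2.30", DST, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]
```

Calling `run(SAMPLE)` returns one `port-sweep` alert for the first source and one `path-traversal-request` alert for the second; the ordinary request from the third source produces nothing.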

