On 08:46 AM 6/28/02, Brandon Knicely wrote:
Thanks to those that responded, content listed below with a few comments of my own. Also welcome additional discussion.
It appears that this recent report was overlooked: <http://www.nwfusion.com/techinsider/2002/0624security1.html> Crying wolf: False alarms hide attacks Eight IDSs fail to impress during the monthlong test on a production network. By David Newman, Joel Snyder and Rodney Thayer Network World, 06/24/02 One thing that can be said with certainty about network-based intrusion-detection systems is that they're guaranteed to detect and consume all your available bandwidth. Whether they also detect network intrusions is less of a sure thing. Those are the major conclusions of our first-ever IDS product comparison conducted "in the wild." Unlike previous tests run in lab settings, we put seven commercial IDS products and one open-source offering on a live ISP segment to see what they'd catch. What we found wasn't encouraging: Several IDSs crashed repeatedly under the burden of the false alarms they churned out. When real attacks came along, some products didn't catch them and others buried the reports so deep in false alarms that they were easy to miss. Overly complex interfaces made tuning out false alarms a challenge. Because no product distinguished itself, we are not naming a winner (See "No cigar"). The eight products we tested - from Cisco, Intrusion, Lancope, Network Flight Recorder (NFR), Nokia (running on OEM version of Internet Security Systems RealSecure 6.5), OneSecure, Recourse Technologies and the open-source Snort package - all ask too much of their users in terms of time and expertise to be described as security must-haves. (follow the URL above for the whole story) jc