Information Assurance Tools Report
Sixth Edition September 25, 2009
Intrusion Detection Systems
Distribution Statement A. Approved for public release; distribution is unlimited.
REPORT DOCUMENTATION PAGE
Form Approved OMB No. 0704-0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.

1. REPORT DATE: 25-09-2009
2. REPORT TYPE: Report
3. DATES COVERED (From - To): 25-09-2009
4. TITLE AND SUBTITLE: Information Assurance Technology Analysis Center (IATAC) Information Assurance Tools Report, Intrusion Detection Systems. Sixth Edition.
5a. CONTRACT NUMBER: SPO700-98-D-4002
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
5d. PROJECT NUMBER
5e. TASK NUMBER: N/A
5f. WORK UNIT NUMBER
6. AUTHOR(S): Revision by Tzeyoung Max Wu
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): IATAC, 13200 Woodland Park Road, Herndon, VA 20171
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Technical Information Center, 8725 John J. Kingman Road, Suite 0944, Fort Belvoir, VA 22060-6218
10. SPONSOR/MONITOR'S ACRONYM(S)
11. SPONSOR/MONITOR'S REPORT NUMBER(S)
12. DISTRIBUTION / AVAILABILITY STATEMENT: Distribution Statement A. Approved for public release; distribution is unlimited.
13. SUPPLEMENTARY NOTES: IATAC is operated by Booz Allen Hamilton, 8283 Greensboro Drive, McLean, VA 22102.
14. ABSTRACT: This Information Assurance Technology Analysis Center (IATAC) report provides an index of Intrusion Detection System (IDS) tools. It summarizes pertinent information, providing users a brief description of available IDS tools and contact information for each. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tool. The written descriptions are based solely on vendors' claims and are intended only to highlight the capabilities and features of each firewall product. The report does identify sources of product evaluations when available.
15. SUBJECT TERMS: IATAC Collection, Intrusion Detection Systems (IDS)
16. SECURITY CLASSIFICATION OF: a. REPORT: UNCLASSIFIED; b. ABSTRACT: UNCLASSIFIED; c. THIS PAGE: UNCLASSIFIED
17. LIMITATION OF ABSTRACT: None
18. NUMBER OF PAGES: 93
19a. NAME OF RESPONSIBLE PERSON: Tyler, Gene
19b. TELEPHONE NUMBER (include area code): 703-984-0775

Standard Form 298 (Rev. 8-98). Prescribed by ANSI Std. Z39.18
Table of Contents

SECTION 1 Introduction .......... 1
1.1 Purpose .......... 2

SECTION 2 Intrusion Detection/Prevention Overview .......... 3
2.1 Definition .......... 3
2.2 Technologies .......... 3
2.2.1 Network-Based .......... 3
2.2.2 Wireless .......... 3
2.2.3 Network Behavior Anomaly Detection .......... 3
2.2.4 Host-Based .......... 3
2.3 Detection Types .......... 3
2.3.1 Signature-Based Detection .......... 3
2.3.2 Anomaly-Based Detection .......... 4
2.3.3 Stateful Protocol Inspection .......... 4
2.4 False Positives and Negatives .......... 4
2.5 System Components .......... 4

SECTION 3 Technologies .......... 5
3.1 Network Intrusion Detection System .......... 5
3.1.1 An Overview of the Open Systems Interconnection Model .......... 5
3.1.2 Component Types .......... 5
3.1.3 NIDS Sensor Placement .......... 6
3.1.4 Types of Events .......... 6
3.1.5 Prevention .......... 7
3.2 Wireless .......... 7
3.2.1 Components .......... 7
3.2.2 Types of Events .......... 8
3.3 Network Behavior Anomaly Detection .......... 8
3.4 Host-Based Intrusion Detection System .......... 8
3.4.1 Types of Events .......... 9
3.4.2 Prevention .......... 9

SECTION 4 IDS Management .......... 11
4.1 Maintenance .......... 11
4.2 Tuning .......... 11
4.3 Detection Accuracy .......... 11

SECTION 5 IDS Challenges .......... 13
5.1 Attacks .......... 13
5.1.1 Tools Used in Attacks .......... 13
5.1.2 Social Engineering .......... 13
5.2 Challenges in IDS .......... 14
5.2.1 IDS Scalability in Large Networks .......... 14
5.2.2 Vulnerabilities in Operating Systems .......... 14
5.2.3 Limits in Network Intrusion Detection Systems .......... 14
5.2.4 Signature-Based Detection .......... 14
5.2.5 Challenges with Wireless Technologies .......... 14
5.2.6 Over-Reliance on IDS .......... 15

SECTION 6 Conclusion .......... 17

SECTION 7 IDS Tools .......... 19

Host-Based Intrusion Detection Systems
AIDE Advanced Intrusion Detection Environment .......... 21
CSP Alert-Plus .......... 22
eEye Retina .......... 23
eEye SecureIIS Web Server Protection .......... 24
GFI EventsManager .......... 25
Hewlett Packard-Unix (HP-UX) 11i Host Intrusion Detection System (HIDS) .......... 26
IBM RealSecure Server Sensor .......... 27
integrit .......... 28
Lumension Application Control .......... 29
McAfee Host Intrusion Prevention .......... 30
NetIQ Security Manager iSeries .......... 31
Osiris .......... 32
OSSEC HIDS .......... 33
PivX preEmpt .......... 34
Samhain .......... 35
Tripwire Enterprise .......... 36
Tripwire for Servers .......... 37

Network Intrusion Detection Systems
Arbor Networks Peakflow X .......... 39
ArcSight .......... 40
Bro .......... 41
Check Point IPS Software Blade .......... 42
Check Point VPN-1 Power .......... 43
Check Point VPN-1 Power VSX .......... 44
Cisco ASA 5500 Series IPS Edition .......... 45
Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) .......... 46

IA Tools Report
i

Cisco Guard XT .......... 47
Cisco Intrusion Detection System Appliance IDS-4200 .......... 48
Cisco IOS IPS .......... 49
Cisco Security Agent .......... 50
Enterasys Dragon Network Defense .......... 51
ForeScout CounterAct Edge .......... 52
IBM Proventia SiteProtector ..........