RE: CRIME Checkpoint versus Sonicwall

From: Andrew Plato (aplato@private)
Date: Wed Aug 28 2002 - 13:33:36 PDT


> Money, scalability, speed: very nice. Uh, what about security? The
> Symantec product is a "hybrid" firewall (i.e. uses proxies) while the
> others are packet filters. IMHO, that adds security value.

When it comes to security, I firmly believe that 75% to 90% of security is in the configuration, management, and use of a product, not the product itself. All of these firewalls can offer an exceptional amount of security - provided they are implemented, used, and managed in a secure manner. You could hand somebody a mega-hyper secure computer, but if they promptly changed passwords, removed security systems, and loaded Kazaa on it - well, all that security tuning was wasted.

> That is also a role for secure operating systems (our products). IDS
> just tell you that you've just been had, and you're about to have a bad
> weekend :)

Yes, I agree. There is a place for secure operating systems. But IDS can start to deliver information about what's going on on your network. Firewalls and secure OS components may keep hackers out. But an IDS has the unique job of telling you if anybody is even trying. Moreover, good IDSs have the capability to archive intrusion data, hence giving you evidence of an intrusion.

Furthermore, not all IDSs are passive - "ruin your weekend" - type systems. Some IDSs can also kill intrusions at the host, on the network, or at the gateway. I have a nifty little unit (called RealSecure Guard) sifting through every frame in and out of my company. If it sees a hack, it blocks it automatically and sends an alert to me. No user intervention required. There are also network sensors that can send TCP RST packets to kill unwanted connections and those that can on-the-fly reconfigure a Checkpoint firewall to block an intruder. Then of course there are host-based IDSs like Entercept and RealSecure Desktop that can kill intrusions at the host, in real time.

This is actually one of my bigger complaints with Snort. As capable as it is, it has no integrated response capabilities other than to shoot off alerts. You'd have to custom build a response mechanism for it, which isn't easy.

Clearly there is a place for all these products. The real question in many people's minds is: what is necessary and what can I afford? That's a much harder question to answer.

-----------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com

------------------------------------
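An added example, not from the original post or from any of the products it names, of the kind of "custom built" response mechanism the post says Snort lacks: it parses Snort's "fast" alert format, blocks only the most severe alerts, never blocks a protected network (a spoofed-source scan would otherwise get your own hosts cut off), and gives each block an expiry. The sample alert lines, the local rule SIDs, and 192.168.1.0/24 as the LAN are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Snort "fast" alert format, one alert per line, e.g.:
# 08/28-13:33:36.1  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 1] {TCP} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)
# Networks that must never be auto-blocked (assumption: 192.168.1.0/24 is the LAN). An attacker
# who spoofs the source of a noisy scan would otherwise make the responder block your own hosts.
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24")]
# Constructed sample alerts; SIDs 1000001+ are local-rule numbers, not real Snort rules.
SAMPLE_ALERTS = [
    "08/28-13:33:36.100000  [**] [1:1000001:1] LOCAL shellcode in SSH stream [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.168.1.10:22",
    "08/28-13:33:37.200000  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.10",
    "08/28-13:33:38.300000  [**] [1:1000001:1] LOCAL shellcode in SSH stream [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.168.1.20:5000 -> 192.168.1.10:22",
    "08/28-13:33:39.400000  [**] [1:1000001:1] LOCAL shellcode in SSH stream [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44322 -> 192.168.1.10:22",
    "garbage line that the parser must ignore",
]

@dataclass
class BlockAction:
    src: str
    sid: int
    ttl_seconds: int  # blocks expire so a one-off false positive does not become permanent

def parse_alert(line):
    """Return the fields the responder needs, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m["sid"]), "priority": int(m["prio"]), "src": m["src"], "dst": m["dst"]}

def plan_blocks(lines, max_priority=1, ttl_seconds=600):
    """One block per offending source for alerts at or above max_priority (1 = most severe)."""
    actions = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["priority"] > max_priority:
            continue
        if any(ipaddress.ip_address(a["src"]) in net for net in NEVER_BLOCK):
            continue  # protected network: alert only, never block
        actions.setdefault(a["src"], BlockAction(a["src"], a["sid"], ttl_seconds))
    return list(actions.values())

def iptables_commands(actions):
    """Render the decisions as firewall commands; a real deployment would also schedule removal."""
    return [f"iptables -I INPUT -s {a.src} -j DROP" for a in actions]
```

Feed it the Snort fast-alert log (for example via `tail -f`) and execute the returned commands from a scheduler that also removes each rule after `ttl_seconds`.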
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 14:36:08 PDT