brvarin@private writes:

> Proxy based firewalls aren't really that slow. Sure a Checkpoint is faster
> but slap on all the 3rd party application inspection engines and it too
> starts slowing down. In today's world, having a firewall that only goes down
> to Layer 4 just won't cut it IMHO. And hiding details from the outside
> world is a good thing!
>
> As for Snort...I love it but have to agree that it's just not something you
> want for an enterprise IDS. I use it at home and it smokes. If I had to
> manage more than a few?....ugh. ISS is the only solution for enterprise IDS
> as far as I'm concerned.

I was going to leave this conversation alone but I just have to jump in at
this point.

"ISS is the only solution for enterprise IDS as far as I'm concerned."?
That's an interesting thing to say. Have you ever tried to get the packet
logs from a BlackICE sensor when you need to figure out why you're seeing a
false positive? Have you ever had to try and figure out why you're seeing an
alert when you have no way of telling what triggered the system, because not
only do you not have documentation on the details of the protocol engines,
but the packet log is half empty because only the last packet in a sequence
is caught?

As a manager of mine used to say- I'm a simple man. I don't expect
perfection from my IDS; these days I don't even expect them to be very good.
But I've looked at EVERY commercial IDS I could find and every IDS
technology approach there is, and I tell you this- THEY ALL SUCK. And ISS
sucks just as badly (worse in some places) as any other product.

I won't make statements about my preference for one product or another, but
I'll simply put forth that before you say that ISS is the one true path, you
consider what an IDS really needs to do for you- find bad things, tell you
about them, tell you why they think it is a bad thing, give you a way to
teach them.
toby

>
> Proxy-based firewalls are also a hell of a lot slower than stateful packet
> firewalls. They also can hide the details of the outside world, making
> IDSs unusable inside your network. Personally, I find that a good stateful
> firewall can filter out all the junk and handle authentication and
> monitoring. And then a well tuned IDS can focus in on the traffic and what
> it is trying to do. The two working together can form a rather significant
> barrier to hacker scum. It also creates a "separation of duties": the
> firewall does its job and the IDS does its job. You don't have one unit
> (hence a single point of failure) trying to do both.
>
> Once again, this is an area where Snort is extremely difficult to use
> because there is no centralized policy creation and management system as
> well as a reporting mechanism. Something that virtually all the commercial
> products - even Sourcefire's commercial product - have.
>
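The four requirements toby lists (find bad things, report them, explain why, and let the analyst teach the sensor) are easy to state and easy to get wrong, as the "only the last packet in a sequence is caught" complaint shows. The following is an added illustration, not code from this thread and not code from Snort, ISS or BlackICE: a toy signature engine that keeps a per-flow ring buffer so an alert carries every packet that led up to the trigger, states exactly which rule and byte offset fired, and accepts analyst feedback that suppresses a known false positive. The rule, addresses, payloads and the `ToyIDS` class are all constructed for the example.

```python
"""Added example (not from the thread): a toy flow-aware signature engine
showing an alert that carries its full evidence, an explicit reason, and a
way for the analyst to teach the sensor.  Every rule, host and payload here
is constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int          # constructed rule id, not a real Snort/ISS signature
    msg: str
    dport: int
    content: bytes    # byte pattern searched for in the payload


@dataclass
class Alert:
    sid: int
    msg: str
    reason: str       # which rule, which offset, which port: the "why"
    evidence: list    # every retained packet of the flow, trigger included


class ToyIDS:
    def __init__(self, rules, history=8):
        self.rules = rules
        # per-flow ring buffer: the last `history` packets, so the alert can
        # show the whole sequence instead of just the packet that fired
        self.flows = defaultdict(lambda: deque(maxlen=history))
        self.suppressed = set()   # (sid, src) pairs the analyst has marked benign
        self.alerts = []

    def teach(self, sid, src):
        """Analyst feedback: this rule is a known false positive for this source."""
        self.suppressed.add((sid, src))

    def feed(self, pkt):
        """Process one packet; returns the alerts raised by this packet."""
        key = (pkt.src, pkt.dst, pkt.dport)
        self.flows[key].append(pkt)
        raised = []
        for rule in self.rules:
            if rule.dport != pkt.dport:
                continue
            idx = pkt.payload.find(rule.content)
            if idx < 0 or (rule.sid, pkt.src) in self.suppressed:
                continue
            reason = (f"sid {rule.sid}: payload offset {idx} matched "
                      f"{rule.content!r} on dport {pkt.dport}")
            alert = Alert(rule.sid, rule.msg, reason, list(self.flows[key]))
            raised.append(alert)
            self.alerts.append(alert)
        return raised


# constructed rule: flag a directory-traversal-looking token in HTTP traffic
RULES = [Rule(sid=1000001, msg="constructed: traversal pattern in HTTP request",
              dport=80, content=b"../../")]


def make_flow():
    """Constructed three-packet HTTP request; the third packet trips the rule."""
    return [
        Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("10.0.0.5", "10.0.0.80", 80, b"Host: intranet\r\n"),
        Packet("10.0.0.5", "10.0.0.80", 80, b"Referer: /docs/../../etc\r\n"),
    ]


def run_demo():
    """Returns (alerts before teaching, alerts after teaching) for the same flow."""
    ids = ToyIDS(RULES)
    for p in make_flow():
        ids.feed(p)
    before = list(ids.alerts)
    # the analyst inspects the evidence, decides it is benign, and teaches the sensor
    ids.teach(1000001, "10.0.0.5")
    ids.alerts.clear()
    for p in make_flow():
        ids.feed(p)
    return before, list(ids.alerts)


if __name__ == "__main__":
    before, after = run_demo()
    for a in before:
        print(a.msg, "|", a.reason)
        for p in a.evidence:
            print("   evidence:", p.payload)
    print("alerts after teaching:", len(after))
```

The point of the ring buffer is the one toby raises: with only the triggering packet retained, the analyst cannot tell that the match sat in a Referer header of an otherwise ordinary GET, and so cannot decide whether it was a false positive. The `teach` call is deliberately narrow (one rule for one source) so that tuning out a false positive does not silence the rule everywhere.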
This archive was generated by hypermail 2b30 : Sat Aug 31 2002 - 00:52:35 PDT