RE: CRIME Checkpoint versus Sonicwall

From: Andrew Plato (aplato@private)
Date: Tue Sep 03 2002 - 00:22:24 PDT

  • Next message: Crispin Cowan: "Re: CRIME Checkpoint versus Sonicwall"

    > I was going to leave this conversation alone but I just have to jump in at
    > this point. "ISS is the only solution for enterprise IDS as far as I'm
    > concerned."? That's an interesting thing to say. Have you ever tried to
    > get the packet logs from a BlackICE sensor when you need to figure out why
    > you're seeing a false positive? Have you ever had to try and figure out
    > why you're seeing an alert when you have no way of telling what triggered the
    > system because not only do you not have documentation on the details of the
    > protocol engines but the packet log is half empty because only the last
    > packet in a sequence is caught?
     
    Toby, come on, all of these questions can be answered. You just have to know 
    who to ask. :-) The BlackICE protocol engine is documented in gory detail in 
    the BlackICE Advanced Administration Guide - which anybody using a 
    BlackICE based IDS should have a copy of. 
     
    If you want, I will send you a copy of this document, as ISS, for 
    reasons I have never understood, seems intent on keeping this doc
    hidden. 
     
    And if you're nice to me - I'll send you some "secret" commands
    that allow you to "look inside" the protocol engine even deeper. 
     
    > As a manager of mine used to say - I'm a simple man. I don't expect
    > perfection from my IDS; these days I don't even expect them to be very
    > good. But I've looked at EVERY commercial IDS I could find and every IDS
    > technology approach there is and I tell you this -
    > THEY ALL SUCK. And ISS sucks just as badly as (worse in some places) any
    > other product. 
    
    You're right to a certain extent here. But you could extend this to probably 
    every technology ever made. Everything has strengths and weaknesses. 
     
    To use an innocuous example - why do I have 5 media players on my computer 
    (WinAmp, QuickTime, Real, MusicMatch, Windows Media)? Because each one 
    sucks in its own unique way. But each one has its value as well. 
    I of course won't dispute the "ISS is the only choice for enterprise" because 
    ....that's what I sell. But the reality is, anybody thinking of implementing IDS 
    needs to test and evaluate the solutions out there and find the solution that 
    best fits their needs and expectations. You can read all the reports you want 
    and listen to sales people until the end of time. The real way to evaluate an 
    IDS is to plug one in at your company and play with it for a few days. See
    what you like and what you don't like. And if possible - find other users 
    and see what they say. 
     
    One word of warning - be very wary of any IDS vendor (or their reseller) that 
    won't send you some kind of demo/eval copy. There are a few vendors and resellers
    that still do this and it is lame. You wouldn't spend a dime on a car
    without taking it for a test drive - same is true of any IDS. 
     
    ------------------------------------
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    (503) 644-5656 office
    (503) 201-0821 cell
    http://www.anitian.com
    ------------------------------------
    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 01:16:43 PDT