Re: CRIME Checkpoint versus Sonicwall

From: Toby (toby@private)
Date: Tue Sep 03 2002 - 08:40:11 PDT


    Andrew Plato writes:
    
    > > I was going to leave this conversation alone but I just have to jump in at
    > > this point. "ISS is the only solution for enterprise IDS as far as I'm
    > > concerned."? That's an interesting thing to say. Have you ever tried to
    > > get the packet logs from a BlackICE sensor when you need to figure out why
    > > you're seeing false positives? Have you ever had to try and figure out
    > > why you're seeing an alert when you have no way of telling what triggered the
    > > system because not only do you not have documentation on the details of the
    > > protocol engines but the packet log is half empty because only the last
    > > packet in a sequence is caught?
    >  
    > Toby, come on, all of these questions can be answered. You just have to know 
    > who to ask. :-) The BlackICE protocol engine is documented in gory detail in 
    > the BlackICE Advanced Administration Guide - which anybody using a 
    > BlackICE based IDS should have a copy of. 
    
    Notice, I didn't suggest that ISS was the only one (or even that I was
    specifically complaining about ISS).
    I was simply making a point on it. As for the packet logs, you can't fix
    that because ISS won't fix it. <shrug> such is life.
    
    >  
    > If you want, I will send you a copy of this document as ISS, for 
    > reasons I have never understood, seems intent on keeping this doc
    > hidden. 
    
    I'd love a copy. You can send it here or to:
    toby@private
    
    > And if you're nice to me - I'll send you some "secret" commands
    > that allow you to "look inside" the protocol engine even deeper. 
    
    Puh-lease!?!
    ;)
    
    > >As a manager of mine used to say- I'm a simple man. I don't expect
    > >perfection from my IDS, these days I don't even expect them to be very
    > >good. But I've looked at EVERY commercial IDS I could find and every IDS
    > > technology approach there is and I tell you this-
    > > THEY ALL SUCK. And ISS sucks just as badly (worse in some places) than any
    > > other product. 
    > 
    > You're right to a certain extent here. But you could extend this to probably 
    > every technology ever made. Everything has strengths and weaknesses. 
    
    Ah, no. Other technologies are in much better shape than IDS.
    
    > One word of warning - be very wary of any IDS vendor (or their reseller) that 
    > won't send you some kind of demo/eval copy. There are a few vendors and resellers
    > that still do this and it is lame. You wouldn't spend a dime on a car
    > without taking it for a test drive - same is true of any IDS. 
    
    That makes sense except for appliances, where they may have more trouble
    giving you a box to play with.
    
    t
    



    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 09:28:09 PDT