RE: CRIME Checkpoint versus Sonicwall

From: James Wilcox (jim_wilcox@private)
Date: Tue Sep 03 2002 - 10:15:35 PDT

    Espousing one tool over another sounds a bit like the old Ford vs. Chevy vs.
    Dodge argument (which can be kind of fun over beers and billiards).
    
    Peter Tippett has been on a path for a while promoting multiple defenses to
    compensate for the imperfection of any single one. As Deming used to say,
    Tippett reiterates, "Technology is not the answer." You can't rebuild an
    engine with just an end-wrench. You need multiple tools and some knowledge
    of what you are doing, how to do it, and how the system works. Tippett
    builds his idea on Bayesian inference.
    
    http://www.cfo.com/Article?article=7604
    
    By the way, if you don't recall Bayesian history, Thomas Bayes was a
    minister who was born in Kent in 1701. The problem he dealt with is as
    follows:
    
    Given the number of times in which an unknown event has happened and
    failed, the chance that the probability of its happening in a single trial
    lies somewhere between any two degrees of probability that can be named. He
    did his research with a billiard table... he couldn't have been all bad.
    
    
    James R. Wilcox, CISSP
    Western Region Manager
    SecureInfo Corporation
    503 799-8438
    Sales Support (Brandi McMahan) 888 677-9351
    TESS Support 888 753-8377
    james.wilcox@private
    www.secureinfo.com
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Toby
    Sent: Tuesday, September 03, 2002 8:40 AM
    To: Andrew Plato
    Cc: brvarin@private; crime@private
    Subject: Re: CRIME Checkpoint versus Sonicwall
    
    
    Andrew Plato writes:
    
    > > I was going to leave this conversation alone but I just have to jump in at
    > > this point. "ISS is the only solution for enterprise IDS as far as I'm
    > > concerned."? That's an interesting thing to say. Have you ever tried to
    > > get the packet logs from a BlackICE sensor when you need to figure out why
    > > you're seeing false positives? Have you ever had to try and figure out
    > > why you're seeing an alert when you have no way of telling what triggered the
    > > system because not only do you not have documentation on the details of the
    > > protocol engines but the packet log is half empty because only the last
    > > packet in a sequence is caught?
    >
    > Toby, come on, all of these questions can be answered. You just have to know
    > who to ask. :-) The BlackICE protocol engine is documented in gory detail in
    > the BlackICE Advanced Administration Guide - which anybody using a
    > BlackICE based IDS should have a copy of.
    
    Notice, I didn't suggest that ISS was the only one (or even that I was
    specifically complaining about ISS).
    I was simply making a point on it. As for the packet logs, you can't fix
    that because ISS won't fix it. <shrug> such is life.
    
    >
    > If you want, I will send you a copy of this document as ISS does, for
    > reasons I have never understood, seems intent on keeping this doc
    > hidden.
    
    I'd love a copy. You can send it here or to:
    toby@private
    
    > And if you're nice to me - I'll send you some "secret" commands
    > that allow you to "look inside" the protocol engine even deeper.
    
    Puh-lease!?!
    ;)
    
    > >As a manager of mine used to say- I'm a simple man. I don't expect
    > >perfection from my IDS, these days I don't even expect them to be very
    > >good. But I've looked at EVERY commercial IDS I could find and every IDS
    > > technology approach there is and I tell you this-
    > > THEY ALL SUCK. And ISS sucks just as badly as (worse in some places) any
    > > other product.
    >
    > You're right to a certain extent here. But you could extend this to probably
    > every technology ever made. Everything has strengths and weaknesses.
    
    Ah, no. Other technologies are in much better shape than IDS.
    
    > One word of warning - be very wary of any IDS vendor (or their reseller) that
    > won't send you some kind of demo/eval copy. There are a few vendors and resellers
    > that still do this and it is lame. You wouldn't spend a dime on a car
    > without taking it for a test drive - same is true of any IDS.
    
    That makes sense except for appliances, where they may have more trouble
    giving you a box to play with.
    
    t
    
    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 10:17:16 PDT