Re: CRIME Checkpoint versus Sonicwall

From: Toby (toby@private)
Date: Tue Sep 03 2002 - 14:59:41 PDT


    James Wilcox writes:
    
    > Espousing one tool over another sounds a bit like the old Ford vs. Chevy vs.
    > Dodge argument (which can be kind of fun over beers and billiards).
    > 
    > Peter Tippett has been on a path for a while promoting multiple defenses to
    > compensate for the imperfection of any single one. As Deming used to say,
    > Tippett reiterates, "Technology is not the answer." You can't rebuild an
    > engine with just an end-wrench. You need multiple tools and some knowledge
    > of what you are doing, how to do it, and how the system works. Tippett
    > builds his idea on Bayesian inference.
    
    Which is also what I've been saying all along: you have to use multiple
    products to deal with the fact that they are all fallible.
    
    t
    
    > 
    > http://www.cfo.com/Article?article=7604
    > 
    > By the way, if you don't recall Bayesian history, Thomas Bayes was a
    > minister who was born in Kent in 1701. The problem he dealt with is as
    > follows:
    > 
    > Given the number of times in which an unknown event has happened and
    > failed, find the chance that the probability of its happening in a single
    > trial lies somewhere between any two degrees of probability that can be
    > named. He did his research with a billiard table... he couldn't have been
    > all bad.
    > 
    > 
    > James R. Wilcox, CISSP
    > Western Region Manager
    > SecureInfo Corporation
    > 503 799-8438
    > Sales Support (Brandi McMahan) 888 677-9351
    > TESS Support 888 753-8377
    > james.wilcox@private
    > www.secureinfo.com
    > 
    > -----Original Message-----
    > From: owner-crime@private [mailto:owner-crime@private]On Behalf Of
    > Toby
    > Sent: Tuesday, September 03, 2002 8:40 AM
    > To: Andrew Plato
    > Cc: brvarin@private; crime@private
    > Subject: Re: CRIME Checkpoint versus Sonicwall
    > 
    > 
    > Andrew Plato writes:
    > 
    > > > I was going to leave this conversation alone but I just have to jump in
    > > > at this point. "ISS is the only solution for enterprise IDS as far as I'm
    > > > concerned."? That's an interesting thing to say. Have you ever tried to
    > > > get the packet logs from a BlackICE sensor when you need to figure out
    > > > why you're seeing a false positive? Have you ever had to try and figure
    > > > out why you're seeing an alert when you have no way of telling what
    > > > triggered the system because not only do you not have documentation on
    > > > the details of the protocol engines but the packet log is half empty
    > > > because only the last packet in a sequence is caught?
    > >
    > > Toby, come on, all of these questions can be answered. You just have to
    > > know who to ask. :-) The BlackICE protocol engine is documented in gory
    > > detail in the BlackICE Advanced Administration Guide - which anybody using
    > > a BlackICE based IDS should have a copy of.
    > 
    > Notice, I didn't suggest that ISS was the only one (or even that I was
    > specifically complaining about ISS).
    > I was simply making a point on it. As for the packet logs, you can't fix
    > that because ISS won't fix it. <shrug> such is life.
    > 
    > >
    > > If you want, I will send you a copy of this document as ISS does, for
    > > reasons I have never understood, seems intent on keeping this doc
    > > hidden.
    > 
    > I'd love a copy. You can send it here or to:
    > toby@private
    > 
    > > And if you're nice to me - I'll send you some "secret" commands
    > > that allow you to "look inside" the protocol engine even deeper.
    > 
    > Puh-lease!?!
    > ;)
    > 
    > > > As a manager of mine used to say: I'm a simple man. I don't expect
    > > > perfection from my IDS, these days I don't even expect them to be very
    > > > good. But I've looked at EVERY commercial IDS I could find and every IDS
    > > > technology approach there is and I tell you this-
    > > > THEY ALL SUCK. And ISS sucks just as badly as (worse in some places
    > > > than) any other product.
    > >
    > > You're right to a certain extent here. But you could extend this to
    > > probably every technology ever made. Everything has strengths and
    > > weaknesses.
    > 
    > Ah, no. Other technologies are in much better shape than IDS.
    > 
    > > One word of warning - be very wary of any IDS vendor (or their reseller)
    > > that won't send you some kind of demo/eval copy. There are a few vendors
    > > and resellers that still do this and it is lame. You wouldn't spend a dime
    > > on a car without taking it for a test drive - same is true of any IDS.
    > 
    > That makes sense except for appliances, where they may have more trouble
    > giving you a box to play with.
    > 
    > t
    > 
    This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 15:48:38 PDT