James Wilcox writes:

> Espousing one tool over another sounds a bit like the old Ford vs. Chevy vs.
> Dodge argument (which can be kind of fun over beers and billiards).
>
> Peter Tippett has been on a path for a while promoting multiple defenses to
> compensate for the imperfection of any single one. As Deming used to say,
> Tippett reiterates, "Technology is not the answer." You can't rebuild an
> engine with just an end-wrench. You need multiple tools and some knowledge
> of what you are doing, how to do it, and how the system works. Tippett
> builds his idea on Bayesian inference.

Which is also what I've been saying all along- you have to use multiple products to deal with the fact that they are all fallible.

t

> http://www.cfo.com/Article?article=7604
>
> By the way, if you don't recall Bayesian history, Thomas Bayes was a
> minister who was born in Kent in 1701. The problem he dealt with is as
> follows:
>
> Given that the number of times in which an unknown event has happened and
> failed, the chance that the probability of its happening in a single trial
> lies somewhere between any two degrees of probability that can be named. He
> did his research with a billiard table... he couldn't have been all bad.
>
> James R. Wilcox, CISSP
> Western Region Manager
> SecureInfo Corporation
> 503 799-8438
> Sales Support (Brandi McMahan) 888 677-9351
> TESS Support 888 753-8377
> james.wilcox@private
> www.secureinfo.com
>
> -----Original Message-----
> From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Toby
> Sent: Tuesday, September 03, 2002 8:40 AM
> To: Andrew Plato
> Cc: brvarin@private; crime@private
> Subject: Re: CRIME Checkpoint versus Sonicwall
>
> Andrew Plato writes:
>
> > > I was going to leave this conversation alone but I just have to jump in at
> > > this point. "ISS is the only solution for enterprise IDS as far as I'm
> > > concerned."? That's an interesting thing to say. Have you ever tried to
> > > get the packet logs from a BlackICE sensor when you need to figure out why
> > > you're seeing false positives? Have you ever had to try and figure out
> > > why you're seeing an alert when you have no way of telling what triggered the
> > > system because not only do you not have documentation on the details of the
> > > protocol engines but the packet log is half empty because only the last
> > > packet in a sequence is caught?
> >
> > Toby, come on, all of these questions can be answered. You just have to know
> > who to ask. :-) The BlackICE protocol engine is documented in gory detail in
> > the BlackICE Advanced Administration Guide - which anybody using a
> > BlackICE based IDS should have a copy of.
>
> Notice, I didn't suggest that ISS was the only one (or even that I was
> specifically complaining about ISS).
> I was simply making a point on it. As for the packet logs, you can't fix
> that because ISS won't fix it. <shrug> such is life.
>
> > If you want, I will send you a copy of this document as ISS does, for
> > reasons I have never understood, seems intent on keeping this doc
> > hidden.
>
> I'd love a copy. You can send it here or to:
> toby@private
>
> > And if you're nice to me - I'll send you some "secret" commands
> > that allow you to "look inside" the protocol engine even deeper.
>
> Puh-lease!?!
> ;)
>
> > > As a manager of mine used to say- I'm a simple man. I don't expect
> > > perfection from my IDS, these days I don't even expect them to be very
> > > good. But I've looked at EVERY commercial IDS I could find and every IDS
> > > technology approach there is and I tell you this-
> > > THEY ALL SUCK. And ISS sucks just as badly (worse in some places) than any
> > > other product.
> >
> > You're right to a certain extent here. But you could extend this to probably
> > every technology ever made. Everything has strengths and weaknesses.
>
> Ah, no. Other technologies are in much better shape than IDS.
>
> > One word of warning - be very wary of any IDS vendor (or their reseller) that
> > won't send you some kind of demo/eval copy. There are a few vendors and resellers
> > that still do this and it is lame. You wouldn't spend a dime on a car
> > without taking it for a test drive - same is true of any IDS.
>
> That makes sense except for appliances, where they may have more trouble
> giving you a box to play with.
>
> t
>
This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 15:48:38 PDT