I was not going to get into this because I'm so far behind. But since you mentioned an appliance I thought I would comment. SAGE will in fact allow a company up to a 90-day free trial of BRICKServer. Of course we use this for companies serious about using the product. But if they don't like it after trying it, all they have to do is call and we will take it back. The trial can be live on their system or in a lab, whichever they prefer. My point here is even an appliance should be able to be tried before you buy.

Jerry

Jerry Krummel
Senior Account Executive
SAGE, Inc. Western Region
30339 SW Thomas St., #803
Wilsonville, OR 97070
Tel: 503-682-3995; Cell: 503-936-6987
Email: jerry@sage-inc.com
www.sage-inc.com
www.thirdpig.com

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private]On Behalf Of Toby
Sent: Tuesday, September 03, 2002 8:40 AM
To: Andrew Plato
Cc: brvarin@private; crime@private
Subject: Re: CRIME Checkpoint versus Sonicwall

Andrew Plato writes:
> > I was going to leave this conversation alone but I just have to jump in at
> > this point. "ISS is the only solution for enterprise IDS as far as I'm
> > concerned."? That's an interesting thing to say. Have you ever tried to
> > get the packet logs from a BlackICE sensor when you need to figure out why
> > you're seeing false positives? Have you ever had to try and figure out
> > why you're seeing an alert when you have no way of telling what triggered the
> > system because not only do you not have documentation on the details of the
> > protocol engines but the packet log is half empty because only the last
> > packet in a sequence is caught?
>
> Toby, come on, all of these questions can be answered. You just have to know
> who to ask. :-) The BlackICE protocol engine is documented in gory detail in
> the BlackICE Advanced Administration Guide - which anybody using a
> BlackICE based IDS should have a copy of.

Notice, I didn't suggest that ISS was the only one (or even that I was specifically complaining about ISS). I was simply making a point on it. As for the packet logs, you can't fix that because ISS won't fix it. <shrug> such is life.

>
> If you want, I will send you a copy of this document as ISS, for
> reasons I have never understood, seems intent on keeping this doc
> hidden.

I'd love a copy. You can send it here or to: toby@private

> And if you're nice to me - I'll send you some "secret" commands
> that allow you to "look inside" the protocol engine even deeper.

Puh-lease!?! ;)

> > As a manager of mine used to say - I'm a simple man. I don't expect
> > perfection from my IDS, these days I don't even expect them to be very
> > good. But I've looked at EVERY commercial IDS I could find and every IDS
> > technology approach there is and I tell you this -
> > THEY ALL SUCK. And ISS sucks just as badly (worse in some places) than any
> > other product.
>
> You're right to a certain extent here. But you could extend this to probably
> every technology ever made. Everything has strengths and weaknesses.

Ah, no. Other technologies are in much better shape than IDS.

> One word of warning - be very wary of any IDS vendor (or their reseller) that
> won't send you some kind of demo/eval copy. There are a few vendors and resellers
> that still do this and it is lame. You wouldn't spend a dime on a car
> without taking it for a test drive - same is true of any IDS.

That makes sense except for appliances, where they may have more trouble giving you a box to play with.

t
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 14:50:55 PDT