Windows based Monitoring Tool

Rainer,

Speaking for myself, only, I did not find your email intrusive...it remains to be seen about the rest of the list. Personally, I'd LOVE it if more vendors asked questions of THEIR security maillists (say Microsoft in the ms-vuln list?).

The above said, our methodology is 4-phased:

1. Vendor
2. CERT (with peculiarities for the country the server is located in, as prescribed by that country's CERT or equivalent if applicable - Link: http://www.cert.org/security-improvement/#general - also any regulatory requirements issues fall in this stage, for industries, such as Insurance and Banking, that are regulated)
3. If the customer is in the US or has a significant business presence there, the NSA "Securing..." practices (Link: http://nsa1.www.conxion.com/win2k/download.htm). For other countries, we use that country's INFOSEC guidelines, if applicable and available.
4. If applicable, we use the internal best practices of the customer, preferably those dictated by their outside auditors. If these standards and practices don't exist, we use Lance Spitzner's excellent Guides (Link: http://www.enteract.com/~lspitz/papers.html), as well as the previous ones, in helping us develop them for our customers and clients (then we pass that final product on to the internal and outside auditors, if applicable - easy to do, as they are part of the editorial board that writes and approves the final product).

All of the above guides are somewhat redundant, when it comes to securing NT/2000/XP, and some are outdated and do not approach the peculiarities of newer versions of the OS, or patched versions, with the SPs in place. We have a standard template that, we think, addresses the issues, and we use the SNORT/SNOOP rulesets as further guidance.

The biggest issue, WRT NT logging/syslog, is the CPU overhead imposed. SNORT/SNOOP with ACID is free and somewhat solves this problem, but a true 'thin' solution, running as an agent, does not yet exist. This is in direct contrast to the various Unix solutions out there.

The final issue is one of price. If you are expecting to charge the equivalent of a Unicenter price for your product, you'll get a large amount of interest from the uncommitted Global 2000 community. That is NOT where the problem is. It is for the smaller businesses and ISPs that run NT (although they are re-thinking their commitment, currently, given the Microsoft security flaws and licensing issues) that the market really falls apart. What is REALLY needed is a free or almost free solution, commercially supported (at, say, USD$50/IP address/year) that improves on the situation with Microsoft's toolset (especially WRT the CPU loading problem, network traffic problem and memory footprint) and has acceptance of the security community - especially INFOSEC government entities and the Big Four. That would be the security 'killer app' in the Microsoft OS space, IMNSHO, especially if it were able to be extended to SQL Server, Oracle, or DB2 in a way that Microsoft, Oracle and IBM don't seem able to get right.

I'll download your product and check the manual out, but if you are using Microsoft's 'normal' toolset/APIs/libraries, you've already failed, since you won't address the CPU, network traffic and memory problems.

Michael J. Cannon
President
Ubiquicomm

----- Original Message -----
From: Rainer Gerhards
To: 'loganalysisat_private'
Sent: Friday, September 28, 2001 11:16 AM
Subject: [logs] Windows based Monitoring Tool

Hi list,

I am with Adiscon, a vendor of Windows based monitoring solutions. I would like to gather some feedback on a new product we are currently developing. I definitely do not want to advertise something here; if somebody is upset with my message please accept my apologies.

The reason I am writing is: we are currently implementing a monitoring solution which includes syslog as well as NT event monitoring. There is more to come and I would like to gather real-world feedback on what is needed. This is also one of my primary reasons for reading this list.

The product is not yet for analysis but enables data to be entered into central systems. We have today officially announced a preview release and I would be very grateful if some of you dealing with mixed Unix/NT environments could have a look at the product itself or the manual. I can promise we will take every comment very seriously.

BTW: we do not yet support the syslog RFC, but this is on the todo list (including reliable syslog).

If you'd like to have a look, please turn to www.monitorware.com/en/. There is a link off this page both to the manual as well as the download set.

Once again, my apologies if you consider this mail intrusive.

Best regards,
Rainer Gerhards
Adiscon

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 10:57:17 PDT