Re: [logs] Sentry/Counterpane how is it working ?

From: Tina Bird (tbird@precision-guesswork.com)
Date: Wed Mar 13 2002 - 08:59:24 PST

    Thanks Sweth, Faron, for your answers.  I'll just
    add that yes, the Sentry is completely passive -- we
    work with our customers to get their network devices
    forwarding to us over syslog, SNMP and SMTP.  The
    Sentry doesn't take any of the various encrypted 
    flavors of syslog at this point, mostly from lack of
    customer demand.
    
    Sweth spotted my least favorite bit of our current 
    Web site descriptions.  "Network monitoring" as described
    below -- or as used by Bruce once too often in his
    copious public speaking -- doesn't mean what we the
    geeks mean by "network monitoring".  Bruce means, 
    collecting and processing all the log files produced
    on your network.  What the rest of the world means, 
    of course, is sniffing packets and detecting evil...
    I've been trying to come up with a more effective
    phrase than "network wide log file collection and
    analysis" so I can eliminate "network monitoring"
    from the doc, but no luck so far.  Suggestions
    gleefully accepted.
    
    What >do< we call what we do?
    
    On Tue, 12 Mar 2002, n gold wrote:
    
    > The Counterpane Sentry is a "passive" monitoring appliance in that it
    > "listens" to devices that are configured to send their logs or alerts or
    > traps to the Sentry...That is to say, the Sentry does not do "sniffing".
    > their knowledge of the customer's network, current attacks, etc..
    
    <aggressive clipping>
    
    > 
    > The Sentry uses an outbound SSL connection to set up an encrypted tunnel
    > from it to the remote monitoring centers. And it is a little more than just
    > a straight SSL connection (after all, the CTO is himself a
    > cryptographer-extraordinaire, non?).
    > 
    > HTH,
    > n gold
    
    > ----- Original Message -----
    > From: "Sweth Chandramouli" <loganalysisat_private>
    > To: <loganalysisat_private>
    > Sent: Tuesday, March 12, 2002 4:00 PM
    > Subject: Re: [logs] Sentry/Counterpane how is it working ?
    > 
    > > That conflicts with what it says at:
    > > >   (check out Question 7 : http://www.counterpane.com/questions.html)
    > > , however, now that I look at that link:
    > > "Counterpane's business model works because network monitoring is
    > > fundamentally better than device monitoring" _does_ imply pretty
    > > strongly that they don't gather data from routers, switches, servers,
    > > etc.  Either that piece of marketing was written by someone who is
    > > using "device monitoring" to mean something different (I do notice that
    > > earlier in the same section they use the phrase "device monitoring/
    > > management", so perhaps they are just trying to emphasize that they
    > > only monitor things--they aren't like some companies whose business
    > > model was to actually go in and manage devices as part of their security
    > > services), or things have changed greatly.
    > >
    > > >  - How the device handles encrypted connection (like SSL/TLS, SSH...) ?
    > > >  - Maybe you can store private key on the sentry box ? (maybe quite dangerous)
    > > I'm not sure I understand these questions; could you
    > > clarify them?
    > >
    > > > - So with this type of system where can you get the system log for
    > > > example ? (Event log and audit log from WIN32 ? Specific application
    > > > log ?)
    > > Again, as of last year, all of this info would be
    > > redirected to the sentries just like syslog info would be.
    > >
    > > > - Another question : Is it possible to get the software of sentry ?
    > > > Or having a technical overview of the software ?
    > > There's a whole lot of proprietary stuff on those boxes
    > > that I don't think they'd want to give away to competitors. :)  I'm
    > > sure if you had specific questions, though, their sales folks could
    > > get you the appropriate info.
    > >
    > > -- Sweth.
    > >
    > > --
    > > Sweth Chandramouli ; <svcat_private>
    > > President, Idiopathic Systems Consulting
    > >
    > > ---------------------------------------------------------------------
    > > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > > For additional commands, e-mail: loganalysis-helpat_private
    > >
    > >
    > 
    > 
    > 
    
    
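    Tina's description above of a passive collector (devices forward syslog to
    the Sentry, nothing is sniffed, and the encrypted syslog flavors are not
    accepted) is easier to see in code. The block below is an added example
    written for this archive page; it is not Counterpane's software and was not
    posted by anyone in the thread. It is a small BSD-syslog (RFC 3164) receiver
    and parser: the hostnames, addresses and log lines are constructed for the
    example, and the serve_udp helper and its handler signature are this
    example's own assumptions, not any product's API.

```python
"""Passive syslog collector: parse what devices forward, tally it, flag the bad.

Added example, not code from the thread or from Counterpane.  All sample
lines, hosts and addresses below are constructed for the example.
"""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# RFC 3164 section 4.1.1 facility and severity codes (PRI = facility*8 + severity).
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Classic BSD layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class Event:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    msg: str


def parse_syslog_line(line: str) -> Optional[Event]:
    """Parse one BSD-syslog line; return None for anything malformed."""
    m = _LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23*8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    pid = m.group("pid")
    return Event(
        facility=FACILITIES[facility],
        severity=SEVERITIES[severity],
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        pid=int(pid) if pid is not None else None,
        msg=m.group("msg"),
    )


def collect(lines: Iterable[str], alert_at: str = "crit") -> Dict[str, object]:
    """Passive ingest: parse forwarded lines, tally per host and facility,
    and flag events at or above the alert_at severity."""
    threshold = SEVERITIES.index(alert_at)
    events: List[Event] = []
    rejected: List[str] = []
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is None:
            rejected.append(line)      # keep what we could not parse; never silently drop
        else:
            events.append(ev)
    return {
        "events": events,
        "rejected": rejected,
        "by_host": Counter(ev.host for ev in events),
        "by_facility": Counter(ev.facility for ev in events),
        "alerts": [ev for ev in events if SEVERITIES.index(ev.severity) <= threshold],
    }


def serve_udp(handler: Callable[[str, Optional[Event]], None],
              bind: str = "0.0.0.0", port: int = 514,
              max_datagrams: Optional[int] = None) -> None:
    """Listen for forwarded syslog over plain UDP (hypothetical helper).

    Caveat: UDP syslog has no sender authentication or integrity, so both the
    source address and the line contents are unverified claims.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = 0
    while max_datagrams is None or seen < max_datagrams:
        data, (src, _) = sock.recvfrom(8192)
        handler(src, parse_syslog_line(data.decode("utf-8", "replace")))
        seen += 1
    sock.close()


# Constructed sample input: two good auth lines, a router notice, a kernel
# critical, one line with an out-of-range PRI, and one with no PRI at all.
SAMPLE_LINES = [
    "<38>Mar 13 08:59:24 fw1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "<38>Mar 13 08:59:31 fw1 sshd[1234]: Accepted publickey for tbird from 198.51.100.7 port 40022 ssh2",
    "<13>Mar 13 09:00:02 rtr1 ospfd: neighbor 192.0.2.1 down",
    "<2>Mar  5 09:00:15 db1 kernel: Out of memory: Killed process 4242 (postgres)",
    "<200>Mar 13 09:00:20 rtr1 snmpd: bogus priority value",
    "Mar 13 09:00:21 rtr1 snmpd: line without a PRI header",
]

if __name__ == "__main__":
    summary = collect(SAMPLE_LINES)
    print("parsed:", len(summary["events"]), "rejected:", len(summary["rejected"]))
    print("by host:", dict(summary["by_host"]))
    for ev in summary["alerts"]:
        print("ALERT", ev.host, ev.facility, ev.severity, ev.tag, ev.msg)
```

    Running the block directly prints the tally for the constructed lines;
    serve_udp is the only piece that touches the network and is not called by
    default. Because plain UDP syslog has no sender authentication, a collector
    built this way has to treat the source address and the line contents as
    claims rather than facts, which is the practical cost of not taking one of
    the encrypted syslog flavors Tina mentions.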
    



    This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 16:27:43 PST