Educause Security Discussion mailing list archives

Re: FW: Q1 Labs: Network Security for Colleges and Universities


From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Wed, 6 Oct 2004 08:43:43 -0500

We have not used Q1's product but we did evaluate and ultimately
purchase Lancope's Stealthwatch appliance and we have been happy with
it.  The only thing that I feel that these devices are lacking is the
ability to positively identify known "bad" traffic by name instead of
the other sort of arbitrary statistical anomaly names that it gives
them.  E.g., a Sasser-like worm that our Lancope device just found on 5
hosts is identified as ICMP flood instead of just calling it by name.  I
realize that that is what Snort or the like is for, but it seems like it
wouldn't be hard to integrate.  Lancope sells a console device that
aggregates data from multiple Lancope devices, and a few other IDS
sensors, including Ghost, but I have not explored that option yet.
Anyway, our experience with statistical anomaly based NIDS has been
good.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

sjs74 () CORNELL EDU 10/5/2004 11:46:55 AM >>>
We have just purchased this product at Cornell and are working through
the steps to get it fully implemented.  Feeling like IDS/IPS would not
work in our environment we began looking at the Network Based Anomaly
Detection space.  We brought both Q1 Labs and Lancope in for testing into
our environment and selected Q1 Labs based upon our selection criteria.

To be honest, I have very high hopes for what this technology will
bring to our analysis and incident response capabilities.

sjs

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
