Firewall Wizards mailing list archives

Re: ??? vs blackice -reply


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 23 Mar 2000 10:31:07 -0800 (PST)

--- Mark.Teicher () predictive com wrote:
> What I meant in the previous message was that NetworkICE cannot be placed 
> in the same category as ISS RealSecure or NFR IDA 4.01.  These products 
> address completely different segments of the IDS product space.

Hhhmm. Apparently you haven't used BlackICE Sentry yet. The Sentry version does
the following:
* promiscuous packet capture
* over 400 signatures
* full stateful protocol analysis
* centralized mgmt/reporting
* etc.

In Greg Shipley's review at http://www.nwc.com/1023/1023f19.html, you can see
the performance of the network engine when compared with alternatives.

Moreover, the "full stateful analysis" means the signatures are much more
robust. For example, we have only one signature for a POP3 buffer overflow in
the user name field, whereas other products have as many as 20.

We have several customers who have thrown out RealSecure and replaced it with
BlackICE Sentry because:
* Sentry handles higher traffic rates
* Sentry has extensive anti-evasion capabilities (reassembles packets, handles
all whisker evasions, etc.)
* Sentry has dramatically fewer false positives (a lot of customers end up
paying a lot for RealSecure, then stop using it because they are drowned in
meaningless alerts).
* Its explanation of alerts is much better than the X Force stuff.

What feature is BlackICE Sentry missing such that you don't put it in the same
category?

> NetworkICE
> Lockdown 2000
> Bonzi Intruder
> are addressing the personal firewall and personal IDS space while

Uh, no. Lockdown2000 and Bonzi Intruder are neither firewalls nor real IDSs.
They are port monitors like Nukenabber. They contain zero packet filtering
capabilities.

In contrast, BlackICE Defender is currently the market leader in personal
firewalls. Both Defender and Sentry make use of the same underlying IDS engine,
but please don't confuse one for the other.

Robert Graham
CTO/Network ICE
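
The contrast drawn in the message between one protocol-level signature and many byte-pattern signatures, as an added example that is not part of the original post and is not Network ICE's code: a minimal POP3 decoder reassembles the client stream and checks the length of the USER argument, next to a per-packet pattern match. The function names, the 40-character limit (the per-argument maximum in RFC 1939) and the sample traffic are assumptions made for the illustration.

```python
# Added illustration; names, the limit and the sample traffic are assumptions.
MAX_ARG = 40  # RFC 1939: each POP3 argument may be up to 40 characters

# Constructed byte-pattern signature of the kind written for one specific exploit
NAIVE_PATTERNS = [b"USER " + b"A" * 64]


def naive_match(segments):
    """Per-packet pattern matching: no reassembly, no protocol decoding."""
    return any(p in seg for seg in segments for p in NAIVE_PATTERNS)


class Pop3Decoder:
    """Follows the client side of one POP3 session across TCP segments."""

    def __init__(self):
        self.buf = b""    # bytes of the command line not yet terminated
        self.alerts = []

    def feed(self, segment):
        # Reassemble the stream, then decode one complete command line at a time
        self.buf += segment
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            self._command(line.rstrip(b"\r"))

    def _command(self, line):
        keyword, _, arg = line.strip().partition(b" ")
        arg = arg.strip()
        # One rule covers every payload: keywords are case-insensitive and
        # the content of the oversized argument does not matter, only its length
        if keyword.upper() == b"USER" and len(arg) > MAX_ARG:
            self.alerts.append(("pop3-user-overflow", len(arg)))


def stateful_match(segments):
    dec = Pop3Decoder()
    for seg in segments:
        dec.feed(seg)
    return dec.alerts


# Constructed sample traffic (client-to-server TCP payloads)
SAMPLE_A = [b"USER " + b"A" * 600 + b"\r\n"]                    # matches the pattern
SAMPLE_B = [b"us", b"er " + b"B" * 300, b"B" * 300 + b"\r\n"]  # split, other filler
SAMPLE_C = [b"USER alice\r\n", b"PASS secret\r\n"]              # normal login

if __name__ == "__main__":
    for name, s in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, "pattern:", naive_match(s), "decoder:", stateful_match(s))
```

The pattern match fires only on sample A, while the decoder raises the same alert for A and B and stays silent on the normal login in C.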





