RE: Intrushield vs. ISS once more...

["Eric Hines" <eric.hines () appliedwatch com>]

I'll throw my 2 cents in here just for fun. 

1) ISS engineers have told me time and time again that turning on the
"packet capture" capabilities, which I think ANY IDS/IPS should
automatically be able to provide without turning on, was not recommended.
That is, the performance hit would be too great when these features were
enabled. I don't understand, does ISS really expect us to believe ISS when
it says it's detected a particular attack? By default, not allowing the user
to see the packet is a pretty bold statement from ISS that it doesn't expect
to see any false positives. When ISS acquired NetworkICE I had really
expected Robert Graham to come in and clean up RealSecure. 

2) The Trons functionality you speak of, again, is not recommended for use
due to the impact that has on performance when using too many Snort
signatures.

I reiterate that these are not my opinions, rather, what was said to me when
I last sat in on an ISS sales presentation with several SE's present.


Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Eric Hines, GCIA, CISSP                Toll Free: (877) 262-7593
CEO, President                         Direct: (877) 262-7593 x327
Applied Watch Technologies, Inc.       Fax: (877) 262-7593
1134 N. Main St.                       Web: www.appliedwatch.com
Algonquin, IL 60102 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Browserless Enterprise Snort Management is Finally Here"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: Brito, Nelson (ISS Brazil) [mailto:NBrito () iss net] 
Sent: Monday, December 27, 2004 9:28 AM
To: Murtland, Jerry; Jacob Winston; focus-ids () securityfocus com
Subject: RE: Intrushield vs. ISS once more...

I have been asked about those features and what I say is:  
"ISS is fully compatible with Ethereal and TCPDump captured files, you just
have to turn-on the response for this in the policy (aka LOG EVIDENCE)."  
  
You can also use TRONS, snort's style signatures, or even User Defined
signatures that uses regex. So you are able to write your own signatures.
;-)  
  
Just to let you all know, before reviewing any IDS/IPS, ask the manufacture
about the advanced configurations, I can bet that for whoever you ask about,
they will be glad to assist you as they can.

- nb

Merry Christmas and Happy New Year.
Feliz Navidad y Próspero Año Nuevo.
Feliz Natal e Próspero Ano Novo.

{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}print$0;

 

-----Original Message-----
From: Murtland, Jerry [mailto:MurtlandJ () Grangeinsurance com]
Sent: Monday, December 20, 2004 6:20 PM
To: 'Jacob Winston'; focus-ids () securityfocus com
Subject: RE: Intrushield vs. ISS once more...


Personally, I reviewed ISS along with Cisco's IDS, NetScreen's and a few
other's.  Last week I decided on NetScreen because of it's ease of use (just
like a firewall), and it's compatibility with key software like
Ethereal/TCPDump.  The amount of information it gives you isn't bad although
like ISS and a few others, you will get the occasional alert that really
just doesn't give you enough to go on, so you have to count on other things
like netscout or a packet sniffing package to do some analysis.

I thought ISS was great also, but I also thought that there were too many
steps to get things done.  The interface was a little convoluted and you
were entirely dependant on ISS's X-Force team to write your new signatures.
With NetScreen's Snort engine, I can write my own signatures.  Not to
mention, since they were just bought by Juniper, I'm sure their funding for
new development will surge.  Not trying to sell you on anything, just
offering my own opinion on what I experienced.

I'm not sold on anyone's technology as far as IPS goes, but I would look for
the ability to granularly step into that technology when I decided to block
specific traffic patterns in the future.

Jerry J. Murtland, CISSP



-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com]
Sent: Friday, December 17, 2004 8:49 PM
To: focus-ids () securityfocus com
Subject: Intrushield vs. ISS once more...




I have been evaluating Intrushield and ISS but am still unsure on which
route to take. Does anyone have compelling info on why Intrushield is better
or vice-versa? Any help is appreciated.



Thank you in advance.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------