IDS mailing list archives

RE: RE: Which is the most widely deployed commercial IPS


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Thu, 27 Apr 2006 15:09:23 -0700

Where am I going with this...? My biggest concern for the deployment 
I am targeting is False Positives. I definitely want the signature to 
be in blocking-mode out of the box. I am seeing companies like ISS 
ship many signatures in non-blocking mode, which at least for me is 
useless. What's the point having the customer try to figure out if a 
signature should be switched back to blocking or not? So a product 
like that is definitely out of the running. 

Could do with some feedback from customers on here to help cut 
through the marketing and false claims.

Well, keep in mind that everybody on this list is going to portray
whatever they sell, support or adore as sounding great. So, it's difficult if
not impossible to avoid bias and false claims. 

That much said, no IPS is going to be perfect out of the box. You have
to invest in tuning and analysis to get them in a sweet spot. Moreover,
every environment is different. So even though a vendor or reseller may
say "this is what the big boys use" doesn't mean it will work for you.

I would suggest you write down a set of requirements for an IPS. Then
pick off the top 3 or 4 IPS vendors, demo their gear, and figure out
which product fits best with your requirements. Don't trust what we say,
get the gear in front of you and use it. That's a much more appropriate
way to test which solution works.

Furthermore, you might want to consider using a managed security
provider to manage your IPS. If you're not sure what signatures to turn
on or off, let third-party experts manage this for you. 

Oh, and one last note. Symantec's host and network products are totally
different. So, your experiences with one (their host AV product) won't
apply to their network products. 

_____________________________________
Andrew Plato, CISSP
President / Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm 

