IDS mailing list archives

Re: Intrusion Prevention


From: Randy Taylor <gnu () charm net>
Date: Mon, 23 Dec 2002 23:02:16 -0500


Thanks Dave and Steve. That info was just what I needed and
right on time.

I will be beginning evals of IntruVert soon, with NetScreen IDP to follow.
For functionality ("speeds and feeds") criteria, I am relying heavily on OSEC,
because the Neohapsis crew knows their stuff and nothing is hidden - all
the details are there in the criteria. IntruVert has been through OSEC - I
haven't seen a date for NetScreen set yet, so I'll be holding off their eval
until they've been through that process.

I'm looking at IntruVert for my project's Gig pipes, and NetScreen's IDP
for the sub-Gig pipes. I can't justify IntruVert's cost for anything under
Gig speeds yet.

Beyond that, I am looking for feedback on "human factors" issues,
such as scalability (ok that's a cross between technical and human),
manageability, ease-of-use, forensics capability, sensor/analyst
ratios, etc. for both IntruVert and NetScreen IDP. Folks out there using
either of these products, please feel free to email me directly with your
experiences with them in the real work world. I'd really appreciate
your input.

Best regards and happy holidays to all,

Randy

-----
"Go ahead and quit. We'll just hire dumber people to
replace you." -- Demetri Fanourgiakis, Security VP,
Enterasys Networks, Summer 2002. Yeah, this is
the guy that replaced Ron Gula. You may now boggle. ---


At 12:52 PM 12/23/2002 -0700, Dave Mitchell wrote:
I personally recommend the Netscreen IDP. It uses flow based packet inspection, can ride in-line or in sniffer, and has a realtime Java GUI for Windows or Linux. Policy options include the ability to allow, discard, TCP RST client, TCP RST server, or both. The 2.0 code allows for in-line with spanning tree and can also use VRRP. They are reliable, easy to install,
and best of all, easy to manage.

I was able to push near ~450mb/s at the IDP 500.

-dave

On Mon, Dec 23, 2002 at 11:52:08AM -0600, Carey, Steve T GARRISON wrote:
> We are currently testing it. It is pretty impressive. Gives you the capability
> to either look at just the packet that caused the alert, or the alert packet and
> five subsequent packets, or entire flow (which gives you the traffic from the
> source and the destination).  Currently the best commercial product we have
> looked at.
>
> Steven T. Carey
> LCIRT-R Team Leader
> Comm (256) 876-5811
> Cell (256) 947-0225
>
>
> -----Original Message-----
> From: Johnny Kho [mailto:johnnyk () mailhost net]
> Sent: Sunday, December 22, 2002 10:14 PM
> To: Johnny Kho
> Cc: focus-ids () securityfocus com
> Subject: Intrusion Prevention
>
>
> Hi.
>
> Anyone have tested Intruvert Network IPS? It is pretty impressive from the
> NSS test results...
>
> www.intruvert.com
>
> Merry Christmas and Holiday Cheers to all..
>
> Johnny


