IDS mailing list archives

Re: ISS RealSecure/SiteProtector or another IDS/firewall client?


From: Mike Lyman <mlyman-security () comcast net>
Date: Tue, 25 Nov 2003 20:59:41 -0600

On Tue, 2003-11-25 at 10:22, Benjamin B. Williams wrote:

> We are planning for the upgrade (several years late) to Windows XP in our
> computer labs, and need a client-based firewall/IDS that can be centrally
> managed and has a decent logging system.  RealSecure looks like a good
> choice for us, but I thought I'd ask if anyone's had experience or could
> recommend an (or several) alternates?

My experience is now a few months old since I've left the job where I
used the stuff but I used BlackICE/RealSecure Desktop protector from
shortly before ISS bought NetworkICE until July this year. Very heavy on
Windows XP in our environment. 

I liked it as a desktop IDS and it provided a darn good picture of what
was going on around the network. Proved to be a big winner during Code
Red, Nimda and Slammer. It even helped us detect SQL Spider before it
was widely noticed around the 'net because we had it deployed to
employee home computers as well as on the corporate network. (Not a lot
before, and all we could tell was that there were worm-like probes hitting the
SQL port in increasing numbers.)

It has had stability problems since Windows XP was released. ISS always
addressed them as the problems cropped up and the occurrences of
problems became less and less common but they still occurred. I'd test
things carefully around system suspending and being restored. ISS has
probably fixed that one by now but I've not looked at the product since
before July so I don't know what version is current. 

We had a voluntary desktop deployment so stability issues were not a
significant concern since we'd just have the product uninstalled if it
caused problems.

We made use of Windows XP's built in firewall so we were never concerned
with ISS's product's firewall ability. The stability issues would have
made me a bit concerned about complete reliance on it as the desktop
firewall. 

Ran into a few issues with the system locking up that were partially due to an
overloaded connection into our SQL Server, which we fixed by going to a
gig connection (more was going into the DB server than BlackICE data, so that
wasn't the problem), and partially a bug in the ICECap management system
that cropped up because of the saturated connection into the DB server.
ISS fixed their bug about the time we went to a gig connection. After
that things ran beautifully. 

If you're looking for a simple to run desktop IDS, I can easily
recommend the product. As for a firewall, I'd check into the stability
issues. ISS was always responsive and the issues did not hit many
systems but as a firewall it would have worried me.

Mike Lyman
pgp keyid 0xAB7F35DA
