IDS mailing list archives
RE: ISS RealSecure/SiteProtector or another IDS/firewall client?
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Wed, 26 Nov 2003 15:57:18 -0700
" Up to now, this isn't verified by any supporting authority but a lot of the IDS's out there are using the opensource technologies under the covers with proprietary changes. Look at sourcefire the underbelly is Snort (I know that Marty Roesch created Snort and started Sourcefire) but it is just an example of what technologies are using." Yes, there are quite of few product in the NIDS space that utilize Sn0rt signatures, most of them not well, or they have mutilated some of the IDS signatures so they do not have to abide by any software license agreements or opensource (as in acknowledge they are using opensource code) in their products. A majority of them do not have enough coverage or enough detail other than an IDS signature was triggered. SourceFire is the commercial version of Sn0rt which has lots of bells and whistles and gets Sn0rt into major corporations who have played with Sn0rt but could not get upper management to approve opensource code into production environments. Sn0rt is vastly different from ISS, as are other products in the NIDS/NIPS space. NAI Intruvert straddles both worlds, and have some IDS signatures that are not in either Sn0rt or protocol decodes that can be seen in IDS Proventia M/ISS Site Protector. I would agree that ISS Site Protector is not easy to install and configure, but what other commercial products combines that many products to one console and succeeds without killing boxes left and right. Some products that attempt to advertise that much functionality lack the depth in some of the features they advertise as their competitive edge and others just plain broken. /m -----Original Message----- From: Bohling James CONT JBC [mailto:james.bohling () JBC JFCOM MIL] Sent: Wednesday, November 26, 2003 10:05 AM To: Luke Leboeuf; Benjamin B. Williams; focus-ids () securityfocus com; firewalls () securityfocus com Subject: RE: ISS RealSecure/SiteProtector or another IDS/firewall client? My team here has done some pretty good research and assessment on the ISS SiteProtector system. There conclusion is that it is way too immature and that Group manager should be used until future upgrades. I also would suggest that the group manager be looked at because of the maturity. However, with the ISS products the interfaces are not too intuitive or clean. Also, I would definitely look into the open source products, tripwire and snort (Now supports Windows and Linux), Samhain, Integrit, Osiris, and Prelude. We have had a lot of success with open source products and the life cycle and open support for Snort is very good for being open source. Up to now, this isn't verified by any supporting authority but a lot of the IDS's out there are using the opensource technologies under the covers with proprietary changes. Look at sourcefire the underbelly is Snort (I know that Marty Roesch created Snort and started Sourcefire) but it is just an example of what technologies are using. Thank You, James T. Bohling, CCNA, Security+, MCP-Win2k Network Security Engineer - JBC CoE Joint C4ISR Battle Center (AMSEC) 116 Lake View Parkway Suffolk, VA 23435 (W) 757-638.4032 Web: www.jbc.jfcom.mil This email was produced and manufactured in America, and is a one-of-a-kind original. -----Original Message----- From: Luke Leboeuf [mailto:luke () arcsight com] Sent: Tuesday, November 25, 2003 1:04 PM To: Benjamin B. Williams; focus-ids () securityfocus com; firewalls () securityfocus com Subject: RE: ISS RealSecure/SiteProtector or another IDS/firewall client? By client based IDS do you mean host based IDS? If so, I would recommend Okena Stormwatch (now owned by Cisco) over ISS or even tripwire. What version of ISS are you looking towards? Realsecure 6.x or Siteprotector 2.X? Luke LeBoeuf ArcSight, Inc. (c) 571.331.3809 (e) luke () arcsight com http://www.arcsight.com CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute, notify the sender by E-Mail at the address shown and delete the original message along with any attachments. Thank you for your compliance -----Original Message----- From: Benjamin B. Williams [mailto:benw () gwu edu] Sent: Tuesday, November 25, 2003 11:23 AM To: focus-ids () securityfocus com; firewalls () securityfocus com Subject: ISS RealSecure/SiteProtector or another IDS/firewall client? Hey all - Has anyone had experience with ISS products, particularly their RealSecure line? We are planning for the upgrade (several years late) to Windows XP in our computer labs, and need a client-based firewall/IDS that can be centrally managed and has a decent logging system. RealSecure looks like a good choice for us, but I thought I'd ask if anyone's had experience or could recommend an (or several) alternates? Thanks, Benjamin B. Williams Senior Programmer/Analyst Computer Lab Support Services The Center for Academic Technologies The George Washington University (202) 412-4697 (m) (202) 994-7611 (p) (202) 994-3600 (f) "Una giornata senza riso รจ una giornata sprecata" --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- ISS RealSecure/SiteProtector or another IDS/firewall client? Benjamin B. Williams (Nov 25)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Alan Shimel (Nov 26)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Gwendolynn ferch Elydyr (Nov 26)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Jack Whitsitt (jofny) (Nov 26)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Mike Lyman (Nov 27)
- Re: ISS RealSecure/SiteProtector or another IDS/firewall client? Mike Lyman (Nov 26)
- <Possible follow-ups>
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Luke Leboeuf (Nov 25)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Sergey V. Gordeychik (Nov 26)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Bohling James CONT JBC (Nov 26)
- Re: ISS RealSecure/SiteProtector or another IDS/firewall client? Martin Roesch (Nov 27)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Teicher, Mark (Mark) (Nov 27)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Teicher, Mark (Mark) (Nov 27)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Chan Kien Eng (Nov 27)
- Re: ISS RealSecure/SiteProtector or another IDS/firewall client? Andrew Plato (Nov 27)
- RE: ISS RealSecure/SiteProtector or another IDS/firewall client? Alan Shimel (Nov 26)