IDS mailing list archives

RE: ISS RealSecure/SiteProtector or another IDS/firewall client?


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Wed, 26 Nov 2003 15:57:18 -0700

"Up to now, this isn't verified by any supporting authority but a lot of the IDS's out there are using the opensource 
technologies under the covers with proprietary changes. Look at sourcefire the underbelly is Snort (I know that Marty 
Roesch created Snort and started Sourcefire) but it is just an example of what technologies are using."

Yes, there are quite a few products in the NIDS space that utilize Sn0rt signatures, most of them not well, or they 
have mutilated some of the IDS signatures so they do not have to abide by any software license agreements or opensource 
(as in acknowledge they are using opensource code) in their products.  A majority of them do not have enough coverage 
or enough detail other than an IDS signature was triggered.  SourceFire is the commercial version of Sn0rt which has 
lots of bells and whistles and gets Sn0rt into major corporations who have played with Sn0rt but could not get upper 
management to approve opensource code into production environments.

Sn0rt is vastly different from ISS, as are other products in the NIDS/NIPS space. NAI Intruvert straddles both worlds, 
and has some IDS signatures that are not in either Sn0rt or protocol decodes that can be seen in IDS Proventia M/ISS 
Site Protector.

I would agree that ISS Site Protector is not easy to install and configure, but what other commercial product combines 
that many products into one console and succeeds without killing boxes left and right?  Some products that attempt to 
advertise that much functionality lack the depth in some of the features they advertise as their competitive edge and 
others are just plain broken.

/m

-----Original Message-----
From: Bohling James CONT JBC [mailto:james.bohling () JBC JFCOM MIL] 
Sent: Wednesday, November 26, 2003 10:05 AM
To: Luke Leboeuf; Benjamin B. Williams; focus-ids () securityfocus com; firewalls () securityfocus com
Subject: RE: ISS RealSecure/SiteProtector or another IDS/firewall client?


        My team here has done some pretty good research and assessment on the ISS SiteProtector system.  Their 
conclusion is that it is way too immature and that Group manager should be used until future upgrades. I also would 
suggest that the group manager be looked at because of the maturity.  However, with the ISS products the interfaces are 
not too intuitive or clean.  Also, I would definitely look into the open source products, tripwire and snort (Now 
supports Windows and Linux), Samhain, Integrit, Osiris, and Prelude.  We have had a lot of success with open source 
products and the life cycle and open support for Snort is very good for being open source.  
        Up to now, this isn't verified by any supporting authority but a lot of the IDS's out there are using the 
opensource technologies under the covers with proprietary changes. Look at sourcefire the underbelly is Snort (I know 
that Marty Roesch created Snort and started Sourcefire) but it is just an example of what technologies are using.


Thank You,
James T. Bohling, CCNA, Security+, MCP-Win2k
Network Security Engineer - JBC CoE
Joint C4ISR Battle Center (AMSEC)
116 Lake View Parkway
Suffolk, VA 23435
(W) 757-638.4032
Web: www.jbc.jfcom.mil
This email was produced and manufactured in America, and is a one-of-a-kind original.



-----Original Message-----
From: Luke Leboeuf [mailto:luke () arcsight com] 
Sent: Tuesday, November 25, 2003 1:04 PM
To: Benjamin B. Williams; focus-ids () securityfocus com; firewalls () securityfocus com
Subject: RE: ISS RealSecure/SiteProtector or another IDS/firewall client?

By client based IDS do you mean host based IDS? If so, I would recommend Okena Stormwatch (now owned by Cisco) over ISS 
or even tripwire. What version of ISS are you looking towards? Realsecure 6.x or Siteprotector 2.X?


Luke LeBoeuf
ArcSight, Inc.
(c) 571.331.3809
(e) luke () arcsight com
http://www.arcsight.com


CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed 
and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you 
have received this communication in error, please do not distribute, notify the sender by E-Mail at the address shown 
and delete the original message along with any attachments. Thank you for your compliance


-----Original Message-----
From: Benjamin B. Williams [mailto:benw () gwu edu] 
Sent: Tuesday, November 25, 2003 11:23 AM
To: focus-ids () securityfocus com; firewalls () securityfocus com
Subject: ISS RealSecure/SiteProtector or another IDS/firewall client?

Hey all -

Has anyone had experience with ISS products, particularly their RealSecure line?

We are planning for the upgrade (several years late) to Windows XP in our computer labs, and need a client-based 
firewall/IDS that can be centrally managed and has a decent logging system.  RealSecure looks like a good choice for 
us, but I thought I'd ask if anyone's had experience or could recommend an (or several) alternates?

Thanks,

Benjamin B. Williams
Senior Programmer/Analyst
Computer Lab Support Services
The Center for Academic Technologies
The George Washington University

(202) 412-4697 (m)
(202) 994-7611 (p)
(202) 994-3600 (f)

"Una giornata senza riso è una giornata sprecata"



