RE: TippingPoint vs. Intrushield

["Bob Walder" <bwalder () spamcop net>]

Paul,

Interesting that you should infer that TippingPoint "won" the latest NSS
shootout, since we didn't come up with a clear winner overall. In fact
we tend not to do that, since each product could have different
applications in different environments.

Read the report (www.nss.co.uk), and decide for yourselves which of the
performance metrics and the features apply to your environment. For
example:

1. You might only want to protect a single 500Mbps link - therefore you
might be paying over the odds by looking at these two solutions only. 

2. You might never have more than 5000 new connections per second
hitting your Web servers, therefore the ability to go way beyond that
and still detect 100% of all attacks - whilst impressive - is probably
not worth paying for.

3. The ease of policy definition for which we praised Tippingpoint might
not mean a thing to you - it is one of the features that caused us to
rate it highly ALL OTHER THING BEING EQUAL, but you might weight it
lower than we did

4. You might have need of the Virtual IDS capabilities offered by
IntruShield - this is currently the only product we have tested which
offers anything like that. If you need the ability to define and apply
multiple discrete security policies right down to individual host level
and yet supported on a single port pair then IntruShield is your only
option right now

5. Policy enforcement might be as important to you as intrusion
detection/prevention - in which case the Juniper (NetScreen) offering
would be of interest

6. You might like the way ISS correlates its vulnerability scanner data
with alerts from the IPS in order to raise or lower alert priorities -
if that is important to you, ISS should be high on your list (and
neither of the expensive boxes could do that when we looked at them)

Etc, etc, etc.....

These are just EXAMPLES, *NOT* concrete recommendations - try to come up
with some that apply to your environment and then read the report so see
if anything fits the bill.

In other words we try not to run a few tests, draw a line on a graph and
declare winners and losers. Most products have some USPs that may or may
not be important to you. We try to bring those out in the report too.

Oh - and don't believe everything those sales guys tell you. They take
our reports too and pull out JUST the bits that make their products look
good when they slap the "facts and figures" in front of you. I know of
one high-profile vendor (who shall remain nameless) whose sales guys
were going round saying that one of its main competitors could not do
proper protocol analysis because their engine was "based on Snort" -
something that is clearly untrue when you look closely, and can be
discerned as such just by reading our report. 

Use our reports to enable you to ask the sales guys some hard questions,
and hopefully to narrow down your short-list, but at the end of the day
you will probably still need to do some real testing in your own network

Regards,

Bob Walder
Director
The NSS Group





> > -----Original Message-----
> > From: Paul Schmehl [mailto:pauls () utdallas edu] 
> > Sent: 13 July 2004 16:08
> > To: Jacob Winston; focus-ids () securityfocus com
> > Subject: Re: TippingPoint vs. Intrushield
> >
> >
> > --On Tuesday, July 13, 2004 03:22:36 AM +0000 Jacob Winston 
> > <jctx09 () yahoo com> wrote:
> > > I am trying to decide which IPS to buy. I read that 
> > Tippingpoint won 
> > > the latest NSS shootout but Intrushield seems to have won 
> > every other 
> > > shootout before that. Has anyone used either one before? My 
> > > Intrushield rep says that Tippingpoint doesn't have as 
> > many detection 
> > > methods as Intrushield but I can't find a listing of what methods 
> > > Tippingpoint does have. Any info is appreciate. Thank you.
> > We testing Tippingpoint and were very impressed with it.  We 
> > have not 
> > tested Intrushield.  I know of three places that are using 
> > Tippingpoing and 
> > are extremely happy with it.
> >
> > Paul Schmehl (pauls () utdallas edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/ir/security/
> >
> > -------------------------------------------------------------
> > -------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world 
> > attacks from CORE IMPACT. Go to 
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_0
40708 to learn more.
------------------------------------------------------------------------
--




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------