Re: Entercept HIDS Question

[John Bedrick <john_bedrick () nai com>]

In-Reply-To: <OFEC323AFF.071F29CA-ON85256E51.006AA5E5-85256E51.006B19D0 () sct com>

Network Associates Inc. acquired Entercept in May of 2003.

Dimitri and Zach, I can not explain why your calls were not returned; certainly that is not the way we conduct business 
here at Network Associates Inc. and McAfee Security.  It would be helpful to understand when this occurred for 
follow-up purposes.  To be sure, we here at Network Associates, Inc. and McAfee Security take pride in making sure that 
our customers and prospects are well treated.

Josh, as far as the claims of product problems are concerned, I think knowing when would be extremely helpful.  What 
was the version of the product and also what Operating System was it installed on?  Feel free to contact me directly to 
discuss this issue.

Entercept recently underwent rigorous testing at an independent, 3rd party security and IDS/IPS testing organization 
called The NSS Group (http://www.nss.co.uk/default.htm).  The results of this testing are available directly from The 
NSS Group for all to read; however, I will state for this thread that Entercept earned the right to be called “NSS 
Approved”.

Please do not hesitate to contact me on important issues like these.

Thank you for your indulgence in letting me post my response.

Regards,

John Bedrick
Group Product Marketing Manager – Systems Security
Network Associates, Inc. / McAfee Security
John_Bedrick () nai com



> Subject: RE: Entercept HIDS Question
> To: Ralph.Chapman () aebs com
> Cc: focus-ids () securityfocus com
> From: dlimanov () sct com
> Date: Mon, 8 Mar 2004 14:27:33 -0500
>
>
>
>
>
> Our experience was early last year, not sure if it was already part of
> NAI then.. This said, we had gotten our share of confusion when Cisco
> bought Okena, especially from Cisco Tech Support not even knowing that
> Okena StormWatch was now part of their product line. :)
> Thanks,
>
> Dimitri
>
>
>
> |---------+---------------------------->
> |         |           "Ralph H.        |
> |         |           Chapman"         |
> |         |           <Ralph.Chapman@ae|
> |         |           bs.com>          |
> |         |                            |
> |         |           03/04/2004 09:30 |
> |         |           PM               |
> |         |                            |
> |---------+---------------------------->
>  >--------------------------------------------------------------------------------------------------------------|
>  |                                                                                                              |
>  |       To:       <focus-ids () securityfocus com>                                                                |
>  |       cc:                                                                                                    |
>  |       Subject:  RE: Entercept HIDS Question                                                                  |
>  >--------------------------------------------------------------------------------------------------------------|
>
>
>
> I would be interested in hearing when (what time frame) are these
> "horror" stories coming from. Before or after Entercept was purchased
> by NAI? Was the "blue screen" incident, as mentioned before, using
> version 2.5 or 4.1? Thanks!
>
> ________________________________
>
> From: dlimanov () sct com [mailto:dlimanov () sct com]
> Sent: Thu 3/4/2004 9:25 AM
> To: Zach.Forsyth () kiandra com
> Cc: focus-ids () securityfocus com
> Subject: RE: Entercept HIDS Question
>
>
>
>
> Same situation here. At the time of evaluation, we've contacted
> Entercept only to give up after two months of silence.. Needless to
> say, we went with Okena (now Cisco) and are very happy with it.
> Just like Zach, I had completely unpatched Windows2000 box with
> everything on it in the wild for over three month, protected by Okena
> - it did not get hacked. This was one of the best real-life tests I
> ever performed. :)
> HTH,
>
> Dimitri
>
>
>
> |---------+---------------------------->
> |         |           "Zach Forsyth"   |
> |         |           <Zach.Forsyth@kia|
> |         |           ndra.com>        |
> |         |                            |
> |         |           03/03/2004 05:39 |
> |         |           PM               |
> |         |                            |
> |---------+---------------------------->
>
> > --------------------------------------------------------------------------------------------------------------|
>
>  |
> |
>  |       To:       <focus-ids () securityfocus com>
> |
>  |       cc:
> |
>  |       Subject:  RE: Entercept HIDS Question
> |
>
> > --------------------------------------------------------------------------------------------------------------|
>
>
>
>
> I have used the cisco security agent (use to be okena stormwatch) and
> the product was very good.
> I wanted to use entercept but after trying to contact them for over a
> month I gave up.
>
> To test the agent I put a completely unpatched win2k server out on the
> internt with the default server agent protecting it.
> It sat their for a month and was not compromised at all.
> A few hours after the trial period license for the agent expired the
> server was hit with sql slammer and infected.
>
> I did a lot more testing in the lab and was pleased with the product
> overall.
> Unfortunately the client we were looking to deploy the agent changed
> their mind and I never got to use it in as real world scenario.
> Download the trial and do some internal testing to see what you think.
>
> Cheers
>
> Zach
>
> > -----Original Message-----
> > From: Josh.Berry () compucom com [mailto:Josh.Berry () compucom com]
> > Sent: Wednesday, 3 March 2004 5:25 AM
> > To: sam () neuroflux com
> > Cc: focus-ids () securityfocus com
> > Subject: RE: Entercept HIDS Question
> >
> > My company bought Entercept and then immediately removed it
> > from production if that tells you anything.  It caused
> > blue-screen's like crazy, huge performance issues, and
> > blocked an inordinate amount of allowed traffic.  This was
> > even in detect only mode.
> >
> > -----Original Message-----
> > From: sam () neuroflux com [mailto:sam () neuroflux com]
> > Sent: Tuesday, March 02, 2004 11:31 AM
> > To: focus-ids () securityfocus com
> > Subject: Entercept HIDS Question
> >
> > Hello..  We are currently in the process of selecting a HIDS
> > based product, and according to the Entercept sales person,
> > they claim that the product has a feature that works very
> > much like Tripwire.
> >
> > My question here, is how much overhead does it add to a
> > server, to watch the filesystem in real time?  And, if we
> > already have Tripwire, would their File Integrity checking
> > process be enough to replace Tripwire?
> >
> > And, if anyone is currently using the Entercept HIDS product,
> > I'm wondering how easily it can be managed (not only from the
> > HIDS piece, but from the file integrity standpoint --
> > excluding files, creating policies,
> > etc.)
> >
> > Thanks!
> > -Sam

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
---------------------------------------------------------------------------