IDS mailing list archives

Re: How to choose an IDS/FW MSS provider

From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Sat, 12 Mar 2005 08:54:30 -0500

I think it's interesting how this is an unwinnable argument for anyvendor. At NFR our signatures are openly readable by our customers, butwe've heard the exact opposite argument of what you are presentinghere: "A potential hacker can read how the signatures work, and usethat information to try to evade the IDS". So, if we appeased them,we'd close our signature base, and then we'd be hearing it from theother side of the house. This is a no-win situation for the vendor.We've tried to appease both sides by not having our sigs "publicly"available, but all a really determined hacker has to do is buy ourproduct to read the signatures.So, before you ask ISS to release their codebase for their signatureset, you might want to think about what the full consequences of thatwould be. Snort has had 2 or 3 remote exploits. The only reason thiswas possible is because their entire product is totally open to theworld. I doubt ISS wants to open themselves up to that type ofpublicity. :)


-dave

Jeff Boggie wrote:

No, the lack of visibility into ISS signature content is a major bone of
contention in my shop.

-----Original Message-----

From: Brady, Rick [mailto:Rick.Brady () LibertyMutual com]Sent: Wednesday, March 09, 2005 5:08 PM

To: Melih Kirkgöz (Koç.net); Stephane; focus-ids () securityfocus com
Subject: RE: How to choose an IDS/FW MSS provider


Melih,
I guess you must be special to ISS, from my experience the support has been
sub-par. Also do you like the idea that ISS IDS signatures are not known to

the customer and only ISS ?

Rick Brady
Liberty Mutual Group
I/S TSSS Engineering Network Access Control
mailto:rick.brady () libertymutual com

(603) 245-4214 8-435-4214sdn

-----Original Message-----

From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net]Sent: Tuesday, March 08, 2005 2:22 AM

To: Stephane; focus-ids () securityfocus com
Subject: RE: How to choose an IDS/FW MSS provider
Importance: High

Hello Stephane,

We have been using ISS since last two years.(50 Server Sensor,15 Network
Sensor,1 Proventia G 100 IPS),managed by SiteProtector. We tested
Netscreen,ISS,Radware,NAI Intrushield and Checkpoint during our evaluation
period for intrusion detection/prevention systems. Strong level of expertise
and good technical support was one of the big reasons choosing ISS.

-----Original Message-----

From: Stephane [mailto:stephane.d () ecologie net]Sent: Monday, March 07, 2005 12:42 PM

To: focus-ids () securityfocus com
Subject: How to choose an IDS/FW MSS provider

Dear All,

How do I choose an IDS/IPS provider if I need a strong level of expertise
24x7x365 and a worldwide representaion? I need it on Netscreen, PIX,
CheckPoint and ISS Realsecure and Proventia.

Thank you,

S.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------_____________________________________________________________________________________________________________________________________________Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger

bu e-posta mesaji size yanlislikla ulasmissa,  icerigini hic bir sekilde
kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta
mesajini kullaniciya hemen geri gonderiniz  ve  tum kopyalarini mesaj
kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir amac
icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz.  Bu e-posta
mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir. Ancak
yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol
ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek

zararlardan dogacak hicbir sorumlulugu kabul etmez.This message is intended solely for the use of the individual or entity to

whom it is addressed , and may contain confidential  information. If you are
not the intended recipient of this message or you receive this mail in
error, you should refrain from making any use of the contents and from
opening any attachment. In that case, please notify the sender immediately
and return the message to the sender, then, delete and destroy all copies.
This e-mail message, can not be copied, published or sold for any reason.
This e-mail message has been swept by anti-virus systems for the presence of
computer viruses. In doing so, however,  sender  cannot warrant that virus
or other forms of data corruption may not be present and do not take any

responsibility in any occurrence._____________________________________________________________________________________________________________________________________________




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------


--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------

Current thread:

Re: How to choose an IDS/FW MSS provider, (continued)
- - - Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
    - RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
    - Re: How to choose an IDS/FW MSS provider Jason (Mar 19)
    - Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)
    - Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 23)
    - Re: How to choose an IDS/FW MSS provider Ron Gula (Mar 24)
    - RE: How to choose an IDS/FW MSS provider Chris Harrington (Mar 16)
  - Has ISS a SOC in Europe? Stephane (Mar 11)
    - RE: Has ISS a SOC in Europe? Gregory Bell (Mar 14)
  - RE: How to choose an IDS/FW MSS provider Jeff Boggie (Mar 11)
    - Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
    - Re: How to choose an IDS/FW MSS provider Martin Roesch (Mar 16)
    - Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)
    - Re: How to choose an IDS/FW MSS provider Martin Roesch (Mar 19)
    - Re: How to choose an IDS/FW MSS provider Thomas H . Ptacek (Mar 23)
    - Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 23)
    - Re: How to choose an IDS/FW MSS provider Dave Aitel (Mar 19)
- RE: How to choose an IDS/FW MSS provider Palmer, Paul (ISSAtlanta) (Mar 10)
  - RE: How to choose an IDS/FW MSS provider Randy Golly (Mar 10)
- RE: How to choose an IDS/FW MSS provider Koç.net (Mar 11)
- Re: How to choose an IDS/FW MSS provider Mark Teicher (Mar 11)

(Thread continues...)