Re: ??? vs blackice -reply

[Mark.Teicher () predictive com]

OK.

The last time we spoke you were going to have somebody from NetworkICE 
contact me and send me an eval copy of the NetworkICE Sentry version.
NetworkICE Defender is the only version that was available to me at the 
time of my evaluation..

OK

Here is the correct  lineup

ISS RealSecure
NFR IDA
NetworkICE Sentry
Cisco NetSonar
Axent ITA/NetProwler


Did I miss anything in the Enterprise IDS space..


If ISS RealSecure is properly configured, it will not drown the user in 
meaningless alerts, but that requires a skill set above the average 
monitor monkey.  NetworkICE Defender can also give meaningless alerts if 
not configured properly also.

So once again, if an IDS system is not properly configured and tuned on a 
regular basis, as traffic analyzed over time is deemed normal versus the 
abnomalies. It is a constant struggle of finding customizing the rule base 
and/or policies within each of the IDS systems to cater to the particular 
organization's environment and tracking down the abnomalies.

The explanations of each alert can vary from IDS system to IDS system, as 
each vendor is slowly migrating to the standards of the CVE, this will 
more or less normalize over the few months, few years depending on how 
fast each vendor revs their product offerings and releases updates.

If you want a vendor neutral review, I suggest contacting a vendor neutral 
network consulting company for a very thorough product comparison test. 
(Product Bakeoff) 

Robert, contact me privately and I can suggest a few network consulting 
companies that offer these type of services.. :)

/mark





Robert Graham <robert_david_graham () yahoo com>
03/23/00 10:31 AM

 
        To:     Mark.Teicher () predictive com
        cc:     firewall-wizards () nfr net, owner-firewall-wizards () lists nfr net, 
rgrimsha () syr edu
        Subject:        Re: [fw-wiz] ??? vs blackice -reply


--- Mark.Teicher () predictive com wrote:
> What I meant in the previous message was that NetworkICE cannot be 
placed
> in the same category as ISS RealSecure or NFR IDA 4.01.  These products
> address completely different segments of the IDS product space.

Hhhmm. Apparently you haven't used BlackICE Sentry yet. The Sentry version 
does
the following:
* promiscuous packet capture
* over 400 signatures
* full stateful protocol analysis
* centralized mgmt/reporting
* etc.

In Greg Shiply's review at http://www.nwc.com/1023/1023f19.html, you can see
the performance of the network engine when compared with alternatives.

Moreover, the "full stateful analysis" means the signatures are much more
robust. For example, we have only one signature for a POP3 buffer overflow 
in
the user name field, whereas other products have as many as 20.

We have several customers who have thrown out RealSecure and replaced with
BlackICE Sentry because:
* Sentry handles higher traffic rates
* Sentry has extensive anti-evasion capabilities (reassembles packets, 
handles
all whisker evasions, etc.)
* Sentry has dramatically fewer false positives (a lot of customers end up
paying a lot for RealSecure, then stop using it because they are drowned 
in
meaningless alerts).
* Its explanation of alerts is much better than the X Force stuff.

What feature is BlackICE Sentry missing such that you don't put it in the 
same
category?

> NetworkICE
> Lockdown 2000
> Bonzi Intruder
> are addressing the personal firewall and personal IDS space while

Uh, no. Lockdown2000 and Bonzi Intruder are neither firewalls or real 
IDSs.
They are port monitors like Nukenabber. They contain zero packet filtering
capabilities.

In contrast, BlackICE Defender is currently the market leader in personal
firewalls. Both Defender and Sentry make use of the same underlying IDS 
engine,
but please don't confuse one for the other.

Robert Graham
CTO/Network ICE



__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com