Firewall Wizards mailing list archives
RE: ??? vs blackice -reply
From: "Cotter, David" <dcotter () allianttech com>
Date: Wed, 29 Mar 2000 07:08:23 -0500
Maybe just for clarification: Cisco's NetSonar is the vulnerability scanning tool, not IDS. The IDS product is their "Cisco Secure Intrusion Detection System, v2.2.1", previously known as NetRanger. Hope this helps.

-----Original Message-----
From: Mark.Teicher () predictive com
To: Robert Graham
Cc: firewall-wizards () nfr net; CrumrineGL () state gov
Sent: 3/23/00 1:52 PM
Subject: Re: [fw-wiz] ??? vs blackice -reply

OK. The last time we spoke you were going to have somebody from NetworkICE contact me and send me an eval copy of the NetworkICE Sentry version. NetworkICE Defender is the only version that was available to me at the time of my evaluation.

OK, here is the correct lineup:

ISS RealSecure
NFR IDA
NetworkICE Sentry
Cisco NetSonar
Axent ITA/NetProwler

Did I miss anything in the Enterprise IDS space?

If ISS RealSecure is properly configured, it will not drown the user in meaningless alerts, but that requires a skill set above the average monitor monkey. NetworkICE Defender can also give meaningless alerts if not configured properly. So once again, if an IDS system is not properly configured and tuned on a regular basis, as traffic analyzed over time is deemed normal versus the anomalies. It is a constant struggle of finding and customizing the rule base and/or policies within each of the IDS systems to cater to the particular organization's environment and tracking down the anomalies. The explanations of each alert can vary from IDS system to IDS system; as each vendor is slowly migrating to the standards of the CVE, this will more or less normalize over the next few months or few years, depending on how fast each vendor revs their product offerings and releases updates.

If you want a vendor neutral review, I suggest contacting a vendor neutral network consulting company for a very thorough product comparison test (Product Bakeoff). Robert, contact me privately and I can suggest a few network consulting companies that offer these types of services.
:)

/mark

Robert Graham <robert_david_graham () yahoo com> 03/23/00 10:31 AM
To: Mark.Teicher () predictive com
cc: firewall-wizards () nfr net, owner-firewall-wizards () lists nfr net, rgrimsha () syr edu
Subject: Re: [fw-wiz] ??? vs blackice -reply

--- Mark.Teicher () predictive com wrote:
> What I meant in the previous message was that NetworkICE cannot be
> placed in the same category as ISS RealSecure or NFR IDA 4.01. These
> products address completely different segments of the IDS product space.
Hhhmm. Apparently you haven't used BlackICE Sentry yet. The Sentry version does the following:

* promiscuous packet capture
* over 400 signatures
* full stateful protocol analysis
* centralized mgmt/reporting
* etc.

In Greg Shipley's review at http://www.nwc.com/1023/1023f19.html, you can see the performance of the network engine when compared with alternatives. Moreover, the "full stateful analysis" means the signatures are much more robust. For example, we have only one signature for a POP3 buffer overflow in the user name field, whereas other products have as many as 20.

We have several customers who have thrown out RealSecure and replaced it with BlackICE Sentry because:

* Sentry handles higher traffic rates
* Sentry has extensive anti-evasion capabilities (reassembles packets, handles all whisker evasions, etc.)
* Sentry has dramatically fewer false positives (a lot of customers end up paying a lot for RealSecure, then stop using it because they are drowned in meaningless alerts).
* Its explanation of alerts is much better than the X Force stuff.

What feature is BlackICE Sentry missing such that you don't put it in the same category?
> NetworkICE, Lockdown 2000, Bonzi Intruder are addressing the personal
> firewall and personal IDS space while
Uh, no. Lockdown2000 and Bonzi Intruder are neither firewalls nor real IDSs. They are port monitors like Nukenabber. They contain zero packet filtering capabilities. In contrast, BlackICE Defender is currently the market leader in personal firewalls. Both Defender and Sentry make use of the same underlying IDS engine, but please don't confuse one for the other.

Robert Graham
CTO/Network ICE

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
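The "one stateful signature versus twenty pattern signatures" contrast Graham draws for the POP3 user-name overflow, as an added illustration that is not from this thread or from any NetworkICE code: a pattern list only fires on the exact byte sequences it already knows, while a checker that tracks POP3 state and measures the USER argument catches any oversized name, whatever bytes fill it. The 256-byte threshold, the rule names and the sample sessions are all constructed assumptions.

```python
import re

# Constructed POP3 client command streams (sample data, not from the thread).
SESSIONS = {
    "benign": [b"USER alice\r\n", b"PASS s3cret\r\n", b"STAT\r\n"],
    "known_variant": [b"USER " + b"A" * 600 + b"\r\n"],
    "new_variant": [b"USER " + b"Z" * 600 + b"\r\n"],
    "late_user": [b"USER bob\r\n", b"PASS pw\r\n", b"USER " + b"C" * 600 + b"\r\n"],
}

# Pattern-only approach: one byte pattern per exploit variant seen so far.
PATTERN_SIGNATURES = {
    "pop3-user-overflow-variant-1": re.compile(rb"^USER A{400,}", re.I),
}

# Stateful approach: one rule on the protocol field, independent of filler bytes.
MAX_USER_ARG = 256  # assumed sane upper bound for an RFC 1939 USER argument


def pattern_alerts(lines):
    """Match every client line against the static signature list."""
    alerts = []
    for line in lines:
        for name, pat in PATTERN_SIGNATURES.items():
            if pat.search(line):
                alerts.append(name)
    return alerts


def stateful_alerts(lines):
    """Parse each POP3 command, track the session state, and check USER."""
    alerts = []
    state = "AUTHORIZATION"  # RFC 1939 states: AUTHORIZATION -> TRANSACTION
    for line in lines:
        parts = line.rstrip(b"\r\n").split(b" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else b""
        if cmd == b"USER":
            if state != "AUTHORIZATION":
                alerts.append("pop3-user-out-of-state")  # protocol anomaly
            if len(arg) > MAX_USER_ARG:
                alerts.append("pop3-user-overflow")  # length rule, any filler
        elif cmd == b"PASS" and state == "AUTHORIZATION":
            state = "TRANSACTION"  # assume the server accepted (client side only)
    return alerts
```

Running both detectors over the sessions shows the pattern list missing `new_variant` entirely, while the stateful rule flags every oversized USER argument and the out-of-state USER in `late_user`.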