Firewall Wizards mailing list archives

RE: ??? vs blackice -reply


From: "LaPane, Mike" <MGL () para-protect com>
Date: Wed, 29 Mar 2000 11:27:41 -0500

I'm not sure how to classify NetSonar as an IDS. It's an assessment tool
(same space as S2 or Axent ESM). NetRanger is Cisco's IDS entry. Also,
what about DRAGON from NSW? Good product. 

Agree on the statement that any IDS will give garbage if improperly
configured, but I don't care for RealSecure when deployed in large
scale. The console quickly becomes inundated. Hard to manage if you have
multiple masters (read, impossible), other than read-only access and
buffer logging only.

My 2 cents

-----Original Message-----
From: Mark.Teicher () predictive com [mailto:Mark.Teicher () predictive com]
Sent: Thursday, March 23, 2000 1:52 PM
To: Robert Graham
Cc: firewall-wizards () nfr net; CrumrineGL () state gov
Subject: Re: [fw-wiz] ??? vs blackice -reply


OK.

The last time we spoke you were going to have somebody from NetworkICE contact me and send me an eval copy of the NetworkICE Sentry version. NetworkICE Defender is the only version that was available to me at the time of my evaluation.

OK

Here is the correct lineup:

ISS RealSecure
NFR IDA
NetworkICE Sentry
Cisco NetSonar
Axent ITA/NetProwler


Did I miss anything in the Enterprise IDS space?


If ISS RealSecure is properly configured, it will not drown the user in meaningless alerts, but that requires a skill set above the average monitor monkey. NetworkICE Defender can also give meaningless alerts if not configured properly.

So once again, if an IDS system is not properly configured and tuned on a regular basis, as traffic analyzed over time is deemed normal versus the anomalies. It is a constant struggle of finding and customizing the rule base and/or policies within each of the IDS systems to cater to the particular organization's environment and tracking down the anomalies.

The explanations of each alert can vary from IDS system to IDS system; as each vendor is slowly migrating to the standards of the CVE, this will more or less normalize over the few months or few years, depending on how fast each vendor revs their product offerings and releases updates.

If you want a vendor neutral review, I suggest contacting a vendor neutral network consulting company for a very thorough product comparison test (Product Bakeoff).

Robert, contact me privately and I can suggest a few network consulting companies that offer these types of services. :)

/mark





Robert Graham <robert_david_graham () yahoo com>
03/23/00 10:31 AM

        To:      Mark.Teicher () predictive com
        cc:      firewall-wizards () nfr net, owner-firewall-wizards () lists nfr net, rgrimsha () syr edu
        Subject: Re: [fw-wiz] ??? vs blackice -reply


--- Mark.Teicher () predictive com wrote:

What I meant in the previous message was that NetworkICE cannot be placed in the same category as ISS RealSecure or NFR IDA 4.01. These products address completely different segments of the IDS product space.

Hhhmm. Apparently you haven't used BlackICE Sentry yet. The Sentry version does the following:
* promiscuous packet capture
* over 400 signatures
* full stateful protocol analysis
* centralized mgmt/reporting
* etc.

In Greg Shiply's review at http://www.nwc.com/1023/1023f19.html, you can see the performance of the network engine when compared with alternatives.

Moreover, the "full stateful analysis" means the signatures are much more robust. For example, we have only one signature for a POP3 buffer overflow in the user name field, whereas other products have as many as 20.

We have several customers who have thrown out RealSecure and replaced it with BlackICE Sentry because:
* Sentry handles higher traffic rates
* Sentry has extensive anti-evasion capabilities (reassembles packets, handles all whisker evasions, etc.)
* Sentry has dramatically fewer false positives (a lot of customers end up paying a lot for RealSecure, then stop using it because they are drowned in meaningless alerts).
* Its explanation of alerts is much better than the X Force stuff.

What feature is BlackICE Sentry missing such that you don't put it in the same category?

NetworkICE
Lockdown 2000
Bonzi Intruder
are addressing the personal firewall and personal IDS space while

Uh, no. Lockdown2000 and Bonzi Intruder are neither firewalls nor real IDSs. They are port monitors like Nukenabber. They contain zero packet filtering capabilities.

In contrast, BlackICE Defender is currently the market leader in personal firewalls. Both Defender and Sentry make use of the same underlying IDS engine, but please don't confuse one for the other.

Robert Graham
CTO/Network ICE



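Robert's point that one stateful signature replaces many byte-pattern signatures, shown as an added illustration that is not part of the thread and is not Network ICE's code: the pattern rules each match only the filler their author happened to see, while the stateful analyzer parses the POP3 USER command (even when it spans segments) and applies a single length check. The 64-byte limit, the rule names and the sample streams are constructed for this example.

```python
import re
USER_ARG_LIMIT = 64  # constructed threshold, not a value from the thread

# Byte-pattern signatures: each one knows only the filler its author happened to see.
PATTERN_SIGS = {
    "pop3-user-overflow-A": re.compile(rb"USER A{64,}"),
    "pop3-user-overflow-nop": re.compile(rb"USER \x90{64,}"),
}

def pattern_alerts(stream: bytes) -> list:
    """Signature-matching IDS: one rule per filler variant, no protocol parsing."""
    return [name for name, rx in PATTERN_SIGS.items() if rx.search(stream)]

class Pop3Analyzer:
    """Stateful POP3 analyzer: parses client commands and tracks the RFC 1939 session state."""
    def __init__(self):
        self.state, self.buf, self.alerts = "AUTHORIZATION", b"", []

    def feed(self, chunk: bytes) -> None:
        """Accept reassembled client bytes; a command may span several segments."""
        self.buf += chunk
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self._command(line)

    def _command(self, line: bytes) -> None:
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER" and self.state == "AUTHORIZATION":
            if len(arg) > USER_ARG_LIMIT:  # one rule covers every filler and encoding
                self.alerts.append(("pop3-user-oversized", len(arg)))
        elif verb.upper() == b"PASS" and self.state == "AUTHORIZATION":
            self.state = "TRANSACTION"  # simplification: assume the server accepted

def stateful_alerts(chunks) -> list:
    analyzer = Pop3Analyzer()
    for chunk in chunks:
        analyzer.feed(chunk)
    return analyzer.alerts

# Constructed samples: overlong USER arguments with different fillers; the third spans two segments.
SAMPLES = {
    "A-filler": [b"USER " + b"A" * 200 + b"\r\n"],
    "nop-filler": [b"USER " + b"\x90" * 200 + b"\r\n"],
    "mixed-split": [b"USER " + b"xy" * 60, b"z" * 80 + b"\r\nPASS x\r\n"],
}

def compare() -> dict:
    """Per sample: (pattern rules that fired, stateful alerts raised)."""
    return {name: (len(pattern_alerts(b"".join(chunks))), len(stateful_alerts(chunks)))
            for name, chunks in SAMPLES.items()}
```

Each new filler would need another pattern rule, and the split sample matches none of them, while the stateful check fires once on all three and stays silent on a normal login.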


