IDS mailing list archives

RE: Intrushield User Experiences Warts 'n' All


From: "Ed Gibbs" <ed () digitalconclave com>
Date: Wed, 27 Apr 2005 09:46:39 -0700


How easy is it to tune?  IntruShield is very easy to tune.  There are
several approaches to take, either by creating alert filters to filter out
by SRC/DST IP, or if you're in-line, by in-bound, out-bound direction.  You
can also leverage their virtualization and create policies specifically for
VLANs or CIDR blocks (I believe up to 1000 virtual policies on their highest
end model I-4000).

What are the false positive rates like?  Very low.  I've seen situations
where other products (no vendor bashing) generated as much as 800,000 false
positives a day in one particular environment, and with IntruShield, around
100,000.  Still a lot but a big improvement.

Can you write custom signatures?  Yes, IntruShield supports "User Defined
Signatures".  You can push signatures in real-time without any disruption in
service/sessions.

How easy is it to update, both signatures and appliance patches?  Simple.
Just a couple of clicks.  They can also be scheduled.

How frequently do you receive signature updates?  If no major outbreaks
occur (med-high), then 1 or 2 weeks.

Does it provide sufficient information for an analyst to resolve an event?
Yes, their forensics analysis is fantastic.  Captures the entire flow of
packets if you want.

Does it do packet capture:

        a. per event?  Yes

        b. rolling?  Yes

        c. how easy is it to recover said packets?  Point-and-click.  Uses
Ethereal to display packets.

What is the support like?  Pretty good actually, compared to our former IDS
product support.

Value Added?

Good points?  Easy to manage, accurate, real-time alerts, large signature
base, virtualization, ACL list, SSL decryption and inspection of encrypted
traffic, in-bound/out-bound policy definitions, etc.

Bad Points?  Management interface - heavy on Java, but not necessarily a bad
thing, just be aware.

Those more important points that I can't remember right now?

I realise I can get much of the above from the website, but I would like to
hear it from the horse's mouth, from practitioners in the field.


Ed Gibbs
760-687-6768

