RE: Intrusion Prevention requirements document

["Andy Cuff" <AndyCuff () securitywizardry com>]

VT,
My suggestion would be a compromise, test products on a dev network and
whittle down the contenders you will find showstoppers for certain products

Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://www.securitywizardry.com

07010 709014
 

> -----Original Message-----
> From: vendortrebuchet () comcast net [mailto:vendortrebuchet () comcast net]
> Sent: 29 October 2005 20:40
> To: focus-ids () securityfocus com
> Subject: Re: Intrusion Prevention requirements document
>
> Another question for everyone,
> When you brought in each vendor for evaluation, did you configure a test
> network for them or did you use your production network?  My 1st concern
> is  keeping my job :o)  If I test in production, I could impact production
> traffic.  If I don't test in production, how can I best ensure that I
> won't have problems with custom applictions, older IP stacks which could
> be an issue if RFC compliance checks are done, etc.
> The vendor answer is always, "don't turn on blocking and just monitor."
> Is that a reality?   I'd like some testimonials to this and some real life
> instances of what has been done from unbiased sources.
>
> Thanks,
>
> VT
>
>
> > All,
> >
> > I work on a team that manages signature and behavioral based intrusion
> detection
> > systems today.  We have been tasked with reviewing IPS (or whatever
> vendor name
> > acronym you prefer) in '06.  Our normal process is to put together a
> base
> > requirements document to weed out vendors in the first round through a
> paper
> > excercise and then bring in the best we can identify.  My question is,
> has
> > anyone developed a matrix that identifies key qualifiers in an IPS
> solution
> > (e.g. in-line, fails open/closed, reporting features, etc.).  If so,
> could you
> > provide links or the documents?
> >
> > If not, what categories are most significant to consider in your expert
> > opinions?  What reasons did you choose the solution you have?  What
> would you
> > consider if you had to choose over again, etc?
> >
> > Thanks in advance for your responses.
> >
> > VT
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------