IDS mailing list archives

Re: RE: Which is the most widely deployed commercial IPS


From: thunking () hotmail com
Date: 27 Apr 2006 05:49:43 -0000

I should have clarified.. yes I was talking about network IPS. I wasn't so interested in marketshare as that doesn't 
necessarily mean a quality product at least in the network IPS space. What I was really interested in is which product 
is known to be deployed on the largest number of machines and therefore seeing the largest breadth of traffic. Since by 
the admission of some of the vendors on this list, it is not possible to test in the lab, I take that to mean that my 
best bet is to go with a company whose products are deployed in blocking mode in the widest variety of machines around. 
Take an example.. recently as a pilot we handed out free copies of Norton Internet Security and Norton Antivirus to a 
subset of our students and monitored their experiences. Not a single FP except for an issue with Yahoo cross-site 
scripting, which, it turned out, was not really an FP. Both these products now have Network based Intrusion Prevention, and 
what's nice is that all signatures ship in blocking mode. Now it occurs to me that of all the NIPS products out there, 
NIS and NAV might be the ones that see the largest breadth of traffic. By last count I believe some analysts estimate 
the number of customers to be around the 100 million mark. That's 100 million unique users actively running NIPS 
signatures in blocking mode. To me that's pretty convincing that if just a large deployment of blocking signatures rarely 
causes FPs (there are 1 or 2 every now and then), then the enterprise version Symantec Client Security that has the 
same signature set must be good as well. Are there other examples of products from other vendors with this kind of a 
deployment?

Where am I going with this...? My biggest concern for the deployment I am targeting is False Positives. I definitely 
want the signature to be in blocking mode out of the box. I am seeing companies like ISS ship many signatures in 
non-blocking mode, which at least for me is useless. What's the point having the customer try to figure out if a 
signature should be switched back to blocking or not? So a product like that is definitely out of the running.

Could do with some feedback from customers on here to help cut through the marketing and false claims.
