IDS mailing list archives

RE: RE: Which is the most widely deployed commercial IPS


From: "Alan Shimel" <ashimel () stillsecure com>
Date: Thu, 27 Apr 2006 16:03:40 -0400

I think your mistake is you are confusing a consumer version, dumbed-down
IPS (host based, not network) with a commercial network IPS. Apples and
oranges. Look at the signature bases for example.

alan

StillSecure
Alan Shimel 
Chief Strategy Officer 

O 303.381.3815
C 516.857.7409
F 303.381.3881
email ashimel () stillsecure com
blog http://ashimmy.typepad.com

www.stillsecure.com
The information transmitted is intended only for the person
to whom it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer.

-----Original Message-----
From: thunking () hotmail com [mailto:thunking () hotmail com] 
Sent: Thursday, April 27, 2006 1:50 AM
To: focus-ids () securityfocus com
Subject: Re: RE: Which is the most widely deployed commercial IPS

I should have clarified... yes, I was talking about network IPS. I wasn't so
interested in market share as that doesn't necessarily mean a quality product,
at least in the network IPS space. What I was really interested in is which
product is known to be deployed on the largest number of machines and
therefore seeing the largest breadth of traffic. Since by the admission of
some of the vendors on this list it is not possible to test in the lab, I
take that to mean that my best bet is to go with a company whose products
are deployed in blocking mode on the widest variety of machines around. Take
an example... recently as a pilot we handed out free copies of Norton
Internet Security and Norton Antivirus to a subset of our students and
monitored their experiences. Not a single FP except for an issue with Yahoo
cross-site scripting, which turned out was not really an FP. Both these
products now have network-based Intrusion Prevention, and what's nice is that
all signatures ship in blocking mode. Now it occurs to me that of all the NIPS
products out there, NIS and NAV might be the ones that see the largest
breadth of traffic. By last count I believe some analysts estimate the number
of customers to be around the 100 million mark. That's 100 million unique
users actively running NIPS signatures in blocking mode. To me that's pretty
convincing that if just a large deployment of blocking signatures rarely
causes FPs (there are 1 or 2 every now and then), then the enterprise version
Symantec Client Security that has the same signature set must be good as
well. Are there other examples of products from other vendors with this kind
of a deployment?

Where am I going with this...? My biggest concern for the deployment I am
targeting is false positives. I definitely want the signatures to be in
blocking mode out of the box. I am seeing companies like ISS ship many
signatures in non-blocking mode, which at least for me is useless. What's the
point of having the customer try to figure out if a signature should be
switched back to blocking or not? So a product like that is definitely out of
the running.

Could do with some feedback from customers on here to help cut through the
marketing and false claims.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------