IDS mailing list archives

Re: Email reputation for input to IDSs?


From: Tremaine Lea <focus-ids () ddiction com>
Date: Wed, 26 Nov 2008 11:53:12 -0700


On 26-Nov-08, at 8:37 AM, Joel Snyder wrote:

> > There are a few IPS/IDS solutions out there utilizing email reputation
> > as part of their solutions, and they primarily get their strength from a
> > centralized managed db on the part of the vendor supplying the solution.
>
> I haven't seen this actually happening; do you have specific products in mind? Other than 'intention,' it doesn't seem to have been rolled out yet.

I'm drawing a blank on the vendor; it came up when we were evaluating UTM solutions. It may have been Juniper or Checkpoint; I don't recall and am unable to devote the time to dig back at the moment, I'm afraid. The other possibility is Tipping Point, but again I'm having a morning where my recollection is a bit hazy ;)

I'm definitely interested in seeing how the various vendors address this from an architecture design stance, and particularly how much flexibility they provide to the client in making choices with regard to the reputation information. It would also be interesting to see if this gets extended beyond email reputation to straight IP reputation, perhaps utilizing information similar to that found on MyNetWatchMan or sites like ISC.

Cheers, and thanks for the well thought out response - it was a good read!

---

Tremaine Lea
Network Security Consultant
Intrepid ACL
Paranoia for hire
