Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to choose an IDS/FW MSS provider

from [Mark Teicher] Network Security [Permanent Link]
Subject: Re: How to choose an IDS/FW MSS provider
Date: Tue, 15 Mar 2005 07:32:34 -0500 (GMT-05:00) 
Again, most people compare IDS/IPS vendor for the number of signatures they 
have in the product and the ability to add them on their own.  Great stuff, 
interesting, but some IDS/IPS vendors do more than just pattern matching.  This 
reply is to re-ignite the argument between pattern matching and protocol 
decodes.  But how many
SubSeven signatures does one really need?  If I observe a SubSeven attack, it 
is nice to see the granularity, but the difference in the pattern is very 
little, essentially it is a SubSeven attack, whether it is real or not, that is 
for the person to determine, etc.  Whether or not a IDS vendor provides the 
ability to add signatures is irrelevant, some products have the ability to 
detect unknowns before there is an update to the product.  Some customers get 
the warm and fuzzies when they can see "CODE RED" or "SASSER" in their reports, 
but that doesn't improve the product any better.  What really is needed in most 
of the products out there, is the ability to query data without learning the 
ins and outs of SQL queries or futzing with Oracle Client to extract the data 
that is meaningful.

  

-----Original Message-----
From: "David W. Goodrum" <dgoodrum@nfr.com>
Sent: Mar 12, 2005 8:54 AM
To: Jeff Boggie <jeff.boggie@comcast.net>
Cc: "'Brady, Rick'" <Rick.Brady@LibertyMutual.com>, 
        "'Melih Kirkgöz (Koç.net)'" <melihk@koc.net>, 
        'Stephane' <stephane.d@ecologie.net>, focus-ids@securityfocus.com
Subject: Re: How to choose an IDS/FW MSS provider

I think it's interesting how this is an unwinnable argument for any 
vendor.  At NFR our signatures are openly readable by our customers, but 
we've heard the exact opposite argument of what you are presenting 
here:  "A potential hacker can read how the signatures work, and use 
that information to try to evade the IDS".  So, if we appeased them, 
we'd close our signature base, and then we'd be hearing it from the 
other side of the house.  This is a no-win situation for the vendor.  
We've tried to appease both sides by not having our sigs "publicly" 
available, but all a really determined hacker has to do is buy our 
product to read the signatures. 

So, before you ask ISS to release their codebase for their signature 
set, you might want to think about what the full consequences of that 
would be.  Snort has had 2 or 3 remote exploits.  The only reason this 
was possible is because their entire product is totally open to the 
world.  I doubt ISS wants to open themselves up to that type of 
publicity.  :)

-dave

Jeff Boggie wrote:


No, the lack of visibility into ISS signature content is a major bone of
contention in my shop.

-----Original Message-----
From: Brady, Rick [mailto:Rick.Brady@LibertyMutual.com] 
Sent: Wednesday, March 09, 2005 5:08 PM
To: Melih Kirkgöz (Koç.net); Stephane; focus-ids@securityfocus.com
Subject: RE: How to choose an IDS/FW MSS provider


Melih,
I guess you must be special to ISS, from my experience the support has been
sub-par. Also do you like the idea that ISS IDS signatures are not known to
the customer and only ISS ? 

Rick Brady
Liberty Mutual Group
I/S TSSS Engineering Network Access Control
mailto:rick.brady@libertymutual.com
(603) 245-4214   8-435-4214sdn 

-----Original Message-----
From: Melih Kirkgöz (Koç.net) [mailto:melihk@koc.net] 
Sent: Tuesday, March 08, 2005 2:22 AM
To: Stephane; focus-ids@securityfocus.com
Subject: RE: How to choose an IDS/FW MSS provider
Importance: High

Hello Stephane,

We have been using ISS since last two years.(50 Server Sensor,15 Network
Sensor,1 Proventia G 100 IPS),managed by SiteProtector. We tested
Netscreen,ISS,Radware,NAI Intrushield and Checkpoint during our evaluation
period for intrusion detection/prevention systems. Strong level of expertise
and good technical support was one of the big reasons choosing ISS.


-----Original Message-----
From: Stephane [mailto:stephane.d@ecologie.net] 
Sent: Monday, March 07, 2005 12:42 PM
To: focus-ids@securityfocus.com
Subject: How to choose an IDS/FW MSS provider

Dear All,

How do I choose an IDS/IPS provider if I need a strong level of expertise
24x7x365 and a worldwide representaion? I need it on Netscreen, PIX,
CheckPoint and ISS Realsecure and Proventia.

Thank you,

S.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
-------------------------------------------------------------------------- 
____________________________________________________________________________
_________________________________________________________________ 
Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger
bu e-posta mesaji size yanlislikla ulasmissa,  icerigini hic bir sekilde
kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta
mesajini kullaniciya hemen geri gonderiniz  ve  tum kopyalarini mesaj
kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir amac
icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz.  Bu e-posta
mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir. Ancak
yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol
ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek
zararlardan dogacak hicbir sorumlulugu kabul etmez.  
This message is intended solely for the use of the individual or entity to
whom it is addressed , and may contain confidential  information. If you are
not the intended recipient of this message or you receive this mail in
error, you should refrain from making any use of the contents and from
opening any attachment. In that case, please notify the sender immediately
and return the message to the sender, then, delete and destroy all copies.
This e-mail message, can not be copied, published or sold for any reason.
This e-mail message has been swept by anti-virus systems for the presence of
computer viruses. In doing so, however,  sender  cannot warrant that virus
or other forms of data corruption may not be present and do not take any
responsibility in any occurrence. 
____________________________________________________________________________
_________________________________________________________________ 




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

 



-- 
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to choose an IDS/FW MSS provider, Peter Schawacker
Next by Date:  RE: How to choose an IDS/FW MSS provider, Joshua Berry
Previous by Thread:  Re: How to choose an IDS/FW MSS provider, Peter Schawacker
Next by Thread:  Re: How to choose an IDS/FW MSS provider, David W. Goodrum
Indexes:  [Date] [Thread] [Top] [All Lists]