RE: How to choose an IDS/FW MSS provider

Since you can't see the signature, how do you know they aren't doing simple 
string matching?  Second, obviously you aren't very familiar with Snort's rule 
language, it isn't just simple string matching, there is a *ton* of other logic 
available to reduce false positives/negatives.  Snort also has conveniently had 
support for PCRE matching for a long time now.

-----Original Message-----
From: Andrew Plato [mailto:andrew.plato@anitian.com] 
Sent: Friday, March 11, 2005 1:42 PM
To: Stephane; rick.brady@libertymutual.com
Cc: focus-ids@securityfocus.com
Subject: RE: How to choose an IDS/FW MSS provider

Honestly, how many people, except security geeks like us, really care what is 
inside the signatures? Sure, its fun to look inside them and see what they are 
keying on, but since ISS signatures are not purely "match this string" kind of 
stuff that Snort does, its not that simple. And more importantly, who the heck 
has time to do that? In the zillions of Proventias and server sensors I've 
deployed, I don't think anybody has ever once asked me "gosh, can we see the 
signature code." They were to busy running their systems to obsess over the 
code inside signatures. 

I think the "I can't see the signatures, I don't trust them" argument isn't a 
viable reason to turn down an IPS/IDS vendor. If it was, then it would put 
Cisco, Symantec, TippingPoint, and just about everybody else with a 
high-performance IPS off the map. 


ISS MSS from our experience as an ISS reseller has been positive. But, I am an 
ISS reseller so I have to say that. Another that comes to mind is Counterpane. 

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm 
 



-----Original Message-----
From: Stephane [mailto:stephane.d@ecologie.net] 
Sent: Thursday, March 10, 2005 12:38 AM
To: Brady, Rick
Cc: "Melih Kirkgöz (Koç.net)"; focus-ids@securityfocus.com
Subject: Re: How to choose an IDS/FW MSS provider

Brady, Rick wrote:

> Melih,
> I guess you must be special to ISS, from my experience the support has been 
> sub-par. Also do you like the idea that ISS IDS signatures are not known to 
> the customer and only ISS ? 
>
> Rick Brady
> Liberty Mutual Group
> I/S TSSS Engineering Network Access Control 
> mailto:rick.brady@libertymutual.com
> (603) 245-4214   8-435-4214sdn 
>  

Hi there,

What are you talking about? The support? do you mean people behind 
support@iss.net or mss.support@iss.net ?

What looks good with ISS, MSS Dept is that you have somehow the X-Force support 
http://xfoce.iss.net ; as far as I know and tell me if I am wrong, ISS is the 
only security provider having an R&D dept which is the X-Force team. My 
impression about Cisco IDS for example is that they just do follow the CERT to 
react (to react, this word is important, not to prevent). ISS supported by 
X-Force provides signatures sometimes a long time before the thread is even 
known. Do you want those guys to post those signatures to the mass in order to 
have Symatntec, Cisco or other Netscreen getting R&D free profits out of it? 
Not sure you'd do so.

Also, my question was about how to choose an IDS *AND* FW firewall. I know I am 
a bit out of the topic of this mailing-list but you can be good at IDS and 
maybe bad at firewalls which are much more complex through.

PS: and once again, ISS is in the gane for 10 long years. What about the 
competitors?

Thanks,

Stephane

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------