Network Security Focus-IDS

RE: Intrushield User Experiences Warts 'n' All

Subject: RE: Intrushield User Experiences Warts 'n' All
Date: Wed, 27 Apr 2005 09:46:39 -0700

How easy is it to tune?  IntruShield is very easy to tune.  There are
several approaches to take, either by creating alert filters to filter out
by SRC/DST IP, or if you're in-line, by in-bound, out-bound direction.  You
can also leverage their virtualization and create policies specifically for
VLANs or CIDR blocks (I believe up to 1000 virtual policies on their highest
end model I-4000).

What are the false positive rates like?   Very low.  I've seen situations
where other products (no vendor bashing) generated as much as 800,000 false
positives a day in one particular environment, and with IntruShield, around
100,000.  Still a lot but a big improvement.

Can you write custom signatures?  Yes, IntruShield supports "User Defined
Signatures".  You can push signatures in real-time without any disruption in
service/sessions.

How easy is it to update, both signatures and appliance patches?  Simple.
Just a couple of clicks.  They can also be scheduled.

How frequently do you receive signature updates?  If no major outbreaks
occur (med-high), then 1 or 2 weeks.

Does it provide sufficient information for an analyst to resolve an event?
Yes, their forensics analysis is fantastic.  Captures the entire flow of
packets if you want.

Does it do packet capture:

        a. per event?  Yes

        b. rolling?  Yes

        c. how easy is it to recover said packets?  Point-and-click.  Uses
Ethereal to display packets.

What is the support like?  Pretty good actually, compared to our former IDS
product support.

Value Added?

Good points?  Easy to manage, accurate, real-time alerts, large signature
base, virtualization, ACL list, SSL decryption and inspection of encrypted
traffic, in-bound/out-bound policy definitions, etc.

Bad Points?  Management interface - heavy on Java, but not necessarily a bad
thing, just be aware.

Those more important points that I can't remember right now?

I realise I can get much of the above from the website, but I would like to
hear it from the horse's mouth, from practitioners in the field.


Ed Gibbs
760-687-6768
