RE: eEye Blink and other Endpoint IPS solutions.

From: Palmer, Paul (ISSAtlanta) (PPalmer_at_iss.net)
Date: 07/01/05
Sent: Thu, 30 Jun 2005 18:25:03 -0400
To: <mashraf@hushmail.com>, <focus-ids@securityfocus.com>

  • Next message: X-Force: "ISS Protection Brief: Microsoft ICM Image Compromise"


    Mina writes:

    "On the plus side it makes evaluating the options much easier when
    there seem to be only Cisco and eEye in the marketplace :)"

    ISS also provides HIPS products. I work for ISS, so I have a high
    opinion of our products.

    If I recall correctly, McAfee also sells a HIPS product.

    -----Original Message-----
    From: mashraf@hushmail.com [mailto:mashraf@hushmail.com]
    Sent: Thursday, June 30, 2005 7:27 AM
    To: focus-ids@securityfocus.com
    Subject: RE: eEye Blink and other Endpoint IPS solutions.

    Hi,

    Just wanted to say thanks for all your replies, here and emailed!
    There were some valuable comments and suggestions especially
    considering I gave so little information in my original questions.
    I've been working with IDS for a few years now and it has been
    problematic and ultimately judged unsuccessful by any currently
    meaningful criteria. Business requirements have changed so much in
    the last 3 or 4 years that what was once intended as a perimeter
    monitoring tool has ended up being judged on its ability to detect
    internal intrusions. This meant deploying unmanageable numbers of
    Snort sensors, being completely overwhelmed by the false alerts and
    spending countless hours fine-tuning signatures on a server-by-server
    basis. I know many of you must have had similar problems.

    I'd love to have a NIP appliance that could protect the entire
    server subnet but with 50 or more MS servers each connected by dual
    gigabit ethernet to switches with a notional backplane throughput
    of 64Gbs I think I may be being a bit optimistic! I've yet to find
    a NIPS that even claims to be able to exceed 5Gbs so I think that
    my only real option is something host based and maybe a couple of
    perimeter NIP devices for DDoS protection if I decide the risk
    warrants the cost.
    I can't imagine that our requirements are so very different from
    other much larger organisations so it is strange that so many IPS
    companies seem hung up on perimeter defence while the rest of the
    security industry has changed.

    On the plus side it makes evaluating the options much easier when
    there seem to be only Cisco and eEye in the marketplace :)

    Thanks,
    Mina

    ------------------------------------------------------------------------

    --
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------