Re: ISS RealSecure/SiteProtector or another IDS/firewall client?
From: Andrew Plato (aplato_at_anitian.com)
Date: 11/27/03
- Previous message: Chan Kien Eng: "RE: ISS RealSecure/SiteProtector or another IDS/firewall client?"
- Maybe in reply to: Benjamin B. Williams: "ISS RealSecure/SiteProtector or another IDS/firewall client?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Nov 2003 02:52:49 -0000
To: focus-ids@securityfocus.com
In-Reply-To: <000001c3b370$55321340$1989a480@catswilliamsxp>
>Has anyone had experience with ISS products, particularly their RealSecure
>line?
>
>We are planning for the upgrade (several years late) to Windows XP in our
>computer labs, and need a client-based firewall/IDS that can be centrally
>managed and has a decent logging system. RealSecure looks like a good
>choice for us, but I thought I'd ask if anyone's had experience or could
>recommend an (or several) alternates?
Okay…I am more than a little biased on this issue, since I helped design/document BlackICE back in its Network ICE days. But BlackICE/RS Desktop is still head n' shoulders above any other product on the market. It's got all the power of the big Network and Server Sensors packed into a thin and efficient client. It also can automatically block nasty stuff like Blaster and Welchia.
If you implement RS Desktop, make sure you get the Advanced Administration Guide. It’s been diluted since it left my hands back in 2000. But it’s the most important doc you can get for RS Desktop. It’s still incomplete and missing a LOT of the good parameters. But, it will teach you how to do the really cool stuff with RS Desktop. And anybody who says ISS is closed and won't let you do any custom sigs has never read the docs and used any of the advanced features. Peel back the GUI and BlackICE can do practically anything you want. Write your own sigs, tune existing sigs, have it watch files…you name it. Heck, you can even feed SNORT sigs to the desktop product (unsupported feature, however).
I've tested a lot of the competitors and I still prefer RS Desktop. The only thing that comes close is Cisco's Secure Agent. But it costs about 2X more and it has some scalability issues. There are plenty of “personal firewalls” and if all you want is just blocking of ports, they will work fine. But none of them are fully-blown intrusion detection systems mated to a firewall.
Also, most of the Windows stability issues have been long since solved.
As for Site Protector, the central console, make sure you use the latest version (2.0 Service Pack 3). The previous versions were messy. But they've finally got some of the things fixed now (like not requiring IIS for deployment manager).
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
www.anitian.com