RE: How to choose an IDS/FW MSS provider

From: Andrew Plato (andrew.plato_at_anitian.com)
Date: 03/11/05

  • Next message: Richard Bejtlich: "Re: How to choose an IDS/FW MSS provider" 
    Date: Fri, 11 Mar 2005 11:42:25 -0800
To: "Stephane" <stephane.d@ecologie.net>, <rick.brady@libertymutual.com>

    Honestly, how many people, except security geeks like us, really care what is inside the signatures? Sure, its fun to look inside them and see what they are keying on, but since ISS signatures are not purely "match this string" kind of stuff that Snort does, its not that simple. And more importantly, who the heck has time to do that? In the zillions of Proventias and server sensors I've deployed, I don't think anybody has ever once asked me "gosh, can we see the signature code." They were to busy running their systems to obsess over the code inside signatures.

    I think the "I can't see the signatures, I don't trust them" argument isn't a viable reason to turn down an IPS/IDS vendor. If it was, then it would put Cisco, Symantec, TippingPoint, and just about everybody else with a high-performance IPS off the map.

    ISS MSS from our experience as an ISS reseller has been positive. But, I am an ISS reseller so I have to say that. Another that comes to mind is Counterpane.

    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    ANITIAN ENTERPRISE SECURITY

    3800 SW Cedar Hills Blvd, Suite 280
    Beaverton, OR 97005
    503-644-5656 Office
    503-214-8069 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________

    GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
    GPG public key available at: http://www.anitian.com/corp/keys.htm
     

    -----Original Message-----
    From: Stephane [mailto:stephane.d@ecologie.net]
    Sent: Thursday, March 10, 2005 12:38 AM
    To: Brady, Rick
    Cc: "Melih Kirkgöz (Koç.net)"; focus-ids@securityfocus.com
    Subject: Re: How to choose an IDS/FW MSS provider

    Brady, Rick wrote:

    >Melih,
    >I guess you must be special to ISS, from my experience the support has been sub-par. Also do you like the idea that ISS IDS signatures are not known to the customer and only ISS ?
    >
    >Rick Brady
    >Liberty Mutual Group
    >I/S TSSS Engineering Network Access Control
    >mailto:rick.brady@libertymutual.com
    >(603) 245-4214 8-435-4214sdn
    >
    >

    Hi there,

    What are you talking about? The support? do you mean people behind support@iss.net or mss.support@iss.net ?

    What looks good with ISS, MSS Dept is that you have somehow the X-Force support http://xfoce.iss.net ; as far as I know and tell me if I am wrong, ISS is the only security provider having an R&D dept which is the X-Force team. My impression about Cisco IDS for example is that they just do follow the CERT to react (to react, this word is important, not to prevent). ISS supported by X-Force provides signatures sometimes a long time before the thread is even known. Do you want those guys to post those signatures to the mass in order to have Symatntec, Cisco or other Netscreen getting R&D free profits out of it? Not sure you'd do so.

    Also, my question was about how to choose an IDS *AND* FW firewall. I know I am a bit out of the topic of this mailing-list but you can be good at IDS and maybe bad at firewalls which are much more complex through.

    PS: and once again, ISS is in the gane for 10 long years. What about the competitors?

    Thanks,

    Stephane

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

  • Next message: Richard Bejtlich: "Re: How to choose an IDS/FW MSS provider"

    Relevant Pages

    • RE: IDS recommendations
      ... Ernon was the market leader in their business sector also. ... heard Enron was ISS' biggest customer so perhaps after Enron falls ISS will no ... We have replaced our Dragon sensors with Snort and our parent company is ... They are also the market leader in IDS ...
      (Focus-IDS)
    • RE: IDS ISS
      ... Have had several years experience with ISS. ... Sourcefire is doing some very interesting and innovative work with snort ... Subject: IDS ISS ... > Find out quickly and easily by testing it with real-world attacks from ...
      (Focus-IDS)
    • RE: How to choose an IDS/FW MSS provider
      ... but since ISS signatures are not purely "match this ... ISS MSS from our experience as an ISS reseller has been positive. ... >I guess you must be special to ISS, from my experience the support has been ... My impression about Cisco IDS for example is that they just do follow ...
      (Focus-IDS)
    • RE: IDS recommendations
      ... I love the ISS products. ... They are also the market leader in IDS ... If you like Linux you may also want to give Snort a whirl from ... to install and get running. ...
      (Focus-IDS)
    • RE: IDS recommendations
      ... Subject: IDS recommendations ... Snort is a relatively raw tool and that usually adds ... >> I can appreciate your comments on the ISS product. ...
      (Focus-IDS)
    Loading