IDS
mailing list archives
NSS (was Re: Intrusion Prevention)
From: Randy Taylor <gnu () charm net>
Date: Mon, 30 Dec 2002 09:39:08 -0500
At 07:29 PM 12/25/2002 +0000, Rick Williams wrote:

>> [snip]... I will be beginning evals of IntruVert soon, with NetScreen IDP
>> to follow. For functionality ("speeds and feeds") criteria, I am relying
>> heavily on OSEC, because the Neohapsis crew knows their stuff and nothing
>> is hidden .... [snip]
>
> I like the NeoHapsis guys too, but the OSEC stuff is very like the ICSA
> certification for firewalls, etc - you get your checklist and your
> "PASS/FAIL" mark - "Just Another Certification Scheme"

I guess I saw a lot more detail and quality in the OSEC criteria than you did.
To each their own.

> Whilst the OSEC results are always interesting and should not be ignored,
> anyone serious about deploying Gigabit IDS or Intrusion Prevention should
> definitely be reading the latest NSS Group report
> (www.nss.co.uk/gigabitids). The methodology looks every bit as thorough as
> the OSEC stuff (they complement each other in several areas) but they also
> go to the trouble of providing many pages per product of detailed
> subjective technical evaluations - features and benefits, scalability,
> ease of use, completeness of alert handling, reporting, forensics, etc, etc
> OK, so you have to pay for the full report, but it's only $50 and if you
> can't get the budget for that then you are definitely NOT interested in
> deploying Gigabit IDS ;o)

Um, NSS got paid once to do their tests. I'm not ponying up additional
monies for the privilege of reading their results. And for subjective
issues, I'll ask the people that actually use the products in question,
not NSS. In addition, because I have adequate background in this field,
I'll also eval the subjective stuff myself and resolve things against my
own conclusions and the user feedback I get.

> I am hoping that both Netscreen and Sourcefire will be in the next edition
> and I have to say that Dragon was off our list of IDS for ANY speed of
> network some time ago due to its constant omission from these reports (you
> don't have to pay for the 100Mbit IDS reports, they are all on-line for
> free in full).

Enterasys or the Dragon crew can speak to why they
don't submit their stuff to NSS if they have a mind. Or not.
Or something. *shrug*

> My 0.02
> Rick

And mine as well.

Best regards,
Randy
-----
"I know what you're thinking, 'cause right now I'm thinking the same thing.
Actually, I've been thinking it ever since I got here: Why oh why didn't I
take the BLUE pill?"
-- Cypher - The Matrix --