IDS: RE: Intruvert 4000.

["Bob Walder" <bwalder () spamcop net>]

Great to hear about real-world deployments of these devices - take a
look at our new IPS report (www.nss.co.uk/ips) for our take on the
I-4000 and other in-line IPS devices.

Regards,

Bob Walder
Director
The NSS Group

------------------------------------------------------------------------
----------
This message is intended for the addressee only and may contain
information that may be of a privileged or confidential nature. If you
have received this message in error, please notify the sender and
destroy the message immediately. Unauthorised use or reproduction of
this message is strictly prohibited.



> > -----Original Message-----
> > From: Steve Paine [mailto:steve () hiblue com] 
> > Sent: 27 January 2004 10:17
> > To: focus-ids () securityfocus com
> > Subject: Intruvert 4000.
> >
> >
> > By way of an introduction, and using the 'give before you 
> > get' principle, i 
> > thought i'd drop a few lines about our recent purchase of 
> > the Intruvert 4000 
> > from Network associates.
> >
> > We chose the intruvert 4000 over a number of other devices 
> > due to its ability 
> > to handle assymetric traffic in a load-balancing scanario. 
> > We have 2 x 1GB 
> > connections going through this device.
> >
> > We've had it for three weeks now and have been, lets say, 'playing.'
> >
> > Things i like: 
> > Ease of setup. The device must be operated via a seperate 
> > management machine 
> > and after this has been installed, the device can be put 
> > into action as an 
> > IDS device very quickly with the standard profiles.
> > As an active device, things are obviously more tricky. DDOS 
> > protection and 
> > learning profiles caused us some problems for a while as it was very 
> > difficult to see what the device had learnt and what it was 
> > blocking. As we 
> > go furher with testing, this part of the device is becoming 
> > clearer. We havent done any throughput or delay tests and I 
> > guess, we won't do much in 
> > this area. Our traffic loads aren't that high that we need 
> > to worry about 
> > device overloading at this stage.
> >
> > Thing i dont like:
> > The management interface is s-l-o-w. Despite having a P4 2.4 
> > running with 1GB 
> > memory, the java-based management application is too fat for 
> > its job. It  
> > needs a lot of optimisation. Mouse clicks are taking three 
> > seconds to respond 
> > which is a real pain when you have to go through 4 mouse 
> > clicks to get where 
> > you want to go. 
> >
> > Things I want to know more about:
> > Writing signatures and sharing signatures. I will also need 
> > to find out if I 
> > can use some standard format for localy written signatures.  (Snort 
> > standard?)
> >
> > Anyway, things are looking good right now. We deploy in a 
> > coupe of months so I 
> > guess i'll have a few more things to say before then.
> >
> > If anyone else is using Intruvert at all, let me know. 
> >
> > Regards
> >
> > Steve
> >
> >
> > -------------------------------------------------------------
> > --------------
> > -------------------------------------------------------------
> > --------------


---------------------------------------------------------------------------
---------------------------------------------------------------------------