IDS mailing list archives

Re: ISS RealSecure/SiteProtector or another IDS/firewall client?


From: Andrew Plato <aplato () anitian com>
Date: 27 Nov 2003 02:52:49 -0000

In-Reply-To: <000001c3b370$55321340$1989a480@catswilliamsxp>


Has anyone had experience with ISS products, particularly their RealSecure
line?

We are planning for the upgrade (several years late) to Windows XP in our
computer labs, and need a client-based firewall/IDS that can be centrally
managed and has a decent logging system.  RealSecure looks like a good
choice for us, but I thought I'd ask if anyone's had experience or could
recommend an (or several) alternates?

Okay... I am more than a little biased on this issue, since I helped design/document BlackICE back in its Network ICE 
days. But BlackICE/RS Desktop is still head and shoulders above any other product on the market. It's got all the power 
of the big Network and Server Sensors packed into a thin and efficient client.  It also can automatically block nasty 
stuff like Blaster and Welchia. 

If you implement RS Desktop, make sure you get the Advanced Administration Guide. It's been diluted since it left my 
hands back in 2000. But it's the most important doc you can get for RS Desktop. It's still incomplete and missing a LOT 
of the good parameters. But it will teach you how to do the really cool stuff with RS Desktop. And anybody who says 
ISS is closed and won't let you do any custom sigs has never read the docs or used any of the advanced features. Peel 
back the GUI and BlackICE can do practically anything you want. Write your own sigs, tune existing sigs, have it watch 
files... you name it. Heck, you can even feed SNORT sigs to the desktop product (unsupported feature, however). 

I've tested a lot of the competitors and I still prefer RS Desktop.  The only thing that comes close is Cisco's Secure 
Agent. But it costs about 2X more and it has some scalability issues.  There are plenty of "personal firewalls" and if 
all you want is just blocking of ports, they will work fine. But none of them are full-blown intrusion detection 
systems mated to a firewall. 

Also, most of the Windows stability issues have been long since solved. 

As for SiteProtector, the central console, make sure you use the latest version (2.0 Service Pack 3). The previous 
versions were messy. But they've finally got some of the things fixed now (like not requiring IIS for Deployment 
Manager).  

Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security 
www.anitian.com 
