IDS mailing list archives

RE: How to choose an IDS/FW MSS provider


From: Melih Kırkgöz (Koç.net) <melihk () koc net>
Date: Wed, 16 Mar 2005 19:25:00 +0200

Hi,

Evaluation criteria for an IPS may generally be:

- Catching modified worm variants (not detecting only patterns, looking for the underlying vulnerability)
- False positive/negative ratio under heavy load
- Ability of stateful inspection
- Stability of the appliance over a long-term period
- Fail-safe solutions
- Simulation mode property (first deploying in an in-line simulation mode to see what it does with your true network traffic in real time; good for tuning an inline appliance without disrupting network availability)
- Some firewall capabilities (dynamic firewall blocking an intruder for some time without inspecting traffic coming from that intruder; helps improve performance)
- Different blocking options for different situations:
  - Drop Packet: for ICMP/UDP related events
  - Drop Connection: for TCP based events
  - Connection With Reset: for IM/P2P based "smart" applications

These are some general specifications that come first to my mind.


-----Original Message-----
From: Giner Albarracin, Virgilio [mailto:Virgilio.GinerAlbarracin () telekom de]
Sent: Friday, March 11, 2005 3:39 PM
To: Melih Kırkgöz (Koç.net)
Subject: AW: How to choose an IDS/FW MSS provider

Hi Melih,
I would appreciate it very much if you could provide me some information about your evaluation: Evaluation Criteria, Results, ...
I'm at the beginning of an IDS/IPS evaluation, and your experience could help me very much.

Thanks in advance,
Virgilio

-----Original Message-----
From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net]
Sent: Tuesday, March 8, 2005 08:22
To: Stephane; focus-ids () securityfocus com
Subject: RE: How to choose an IDS/FW MSS provider
Importance: High


Hello Stephane,

We have been using ISS for the last two years (50 Server
Sensors, 15 Network Sensors, 1 Proventia G 100 IPS), managed by
SiteProtector. We tested Netscreen, ISS, Radware, NAI Intrushield and
Checkpoint during our evaluation period for intrusion
detection/prevention systems. Strong level of expertise and good
technical support was one of the big reasons for choosing ISS.
 

-----Original Message-----
From: Stephane [mailto:stephane.d () ecologie net]
Sent: Monday, March 07, 2005 12:42 PM
To: focus-ids () securityfocus com
Subject: How to choose an IDS/FW MSS provider

Dear All,

How do I choose an IDS/IPS provider if I need a strong level of
expertise 24x7x365 and a worldwide representation? I need it on
Netscreen, PIX, CheckPoint and ISS Realsecure and Proventia.

Thank you,

S.
