Intrusion Detection Systems mailing list archives

Re: BlackICE IDS


From: rgula () network-defense com (Ron Gula)
Date: Sat, 04 Dec 1999 11:03:03 -0800



Hi all, 

It should be pointed out that Mr. Graham is an employee of 
Network Ice Corp. Obviously Marcus is from NFR and I am from
Security Wizards. Having said that, I agree with most of the
points he makes about BlackICE. 

And by agreeing, it is in no way a nod that says one IDS is
better than another. Most network security engineers test
several different products before selecting a solution. 
Sometimes they buy Dragon, sometimes they buy BlackICE. No
one ever gets fired for buying Cisco or ISS for that matter
either.

My largest concern is with BlackICE's marketing claims of 
protecting the CEO's laptop with a packet-based IDS. During 
my past experience conducting many penetration tests and
network security audits, targeting a CEO's computer usually 
revealed completely shared out hard drives and similar 
usernames and passwords. Adding an IDS to this situation 
did not help much. 

But if the CEO is security aware then by all means, load up 
BlackICE, Symantec's anti-virus products, Back Officer 
Friendly, NT Objectives Desktop Sentry, a proprietary network
shim so that the CEO can communicate with the company's VPN, 
the Tripwire version of NT, some Java and ActiveX "sandbox" 
style security programs possibly from Pelican Security, and
while all that is occurring, keep up with the latest service
patches and bug fixes for the laptop. If the CEO is not
security friendly, then I would first invest the time and
effort to educate the CEO. 

FYI, BlackICE was recently reviewed in NWC's IDS article and
they had a lot of good things to say about it, including its
performance and accurate network session reconstruction. The
URL for the BlackICE piece is at:

http://www.nwc.com/1023/1023f18.html

Ron Gula
Network Security Wizards


