Intrusion Detection Systems mailing list archives
Re: BlackICE IDS
From: robert_david_graham () yahoo com (Robert Graham)
Date: Sat, 4 Dec 1999 15:16:31 -0800 (PST)
--- Ron Gula <rgula () network-defense com> wrote:
> It should be pointed out that Mr. Graham is an employee of Network Ice Corp. Obviously Marcus is from NFR and I am from Security Wizards.
Yeah; I'm not a CEO though :-), just a lowly CTO. I still get to influence things, though.
> ...no way a nod that says one IDS is better than another.
Better? Network ICE, NFR, and Dragon are very _different_ programs and take very different approaches. Firewalling is a science, and you really only need one vendor, but IDS is an art, and each vendor does things very differently, and you could probably use the overlap. I admire both NFR and Dragon for the approaches they've taken.
> My largest concern is with BlackICE's marketing claims of protecting the CEO's laptop with a packet based IDS. During my past experience conducting many penetration tests and network security audits, targeting a CEO's computer usually revealed completely shared out hard drives and similar usernames and passwords.
Again, there are two variants. The host-based variant comes with a built-in personal firewall managed from the centralized console. One of the cool things is that the console can act as a hunter/killer: it can monitor your corporation looking for anybody who has file sharing enabled, then remotely install onto their machines. At this point, the firewall filters will prevent the outside world from getting at the CEO's hard-disk.
> If the CEO is not security friendly, then I would first invest the time and effort to educate the CEO.
That is why the console allows the network manager to easily manage/install the system. BlackICE can be installed invisibly so that the CEO isn't even aware that it is there. But when he/she takes the little Win98 notebook on the road and starts dialing up the web, he/she will still be 'behind the firewall'.
> FYI, BlackICE was recently reviewed in NWC's IDS article and they had a lot of good things to say about it, including its performance and accurate network session reconstruction. The URL for the BlackICE piece is at: http://www.nwc.com/1023/1023f18.html
This discussion was about performance numbers when doing sniffer-style intrusion detection. Please see the graph labeled "Network IDS Failure Points" that compares many products: http://www.nwc.com/1023/1023f19.html
Regards,
Rob.
=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming dates with 2-digits again."
