Intrusion Detection Systems mailing list archives
Re: BlackICE IDS
From: justin.lister () csfb com (Lister, Justin)
Date: Mon, 6 Dec 1999 15:55:42 +0800
Sender: jflowers () feynman hiverworld com
Message-ID: <38485F2A.68E137B9 () hiverworld com>
Date: Fri, 03 Dec 1999 16:24:10 -0800
From: John S Flowers <jflowers () hiverworld com>
Organization: Hiverworld, Inc.
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "'ids () uow edu au'" <ids () uow edu au>
Subject: Re: IDS: BlackICE IDS
References: <F143B4C87388D31181F3009027A88A1D15D5D9 () gblon1c5ex1 wcom co uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

First of all -- I haven't properly introduced myself to the list. My name is John S Flowers and I'm the founder and CTO (head geek) for a small security company called Hiverworld. We're located in Berkeley, CA and we're the producers of a couple of pretty cool technologies that perform real-time network security assurance and risk management [imagine a version of ISS or CyberCop on steroids -- with 10x the number of vulnerabilities and customizable options]. We've been primarily privately held, with only a few Fortune 500 clients funding our efforts, but we're beginning to take our technology public. You can even search our vulnerability database on our website [we have more than 1,000 public vulnerabilities listed].

Anyway, enough about me. On to the post.

Am I reading this quote [below] correctly? 148,000 packets per second. That can't be right. We're talking about a Windows NT product that requires the underlying hardware and software to be available enough (processing-wise) for the IDS to perform properly. Most IDSs, even dedicated to the task of performing IDS, with a lot of power and RAM, still can't perform this many operations. I mean, if the NFR IDA can't do 140k packets a second, how do you expect some Windows system to perform?

Oh, yeah. You wanted advice. "Unless you have 1,000 senior technical geeks to manage the software, buy a Network IDS." ;)

P.S. Hey Ranum, speaking of cooking results. Damn. This *must* be a misprint of the Network ICE claim of performance.

--
John S Flowers <jflowers () hiverworld com>
Chief Technology Officer
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment

"Riley, Steven" wrote:

Have any of you guys come across BlackICE or NetworkICE. Has anyone evaluated it? What do you think of it? This is what one of my colleagues has told me:

<QUOTE>blackice runs at 148,000 packets per second, checks all 7 layers of the stack and rates each attack on a scale of 1 to 100 so that only attacks it considers serious are alerted on</QUOTE>

What questions would you ask? Could anyone validate or invalidate these claims? Any advice would be greatly appreciated...

Steve.
