Intrusion Detection Systems mailing list archives
Re: BlackICE IDS
From: mjr () nfr net (Marcus J. Ranum)
Date: Fri, 03 Dec 1999 13:31:42 -0500
<QUOTE>blackice runs at 148,000 packets per second, checks all 7 layers of the stack and rates each attack on a scale of 1 to 100 so that only attacks it considers serious are alerted on</QUOTE>
It's somewhat deceptive marketing, in my opinion - perhaps someone from Network Ice could clarify/contradict if I'm off base.

As I understand it, the product is a cross between a firewall "shim" at the bottom of the IP stack, and an intrusion detection system. Since it's operating in the bottom of an individual machine's IP stack, it doesn't need to deal with packets promiscuously; it's more like a firewall doing multilayer packet inspection with some attack detection thrown in. So, it's a host-based solution. Arguing that it can run at <some number> of packets/second is pointless since it's really based on the number of packets directed to the host in question.

"BlackICE is a sophisticated application that is designed to run on every PC in your extended enterprise"

It's definitely not a sniffer-type IDS, which means the packets/second count is irrelevant. Host based IDS are free to drop all the packets they like, since the loading and retransmission properties are very different from a sniffer-type IDS.

I'm sure it's a fine solution if you want to watch your Windows machines and only your Windows machines, and are willing to shim out the bottom of IP on every desktop and server.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
