Re: Sharing Information [Was: BlackICE IDS]

[rgula () network-defense com (Ron Gula)]

> In the spirit of testing and cooperation, it would be nice if the
> vendors would provide a complementary copy of their technology to their
> "competition."  That way, we could all shrug off the facade of guessing
> what each vendor product does and actually admire each product in
> action.  It would also be nice if we had some standardized traffic that
> we could use as test cases for different network conditions.  

I feel that what John suggest's is actually the role of the VAR or 
managed service provider. They know their customers much better than 
the IDS vendors do. Many VARs we deal with already have a lot of 
expertise in IDS and we give them Dragon demos as long as we have
agreements not to share the demo with other vendors and competition.

We work with many VARs already who have customer demo labs where
almost every IDS vendor (and many others that are not spoken about 
on this list) is present for customers to see side by side. 

It seems like the key to configuring tools like Dragon, NFR and the
future products from Hiverworld involve configuring the "sensors" with
an intimate knowledge of a target network. This is something much 
more than the 1-2 week burn in of an IDS in which one disables the
signatures that cause a false alarm. A VAR who has a relationship
with a customer will be better able to bring in more complex products
like we mentioned to do a host of things other than look for hackers
or the latest hack of the week. 

Ron Gula
Network Security Wizards