Intrusion Detection Systems mailing list archives
Re: BlackICE IDS
From: jflowers () hiverworld com (John S Flowers)
Date: Fri, 03 Dec 1999 22:20:44 -0800
[This is a resend (from before 4PM PDT today). The first message was rejected. My apologies if you receive two copies of this message.]

First of all -- I haven't properly introduced myself to the list. My name is John S Flowers and I'm the founder and CTO (head geek) for a small security company called Hiverworld. We're located in Berkeley, CA and we're the producers of a couple of pretty cool technologies that perform real-time network security assurance and risk management [imagine a version of ISS or CyberCop on steroids -- with 10x the number of vulnerabilities and customizable options].

We've been primarily privately held, with only a few Fortune 500 clients funding our efforts, but we're beginning to take our technology public. You can even search our vulnerability database on our website [we have more than 1,000 public vulnerabilities listed].

Anyway, enough about me. On to the post.

Am I reading this quote [below] correctly? 148,000 packets per second. That can't be right. We're talking about a Windows NT product that requires the underlying hardware and software to be available enough (processing-wise) for the IDS to perform properly.

Most IDSs, even dedicated to the task of performing IDS, with a lot of power and RAM, still can't perform this many operations. I mean, if the NFR IDA can't do 140k packets a second, how do you expect some Windows system to perform?

Oh, yeah. You wanted advice. "Unless you have 1,000 senior technical security people on your staff to manage the software, buy a Network IDS." ;)

P.S. Hey Ranum, speaking of cooking results. Damn. This *must* be a misprint of the Network ICE claim of performance.

--
John S Flowers <jflowers () hiverworld com>
Chief Technology Officer
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment

"Riley, Steven" wrote:
---------------------------------------------------------------------------

Have any of you guys come across BlackICE or NetworkICE? Has anyone evaluated it? What do you think of it?

This is what one of my colleagues has told me:

<QUOTE>blackice runs at 148,000 packets per second, checks all 7 layers of the stack and rates each attack on a scale of 1 to 100 so that only attacks it considers serious are alerted on</QUOTE>

What questions would you ask? Could anyone validate or invalidate these claims?

Any advice would be greatly appreciated...

Steve.

===================================================
This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, copying or use of this communication or the information in it is strictly prohibited. If you have received this communication in error, please notify the sender immediately and then destroy any copies of it.

--
MCI WorldCom Year 2000 information http://www.wcom.co.uk/2000
