Intrusion Detection Systems mailing list archives

Re: kernel implementations


From: John S Flowers <jflowers () hiverworld com>
Date: Sun, 23 Jul 2000 03:40:33 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Dug,

The total irony is that a) I agree with you and b) your link (below)
points to an original message between yourself and Ryan M Ferris, who is
the QA person at Hiverworld.  Hopefully, we'll start to use some of the
testing methodologies that you've outlined below and in the original
discussion archived at securepoint.

I'd further like to point out that Ryan wasn't our QA person when the
Oct 1999 discussions first happened.  We hired him to help us do a
decent job of honestly providing QA on our products -- something that I
believe most vendors are not willing to do.

Finally, I hope everyone who's reading this message realizes that I'm
not trying to stand up and pimp our products, but that I'm genuinely
interested in making sure I talk about the benefits and pitfalls of IDS
technology.  I'm not trying to pull any punches when it comes to the
things we're succeeding at or the things that are giving us trouble.
So, while you may not ultimately purchase our products, I hope that
you'll at least think about some of the comments that have been made in
this forum and ask tougher questions of your vendors.

I'm looking forward to working with smarter, better informed
customers as we start to grow and push out our next set of products.  I
think there's still a lot of mysticism around the IDS space and the
vendors aren't helping by tossing out a bunch of FUD and marketing hype.

Dug Song wrote:

On Sat, 22 Jul 2000 mht () CLARK NET wrote:

The true test lies within how fast a particular IDS can go, the least
amount of false positives reported, and interoperability with other
security devices that may be present in a particular organization.

oh, but vendors will simply claim that they're "the fastest, most
accurate, and most widely interoperable" in the absence of any hard and
fast criteria. just look to the firewall market for precedent.

without well-defined quality metrics, who's to say for certain how any two
IDSs compare? what you measure, and how you measure it, are of the utmost
importance when evaluating a system - but we haven't even begun to develop
test methodologies that are generally useful.

but we've been over all this before.

        http://msgs.SecurePoint.com/cgi-bin/get/ids-9910/9/1/1/1/2.html

just spinning my wheels,

-d.

---
http://www.monkey.org/~dugsong/

-- 
John S Flowers                   <jflowers () hiverworld com>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management

