Intrusion Detection Systems mailing list archives

RE: IDS Comparison


From: andyb () lexmark com (andyb () lexmark com)
Date: Tue, 7 Mar 2000 03:43:54 -0500



If I may, I'd like to introduce a couple other topics (fuel?) on this thread...

What about the issue of covering VLANs with an IDS?  Or just fully switched
networks?  I'd greatly appreciate expert opinion on these topics....

regards,
Andy
------------------------------
J. Andrew Brinkhorst
Global Information & Technology Security
Lexmark International, Inc.

Lexmark International, Inc. is a global developer, manufacturer and supplier of
printing solutions and products, including laser, inkjet and dot matrix printers
and associated consumable supplies for the office and home markets.  The company
is a wholly owned subsidiary of Lexmark International Group, Inc. (NYSE: LXK -
news). Lexmark is on the Internet at www.lexmark.com or
http://press.lexmark.com.

broyds%Home.com () interlock lexmark com on 03/06/2000 02:19:38 PM

To:   rgula%network-defense.com () interlock lexmark com,
      jflowers%hiverworld.com () interlock lexmark com
cc:   ids%uow.edu.au () interlock lexmark com (bcc: Andy Brinkhorst/Lex/Lexmark)
Subject:  RE: IDS: IDS Comparison

As someone who is evaluating IDS (and trying to persuade management that an IDS
is not a magic bullet), this debate is wonderful. There have been more points to
consider than I have had in months reading articles and reviews.
  The real problem in IDS is fitting it into one's network/system architecture.
No IDS can monitor an OC3 at full speed and properly assess traffic. There has
to be a sound network design to allow your sensors to be at appropriate points.
There has to be rule sets and signatures that reflect the corporate security
policy and needs. There has to be intelligent administrators to analyse the
results, whether in pretty reports or flat logs. I am leaning towards NFR and
Dragon because they are more flexible, but I get pressure to install RealSecure
because of "what happens if you leave?" questions.
   IDS is similar to firewalls in that it is not what they do that counts in
selling as much as whose ass gets covered. Since FW-1 is the best-selling firewall,
using it is "best practice", so one doesn't really have to analyse corporate
needs. Similarly RealSecure falls into the same spot, "If I use it, then no one will
blame me if we got hacked". That is not security but it is reality and until
someone gets sued for negligence for not having a defragging IDS, it will still
be reality.

-----Original Message-----
From: owner-ids () uow edu au [mailto:owner-ids () uow edu au]On Behalf Of Ron
Gula
Sent: Sunday, March 05, 2000 20:33
To: John S Flowers
Cc: ids () uow edu au
Subject: Re: IDS: IDS Comparison

<snip>

All in all, I hope that any lurkers on this list who have questions won't
be intimidated that the respective CTOs and Chief Scientists from a
variety of strong network security companies are sparring it out here. If
you have questions, let them fly. I'd also like to give a shout out to all
of those new companies that will be releasing an IDS some time in 2000 or
2001. There is always more than one way to skin a cat.

Ron Gula, CTO
Network Security Wizards
http://www.securitywizards.com
