Intrusion Detection Systems mailing list archives
Re: Hybrid IDS
From: "Talisker" <Talisker () networkintrusion co uk>
Date: Sat, 9 Sep 2000 11:40:03 +0100
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

nmcbss

IMHO whilst ZoneAlarm is great for the domestic market, primarily because it is free, as an enterprise solution I would prefer something that feeds information to a central point.

My questions are:

Do you wish to roll out ZoneAlarm to your Internet banking customers? Or is it for use on your corporate desktops?

Costs - whilst ZoneAlarm is free for personal use, you have to pay to use it for business use, therefore are you better paying a little more and getting BlackIce defender?

If it is strictly for corporate use in order to get the centralized reporting and transparent installation BlackIce Agent may be a better option.

I use ZoneAlarm at home
But something else at work

Andy
http://www.networkintrusion.co.uk/ Listing all known commercial IDS

      '''
     (0 0)
 ----oOO----(_)----------
 | The geek shall       |
 | Inherit the earth    |
 -----------------oOO----
      |__|__|
       || ||
      ooO Ooo

The opinions contained within this transmission are entirely my own, and do not necessarily reflect those of my employer.

----- Original Message -----
From: "nmcbss" <nmcbss () btinternet com>
To: "Martins, Fernando (Lisbon)" <FMartins () pt imshealth com>; <ids () uow edu au>
Sent: Friday, September 08, 2000 8:01 PM
Subject: Re: IDS: Hybrid IDS

I am a current user of Zone Labs ZoneAlarm evaluating it for an individual PC protection plan to be run at a leading UK bank. Is free really good enough and what would you recommend instead?

----- Original Message -----
From: "Martins, Fernando (Lisbon)" <FMartins () pt imshealth com>
To: <ids () uow edu au>
Sent: Friday, September 08, 2000 5:04 PM
Subject: RE: IDS: Hybrid IDS

Hi2all

Copied and pasted from the provided link: "Zone Labs has revolutionized personal Internet security with ZoneAlarm, which is free for personal and non-profit use"

Also you can take a look at ... http://www.zonelabs.com/zafreedownload.htm

And also i believe this will take you to your free copy:
http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/downloading.html?DispCategory=Internet&DispSubcategory=Internet+Tools&DispTitle=ZoneAlarm&refresh_url=ftp%3A%2F%2Fzdftp%2Ezdnet%2Ecom%2Fpub%2Fprivate%2FsWlIB%2Finternet%2Finternet%5Ftools%2Fzonalarm%2Eexe&Fcode=0015P7&Category=internet&Subcategory=internet%5Ftools&b=zonealarm

What is not free is the new ZoneAlarm Pro, not the ZoneAlarm 2.1 which is still free for personal and non-profit use.

Kind Regards,
Fernando Martins

-----Original Message-----
From: mht () clark net [SMTP:mht () clark net]
Sent: Friday, September 08, 2000 4:39 PM
To: Martins, Fernando (Lisbon); ids () uow edu au
Subject: RE: IDS: Hybrid IDS

Actually ZoneLabs is no longer free.. Please see http://www.zonelabs.com/pressvpsales.htm

At 11:02 AM 9/8/00 +0200, Martins, Fernando (Lisbon) wrote:

Hi2all,

John, if 148k packets/second are not enough, try 300k ... this is a kind of test that i wonder why somebody must said at Defcon "hit me, i can handle it...", or something like it. Or Defcon is not what i think it is, or people motivation for tests are too low ... but i never been at Defcon so may be i'm wrong.

Mark, if you want to test your IDS without even have to go to Defcon, pick a big IRC network, create a # for your IDS support on-line, and tell to # operators to go to some nasty other #'s, and say 'hit me, i can handle it...", or something like it.

While i was trying to help Signal9 at Undernet in same kind of tests for their ConSeal Firewall, i had not ever the need for challenging nobody, since 'challengers' were always around, and i was there almost 24/7 for their amusement. And believe me ... one day, if 300k were not enough, somebody will use more than that and 'something' will crash ... just a guess, but with luck you can get an 'hybrid' crash eheheh (i luv English classes here!!).

I was betatesting BlackICE, but during the trial period i didn't have the time for real tests. Also, i wonder why it stops working before the trial period was over ... Without time and without the trial version i had stop what i probably not even started, at least for real. I have not the time as i use to, for this kind of things (like working for free while others getting the money), but i can give a try if Xmas arrive in September this year and i got a BlackICE copy for free =;o)

And Mark, about Zonelabs market place, yours will never be the same, since Zonelabs have other commercial politic for home users, it's free, remember?

Kind Regards,
Fernando Martins

-----Original Message-----
From: John S Flowers [SMTP:jflowers () hiverworld com]
Sent: Friday, September 08, 2000 12:29 AM
To: mark.teicher () networkice com
Cc: FOCUS-IDS () securityfocus com; ids () uow edu au
Subject: Re: IDS: Hybrid IDS

Mark,

I've had a message into Robert Graham and cc'd other persons for the last 2 weeks or so. I've sent numerous messages commenting on the challenge and even replied to the document entitled "jolt2" that was sent by Robert to myself and others.

In reference to the document - http://www.robertgraham.com/op-ed/jolt2 -- On August 24th I said, "I like what you've written (jolt2) and think you should publish it."

I believe that the claims made by Robert Graham are so outrageous that there's no real need to even validate them (see the link above, if it's even active). I'm sure that everyone will see this to be the case if this document actually makes it to the public.

Otherwise, I'm more than happy to actually run a real test against your IDS and see if it can sustain 148,800 packets per second and provide alerting/counting on the attack.

This was the original claim made by Robert to the crowd at Defcon and to the IDS list a while ago (i.e. not the single packet against an invalid IP address that is mentioned in this document). This is the claim that I believe Robert should stick to, not the "jolt2 test" in the document at the link above.

I've not yet received a copy of BlackICE for the purpose of this real world test and I haven't heard from Robert since Aug 24th (2 weeks ago).

For the record -- I've been seriously busy, but I HAVE kept in touch with Network ICE and Robert Graham since this claim was made. So the accusation that "no one has heard from Hiverworld since" is completely misleading.

"Teicher, Mark" wrote:

At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:

One place where the personal firewall / IDS hybrids present an interesting challenge to clarity is in performance marketing. Since they're operating at a packet level (sort of) an unscrupulous vendor (hi! you know who you are!) could claim their performance figures in terms of packets processed/second. So the vendor could say "in recent tests, our network IDS handled 10,000,000,000 packets/second!!" without mentioning clearly that this was accomplished using a single host on a switch, but the host was only looking for attacks directed at itself... Such claims have already been made - clearly deceptive, but there you have it.

Whoa, wait a minute here, Network ICE accepted the challenge from Hiverworld at DefCon, and Network ICE was ready, No one has heard from HiverWorld since.

Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining the market space or in other words segmenting a very infant market space. So every vendor is attempting fit into as many market spaces as it can, in order to get the largest customer base.

Is there a clear cut definition out there somewhere?

You're asking if marketing respects technical language? <giggle> I wish... :(

We went through the same kind of nonsense early on in the firewall days - proxy firewalls, stateful turbo multi-whomping packet examination, etc, etc. Eventually terms settle down when the marketing folks find a set of features they can tout that don't cause people to break out in belly laughter whenever they use it.

I tend to agree with MJR on this space, the marketing type firms out there don't really understand the space or the techie geekie stuff that some of us utter to them. They tend to grab onto the first one or two blurbs of techie talk and that what they stick with. You try to explain them the difference between packet grepping and protocol decode, they get all glossy eyed and almost fall over from boredom. The marketing type people layman explanations that some of us can never get across to them without bursting out laughing.. :)

/mark

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work: http://www.nfr.net
Personal: http://www.ranum.com

--
John S Flowers <jflowers () hiverworld com>
Chief Scientist
http://www.hiverworld.com
510.848.0740 x 724 [Office]
510.841.2447 [Fax]

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.189 / Virus Database: 90 - Release Date: 01/09/00
