
Re: [FW-1] Best IDS??



Good review,

"Version 6.0 of RealSecure addresses most of the issues that we found
ourselves struggling with in version 5.5. We were able to evaluate 6.0
only in the lab and thus couldn't seriously bang on it."

I would agree that 6.0 fixes a lot of problems they had before, but I
think it should be said that 6.0 is a radical change from the way the
old product worked. In 5.5, you had to have at least one MASTER CONSOLE
running to log events from sensors. This was not a service, but a GUI
APP. If it crashed, your sensors would spool up events until they ran
out of space. Then you get the "buffer full" messages (how did they have
space to queue those if the buffer was full??? heh)

RealSecure 6.0 has the job of collecting logs separated into a
separate task, the "collector service". There can be several collectors, so
it's more scalable. The GUI is not much different, and I think it's
mostly good for a "what's up right NOW" use. Because the logs are in a
SQL database, it is easy to script more complicated analysis of logs
such as correlating firewall logs, IDS logs, and system logs together or
whatever else you need to do.

Other comments:
1) "RealSecure can only log packets for Telnet, ftp etc." (sic)
This is not the case in RS6.0; however, logging RAW packets to a SQL
database was a painful experience for me.
I recommend using RealSecure to trigger NAI Sniffer to do the packet
captures, and their decode is the best I have seen anyway.

2) "RealSecure peformance is questionable for enterprise use..." (sic)
The RS5.x sensors were CPU and memory hogs. In RS6.0, I have noticed
vast improvement in the network sensor area over previous releases.
Would be nice to stress test the new version for some real numbers.

3) "No ability to build custom/user-defined events..." (sic)
In RS6.0, you can actually build custom events using one of the "known"
protocols and with regular expressions, however you can't just write an
event that has access to all aspects of the packet received. RealSecure
is ignorant of the need to be able to filter certain protocols like 50,
47 etc...

RealSecure is expensive, especially with a lot of nodes.
If money is the object, and you have good engineers/skills then you can
buy a LOT of linux boxes running snort for the same money and get pretty
good results.

Would be nice to play with Dragon some; alas, I have no employer's will to
purchase the product.


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On
> Behalf Of Wang, Arnold
> Sent: Monday, December 03, 2001 2:05 PM
> To: [email protected]
> Subject: [FW-1] Best IDS??
>
>
> I hope this article will help you.
> http://www.nwc.com/1217/1217f2.html
>
> Date:    Fri, 30 Nov 2001 09:56:26 -0500
> From:    Charles Piombi <[email protected]>
> Subject: Re: Best IDS??
>
> The best IDS would be Cisco's IDS blades for their 6500 series switch.
> They are non-intrusive and can handle 30 Gig's on the back plane, much
> higher than any other IDS system, and you can set it up via VLANs for
> internal and external traffic.
>
>  That's my two cents!
>
> Thanks Charles Piombi
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On
> Behalf Of Enno
> Rey
> Sent: Thursday, November 29, 2001 1:51 PM
> To: [email protected]
> Subject: Re: [FW-1] Best IDS??
>
> Hi,
>
> don't take RealSecure. They (still) have bandwidth issues, you can't
> write your own signatures [which is rather critical for an IDS] and
> you can't do any forensics [there's no recording of the raw packets for
> retrospective investigation], which may be even more critical for an IDS.
>
> But I'm sure your sales guy will tell you 'the next version will
> definitely include all this'... this is what they do since many versions...
>
> Take snort or Dragon.
>
>
> just my 0.02
>
> Enno Rey
>
> [email protected] --- www.security-academy.de
> PGP 585F B0B9 F429 35EF 73A4  BC33 8F4B A629 C181 2EF1
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Tim
> Anderson
> Sent: Thursday, 29 November 2001 18:16
> To: [email protected]
> Subject: [FW-1] Best IDS??
>
>
> We have budget to purchase an IDS and would like to get suggestions from
> you fine folks.  We are looking at SNORT since it is free (except for the
> equipment costs) and ISS Real Secure.  We are open to other suggestions
> as well.  Also where do you guys have your sensors?  We were thinking that
> having one on the DMZ is probably enough but we want some input from
> others before we decide.  Thanks!
>
> Tim Anderson
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

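The reply above says the main benefit of RealSecure 6.0 keeping its events in a SQL database is that you can script correlation of IDS, firewall and system logs yourself. The following is an added illustration of that idea, not code from the thread or from ISS: it loads constructed IDS-event and firewall-log tables (table names, column names, signature names and addresses are all assumptions) into an in-memory SQLite database and joins each alert to the firewall record for the same source/destination pair within the preceding five seconds, so an analyst can separate alerts the firewall actually let through from ones it dropped.

```python
import sqlite3

# Constructed sample rows, not taken from the mailing list or any product.
# Columns: timestamp, source IP, destination IP, signature name.
IDS_EVENTS = [
    ("2001-12-03 14:05:10", "10.1.1.50", "192.168.2.10", "HTTP_IIS_Unicode"),
    ("2001-12-03 14:06:30", "10.1.1.50", "192.168.2.10", "HTTP_IIS_Unicode"),
    ("2001-12-03 14:20:00", "10.1.1.77", "192.168.2.25", "Telnet_Login_Fail"),
    ("2001-12-03 14:30:00", "10.1.1.90", "192.168.2.40", "ICMP_Sweep"),  # no FW record
]
# Columns: timestamp, source IP, destination IP, destination port, firewall action.
FW_LOGS = [
    ("2001-12-03 14:05:09", "10.1.1.50", "192.168.2.10", 80, "accept"),
    ("2001-12-03 14:06:29", "10.1.1.50", "192.168.2.10", 80, "accept"),
    ("2001-12-03 14:19:58", "10.1.1.77", "192.168.2.25", 23, "drop"),
    ("2001-12-03 13:00:00", "10.1.1.90", "192.168.2.40", 443, "accept"),  # outside window
]

# Join each IDS alert to a firewall record with the same src/dst that was
# logged at most 5 seconds before the alert (timestamps are ISO text, so
# SQLite's datetime() modifier and string comparison both work).
CORRELATE_SQL = """
SELECT i.ts, i.src, i.dst, i.signature, f.dport, f.action
FROM ids_events AS i
JOIN fw_logs AS f
  ON f.src = i.src AND f.dst = i.dst
 AND f.ts BETWEEN datetime(i.ts, '-5 seconds') AND i.ts
ORDER BY i.ts
"""

def load_db():
    """Build the two assumed log tables in memory and fill them with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ids_events (ts TEXT, src TEXT, dst TEXT, signature TEXT)")
    con.execute("CREATE TABLE fw_logs (ts TEXT, src TEXT, dst TEXT, dport INTEGER, action TEXT)")
    con.executemany("INSERT INTO ids_events VALUES (?,?,?,?)", IDS_EVENTS)
    con.executemany("INSERT INTO fw_logs VALUES (?,?,?,?,?)", FW_LOGS)
    return con

def correlate(con):
    """Return (ids_ts, src, dst, signature, dport, action) for every alert with a matching FW record."""
    return con.execute(CORRELATE_SQL).fetchall()

def accepted_alerts(con):
    """Alerts whose connection the firewall accepted: these reached the target, so triage them first."""
    return [row for row in correlate(con) if row[5] == "accept"]

if __name__ == "__main__":
    for row in correlate(load_db()):
        print(row)
```

Alerts with no firewall record inside the window (the ICMP sweep above) are dropped from the join on purpose; an outer join would keep them if you want to see unmatched sensor traffic as well.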