On Thu, 17 Feb 2005 02:29:43 -0700, Shawn <[EMAIL PROTECTED]> wrote:
> I did a quick review of SecureIIS
> (http://www.eeye.com/html/products/secureiis/), and it looks like it might do
> most of what I'm after.  I'm assuming you've used this?  Or is this a case of
> you only being aware of the tool?  Either way is good, but if you've used
> it, I'd be interested to hear your opinion regarding effectiveness and
> performance.  Also, are there any tricks to installation?  Does it need to
> be installed before the application server?  Can it be easily installed
> afterwards?  Do you have a ballpark figure on the cost for this? (I'll
> contact a sales rep after I have a little more data from the field...
> <grins>)

I have recommended it for several clients in the past but have never
installed it personally. During penetration tests it did an excellent
job preventing some attacks that I didn't expect to see any resistance
against. You can be sure that you can use it to adequately filter
against IIS-specific attacks and things like SQL injection attacks. As
for performance, at least two of the clients I've had that use this
are high-traffic sites and they haven't had any problems. Considering
it is just filtering HTTP requests you should expect it to be
optimized for that task. The one problem might be the cost, which I
believe is around $1000 USD. Depending on how heavily used your
client's web system is and how seriously they take security (or how
well you pitch the potential threats), you hopefully won't have a hard
time selling them on the idea.

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying