I should have clarified.. yes I was talking about network IPS. I wasn't so interested in marketshare as that doesn't necessarily mean a quality product at least in the network IPS space. What I was really interested in is which product is known to be deployed on the largest number of machines and therefore seeing the largest breadth of traffic. Since by the admission of the someof the vendors on this list, it is notpossible to test in the lab, I take that to mean that my best bet is to go with a company who;s products are deployed in blocking mode in the widest variety of machines around. Take an example.. recently as a pilot we handed out free copies of Norton Internet Security and Norton Antivirus to a subset of our students and monitored their experiences. Not a single FP except for an issue with Yahoo cross-site scripting, which turned out was not really an FP. Both these products now have Network based Intrusion Prevention, and whats nice is that all signatures ship in b locking mode. Now it occurs to me that of all the NIPS products out there, NIS and NAV might be the ones that see the largest breadth of traffic. By last count I believe some analysts estimate the number of customers to be around the 100 million mark. Thats a 100 million unique users actively running NIPS signature in blocking mode. To me that pretty convincing that if just a large deployment of blocking signatures rarely causes FPs (there are 1 or 2 every now and then), then the enterprise version Symantec Client Security that has the same signature set must be good as well. Are there other examples of products from other vendors with this kind of a deployment ?
Where am I going with this...? My biggest concern for the deployment I am targeting is False Positives. I definitely want the signature to be in blocking-mode out of the box. I am seeing companies like ISS ship many signatures in non=blocking mode, which at least for me is useless. Whats the point having the customer try to figure out if a signature should be switched back to blocking on not. So a product like that definitely out of the running. Could do with some feedback from customers on here to help cut through the marketing and false claims. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
