Folks,
First off, I work for ISS. While this certainly colors my perspective,
I hope that I can add some value.
The Sentriant Security Appliance is a nice idea for managing security in
an Extreme switch today. The detection is pretty limited, though. If
you need something to knock down worm propagation, it will do the trick
at very high speed. Extreme understands the limitations of the
technology and that's why they have partnered with ISS in taking it to
the next level by using ISS X-Force security info. Check out the press
announcements from Interop. While this was a proof of concept that was
demo'd, one might reasonably expect products around this in the
not-too-distant future.
As to the question on the difference in ISS and Juniper's protocol
anomaly detection, this seems to really miss the underlying security
differences. Protocol anomaly detection is a very small piece of
protection. While you should care if attackers are violating RFC's,
it's much more important to determine how well your security provider
detects higher level attacks. Does the solution detect fragmented RPC
attacks? At what minimum fragment size? The Juniper folks have some
difficulties here.
A great test tool to prove all of this is Metasploit. Fire up their WMF
exploit and see who catches it.
Bob Waldron at NSS is about to release the latest round (edition 4) of
his test results. If you can't do the testing yourself, contact him to
see if you can purchase an early copy of the results. He provides
objective criteria and gives detailed analysis.
Hope that this helps.
- Eric
-------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
