TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Having never worked with RealSecure, I was curious why I had seen messages
to this list talking about multi-NIC monitoring, but received differing
information from ISS (both sales and technical support). For the client I'm
working with, cost is an issue if host-based IDS or some other
network-based solution can meet the defined security needs. What I think
happened is that the pricing structure changes from the amount of hosts
monitored to a per-engine model.
I do understand what functions an IDS performs and its application in an
overall security infrastructure but always hope to learn more.
Regards,
Gavin Adams, Ernst & Young Bermuda
W: +1 (441) 295-7000 x445
C: +1 (441) 799-1024
and now for a message from our sponsor...
[EMAIL PROTECTED] on 22/02/2000 23:10:59
To: Gavin Adams/CONSUL/ErnstYoung/BM
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: FW: Pricing Real Secure was Re: FW: RealSecure Engine with 3
NICs -reply
I think the issue is not cost but understanding what an Intrusion
Detection System is and how it can enhance the overall security posture of
an organization.
I think more homework on your part is needed before suggesting that cost
is an issue.
/m
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/22/00 09:53 AM
To: [EMAIL PROTECTED]
cc: Michael Wilson <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>
Subject: Re: FW: Real Secure Engine with 3 NICs -reply
I was more concerned with the product cost. ISS quoted $9,000 for the
RealSecure license, per engine. IDS software alone would run $27K. Just
doing a cost-benefit analysis and the various products and understanding
the monitoring/security implications.
Thanks for all who have responded.
Regards,
Gavin Adams, Ernst & Young Bermuda
W: +1 (441) 295-7000 x445
C: +1 (441) 799-1024
and now for a message from our sponsor...
"HerbalGypsy/justbobthebard" <[EMAIL PROTECTED]> on 21/02/2000
23:02:52
Please respond to [EMAIL PROTECTED]
To: Michael Wilson <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> (bcc: Gavin
Adams/CONSUL/ErnstYoung/BM)
Subject: Re: FW: Real Secure Engine with 3 NICs -reply
just my two cents, but I believe Mike is exactly correct.
The cost of another engine, reasonably performing box, is relatively
inexpensive if you are seriously trying to protect something you or
your company values.
Have you seen what antisniff does to IDS boxes?
If you do, you will opt for more than one...
bob
Michael Wilson wrote:
>
> I think the point (Mark's?) was not that setting up the probes in a
> stealth configuration (dual-NIC, one set up solely as a listener, one for
> talking) is less than ideal; I think his point was that having _3_ NICs,
> with two stealthed, is less than ideal. This way, one probe is trying to
> (presumably) monitor multiple network segments. If an attack comes in
> that floods both network segments, then the probe will probably be swamped
> and start to lose packets. I'd consider this less than ideal. Better
> would be to have multiple probes. It's worth the expense, especially if
> the probe is monitoring network segments that can both be hit by the same
> flood. (E.g., monitoring outside the firewall as well as a public DMZ,
> when a flood of a public web server on the public DMZ allows the probe to
> see traffic from the same attack twice - twice the processing involved.)
>
> -Mike Wilson
> -Sr. Network Computing Pure Scientist
> -UNIFIED Technologies
> -Troy, NY
>
> On Wed, 16 Feb 2000, Lunsford, Scott wrote:
>
> >
> > Actually, this is an ideal IDS architecture. We use this configuration to
> > monitor our external ethernet segments (external being outside the
> > firewall). We have 2 nics in the RealSecure box. One nic is connected to
> > the external network strictly listening (stealth mode), the other nic is
> > connected to our internal network and is used to communicate with the
> > console. We find this to be ideal.
> >
> > Scott Lunsford
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, February 17, 2000 7:34 AM
> > > To: Benjamin Mah
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: Real Secure Engine with 3 NICs -reply
> > >
> > >
> > >
> > > It works, but it is not an ideal IDS architecture. Is there a reason why
> > > you are setting up your IDS system this way??
> > >
> > > /m
> > >
> > >
> > >
> > >
> > > "Benjamin Mah" <[EMAIL PROTECTED]>
> > > Sent by: [EMAIL PROTECTED]
> > > 02/14/00 04:57 PM
> > >
> > >
> > > To: <[EMAIL PROTECTED]>
> > > cc:
> > > Subject: Real Secure Engine with 3 NICs
> > >
> > >
> > >
> > > I am trying to do an engine with 3 NICs which means there will be 2 NICs
> > > without any IPs and IP forwarding ... the last NIC would have an internal
> > > IP address which reports back to the internal Console... Has anyone tried
> > > this? Does this work? Are there any security complications if I really
> > > implement this?
> > >
> > > Thanks
> > > BenJiZs
> > >
> > >
> > >
> > >
> >
> >
---------------------------------------------------------------------------
This message is intended only for the use of the individual or entity to
which it is addressed and may contain information which is privileged,
confidential or subject to copyright. Ernst & Young disclaim all
responsibility and accept no liability (including negligence) for the
consequences for any person acting, or refraining from acting, on such
information prior to the receipt by those persons of subsequent written
confirmation. Any unauthorised use, disclosure, distribution or copying of
this communication by anyone other than the intended recipient is strictly
prohibited. When addressed to our clients any opinions or advice contained
in this email are subject to the terms and conditions expressed in the
governing Ernst & Young client engagement contract.
If you have received this message in error, please notify us immediately
by telephone at +1-441-295-7000 and destroy and delete the message
from your computer.