TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Gavin,
OK, at this point, a well-thought-out design to address the analysis, the
requirements and long term gain of the customer is the phase you should be
at right now.
RealSecure 3.2.x has the following attributes: Console, Engine, Agent.
Depending on the architecture chosen based on the previous statement, most
likely a custom IDS system may be in order, but if cost is really an
issue, then you may have to seek out a solution that is less developed and
less feature rich than ISS RealSecure.
ISS RealSecure is one of the simplest IDS systems to install, configure,
implement and maintain. The other IDS offerings require a higher level of
Security and Network expertise to install, configure and implement
correctly.
Finally, I suggest your customer seek out qualified information security
consultants that are capable of designing an IDS system that fits their
specific requirements and parameters.
Not having those requirements captured and agreed upon could present
solutions that do not fit their current and future needs.
Assess
Analyze
Design
are the first three steps in designing any practical and viable IDS
solution, so I suggest you go back to the drawing board and ensure that
you have completed the Assessment phase, the Analysis phase and Design
Phase. In the data collection phase, a spreadsheet should be created
listing each company that offers an IDS solution, and basically listing
out how their features match or do not match your Assessment and Analysis
phase.
P.S. The advice stated above just cost you 3 hours x the current hourly
rate of an E&Y senior consultant.
Please send payment to the nearest Predictive Systems office :)
[EMAIL PROTECTED]
02/23/00 04:24 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: FW: Pricing Real Secure was Re: FW: RealSecure Engine with 3 NICs -reply
Having never worked with RealSecure, I was curious why I had seen messages
to this list talking about multi-NIC monitoring, but received differing
information from ISS (both sales and technical support). For the client I'm
working with, cost is an issue if host-based IDS or some other
network-based solution can meet the defined security needs. What I think
happened is that the pricing structure changes from the amount of hosts
monitored to a per-engine model.
I do understand what functions an IDS performs and its application in an
overall security infrastructure but always hope to learn more.
Regards,
Gavin Adams, Ernst & Young Bermuda
W: +1 (441) 295-7000 x445
C: +1 (441) 799-1024
and now for a message from our sponsor...
[EMAIL PROTECTED] on 22/02/2000 23:10:59
To: Gavin Adams/CONSUL/ErnstYoung/BM
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: FW: Pricing Real Secure was Re: FW: RealSecure Engine with 3 NICs -reply
I think the issue is not cost but understanding what an Intrusion
Detection System is and how it can enhance the overall security posture of
an organization.
I think more homework on your part is needed before suggesting that cost
is an issue.
/m
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/22/00 09:53 AM
To: [EMAIL PROTECTED]
cc: Michael Wilson <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>
Subject: Re: FW: Real Secure Engine with 3 NICs -reply
I was more concerned with the product cost. ISS quoted $9,000 for the
RealSecure license, per engine. IDS software alone would run $27K. Just
doing a cost-benefit analysis and the various products and understanding
the monitoring/security implications.
Thanks for all who have responded.
Regards,
Gavin Adams, Ernst & Young Bermuda
W: +1 (441) 295-7000 x445
C: +1 (441) 799-1024
and now for a message from our sponsor...
"HerbalGypsy/justbobthebard" <[EMAIL PROTECTED]> on 21/02/2000
23:02:52
Please respond to [EMAIL PROTECTED]
To: Michael Wilson <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> (bcc: Gavin
Adams/CONSUL/ErnstYoung/BM)
Subject: Re: FW: Real Secure Engine with 3 NICs -reply
just my two cents, but I believe Mike is exactly correct.
The cost of another engine, reasonable performing box, is relatively
inexpensive if you are seriously trying to protect something you or
your company values.
Have you seen what antisniff does to IDS boxes?
If you do, you will opt for more than one...
bob
Michael Wilson wrote:
>
> I think the point (Mark's?) was not that setting up the probes in a
> stealth configuration (dual-NIC, one set up solely as a listener, one for
> talking) is less than ideal; I think his point was that having _3_ NICs,
> with two stealthed, is less than ideal. This way, one probe is trying to
> (presumably) monitor multiple network segments. If an attack comes in
> that floods both network segments, then the probe will probably be swamped
> and start to lose packets. I'd consider this less than ideal. Better
> would be to have multiple probes. It's worth the expense, especially if
> the probe is monitoring network segments that can both be hit by the same
> flood. (E.g., monitoring outside the firewall as well as a public DMZ,
> when a flood of a public web server on the public DMZ allows the probe to
> see traffic from the same attack twice - twice the processing involved.)
>
> -Mike Wilson
> -Sr. Network Computing Pure Scientist
> -UNIFIED Technologies
> -Troy, NY
>
> On Wed, 16 Feb 2000, Lunsford, Scott wrote:
>
> >
> > Actually, this is an ideal IDS architecture. We use this configuration to
> > monitor our external ethernet segments (external being outside the
> > firewall). We have 2 nics in the RealSecure box. One nic is connected to
> > the external network strictly listening (stealth mode), the other nic is
> > connected to our internal network and is used to communicate with the
> > console. We find this to be ideal.
> >
> > Scott Lunsford
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, February 17, 2000 7:34 AM
> > > To: Benjamin Mah
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: Real Secure Engine with 3 NICs -reply
> > >
> > >
> > > It works, but it is not an ideal IDS architecture. Is there a reason why
> > > you are setting up your IDS system this way??
> > >
> > > /m
> > >
> > >
> > >
> > >
> > > "Benjamin Mah" <[EMAIL PROTECTED]>
> > > Sent by: [EMAIL PROTECTED]
> > > 02/14/00 04:57 PM
> > >
> > >
> > > To: <[EMAIL PROTECTED]>
> > > cc:
> > > Subject: Real Secure Engine with 3 NICs
> > >
> > >
> > >
> > > I am trying to do an engine with 3 NICs which means there will be 2 NICs
> > > without any IPs and IP forwarding ... the last NIC would have an internal
> > > IP address which reports back to the internal Console... Has anyone tried
> > > this? Does this work? Are there any security complications if I really
> > > implement this?
> > >
> > > Thanks
> > > BenJiZs
> > >
> > >
> > >
> > >
> >
> >
---------------------------------------------------------------------------
This message is intended only for the use of the individual or entity to
which it is addressed and may contain information which is privileged,
confidential or subject to copyright. Ernst & Young disclaim all
responsibility and accept no liability (including negligence) for the
consequences for any person acting, or refraining from acting, on such
information prior to the receipt by those persons of subsequent written
confirmation. Any unauthorised use, disclosure, distribution or copying of
this communication by anyone other than the intended recipient is strictly
prohibited. When addressed to our clients any opinions or advice contained
in this email are subject to the terms and conditions expressed in the
governing Ernst & Young client engagement contract.
If you have received this message in error, please notify us immediately
by telephone at +1-441-295-7000 and destroy and delete the message
from your computer.