
I cannot help it - I have to comment on this, since this was exactly _not_ the
information that was asked for.

It's okay to advertise your products on your own mailing list, but please
keep in mind what the sender has asked.
Note: I am not sponsored by or affiliated with Enterasys.
The following is my personal opinion.

Comments in-line:

>-----Original Message-----
>From: Haradon, Dorita (ISSAtlanta) 
>Sent: Friday, July 19, 2002 5:48 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Cc: ISS XForce
>Subject: RE: comparison Dragon - Real Secure
>
>
>Hi Manuel,
>
>Here's the competitive information you requested:

No, it's not. He requested a pointer to free research information, not sales
song and dance.

>DRAGON SENSOR WEAKNESSES
>
>1. Extensive Unix experience required - this product is NOT for the
>mainstream user.

Mainstream users are not qualified to perform IDS administration anyway :)
IDS administration and Intrusion Analysis require additional skills.

>2. Difficult to install, configure, and manage.

Granted, the second is true. You have to know what you're doing and
configuration takes some planning and you might encounter problems.
I had some probs but this was mainly due to the fact that Dragon does 
not run well on SuSE (why, I don't know, yet).

>3. No Windows sensor or management solution - this is a huge
>disadvantage for them.

Correct me if I am wrong, but I think you can access the DPM via a Windows
machine. The Web GUI requires a webserver on the DPM. The connection can be
SSL encrypted.

>4. Pattern matching and stateful inspection signatures mostly - very
>few protocol analysis signatures.  This means that a new signature must be
>written for every attack, unlike RealSecure's protocol analysis which can
>detect most attacks without requiring an update.   This is a major advantage
>of doing protocol analysis vs. pure pattern-matching.  Dragon requires that
>only one method of attack, not variants of the same attack like RealSecure.
>This is why they need so many signatures and require such frequent updates.


I have not enough experience with Dragon to confirm this. Have you?
Yes, protocol analysis is getting more important. In order to compare
proto-analysis features between various products, we need independent
tests - this is what Manuel asked for in the first place.
In theory you are right, but in everyday life it's much more difficult to
validate the profits of the proto-analysis feature.

>5. No high level logic on ANY signatures.  There is a single ASCII
>signature file that users can edit to create their own signatures.  All sigs
>we've seen seem to be simple pattern or string-based matching - no
>complicated algorithms or decryption like many of the RealSecure sigs.

The success of Snort has shown us that simplicity of a signature definition
language has certain benefits.
BTW: I have tested RealSecure 6.5 and desperately searched for any
documentation on how to define custom signatures for the NetworkSensor.
I have read something about SecureLogic, but this seems to be only available
for ServerSensor and I did not get any free documentation, so I was not able
to create custom signatures that deserve their name. Now you have the TRONS
feature, which eats Snort signatures.

Now please, tell me how I can edit custom signatures using "complicated
algorithms or decryption" in RS 7?

>6. Very easy to "break" a signature while trying to fine-tune it.
>7. Limited response options compared to RealSecure - Dragon only
>supports Email/Paging, SNMP traps, Syslog, and User-defined scripts.

Yes, and RealSecure has crackheaded defaults, like embedding the customer ID
in the Reset Kill packets (NetworkSensor) and blocking based solely on the
source IP address for half an hour (ServerSensor).
BTW: Has this changed since 6.5? According to Robert Graham it has not, but
you are working on the blocking feature.

>8. No third party integration like we have with Check Point where a
>triggered event can invoke rule creation on the firewall. 

This simply is not true if I am not utterly wrong, there is third party
integration in Dragon.

>9. Based on TCPDump-like model - they capture data then parse it to
>trigger events; not quite real-time.

Not quite realtime??? Hmmmm, I guess you are the expert.
Please define realtime for us.

>10. Weak integrated host- and network-based IDS solution.

May be correct.


<more sales song and dance>
>WHY REALSECURE 7.0 SLAYS DRAGON SENSOR 6.0:
>
>Accuracy 
>Performance
>Integration
>Security Content
>Service and Support
>
>RealSecure employs a combination of state-of-the-art IDS techniques,
>resulting in the most accurate and best performing IDS on the market today.
>
>
>• 7-layer protocol analysis and anomaly detection
>• attack pattern matching
>• stateful packet inspection
>• real-time attack verification (server responses)
>• vulnerability correlation via the Security Fusion module
>• standard user-defined signatures and Snort imports with a validation
>tool to ensure the signature is constructed properly
>• statistical anomaly detection via SiteProtector and FastAnalysis
>• behavior-based/application-based detection via RealSecure Desktop
>Protector
>
>Our protocol analysis detects actual attacks, thus virtually eliminating
>false positives, false negatives, and mis-identified attacks.  RealSecure
>analyzes nearly 100 protocols,  detecting over 1500 known attacks and
>countless unknown attacks - REAL attacks, not just non-standard packets like
>most other IDSs that employ an elementary form of protocol analysis.
>RealSecure is irrefutably the most accurate IDS on the market.  Dragon just
>can't compete with ISS' accuracy.  
>
>RealSecure recently won the "NSS Approved" award from the prestigious,
>independent testing firm, The NSS Group, based in the UK.  Check out
>www.nss.co.uk to download a copy of the complete evaluation of the
>RealSecure 7.0 Protection System.
>
>Let me know if you need anything else.
>-Dorita
>
>*******************************************
>Dorita Haradon ([EMAIL PROTECTED]) 
>Technical Marketing Manager
>Internet Security Systems (NASDAQ: ISSX) 
>6303 Barfield Road, Building B, 4th Floor 
>Atlanta, Georgia  30328 
>Office:  404-236-2856  Mobile:  770-598-2502 
>http://www.iss.net      -      The Power to Protect 
>ISS Press Releases:
>http://bvlive01.iss.net/issEn/delivery/prlist.jsp
>******************************************** 
<end sales song and dance>

I hope I will not be banned from the list for my comments.
:)

Sincerely,
Detmar
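
[Added example, not part of the original message and not code from Dragon, RealSecure or Snort.] The exchange on point 4 contrasts literal string signatures with protocol analysis; the sketch below runs both approaches over constructed HTTP request lines. The signature list, function names and sample requests are all assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical literal signatures, one per known spelling of the request.
PATTERN_SIGNATURES = [b"/../", b"/..\\"]

def pattern_match(raw: bytes) -> bool:
    """Pure string matching over the raw bytes, no decoding."""
    return any(sig in raw for sig in PATTERN_SIGNATURES)

def protocol_analysis(raw: bytes) -> bool:
    """Parse the HTTP request line, decode the path, then test what it means."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    try:
        _method, target, _version = line.split(" ")
    except ValueError:
        return True  # a malformed request line is reported as an anomaly
    path = urlsplit(target).path
    for _ in range(3):  # bounded re-decoding (assumption: catches double encoding)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # path climbs above the document root
                return True
        else:
            depth += 1
    return False

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"GET /docs/a/../b.html HTTP/1.0\r\n\r\n",
    b"GET /cgi/../../secret.txt HTTP/1.0\r\n\r\n",
    b"GET /cgi/%2e%2e/%2e%2e/secret.txt HTTP/1.0\r\n\r\n",
    b"GET /cgi/%252e%252e/%252e%252e/secret.txt HTTP/1.0\r\n\r\n",
]

def compare():
    """Return (pattern verdict, protocol verdict) for each sample."""
    return [(pattern_match(s), protocol_analysis(s)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdicts in zip(SAMPLES, compare()):
        print(sample.split(b"\r\n")[0], verdicts)
```

The second sample is a harmless in-root path that the string signature still flags, and the last two are encoded spellings it misses; the decoding check gets all five right without a new signature per spelling.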

