> Hi
> I placed Server Sensor on the NNIDS page under guidance from ISS, I saw the
> product as a hybrid IDS, but bowed to the vendor's judgement. (it may even be
> on both!)

I think our ISS IDS solution fits into both categories.

The RealSecure server version of IDS has NNIDS + log analysis + many sec. assessment checks + file integrity checking + honeypot deception ports. The sec. assessment checks are used to help validate and correlate whether an attack was against something vulnerable or not.

The RealSecure network version of IDS has NIDS.

Both host and network are integrated very tightly to be a hybrid of host & network IDS, and to the user, is managed from a single console.

BTW, we just announced our new console called RealSecure SiteProtector, which allows management of RealSecure and Internet Scanner. It also enables operationalizing Internet Scanner to do routine scans at specified times, and the vulnerability data results are correlated with the attacks. Makes it easy for the operator to see not only if a computer was attacked, but whether it was vulnerable or not.

The RealSecure server sensor has been completely integrated in NetworkICE's BlackIce NNIDS technology as the chassis for that particular IDS area. This work is done and is in the latest version of RealSecure Server Sensor.

The RealSecure network sensor is rapidly being integrated. We are using the BlackICE NIDS component as the chassis for doing packet analysis, and integrated in RealSecure 7 the protocol analysis and signature-based technologies into an optimized model where we take the best of BlackIce algorithms and RealSecure algorithms and turn them into a single Protocol Analysis Module (PAM). PAM will be plugged into all our IDS agents.

Talisker, 3 other IDS categories that ISS is pioneering, with the recently acquired NetworkICE technology, that aren't categorized on your web site:

One category, Desktop IDS. We break the NNIDS into two groups: server IDS and desktop IDS. For server IDS, we already have RealSecure Server Sensor. For desktop IDS, we now have BlackIce agent. I believe ISS has the only desktop IDS out there. Most other technologies on desktops are simple personal firewalls that don't do IDS technology (like protocol analysis). I personally believe as applications become more complex (i.e., peer-to-peer, video conferencing), desktop IDS will be needed to allow the applications to run, but by analyzing the protocol and looking at the data within the packet, it still can block the attacks and threat. Personal firewall technologies are more simple; they either allow the application to run or not. If the user allows the application to run, the personal firewall does not stop any attacks against it. BTW, we are adding outbound blocking through Rogue Application Control on the desktop IDS.

Another category, Gigabit IDS. With protocol analysis and because of the experience of NetworkICE, especially from the team's days at Network General (where they built fast packet analyzing sniffers), they really know how to examine packets extremely fast. I believe ISS has the only gigabit network IDS based on software solely that approaches the performance that we get, that doesn't cheat by compromising how many signatures are turned on. (It's easy to claim high speeds if you only look for 1 or 2 attacks.)

Another category, Inline IDS. Network ICE launched Guard last year in December. It was the first inline IDS that I am aware of that was publicly available. Guard is still the only commercially available inline IDS that I know of. This puts IDS inline like a firewall with the ability to stop attacks, not just monitor them. Last June or July, I believe someone converted Snort into a freeware version called HogWash, and there's a good article on how it was used at:
http://www.securityfocus.com/infocus/1208

One really neat thing about our inline IDS, because it leverages our high speed performance experience, Guard has the equivalent speed of a 100mbit switch which is very fast, to minimize latency slowdown.

So, if one looks at our depth and breadth of IDS, we cover:

- inline IDS
- gigabit IDS
- network IDS
- server IDS
- desktop IDS

ISS uniquely provides the widest coverage of IDS.

One additional IDS category not on your web site, but is not a product: remote monitoring IDS service. With our 6 Security Operation Centers (SOCs) around the globe that provide high value added extended service of remote monitoring of IDS, companies that normally do not have the budget to hire a security team to just watch the IDS screens around the clock, can get their IDS monitored 24x7 more economically and get more out of their investment in IDS.

This IDS service is actually giving us significant advancement on the product development side, because we leverage the feedback loop between our operators in the SOC and the X-Force who develops the signatures and algorithms to really fine-tune the accuracy of these signatures to dramatically reduce false positives. For RealSecure 7, I think customers will see that many of the false positives will no longer show up because of this constant feedback loop.

By having the product development team within the same organization that is providing the IDS service, our IDS service benefits by continuing to make major leaps since they have such a direct influence on the product direction. They get to play with the technology while in beta, so when we are ready for production, the IDS service has a lot of familiarity with the new features and signatures.

Hope this provides an overview of where our IDS solution is.

> perhaps ISS could give a more objective view on this
>
> -andy
> http://www.networkintrusion.co.uk
>
> ----- Original Message -----
> From: "Mitchell, Brian (ISS Atlanta)" <[EMAIL PROTECTED]>
> To: "'Hihsam Kotry'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, October 17, 2001 8:51 PM
> Subject: RE: Regarding NNIDSs
>
> > TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
> > [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
> > ----------------------------------------------------------------------------
> >
> > I think support may have thought you were referring to promiscuous mode
> > network intrusion detection, as opposed to host based network intrusion
> > detection (NIDS vs NNIDS). Server Sensor is OS Sensor + NNIDS functionality,
> > if that helps any.
> >
> > http://documents.iss.net/literature/RealSecure/rs_ps.pdf has an overview of
> > the ids products.
> >
> > -----Original Message-----
> > From: Hihsam Kotry [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 17, 2001 1:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Regarding NNIDSs
> >
> > First of all I would like to thank everyone who
> > replied to my previous post,
> >
> > Now, from a link I got -
> > http://www.networkintrusion.co.uk/firepers.htm#RealSecure
> > Server Sensor - this link states that RealSecure
> > Server Sensor could be used as a NNIDS, but after
> > contacting ISS customer support, I was told that
> > RealSecure doesn't run as a NNIDS, any help on what's
> > going on??

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
