Drifting slightly off topic, but still related. Windows folks may be interested in this:
From my recent testing of all three of these IPS products (McAfee, Cisco, ISS), I would NOT recommend McAfee or Cisco. I am just some guy on a list, so take this with a grain of salt and test them yourself, but here's what I found.

Our testing was fairly complex, but the kicker was this: an unpatched Windows 2000 (i.e. SP zero) laptop, no anti-virus. (Unfair? Maybe, but consider it worst-case. If it was patched, we may or may not need their product. And we really do have laptops in the field that we haven't seen in months (years), so their a/v is old enough that it might as well not even exist.) Plop the box outside the firewalls and any other protection on the T-3's (higher speed, but not unlike dial-up).

Results:

Cisco: Infected with Sasser worm in 6 minutes; did not propagate, but had a live worm sitting there ready to go if anything went wrong. System would reboot 'often', like every 30 minutes or so, due to buffer overflows that were stopped but not recoverable. CSA has decent incident reporting, but doesn't see everything.

McAfee: After many false starts and four different options to actually turn the *&$%ing thing on (six if you count the firewall), it finally survived on the internet for our 24 hour test period. Why would a "Security" product ship in a completely insecure state? And why is it so difficult to turn on?? McAfee's reporting is next to nothing; details are very scarce. For the record, here's what you need to select to enable the actual product: Host IPS - Enabled, Host IPS - Protect, Network IPS - Enabled, Network IPS - Protect, and optionally, Firewall - Enabled, Firewall - Protect, configure firewall rules. What happened to "On"?

ISS: Survived, unbothered, no reboots, no infections, no popups, no muss, no fuss, for FIVE DAYS wide open on the internet. We figured that was sufficient since the others all puked in a matter of minutes. Default options, basically "setup - ok - ok - ok". ISS reporting is excellent and ranked from 'information' to 'serious' so you can filter out the noise.

We are testing for internal use, so internet exposure is theoretically way more than the machines will ever see.

- Nessus scans against CSA show all the normal unpatched vulns, which is to be expected, but the machine stays up.
- Nessus scans against McAfee in 'warn' mode show most of the normal vulns, but blue-screen the box. In protect mode it behaves like CSA. With the firewall enabled, it is fairly tight and gives up no real information.
- Nessus scans against ISS show the normal open ports, but really make scans painful and slow, and the vulnerability list is short(er) than normal. Any check that uses the actual exploit will get hung up, whereas registry, file, etc. checks may still show vulnerable. The scan took so long I never let it finish properly; I suppose I should set one to go over the weekend and see what it comes up with.

Brad

All opinions expressed in this email are my own. My employer has no official opinion on anything, as far as I can tell. Certainly not as far as computer security goes...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Reg Quinton
Sent: Wednesday, September 01, 2004 12:23 PM
To: DePriest, Jason R.; [EMAIL PROTECTED]
Subject: Re: "Real-time" Vulnerability Assessment

> ISS, McAfee, and Cisco are all selling or are about to start selling
> products with "buffer overflow protection".

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
