Subject: Re: IDS: comparison of NFR vs RealSecure -reply
From: Mark.Teicherpredictive.com
Date: Mon Mar 13 2000 - 17:49:02 CST


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
USUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
---------------------------------------------------------------------------

---
comments below

Thomas Nau <thomas.naurz.uni-ulm.de> Sent by: owner-idsuow.edu.au 03/12/00 11:20 PM

To: idsuow.edu.au cc: Subject: IDS: comparison of NFR vs RealSecure

Will someone please offer a comparison of NFR vs RealSecure with focus on the following topics (we run the usual switched 100-1000Mbit network but sniffing will only be done in several 100 segments)

- speed

- update frequency and reliability of attack signature

Each vendor ships out quarterly updates, but it usually is not just a simple "install new updates and go"; it usually requires a backup of the custom rules and database to another directory, then re-installing the application.

- integration of FW-1 (means setup filter on the fly)

This function is currently not working in the ISS RealSecure version, maybe working in the Checkpoint RealSecure version. NFR does not currently have this ability.. But check www.nfr.net to verify

- multi-sensor single evaluation node environment

Don't know what you mean??

- available API (integrating own type of alerts, actions, ...)

NFR and ISS have this option available. N-code is the language that is provided by NFR, and ISS RealSecure allows for custom connection events and allows for custom code to be integrated into the checks.

- last but not least cost and administrative overhead

Not sure what you mean; this is a question that has many more factors than just administrative issues. Do you mean how much do you have to pay a monitor monkey to watch the consoles and actually do what the screen states to do?? Or do you mean how much do you have to pay a qualified security engineer to design a well-defined, well thought out security architecture with intrusion detection systems??

Two different scales, and in reality you get what you pay for. If you want Marcus Ranum-in-a-box, it will cost you lots and lots of money (I mean at least 10 or 12 wheelbarrows full of unmarked nonsequential US currency), and probably about two or three Rocky Carroll specially made cowboy boots to sweeten the deal.. :) Other than that, roll the dice and figure it out.. You need at least 3 people to maintain any security architecture; if you go with less, you will pay dearly at the end.

/mark

Thanks, Thomas

====== PGP fingerprint B1 EE D2 39 2C 82 26 DA A5 4D E0 50 35 75 9E ED ======

Thought you got rid of all year 2k bugs and problems? Here's a new one: Windows 2000