Subject: Re: IDS: Hybrid IDS
From: Talisker (Taliskernetworkintrusion.co.uk)
Date: Sat Sep 09 2000 - 05:40:03 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
nmcbss

IMHO whilst ZoneAlarm is great for the domestic market, primarily because it
is free, as an enterprise solution I would prefer something that feeds
information to a central point.

My questions are:

    Do you wish to roll out ZoneAlarm to your Internet banking customers?

    Or is it for use on your corporate desktops?

Costs - whilst ZoneAlarm is free for personal use, you have to pay to use it
for business use, therefore are you better paying a little more and getting
BlackIce defender?

If it is strictly for corporate use in order to get the centralized
reporting and transparent installation BlackIce Agent may be a better
option.

I use ZoneAlarm at home
But something else at work

Andy
http://www.networkintrusion.co.uk/ Listing all known commercial IDS
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall |
  | Inherit the earth |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.

---- Original Message -----
From: "nmcbss" <nmcbssbtinternet.com>
To: "Martins, Fernando (Lisbon)" <FMartinspt.imshealth.com>;
<idsuow.edu.au>
Sent: Friday, September 08, 2000 8:01 PM
Subject: Re: IDS: Hybrid IDS

> I am a current user of Zone Labs ZoneAlarm evaluating it for an individual PC
> protection plan to be run at a leading UK bank. Is free really good enough
> and what would you recommend instead?
> ----- Original Message -----
> From: "Martins, Fernando (Lisbon)" <FMartinspt.imshealth.com>
> To: <idsuow.edu.au>
> Sent: Friday, September 08, 2000 5:04 PM
> Subject: RE: IDS: Hybrid IDS
>
>
> > Hi2all
> >
> > Copied and pasted from the provided link:
> > "Zone Labs has revolutionized personal Internet security with ZoneAlarm,
> > which is free for personal and non-profit use"
> > Also you can take a look at ...
> > http://www.zonelabs.com/zafreedownload.htm
> >
> > And also I believe this will take you to your free copy:
> >
> > http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/downloading.html?DispCategory=Internet&DispSubcategory=Internet+Tools&DispTitle=ZoneAlarm&refresh_url=ftp%3A%2F%2Fzdftp%2Ezdnet%2Ecom%2Fpub%2Fprivate%2FsWlIB%2Finternet%2Finternet%5Ftools%2Fzonalarm%2Eexe&Fcode=0015P7&Category=internet&Subcategory=internet%5Ftools&b=zonealarm
> >
> > What is not free is the new ZoneAlarm Pro, not the ZoneAlarm 2.1 which is
> > still free for personal and non-profit use.
> >
> > Kind Regards,
> >
> > Fernando Martins
> >
> > > -----Original Message-----
> > > From: mhtclark.net [SMTP:mhtclark.net]
> > > Sent: Friday, September 08, 2000 4:39 PM
> > > To: Martins, Fernando (Lisbon); idsuow.edu.au
> > > Subject: RE: IDS: Hybrid IDS
> > >
> > > Actually ZoneLabs is no longer free..
> > >
> > > Please see http://www.zonelabs.com/pressvpsales.htm
> > >
> > > At 11:02 AM 9/8/00 +0200, Martins, Fernando (Lisbon) wrote:
> > > >Hi2all,
> > > >
> > > >John, if 148k packets/second are not enough, try 300k ... this is a kind of
> > > >test that i wonder why somebody must said at Defcon "hit me, i can handle it
> > > >...", or something like it. Or Defcon is not what i think it is, or people
> > > >motivation for tests are too low ... but i never been at Defcon so may be
> > > >i'm wrong.
> > > >
> > > >Mark, if you want to test your IDS without even have to go to Defcon, pick a
> > > >big IRC network, create a # for your IDS support on-line, and tell to #
> > > >operators to go to some nasty other #'s, and say 'hit me, i can handle it
> > > >...", or something like it.
> > > >
> > > >While i was trying to help Signal9 at Undernet in same kind of tests for
> > > >their ConSeal Firewall, i had not ever the need for challenging nobody,
> > > >since 'challengers' were always around, and i was there almost 24/7 for
> > > >their amusement. And believe me ... one day, if 300k were not enough,
> > > >somebody will use more than that and 'something' will crash ... just a
> > > >guess, but with luck you can get an 'hybrid' crash eheheh (i luv English
> > > >classes here!!).
> > > >
> > > >I was betatesting BlackICE, but during the trial period i didn't have the
> > > >time for real tests. Also, i wonder why it stops working before the trial
> > > >period was over ... Without time and without the trial version i had stop
> > > >what i probably not even started, at least for real. I have not the time as
> > > >i use to, for this kind of things (like working for free while others
> > > >getting the money), but i can give a try if Xmas arrive in September this
> > > >year and i got a BlackICE copy for free =;o)
> > > >
> > > >And Mark, about Zonelabs market place, yours will never be the same, since
> > > >Zonelabs have other commercial politic for home users, it's free, remember?
> > > >
> > > >Kind Regards,
> > > >Fernando Martins
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: John S Flowers [SMTP:jflowershiverworld.com]
> > > > > Sent: Friday, September 08, 2000 12:29 AM
> > > > > To:   mark.teichernetworkice.com
> > > > > Cc:   FOCUS-IDSsecurityfocus.com; idsuow.edu.au
> > > > > Subject:      Re: IDS: Hybrid IDS
> > > > >
> > > > > Mark,
> > > > >
> > > > > > I've had a message into Robert Graham and cc'd other persons for the
> > > > > > last 2 weeks or so.  I've sent numerous messages commenting on the
> > > > > > challenge and even replied to the document entitled "jolt2" that was
> > > > > > sent by Robert to myself and others.
> > > > > >
> > > > > > In reference to the document - http://www.robertgraham.com/op-ed/jolt2
> > > > > > -- On August 24th I said, "I like what you've written (jolt2) and think
> > > > > > you should publish it."
> > > > > >
> > > > > > I believe that the claims made by Robert Graham are so outrageous that
> > > > > > there's no real need to even validate them (see the link above, if it's
> > > > > > even active).  I'm sure that everyone will see this to be the case if
> > > > > > this document actually makes it to the public.
> > > > > >
> > > > > > Otherwise, I'm more than happy to actually run a real test against your
> > > > > > IDS and see if it can sustain 148,800 packets per second and provide
> > > > > > alerting/counting on the attack.
> > > > > >
> > > > > > This was the original claim made by Robert to the crowd at Defcon and to
> > > > > > the IDS list a while ago (i.e. not the single packet against an invalid
> > > > > > IP address that is mentioned in this document).  This is the claim that
> > > > > > I believe Robert should stick to, not the "jolt2 test" in the document
> > > > > > at the link above.
> > > > > >
> > > > > > I've not yet received a copy of BlackICE for the purpose of this real
> > > > > > world test and I haven't heard from Robert since Aug 24th (2 weeks ago).
> > > > > >
> > > > > > For the record -- I've been seriously busy, but I HAVE kept in touch
> > > > > > with Network ICE and Robert Graham since this claim was made.  So the
> > > > > > accusation that "no one has heard from Hiverworld since" is completely
> > > > > > misleading.
> > > > >
> > > > > "Teicher, Mark" wrote:
> > > > > >
> > > > > > At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:
> > > > > >
> > > > > > > >One place where the personal firewall / IDS hybrids present an
> > > > > > > >interesting challenge to clarity is in performance marketing.
> > > > > > > >Since they're operating at a packet level (sort of) an unscrupulous
> > > > > > > >vendor (hi! you know who you are!) could claim their performance
> > > > > > > >figures in terms of packets processed/second. So the vendor could
> > > > > > > >say "in recent tests, our network IDS handled 10,000,000,000
> > > > > > > >packets/second!!" without mentioning clearly that this was
> > > > > > > >accomplished using a single host on a switch, but the host was
> > > > > > > >only looking for attacks directed at itself... Such claims have
> > > > > > > >already been made - clearly deceptive, but there you have it.
> > > > > > >
> > > > > > > Whoa, wait a minute here, Network ICE accepted the challenge from
> > > > > > > Hiverworld at DefCon, and Network ICE was ready,  No one has heard from
> > > > > > > HiverWorld since.
> > > > > > >
> > > > > > > Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining the
> > > > > > > market space or in other words segmenting a very infant market space.  So
> > > > > > > every vendor is attempting fit into as many market spaces as it can, in
> > > > > > > order to get the largest customer base.
> > > > > > >
> > > > > > > >>Is there a clear cut definition out there somewhere?
> > > > > > > >
> > > > > > > >You're asking if marketing respects technical language? <giggle>
> > > > > > > >I wish...  :(  We went through the same kind of nonsense early
> > > > > > > >on in the firewall days - proxy firewalls, stateful turbo
> > > > > > > >multi-whomping packet examination, etc, etc. Eventually terms
> > > > > > > >settle down when the marketing folks find a set of features
> > > > > > > >they can tout that don't cause people to break out in belly
> > > > > > > >laughter whenever they use it.
> > > > > > >
> > > > > > > I tend to agree with MJR on this space, the marketing type firms out there
> > > > > > > don't really understand the space or the techie geekie stuff that some of
> > > > > > > us utter to them.  They tend to grab onto the first one or two blurbs of
> > > > > > > techie talk and that what they stick with.  You try to explain them the
> > > > > > > difference between packet grepping and protocol decode, they get all glossy
> > > > > > > eyed and almost fall over from boredom.  The marketing type people layman
> > > > > > > explanations that some of us can never get across to them without bursting
> > > > > > > out laughing.. :)
> > > > > >
> > > > > > /mark
> > > > > >
> > > > > > >mjr.
> > > > > > >-----
> > > > > > >Marcus J. Ranum
> > > > > > >Chief Technology Officer, Network Flight Recorder, Inc.
> > > > > > >Work:                  http://www.nfr.net
> > > > > > >Personal:              http://www.ranum.com
> > > > >
> > > > > --
> > > > > John S Flowers                <jflowershiverworld.com>
> > > > > Chief Scientist              http://www.hiverworld.com
> > > > > 510.848.0740 x 724 [Office]         510.841.2447 [Fax]