From: Robert Graham (robert_david_grahamYAHOO.COM)
Date: Sun Mar 04 2001 - 17:41:51 CST


    The "Guard" version of BlackICE is not appropriate for most people. It is
    for customers where security is the SECOND priority; if security is your TOP
    priority, then you shouldn't even consider it. Get a real firewall and use
    our "Sentry" version of BlackICE.

    I know it is rather shocking to security professionals, but for a lot of
    people, things like SLAs, performance, and uptime are their top priorities.
    While they want to make their networks secure, they dedicate more
    money/manpower to increasing uptime and performance. These are customers
    that don't have a firewall in place, or haven't dedicated enough time to
    configure their firewall well.

    I want to make this point clear because any security professional looking at
    Guard will be unimpressed (they should just be looking at our traditional
    NIDS instead, which really IS cool).

    The two primary "features" of Guard are (a) it can forward packets with
    extremely low latency at full bandwidth and (b) when it fails (power loss,
    crash, hang), traffic continues to flow through it (unsecured).

    Any security professional will tell you that point (b) is WRONG. If a
    firewall fails, its duty is to shut down all traffic until the problem can be
    fixed rather than allow an attacker to compromise the network. However, we
    have found that this (correct) philosophy is one of the reasons customers do
    not purchase firewalls. Since their top priority is uptime, they want a
    device that behaves incorrectly from a security perspective.

    Therefore, our primary design goal for Guard is "How can we improve security
    for those who care more about performance/uptime/SLAs?". We designed it so
    that even if it did nothing, people wouldn't be afraid of plugging it into
    their network. Because it "bridges" packets (rather than "routing" like most
    firewalls), you don't have to reconfigure your network (i.e. it has no IP
    address). It has a hardware "shunt" that bypasses our box upon
    power-loss/crash/hang. It forwards packets with extremely low latency
    (measured in microseconds), and can handle absolutely anything a 100-mbps
    wire can throw at it (~300,000 packets/second full-duplex).

    Therefore, the answers to your questions are:
    >How effective is it?
    From a security perspective, it isn't as effective as a firewall. From an
    uptime perspective, it is extraordinarily effective at not causing problems
    on your network.

    >What hardware have you put it on?
    We recommend the Dell 1550 or the Compaq DL360. These boxes have peer-PCI
    buses and dual-CPUs, both of which are needed in order to achieve the
    ~300-kpps bi-directional forwarding rate as well as doing full NIDS.

    >Any cheaper alternatives?
    >Any more effective alternatives, other than a firewall?
    Unless you fit the extremely narrow needs we've defined, pretty much
    anything is both a better and cheaper alternative.

    >Anything else that may dissuade me from "having a go"
    Well, since you ARE a security professional, I doubt that this will match
    your needs.

    Robert Graham
    CTO/Network ICE

    PS: Actually, most of our sales of Guard so far have been to security
    professionals who understand the limitations.

    PPS: Our marketing/sales people do not like me discussing Guard because of
    the way I try to dissuade people from buying it. They always want to pump
    the technology as curing everything from world hunger to the common cold; in
    contrast, I want to be upfront about things.

    PPPS: The reality is that this is just another deployment option for our
    NIDS; it shouldn't even be thought of as a separate product. The NIDS part
    of the product is pretty strong, but the "blocking" features are weak. As I
    mention above, it doesn't matter that the blocking is weak because you are
    getting better blocking than you had to begin with and it isn't causing SLA
    concerns.

    -----Original Message-----
    From: Focus on Intrusion Detection Systems
    [mailto:FOCUS-IDSSECURITYFOCUS.COM]On Behalf Of Talisker
    Sent: Saturday, March 03, 2001 4:31 AM
    To: FOCUS-IDSSECURITYFOCUS.COM
    Subject: BlackICE Guard

    Hi
    BlackICE Guard
    At first sight this looks like quite an interesting tool, but what are the
    feelings of those of you out there that have "had a go"?
    It seems to fall somewhere between an IDS and a Firewall.
    The information I have on it is
    <snip>
    BlackICE Guard is a high performance in-line intrusion protection tool. It
    sits in-line, inspecting all network traffic and filters out hostile packets
    in real-time. It gives a security administrator the ability to completely
    eliminate hostile traffic from a segment before it can damage a system.
    Guard can sit between a firewall and a router, between two switches, or in
    front of a mainframe. The benefit of Guard is that it offers an
    alternative deployment solution to those security professionals who are
    unable to install BlackICE Agents on critical servers, or for whom the alerting
    functionality of Sentry is not a sufficient level of protection.
    </snip>
    The information I'm looking for is
        How effective is it?
        What problems have you encountered?
        What hardware have you put it on?
        Any cheaper alternatives?
        Any more effective alternatives, other than a firewall?
        Anything else that may dissuade me from "having a go"

    Thanks in advance for any time you can devote to this

    Take Care
    Andy
    http://www.networkintrusion.co.uk
    Talisker's Network Security Tools List

    Security Tools Notification
    http://groups.yahoo.com/group/security-tools/join
