From: Talisker (TaliskerNETWORKINTRUSION.CO.UK)
Date: Mon Mar 05 2001 - 11:55:39 CST


    Robert

    Thank you very much for such a frank and honest reply, truly refreshing these
    days (with a few exceptions).
    I was considering the virtues of Guard providing more defence in depth, i.e.
    not replacing a firewall, but adding an element of protection and visibility
    between trusted networks within the depths of the organisation. For the
    reasons you mention a firewall isn't always feasible, but the insider threat
    is real and needs to be addressed.

    I apologise for not making myself clear regarding placement of the product.

    Thanks Again
    Andy

    ----- Original Message -----
    From: "Robert Graham" <robert_david_grahamyahoo.com>
    To: "Talisker" <Taliskernetworkintrusion.co.uk>;
    <FOCUS-IDSSECURITYFOCUS.COM>
    Sent: Sunday, March 04, 2001 11:41 PM
    Subject: RE: BlackICE Guard

    > The "Guard" version of BlackICE is not appropriate for most people. It is
    > for customers where security is the SECOND priority; if security is your TOP
    > priority, then you shouldn't even consider it. Get a real firewall and use
    > our "Sentry" version of BlackICE.
    >
    > I know it is rather shocking to security professionals, but for a lot of
    > people, things like SLAs, performance, and uptime are their top priorities.
    > While they want to make their networks secure, they dedicate more
    > money/manpower to increasing uptime and performance. These are customers
    > that don't have a firewall in place, or haven't dedicated enough time to
    > configure their firewall well.
    >
    > I want to make this point clear because any security professional looking at
    > Guard will be unimpressed (they should just be looking at our traditional
    > NIDS instead, which really IS cool).
    >
    > The two primary "features" of Guard are (a) it can forward packets with
    > extremely low latency at full bandwidth and (b) when it fails (power loss,
    > crash, hang), traffic continues to flow through it (unsecured).
    >
    > Any security professional will tell you that point (b) is WRONG. If a
    > firewall fails, its duty is to shut down all traffic until the problem can be
    > fixed rather than allow an attacker to compromise the network. However, we
    > have found that this (correct) philosophy is one of the reasons customers do
    > not purchase firewalls. Since their top priority is uptime, they want a
    > device that behaves incorrectly from a security perspective.
    >
    > Therefore, our primary design goal for Guard is "How can we improve security
    > for those who care more about performance/uptime/SLAs?". We designed it so
    > that even if it did nothing, people wouldn't be afraid of plugging it into
    > their network. Because it "bridges" packets (rather than "routing" like most
    > firewalls), you don't have to reconfigure your network (i.e. it has no IP
    > address). It has a hardware "shunt" that bypasses our box upon
    > power-loss/crash/hang. It forwards packets with extremely low latency
    > (measured in microseconds), and can handle absolutely anything a 100-mbps
    > wire can throw at it. (~300,000 packets/second full-duplex).
    >
    > Therefore, the answers to your questions are:
    > >How effective is it?
    > From a security perspective, it isn't as effective as a firewall. From an
    > uptime perspective, it is extraordinarily effective at not causing problems
    > on your network.
    >
    > >What hardware have you put it on?
    > We recommend the Dell 1550 or the Compaq DL360. These boxes have peer-PCI
    > buses and dual-CPUs, both of which are needed in order to achieve the
    > ~300-kpps bi-directional forwarding rate as well as doing full NIDS.
    >
    > >Any cheaper alternatives?
    > >Any more effective alternatives, other than a firewall?
    > Unless you fit the extremely narrow needs we've defined, pretty much
    > anything is both a better and cheaper alternative.
    >
    > >Anything else that may dissuade me from "having a go"
    > Well, since you ARE a security professional, I doubt that this will match
    > your needs.
    >
    > Robert Graham
    > CTO/Network ICE
    >
    > PS: Actually, most of our sales of Guard so far have been to security
    > professionals who understand the limitations.
    >
    > PPS: Our marketing/sales people do not like me discussing Guard because of
    > the way I try to dissuade people from buying it. They always want to pump
    > the technology as curing everything from world hunger to the common cold; in
    > contrast, I want to be upfront about things.
    >
    > PPPS: The reality is that this is just another deployment option for our
    > NIDS; it shouldn't even be thought of as a separate product. The NIDS part
    > of the product is pretty strong, but the "blocking" features are weak. As I
    > mention above, it doesn't matter that the blocking is weak because you are
    > getting better blocking than you had to begin with and it isn't causing SLA
    > concerns.
    >
    > -----Original Message-----
    > From: Focus on Intrusion Detection Systems
    > [mailto:FOCUS-IDSSECURITYFOCUS.COM]On Behalf Of Talisker
    > Sent: Saturday, March 03, 2001 4:31 AM
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > Subject: BlackICE Guard
    >
    >
    > Hi
    > BlackICE Guard
    > At first sight this looks like quite an interesting tool, but what are the
    > feelings of those of you out there that have "had a go"?
    > It seems to fall somewhere between an IDS and a Firewall
    > The information I have on it is
    > <snip>
    > BlackICE Guard is a high performance in-line intrusion protection tool. It
    > sits in-line, inspecting all network traffic and filters out hostile packets
    > in real-time. It gives a security administrator the ability to completely
    > eliminate hostile traffic from a segment before it can damage a system.
    > Guard can sit between a firewall and a router, between two switches, or in
    > front of a mainframe. The benefit of Guard is that it offers an
    > alternative deployment solution to those security professionals who are
    > unable to install BlackICE Agents on critical servers, or for whom the alerting
    > functionality of Sentry is not a sufficient level of protection.
    > </snip>
    > The information I'm looking for is
    > How effective is it?
    > What problems have you encountered?
    > What hardware have you put it on?
    > Any cheaper alternatives?
    > Any more effective alternatives, other than a firewall?
    > Anything else that may dissuade me from "having a go"
    >
    > Thanks in advance for any time you can devote to this
    >
    > Take Care
    > Andy
    > http://www.networkintrusion.co.uk
    > Talisker's Network Security Tools List
    >
    > Security Tools Notification
    > http://groups.yahoo.com/group/security-tools/join
    >