From: Talisker (TaliskerNETWORKINTRUSION.CO.UK)
Date: Mon Mar 05 2001 - 11:55:39 CST
Thank you very much for such a frank and honest reply, truly refreshing these
days. (with a few exceptions)
I was considering the virtues of Guard providing more defence in depth, i.e.
not replacing a firewall, but adding an element of protection and visibility
between trusted networks within the depths of the organisation. For the
reasons you mention a firewall isn't always feasible, but the insider threat
is real and needs to be addressed.
I apologise for not making myself clear regarding placement of the product.
----- Original Message -----
From: "Robert Graham" <robert_david_grahamyahoo.com>
To: "Talisker" <Taliskernetworkintrusion.co.uk>;
Sent: Sunday, March 04, 2001 11:41 PM
Subject: RE: BlackICE Guard
> The "Guard" version of BlackICE is not appropriate for most people. It is
> for customers where security is the SECOND priority; if security is your
> priority, then you shouldn't even consider it. Get a real firewall and use
> our "Sentry" version of BlackICE.
> I know it is rather shocking to security professionals, but for a lot of
> people, things like SLAs, performance, and uptime are their top
> While they want to make their networks secure, they dedicate more
> money/manpower to increasing uptime and performance. These are customers
> that don't have a firewall in place, or haven't dedicated enough time to
> configure their firewall well.
> I want to make this point clear because any security professional looking
> at Guard will be unimpressed (they should just be looking at our traditional
> NIDS instead, which really IS cool).
> The two primary "features" of Guard are (a) it can forward packets with
> extremely low latency at full bandwidth and (b) when it fails (power loss,
> crash, hang), traffic continues to flow through it (unsecured).
> Any security professional will tell you that point (b) is WRONG. If a
> firewall fails, its duty is to shut down all traffic until the problem can
> be fixed rather than allow an attacker to compromise the network. However, we
> have found that this (correct) philosophy is one of the reasons customers
> do not purchase firewalls. Since their top priority is uptime, they want a
> device that behaves incorrectly from a security perspective.
> Therefore, our primary design goal for Guard is "How can we improve
> for those who care more about performance/uptime/SLAs?". We designed it so
> that even if it did nothing, people wouldn't be afraid of plugging it into
> their network. Because it "bridges" packets (rather than "routing" like
> firewalls), you don't have to reconfigure your network (i.e. it has no IP
> address). It has a hardware "shunt" that bypasses our box upon
> power-loss/crash/hang. It forwards packets with extremely low latency
> (measured in microseconds), and can handle absolutely anything a 100-mbps
> wire can throw at it. (~300,000 packets/second full-duplex).
> Therefore, the answers to your questions are:
> >How effective is it?
> From a security perspective, it isn't as effective as a firewall. From an
> uptime perspective, it is extraordinarily effective at not causing
> on your network.
> >What hardware have you put it on?
> We recommend the Dell 1550 or the Compaq DL360. These boxes have peer-PCI
> buses and dual-CPUs, both of which are needed in order to achieve the
> ~300-kpps bi-directional forwarding rate as well as doing full NIDS.
> >Any cheaper alternatives?
> >Any more effective alternatives, other than a firewall?
> Unless you fit the extremely narrow needs we've defined, pretty much
> anything is both a better and cheaper alternative.
> >Anything else that may dissuade me from "having a go"
> Well, since you ARE a security professional, I doubt that this will match
> your needs.
> Robert Graham
> CTO/Network ICE
> PS: Actually, most of our sales of Guard so far have been to security
> professionals who understand the limitations.
> PPS: Our marketing/sales people do not like me discussing Guard because of
> the way I try to dissuade people from buying it. They always want to pump
> the technology as curing everything from world hunger to the common cold;
> in contrast, I want to be upfront about things.
> PPPS: The reality is that this is just another deployment option for our
> NIDS; it shouldn't even be thought of as a separate product. The NIDS part
> of the product are pretty strong, but the "blocking" features are weak. As
> I mention above, it doesn't matter that the blocking is weak because you are
> getting better blocking than you had to begin with and it isn't causing
> -----Original Message-----
> From: Focus on Intrusion Detection Systems
> [mailto:FOCUS-IDSSECURITYFOCUS.COM]On Behalf Of Talisker
> Sent: Saturday, March 03, 2001 4:31 AM
> To: FOCUS-IDSSECURITYFOCUS.COM
> Subject: BlackICE Guard
> BlackICE Guard
> At first sight this looks like quite an interesting tool, but what are the
> feelings of those of you out there that have "had a go"?
> It seems to fall somewhere between an IDS and a Firewall
> The information I have on it is
> BlackICE Guard is a high performance in-line intrusion protection tool. It
> sits in-line, inspecting all network traffic and filters out hostile
> in real-time. It gives a security administrator the ability to completely
> eliminate hostile traffic from a segment before it can damage a system.
> Guard can sit between a firewall and a router, between two switches, or in
> front of a mainframe. The benefit of Guard is that it offers an
> alternative deployment solution to those security professionals who are
> unable to install BlackICE Agents on critical servers, or for whom the
> functionality of Sentry is not a sufficient level of protection.
> The information I'm looking for is
> How effective is it?
> What problems have you encountered?
> What hardware have you put it on?
> Any cheaper alternatives?
> Any more effective alternatives, other than a firewall?
> Anything else that may dissuade me from "having a go"
> Thanks in advance for any time you can devote to this
> Take Care
> Talisker's Network Security Tools List
> Security Tools Notification