Saturday, October 18, 2003

ISS Announces "Proventia" Products

Internet Security Systems launched a new product line this week, called the Proventia "all-in-one protection product." From the press release:

"Today Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine to extend protection across servers, desktops and laptops. Proventia’s simplified protection for every layer of business infrastructure eliminates the complexity associated with today’s legacy security products and greatly reduces the total cost of ownership for security – making protection affordable for enterprises."

ISS offers three Proventia products:

I looked at the product demo site and made a few observations. Site Protector remains the overall management product. The Proventia M series offers "content blades" which can be enabled or disabled in software.

The Proventia A series IDS offers products like the A1204 which can monitor and make sense of redundant or load-balanced links.

ISS offers a newsletter called "Connect," with the October issue (.pdf) devoted to Proventia.

What's the competition for ISS' product? Symantec announced its Symantec Gateway Security 5400 Series last month. Cisco announced "integrated network solutions" in Feb 03, but they're not a "converged solution." You need a product finder to make sense of Enterasys's offerings. While I still believe Sourcefire has the superior detection solution, I can see the allure of these "single box" appliances.

Don't be fooled into thinking a single box can serve all of your security needs. While the ISS demos stress their products can complement firewalls, I don't trust putting prevention and detection functions into a single system. Almost by definition, the detection aspect will not detect some attacks, leaving no record of intrusion. Why? If the product could detect the attack, why didn't it prevent it? (That's what customers say they want, correct?) So, there needs to be an independent, network-audit product to evaluate how well the prevention product performs. That's network security monitoring, my friends. NSM recognizes that prevention will always fail, and that when it does, defenders need a way to quickly scope the extent and impact of a compromise.