Comments on TaoSecurity Blog: Thoughts on Check Point Acquisition of NFR
Blog author: Richard Bejtlich. Comment feed retrieved 2023-10-16. Comments are listed newest first.

Dustin (2006-12-24 13:23 EST):

On Cisco IDS/IPS, hasn't it come some way though? I do know that full content data (must be enabled) is collected w/ the AIP-SSM IPS modules. If you leave the add-ons out of the picture (RNA, MARS), then it seems to me that Cisco is pretty competitive w/ Sourcefire.

Richard: Have you dealt at all w/ Cisco IDS/IPS products lately?

Anonymous (2006-12-24 03:51 EST):

Richard

I'm going to defend Radware here.

Maybe you didn't see them deployed at your customers but I do think they are worth looking at.
Most vendors are still taking the signature approach (disregarding the signature/vulnerability filter discussion here).
I do admit that Radware is weak at doing this, but their BDOS module actually performs quite well, whereas the anti-DoS capabilities of the other vendors are mostly limited to nothing or to SYN cookies.

Anonymous (2006-12-23 14:36 EST):

If we cannot speak of trust in absolutes, then that leaves relative trust. The moment one can make a statement about trustworthiness of host security that outweighs network security, then it should become incorporated into the network, even to supplement edge security.

What is to say that you can trust independent network devices any more than a host-based security model? Each of them is a potential attack vector in its own right.

Anonymous (2006-12-22 16:47 EST):

I would agree that in the enterprise environments the switches are (for some time now by Cisco) being marketed as having "integrated security". It will be interesting to see how much integration they go after in the commercial SMB space, since up until now they have pretty much left Linksys alone to do its own thing and are pretty consistent about separating the "enterprise class" products (and features) from the SMB space.

I actually think one of the main drivers will be the management aspect - IDS/IPS implementations tend to be underutilized because of the difficulty in tuning / managing them, and Cisco has gone through several different approaches to IDS management. From the old days of CSPM to VMS and now CSM, it seems that it is still a challenge to present an interface that customers find intuitive or at least usable, and Cisco has always separated the configuration piece from the management piece (or at least the configuration and logging, i.e., IDM and IEV). Folding the security into the network fabric and thus the security management into the network management products may be an issue. I think from a security management perspective several vendors are starting to move towards a more "solutions-oriented" approach - i.e., for Cisco shops the direction is to have everything security related report to MARS for correlation and CSM for the configuration/provisioning. I would welcome the addition of the Sourcefire technology, but it is hard to say if they would view the benefits of the Sourcefire IDS technology as outweighing the issues of folding in the competitive Sourcefire SEM technology with the MARS product.

Unknown (2006-12-21 14:25 EST):

Ahh, sorry, I should read up on IPv6 more before blurting things out. :) Thanks!

Richard Bejtlich (2006-12-21 14:18 EST):

Hi Rob,

You said "If those hosts are trusted rather than merely hardened though, they can't be compromised, so that would have to be a key influencing factor on choice of security model then?"

I think you answered your own question. "Can't be compromised" is impossible. Also, trusted != trustworthy. Trusted means you have placed trust in the system. Trustworthy means placing trust is a wise decision.

Anonymous (2006-12-21 14:14 EST):

If those hosts are trusted rather than merely hardened though, they can't be compromised, so that would have to be a key influencing factor on choice of security model then? And if those settings could be imposed (pushed) on all nodes to create trust channels to enforce security policies and user access to data inside the network, rather than just limited to the host, then we will certainly have arrived.

Richard Bejtlich (2006-12-21 12:23 EST):

Rob,

I'm not discounting host-centric security. However, compromised hosts cannot contain themselves. Independent devices can contain compromised hosts, at least to some degree. Also, some activities are better implemented by the network because they can be uniformly imposed on all nodes, whether the nodes want to cooperate or not.

Anonymous (2006-12-21 08:51 EST):

The idea that core data can be protected at the switch has limitations, in my books. Network security is not data assurance, and never will be.

A better model would be one that starts at the host and fans out to network clients and switches.

Anonymous (2006-12-20 19:25 EST):

I am not going to pick at your list of IPS vendors, but I did want to relay something I heard from a former Enterasys engineer.

He said Enterasys never really committed to Dragon and is now looking for a way to sell it off. He estimates there are maybe 5 developers left to do minor revisions, but no major development.

That would explain why Enterasys disappeared from view a few years ago.

Richard Bejtlich (2006-12-20 18:16 EST):

"Countless?" By definition, false. Radware is a company you see at trade shows, but I have never seen the product fielded. Do I not get out enough? Maybe. Do I hear people using the "major" vendors I listed earlier? All the time.

Of course YMMV.

Anonymous (2006-12-20 17:08 EST):

By "major" IDS/IPS vendor, would customers such as eBay, Lycos, Akamai, and countless others be included as major accounts for Radware, or would you simply discount it because the Air Force didn't include them in their evaluation because it's an Israeli company?

Richard Bejtlich (2006-12-20 12:12 EST):

dre, TopLayer is probably worth mentioning, but just barely. Radware? Forget it. Maybe I should have said "MAJOR" IDS/IPS vendors.

Anonymous (2006-12-20 12:06 EST):

Put me down for TopLayer and Radware in your category of "Richard forgot ...".

What a bad blog posting day.

Richard Bejtlich (2006-12-20 12:03 EST):

No one can buy Bro.

Anonymous (2006-12-20 12:01 EST):

To be fair, you're also leaving out Bro (http://www.bro-ids.org/).

.Seth

Richard Bejtlich (2006-12-20 08:47 EST):

Stonesoft -- irrelevant. Never heard a single client or student ever mention them.

Fortinet -- a "UTM" appliance. I didn't want to mention the UTM space, but there's an example of another set of functions that will end up in the switch. I bet Fortinet's new marketing guy would agree, since he invented the "Secure Network Fabric" term.

I got a Google blog alert telling me Matasano said I forgot Intrusion. Their blog is unreachable, so I can't read the details right now. I consider Intrusion another side player. They've been around forever but never seemed to amount to anything. The last time I dealt with them, the Air Force was trying to recover from the junk they shipped to us.

Anonymous (2006-12-20 08:23 EST):

Fortinet....?

Anonymous (2006-12-20 05:10 EST):

Hello,

You did forget at least one Finnish vendor, Stonesoft (http://www.stonesoft.com).

And no, Stonesoft does not repackage Snort.

Richard Bejtlich (2006-12-19 22:12 EST):

Hi Chris,

Microsoft was legally declared a monopoly, and what happened? Nothing. No one is going to be able to stop this evolution, and maybe no one really should.

Anonymous (2006-12-19 22:06 EST):

Richard, I always read your posts and value your opinion, but I disagree with you on the MS point.
I can already see the anti-trust lawsuit against MS if they were to attempt to shut out Symantec/McAfee by trying to collapse all security features into the OS, even if this is where the industry, technically, is headed.

The focus on security services and not hardware is fine for some, but those clients are typically large organizations. All these large security companies abandoning their security appliances leaves the small/medium business hanging, which is where the vendors you didn't mention will clean up.

Richard Bejtlich (2006-12-19 21:14 EST):

I already listed Enterasys and Dragon.

Anonymous (2006-12-19 20:38 EST):

A vendor missing above that's still around: Enterasys (Dragon).

Richard Bejtlich (2006-12-19 19:22 EST):

LonerVamp,

IPv6 does not use IPSec by default. IPv6 is no more secure than IPv4 -- maybe less so. IPv6 stacks must be IPSec-capable, but they do not need to use it. IPv4 stacks do not need to be IPSec-capable; that is the difference.

Anonymous (2006-12-19 18:45 EST):

I agree with your assertions. Microsoft is not going to allow us to forget that Vista is the cure for all host-related security issues (yeah, right...)

Where would Fortinet fit into the IDS/IPS mix?
Would you categorize their devices as "repackaging Snort"? Just curious.

Thanks - again, nice thoughts.