I have not used Cyberwall Plus so I cannot speak for its abilities, however I have extensive experience with Black Ice and will highlight its strengths/weaknesses. I have been using Black Ice defender since long before it was owned by ISS (About 2.5 years). In my opinion, it is a top notch host based IDS product, as it provides active blocking of certain attacks (it only does it for certain ones because of the potential for an inadvertent DOS from one of your own machines). However, if you edit the issuelist.csv file it is possible to alter the default behaviour of the product and change severity levels/blocking/response (TCP Resets). I am kinda disappointed they have never provided an interface to do this from within the program, maybe that will be added in a future version (anyone at ISS on the list?).

It provides blocking/trusting functionality by manually adding individual or ranges of IP addresses and/or ports. The duration can be changed from One hour, One Day, One Month, or forever. I have blocked several hundred hosts (forever) and it does not seem to impact performance. Average CPU utilization is around 1-3% on a PII450 (3% is under heavy network load). Typically I manually block Code Red/Nimda for a month, since they are usually cleaned by that time. It provides separate firewalling and Intrusion Detection Control (Based On IP Address), which means you can choose to allow a host and still leave the IDS component active so if they attempt an attack it will still log and block (if appropriate).

The cost is $40 for workstation and $300 for Server. As far as I can tell the only difference is the server version contains more descriptive attack signatures for Web and related attacks. The workstation version will still block the same attacks, but it does not provide as much logging detail.

In terms of weaknesses I already mentioned the problem with manipulating the default behaviour. It also does not provide any form of active notification (Email, Pager, WinPopup). It supports only three protocol designations, TCP, UDP, or IP (ALL). This may make it difficult to limit access to protocols such as ESP or AH if you are using IPSEC without granting full IP access.

All in all it is a great product (not to sound like a salesman, I have no affiliation with the product's owners, just a very happy user). I have never seen it miss an attack so far, even before there were signatures in the product for Code Red, Nimda, and the like it still blocked the "Suspicious traffic". I also run Snort on the same box to validate Black Ice's logging. I have never used the IceCAP product but it is supposed to collate logs from many different Hosts, maybe someone else can highlight its strengths/weaknesses. YMMV, All statements are my own based on my experience, HTH.

Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 3:13 AM
To: Mustapa Khan
Cc: jacqueline hoe; [EMAIL PROTECTED]
Subject: Re: cyberwall Plus/Host based Firewall

Mustapa Khan wrote:
>
> [black ice defender...] is so cost effective and if anyone tell
> you that it is not good at all, 47 servers in our data center in
> Singapore and Malaysia is using that at the moment.

Uh, wait. Notepad is also cost effective. All of our NT servers have it.
When did this ever become a valid argument in and of itself in a
security-related debate?

(Note that I'm NOT saying "Black Ice Defender sucks". I don't know
enough about it to say that, or the opposite, for that matter.
I'm just saying that this argument alone is worth _very_ little to me.)

Regards,
/Mikael Olsson

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

"Senex semper diu dormit"

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
