ISP Planet - Technology - Managed IDS Table

Sections

• Best of the Lists
• Business
• CLEC-Planet
• Equipment
• Executive
Perspectives
• Fixed Wireless
• Investor
• Marketing
• Market Research
• News
• Notable Quotes
• Politics
• Profiles
• Resources
• Technology
• Value-Added
Services
• Webhosting
Also ...
• About Us
• Authors
• ISP-Planet Blog
• Letters
• Site Map
• Technology Jobs

ISP Resources

ISP-Lists
ISP Glossary
ISP News
The List
ISPCON Events
Free Newsletters

internet.com

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet.commerce

Partner With Us

Managed Security Services

Managed IDS Table

by Lisa Phifer
VP Core Competence, Inc.
[December 28, 2004]

Managed IDS Service Provider	IDS Platform(s)	Approach & Depth	Analysis & Response	Reporting	Additional Comments
ClearPath Intrusion Detection and Prevention Service	ClearPath's SNAP VPN Appliance	In-line inspection of IP stream, application headers and payload, based on signatures and state. Combines deterministic Intrusion Prevention with deep packet stateful inspection.	Packets can be silently dropped or TCP connections reset when applicable.	Logs and reports accessed through SNAP View, a central Web portal.	Available only with other services. Protects networks from over 2,200 known attack signatures and new "zero day" attacks. Includes 24x7 availability and performance monitoring of IDS, automatic signature updates, change management, and reporting capabilities.
Globix Network Defender	Top Layer, Attack Mitigator 5500	Passive TCP stream and application header inspection, based on signatures, and DDoS protection	Automated connection reset, IP blocking, quarantine. Malicious attempts are then reviewed and action plans enacted.	Alert logs are shared with customers through Web portal.	Available alone or firewall option. Dynamic rerouting of traffic is an option.
ISS Managed IDS for Networks (.pdf)	ISS Proventia A/G/M Appliances,ISS RealSecure Network Sensor,Cisco IDS	In-line or passive algorithmic vulnerability analysis, protocol anomaly, and signature detection, depending on platform. Proventia sensors interpret activity and detect attacks at all layers, including application. Cisco IDS focuses more on traffic patterns and signatures.	Automated intrusion blocking when deployed inline. TCP resets available in passive deployments. Security Analysts follow stringent Escalation Procedures for incident response to control security breaches and mitigate risk of further damage.	Per incident, daily, weekly, and monthly reports available via MSS Customer Portal, including Daily Threat Assessment, X-Force Intelligence, Live Raw Event Data, Worm Tracking, Monthly Exec. Summary, Security Incidents, and other Reports.	Available as standalone service or firewall option. Device Management is included in the monthly service fee but is optional. Unique features include Virtual Patch Protection and X-Force Global Security Intelligence. MSSP covers all facets of incident response, including planning, forensic analysis, preservation of evidence and data recovery, as well preparation for future attacks.
ISS Managed IPS for Networks and Servers	ISS Proventia Intrusion Prevention and Integrated Security Appliances,ISS RealSecure Server Sensor	Managed Protection Service (MPS) or Server Agent monitors and protects, based on comprehensive, predefined list of threats and vulnerabilities, tailored to customer's network. Provides in-line algorithmic vulnerability analysis, 7-layer protocol anomaly, and signature-based detection.	Automated IP blocking, reset, drop, and dynamic responses that can block attacker for predetermined period to prevent worm propagation or stop intruder in his tracks. Security Analysts follow stringent Escalation Procedures (see above).	Per incident, daily, weekly, and monthly reports available via MSS Customer Portal (see above).	Available as standalone service. Depending on service level, bundled options may include Security Assessment, Penetration Testing, Basic Emergency Response, Reporting, X-Force Global Security Intelligence, and X-Force Threat Analysis Services. ISS' Security Incidents Prevention Guarantee prevents or stops all X-Force Certified Attack List Security Incidents on networksegments protected and monitored by an ISS MPS Agent.
LURHQ Managed Intrusion Detection	Cisco IDS, Tipping Point, McAfee, Netscreen, Snort, Sourcefire	In-line or passive detection, using methods and depth based on selected solution	No automated response. GIAC Certified Intrusion Analysts or Incident Handlers escalate according to defined process and work with customer until issue resolved.	Logs and reports available via secure, real-time, Web-based Sherlock Enterprise Security Portal.	Available as standalone service, with total lifecycle management or just monitoring. Includes unlimited consultation time, co-managed/unlimited changes.
LURHQ Managed Intrusion Prevention	Cisco IDS, Tipping Point, McAfee, Netscreen, Snort, Sourcefire	In-line or passive detection, using methods and depth based on selected solution	Delivers automated intrusion prevention; type of response is vendor-dependent.	Sherlock Enterprise Security Portal (above).	Available as standalone service, with total lifecycle management or just monitoring. Includes unlimited consultation time, co-managed/unlimited changes.
MCI Managed IDS	Cisco	Passive stateful pattern recognition, protocol analysis, traffic and protocol anomaly detection	Event correlation, root cause analysis.	Secure Web Portal	Available as standalone custom service, offered in conjunction with MCI's Managed WAN Services.
MCI Managed IPS	ISS Proventia, Netscreen	In-line stateful pattern recognition, protocol analysis, traffic and protocol anomaly detection.	Event correlation, root cause analysis, optional intrusion blocking, and other customer-defined responses.	Secure Web Portal	Available as standalone custom service, offered in conjunction with MCI's Managed WAN Services.
PresiNET Managed IDS	vDeadbolt Appliances	In-line TCP stream, application header, and payload inspection. Signature, Behavior, and Anomaly-based, with DDoS protection.	Automated IP blocking and human alert analysis.	Secure Web interface and e-mail/pager alerts	Available only as a firewall option.
RedSiren Managed IDS (IPS)	Cisco Secure IDS, ISS RealSecure, NFR, Enterasys Host, McAfee IntruShield, Cisco Security Agent, Snort	In-line or passive inspection, varies by technology, but extends to entire packet. Uses signatures, anomaly detection, heuristic analysis, and behavioral statistics.	Event correlation, root cause analysis, intrusion blocking (automated for high certainty events), vendor-specific methods, and MSSP incident investigation.	Secure Web Portal	Available now as a standalone service, or with firewall in 2005. Server / Host / Desktop options. Includes tuning to customer environment, correlation across customer's infrastructure, scanning service, 24x7 SOC coverage, and post-incident analysis.
Securalis Managed IDS	ISS RealSecure,Snort	Passive signature-based inspection.	No automated blocking. Critical events are escalated via phone and e-mail. Non-critical events are notified by e-mail.	Reports and logs delivered as online reports for Snort and via monthly phone reviews.	Available as standalone service.
Secure Designs Firelan Managed IDS	Netscreen, SonicWALL, WatchGuard, Cisco	In-line or passive TCP stream, application header, and payload inspection. Signature, Behavior, and Anomaly-based, with DDoS protection.	Automated blocking by connection reset, IP blocking, quarantine.	FTP, Web, e-mail	Available alone or as firewall option. Automated policy reconfiguration option.
SecurePipe ActiveIDS	ActiveIDS	Passive TCP stream, application header, and payload inspection, using Signature and Anomaly detection.	Alerts are investigated and responded to by security engineers, based on customer's Incident Response and Escalation Policy. Response may include firewall ruleset change, customer contact, and incident report filing.	Customer is notified by chosen method (phone, e-mail, fax, page) of issues that require immediate action. Otherwise, customer is able to view reports via Security Console which describe the alert, packet payload, and MSSP's analysis and response.	Available as standalone service. See Managed Firewall table for firewall service with built-in IPS (an in-line service with automated blocking).
SecureWorks Network-Based Intrusion Prevention	SecureWorks iSensor	Inspects the entire packet from flags and headers to packet payload. In-line signature, behavior, anomaly, and protocol validation.	Automated blocking and human alert analysis.	Secure Web access via SecureHUB, daily/monthly e-mailed reports	Available as standalone service @ two levels, differentiated by customer's response time requirement.
SecureWorks Host-Based Intrusion Prevention	Cisco Security Agent	Behavior-based detection.	Automated blocking and human alert analysis.	SecureHUB (above)	Available as standalone service @ two levels, differentiated by customer's response time requirement.
Unisys Managed Security Services	Cisco, Enterasys, ISS, Fortinet, Netscreen	In-line or passive, depending on customer need. Depth varies from session header to application payload, depending on vendor. Detection based on signatures, anomalies, and protocol adherence.	Automated blocking (when deployed in-line) and human alert analysis.	Secure Web Page	Available alone or as firewall option, with network and host IDS options.
VeriSign Managed IDS	Cisco, ISS, Enterasys, Snort, SourceFire	Passive layer 7 inspection methods, depending on product, including signature matching and protocol and traffic anomaly detection.	No automated blocking. When alert passes through correlation engine, MSSP performs further analysis to confirm alert and provide context info to customer, including comparison with firewall and host logs and other IDS sensors.	Logs and reports available via Customer Resource Portal, providing detailed view of managed devices, variety of reports, and ad hoc query engine to analyze security events across multiple platforms and locations. Secured by token authentication and SSL encryption.	Available alone or as firewall option, with host IDS or IPS, logfile monitoring, and vulnerability scan options. MSSP can deliver intra-enterprise, inter-enterprise, and Internet-wide security intelligence.
VeriSign Managed IPS	Netscreen IDP, ISS Proventia	IPS devices can be placed in-line or listen-only passive mode, depending on customer preference. Methods depend on product, including signature matching and protocol and traffic anomaly detection.	When malicious traffic passes through IPS device, packets that triggered event are dropped, or connection is dropped, based on configured rules. MSSP monitors IPS devices for health events and security violations resulting from attacks originating inside and outside the network.	Customer Resource Portal (see above). Two types of reports are available: a device configuration report and a security event report.	Available alone or in combination with any other security service. MSSP tests all vendor-released signatures prior to placing them on devices under management. MSSP also works with each customer to place appropriate priority and action on each signature, based on their environment and needs.
VigilantMinds NetXone	Cisco, ISS, SourceFire, McAfee, Snort, other "best of breed" solutions	Monitors any network access point (e.g., firewalls, Web servers, VPNs, routers) using passive or in-line TCP stream, application header/payload, port/IP inspection, based on signatures and proprietary Statistical Network Anomaly Reporting Engine.	Automated responses include IP blocking, IP port shutdown. SOC alerts customer via chosen method (e-mail, phone, etc).	SecureXone Security Portal provides integrated managed security info, delivered in real time, spanning intrusion events, wireless and wired networks, and any commercial security device with a log. Monthly face to face meetings and reports.	Available alone or in combination with other services. Options include Server/Host IDS/IPS, Security Alert Service, and Weekly Vulnerability Scanning.
VigilantMinds BufferXone	"in the cloud" IPS is MSSP-hosted service that requires no CPE hardware, software, or installation	Gives customer a new, protected IP address that serves as an intrusion buffer because MSSP screens all traffic to/from customer's real IP address.	Only BufferXone-validated traffic reaches customer's CPE firewall. Blocks intrusions, worms, DDoS attacks.	See NetXone.	See NetXone.
VigilantMinds AirXone	Cisco, ISS, SourceFire, McAfee, Snort, other "best of breed" solutions	Wireless network security solution that supplies full 7-layer intrusion detection and prevention.	See NetXone.	See NetXone.	See NetXone.

NB: This survey is not intended to be an exhaustive list. It is an example snapshot of offerings available from participating providers, as of December 2004. Service offerings do change frequently, so please consult provider web sites for updates or further information. Additional providers who would like to be invited to participate next year should mail me at lisa (at) corecom.com

Online Resource:

Intrusion Detection Systems Directory

< Back to article