> > For instance, Haystack Labs has a really nice IDS
> > product called Stalker which installs on Suns and HPs, but not SGIs.
> > More disturbing was a comment I got from a developer there. He said
> > (and I am summarizing) that they have no plans to port to SGIs because
> > most SGI customers only buy the Unix systems for the graphics capability
> > and are not willing to take the performance hit.
>
> Maybe they've never seen a Challenge? Some supercomputer centers are going
> to move entirely to Challenge and PowerChallenge arrays due to cost reasons
> I've heard. I think they are taking a very short-sighted view.
>
> > This is unfortunate because
> > I was quite impressed with their Stalker product.
>
> Any more details on it? What exactly does it do?

From what I know, there are only two current commercial IDS available on the market. Both use forms of audit trail reduction, but use different mechanisms internally to do the analysis. The two are Stalker from Haystack Labs, and CMDS from SAIC. Of the two, I've heard better things about Stalker from people in the government who have evaluated both. I have no direct experience with either (yet).

If I recall correctly, Stalker does not need to run on SGIs directly -- you can run it on a Sun workstation and feed it the SGI audit trail. In some cases, this may be the preferred mode of operation, as you sometimes don't want your IDS running on a machine you are monitoring.

You can get full details on the system by contacting <smaha@sli.com>. They have some literature they can send out. Unfortunately, there is no ftp or www info site for them. (The SAIC product is described at <http://www.saic.com/products/cmds/>.)

One reason Stalker may not yet be supported on SGI machines is that Haystack is a small company, and Stalker is a new product. They are undoubtedly producing it first for the machines most commonly used in government and industries like financial services -- likely customers. SGI machines are not (yet, if ever) common in those environments, so I doubt they are a high priority. I'm pretty sure as time goes on, if it appears that security-conscious firms are interested in buying SGI equipment and paying for security, then more such tools will be available for them.

The above is purely my opinion, shaped in part by hearing several presentations by Steve Smaha at various security research meetings, and reading some of their literature. Parts of it may well be wrong. I'm cc'ing Steve directly so he can correct or amplify my remarks.

--spaf