So far my suggested areas of improvement are:

- If you’re going to create, advertise, and sell a firewall feature, it would be great to create a firewall feature that allows proper configuration. I’m not going to repeat it, but I pretty much echo the comments of @PhilipGoddard.

- A free/open source management console. I am using your product on my home Windows estate and find that it’s really useful/interesting for investigating bandwidth hogs, beaconing, and processes that are acting nefariously or insecurely. In order to do this, I have to log onto each device individually and manually check what’s going on. What would be really useful, especially as you progress as a company, would be a centralised web-based management, monitoring, and logging console. If you are to break into the corporate arena, which, let’s face it, is where the money is, this needs to be created ASAP.

- Which brings me on to: a logging solution that is either stored as plain text or can be exported via syslog. I can see a real-world use for this product in many security environments. One of the benefits of it is that it gives a lot of information without blocking traffic, which is absolutely crucial to availability-critical applications. If this information could be put into a syslog format and formatted, or stored in an external flat-text file for collection by an agent, this data could be harvested directly into a SIEM and used to aggregate against other log files and help analysts create a much better picture. It may do this already, but I haven’t been able to find it. If it can, could someone kindly point me in the direction?

- More difficult, and probably too much of a step towards a HIDS solution, but the implementation of “smart” rule sets. What would be really great is if the product could use the data that it presents and look for potential nefarious patterns. For instance, a Word/Excel document starting a PowerShell script, or numerous packets of the same transport-layer protocol coming from the same source to different ports without establishing a session, could be an indication of a port scan. If you could somehow create these alerts, AND push them into some form of centralised logging capability, this could be a really powerful tool for both the security community and enterprise alike.
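To make the last two suggestions concrete, here is an added example (not the poster's code and not anything the product ships) that implements the two "smart" rules described above over constructed host events and emits the resulting alerts as RFC 5424 syslog lines of the kind a SIEM collector would ingest. The event schema (`kind`, `parent`, `image`, `src`, `dport`, `established`), the hostname, the `hostmon` app name, the facility/severity choice and the scan thresholds are all assumptions made for the example; the product's real export format, if it has one, is not known from this thread.

```python
"""Added example: two host-side detections plus syslog output.

Not the product's code; event field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule 1: an Office document host spawning a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Rule 2: one source, one transport protocol, many distinct destination ports,
# none reaching an established session, inside a short window. Arbitrary values.
SCAN_MIN_PORTS = 10
SCAN_WINDOW = timedelta(seconds=30)

# Constructed sample events (assumed schema): 'kind' is "process" or "conn".
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "kind": "process", "host": "WS01",
     "parent": "winword.exe", "image": "powershell.exe", "pid": 4120},
    {"ts": "2024-05-01T09:00:01", "kind": "process", "host": "WS01",
     "parent": "explorer.exe", "image": "powershell.exe", "pid": 4188},  # benign
]
# Twelve SYN-only connections to twelve ports within 12 seconds: a scan.
SAMPLE_EVENTS += [
    {"ts": f"2024-05-01T09:05:{i:02d}", "kind": "conn", "host": "WS01",
     "proto": "tcp", "src": "10.0.0.23", "dst": "10.0.0.50",
     "dport": 20 + i, "established": False}
    for i in range(12)
]
# A normal, established session: must not contribute to the scan count.
SAMPLE_EVENTS.append(
    {"ts": "2024-05-01T09:06:00", "kind": "conn", "host": "WS01",
     "proto": "tcp", "src": "10.0.0.23", "dst": "93.184.216.34",
     "dport": 443, "established": True})


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_office_spawn(events):
    """Alert when an Office parent launches a script host."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        if e["parent"].lower() in OFFICE_PARENTS and e["image"].lower() in SCRIPT_HOSTS:
            alerts.append({"rule": "office_spawns_script", "host": e["host"], "ts": e["ts"],
                           "detail": f'{e["parent"]} -> {e["image"]} (pid {e["pid"]})'})
    return alerts


def detect_port_scan(events):
    """Sliding window per (host, src, proto) over non-established connections;
    fire once per source when distinct ports in the window reach the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and not e["established"]:
            by_src[(e["host"], e["src"], e["proto"])].append(e)
    alerts = []
    for (host, src, proto), conns in by_src.items():
        conns.sort(key=lambda c: parse_ts(c["ts"]))
        start = 0
        for end in range(len(conns)):
            while parse_ts(conns[end]["ts"]) - parse_ts(conns[start]["ts"]) > SCAN_WINDOW:
                start += 1
            ports = {c["dport"] for c in conns[start:end + 1]}
            if len(ports) >= SCAN_MIN_PORTS:
                alerts.append({"rule": "port_scan", "host": host, "ts": conns[end]["ts"],
                               "detail": f"{src} hit {len(ports)} {proto} ports without a session"})
                break  # one alert per source per run; a real tool would re-arm later
    return alerts


def to_syslog(alert, facility=16, severity=4, app="hostmon"):
    """RFC 5424 line. facility 16 = local0, severity 4 = warning, so PRI = 132.
    Timestamps are treated as UTC; the app name is an assumption."""
    pri = facility * 8 + severity
    return f'<{pri}>1 {alert["ts"]}Z {alert["host"]} {app} - {alert["rule"]} - {alert["detail"]}'


def run(events=SAMPLE_EVENTS):
    """Return all alerts for the events, already formatted for a syslog collector."""
    alerts = detect_office_spawn(events) + detect_port_scan(events)
    return [to_syslog(a) for a in alerts]


if __name__ == "__main__":
    for line in run():
        print(line)
```

The scan rule deliberately ignores established sessions, so the benign HTTPS connection from the same source does not add to the port count, and the explorer.exe-launched PowerShell does not trip the Office rule; both are the false positives a first cut of such rules would otherwise produce.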