I personally prefer only two commercial products, ManHunt (Symantec) and Dragon (Enterasys) IDS/IPS. Free, and in my opinion still the best IDS (and, if you would like, also IPS), is SNORT. From an analyst perspective I prefer Dragon (commercial) and Snort (free).
Kind regards,
Arturas Zalenekas
Network Security Engineer and Analyst

On Wed, April 19, 2006 23:35, Dogten wrote:
> Andrew Plato wrote:
>>> I see a lot of discussion on this list to be about larger,
>>> more established IDS/IPS solutions. I'm just wondering if
>>> anyone has experience with smaller commercial IDS devices
>>> like the Symantec 7100 series? If so, what did you think?
>>> What were you comparing it to?
>>
>> I think there are a lot of lower-cost IPSs. Some are good, some are
>> fair, many are lame. Symantec isn't one that comes to mind. It actually
>> is pretty expensive. My personal favorite is Fortinet. It's a UTM
>> (all-in-one) box. We sell A LOT of Fortinet and as a whole, customers
>> have been very pleased with its performance. And its IPS is based on
>> Snort, incidentally. Fortinet has the plus of having firewall,
>> anti-virus, VPN, and lots of other goodies as well.
>>
>> I have heard good things about SecureWorks. However, they are a purely
>> managed IPS. I have one customer with Astaro, who says good things about
>> their product.
>>
>>> Many of my clients are too small to afford the more expensive IDS
>>> offerings. And, the perception can be (correct or not is irrelevant)
>>> that SNORT simply shifts the up-front costs to the management phase.
>>> I guess, if you feel this is incorrect, I'd be interested in your
>>> thoughts on this, too.
>>
>> Snort is resource intensive. It's a good IDS/IPS that requires a lot of
>> expertise and management to make it work effectively. Most small to
>> medium businesses lack such resources, as you have discovered. As such,
>> lower cost commercial IPSs like SecureWorks or Fortinet (both
>> Snort-based IPSes), give those customers the value of Snort as a
>> technology without requiring a lot of personnel resources.
>>
>> _____________________________________
>> Andrew Plato, CISSP
>> President / Principal Consultant
>> ANITIAN ENTERPRISE SECURITY
>>
>> Your Expert Partner for Security & Networking
>>
>> 3800 SW Cedar Hills Blvd, Suite 280
>> Beaverton, OR 97005
>> 503-644-5656 Office
>> 503-214-8069 Fax
>> 503-201-0821 Mobile
>> www.anitian.com
>> _____________________________________
>>
>> PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm
>> _________________________________________________
>> NOTICE:
>> This email may contain confidential information,
>> and is for the sole use of the intended recipient.
>> If you are not the intended recipient, please reply
>> to the message and inform the sender of the error
>> and delete the email and any attachments from
>> your computer.
>> _________________________________________________
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>> to learn more.
>> ------------------------------------------------------------------------
>
> In my opinion the Symantec 7100 series is actually a pretty nice
> IDS/IPS. I have pretty extensive experience with it and other IDSs and
> have found very little that I ask of it that it cannot do. I am not sure
> that I would call SNOT (Symantec Network Observation Technology),
> formerly known as ManHunt, a low cost IDS. At one point the cost of the
> software version of it to observe a 1gb pipe in passive mode (IDS, not
> IPS) was $125k MSRP and did not include the E240 that they recommended
> for it. It is actually very well suited for monitoring multiple segments
> and boxes from a central location as it does its own correlation and
> aggregation independently of SSMS (Symantec's SESA nightmare).
> The nicest part of it being that the vast majority of new exploits/worms/etc.
> breach RFC standards in some way, shape or form, so you are not always
> chasing down new signatures. Things such as Code Red, Nimda, Slammer,
> and others were seen out of the box as shipped without racing to get a
> signature plugged into it. If need be you can write your own signatures
> for it and pick/choose which appliances and interfaces you want the
> policies to apply to. I would not call this a SOHO IDS/IPS though. It is
> well suited for extremely large networks, just not tier 1 ISPs, but then
> again, most tier 1 ISPs are not attempting to do any real IDS/IPS for
> their millions of botnet subscribers.
>
> disclaimer - I am not a Symborg employee or customer
>
> -dogten, C²ISSP
> _________________
> Fight the power and the power will fight back
> You're only as good as the system you hack
> If you become a problem you will be replaced
> Banned, shut down, erased!
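Dogten's point above, that much new exploit traffic breaks the relevant RFC and can therefore be flagged without a per-exploit signature, while a syntactically clean attack is only caught by a signature, is illustrated by the following added example. It is not code from this thread, from Snort, or from any Symantec or Enterasys product. The HTTP request samples are constructed; the one labelled Code Red only approximates the widely published default.ida request. The 1024-byte request-line limit, the signature name and all function names are assumptions made for the illustration.

```python
"""Added example: signature matching versus RFC-conformance (protocol
anomaly) checking on the first line of an HTTP request.

Samples and detector names are constructed for illustration and are
not taken from any real IDS rule set.
"""
import re

# Signature table: one pattern per known attack. Constructed; the
# pattern below keys on the run of 'N' characters in the Code Red
# default.ida request.
SIGNATURES = {
    "codered-ida-overflow": re.compile(rb"GET /default\.ida\?N{200,}"),
}

# Request methods defined by RFC 2616 (HTTP/1.1).
RFC_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
               b"OPTIONS", b"TRACE", b"CONNECT"}

# Assumed tunable limit, not an RFC constant: real servers and sensors
# pick their own ceiling for the request line.
MAX_REQUEST_LINE = 1024


def signature_hits(payload):
    """Return the names of every signature that matches the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


def rfc_anomalies(payload):
    """Check the request line against the RFC 2616 grammar.

    Returns a list of anomaly labels; an empty list means the request
    line looks conformant (which says nothing about its intent).
    """
    anomalies = []
    first_line, sep, _rest = payload.partition(b"\r\n")
    if not sep:
        anomalies.append("no-crlf-terminated-request-line")
    parts = first_line.split(b" ")
    if len(parts) != 3:
        # Request-Line = Method SP Request-URI SP HTTP-Version
        anomalies.append("request-line-not-three-tokens")
        return anomalies
    method, target, version = parts
    if method not in RFC_METHODS:
        anomalies.append("unknown-method")
    if not re.fullmatch(rb"HTTP/\d\.\d", version):
        anomalies.append("bad-http-version")
    if len(first_line) > MAX_REQUEST_LINE:
        anomalies.append("oversized-request-line")
    if any(b < 0x20 or b >= 0x7F for b in target):
        # Raw control or high bytes in the URI are never legal; they
        # are a common tell of shellcode riding in the request.
        anomalies.append("non-ascii-or-control-byte-in-target")
    return anomalies


def classify(payload):
    """Signature first (most specific), then anomaly, then clean."""
    sigs = signature_hits(payload)
    if sigs:
        return "signature", sigs
    anoms = rfc_anomalies(payload)
    if anoms:
        return "anomaly", anoms
    return "clean", []


# Constructed samples. CODE_RED_SAMPLE approximates the published worm
# request: syntactically valid HTTP, so only the signature sees it.
CODE_RED_SAMPLE = (
    b"GET /default.ida?" + b"N" * 224
    + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
    b"%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
    b"%u0078%u0000%u00=a HTTP/1.0\r\n\r\n"
)
# A made-up "new" overflow with no signature: oversized URI carrying
# raw bytes, caught by the RFC checks alone.
NOVEL_SAMPLE = (
    b"GET /" + b"A" * 2000 + b"\x90\x90\xeb\x1f HTTP/1.1\r\n"
    b"Host: victim\r\n\r\n"
)
BENIGN_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("code-red", CODE_RED_SAMPLE),
                          ("novel", NOVEL_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, "->", classify(sample))
```

The two detectors fail in opposite directions: the signature misses anything it has not been told about, and the grammar check misses an attack that is well-formed HTTP, which is why a production sensor runs both and why the anomaly side still needs a tuned length limit and an allow-list of methods for the site's actual traffic.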
