I came across another opportunity with CheckPoint's InterSpect (NGX version) as an IPS solution. I was wondering how much experience the forum has with this product: pros, cons, price, etc. Also, how does it compare to other better-known products in terms of protection, performance, and manageability?

Thanks in advance,
Arkon.

> Andrew Plato wrote:
>
> >> I see a lot of discussion on this list to be about larger, more
> >> established IDS/IPS solutions. I'm just wondering if anyone has
> >> experience with smaller commercial IDS devices like the Symantec 7100
> >> series? If so, what did you think?
> >> What were you comparing it to?
> >
> > I think there are a lot of lower-cost IPSs. Some are good, some are
> > fair, many are lame. Symantec isn't one that comes to mind. It actually
> > is pretty expensive. My personal favorite is Fortinet. It's a UTM
> > (all-in-one) box. We sell A LOT of Fortinet and as a whole, customers
> > have been very pleased with its performance. And its IPS is based on
> > Snort, incidentally. Fortinet has the plus of having firewall,
> > anti-virus, VPN, and lots of other goodies as well.
> >
> > I have heard good things about SecureWorks. However, they are a purely
> > managed IPS. I have one customer with Astaro, who says good things about
> > their product.
> >
> >> Many of my clients are too small to afford the more expensive IDS
> >> offerings. And, the perception can be (correct or not is irrelevant)
> >> that SNORT simply shifts the up-front costs to the management phase.
> >> I guess, if you feel this is incorrect, I'd be interested in your
> >> thoughts on this, too.
> >
> > Snort is resource intensive. It's a good IDS/IPS that requires a lot of
> > expertise and management to make it work effectively. Most small to
> > medium businesses lack such resources, as you have discovered. As such,
> > lower cost commercial IPSs like SecureWorks or Fortinet (both
> > Snort-based IPSes), give those customers the value of Snort as a
> > technology without requiring a lot of personnel resources.
> >
> > _____________________________________
> > Andrew Plato, CISSP
> > President / Principal Consultant
> > ANITIAN ENTERPRISE SECURITY
> >
> > Your Expert Partner for Security & Networking
> >
> > 3800 SW Cedar Hills Blvd, Suite 280
> > Beaverton, OR 97005
> > 503-644-5656 Office
> > 503-214-8069 Fax
> > 503-201-0821 Mobile
> > www.anitian.com
> > _____________________________________
> >
> > PGP/GPG public key available at:
> > http://www.anitian.com/corp/keys.htm
>
> In my opinion the Symantec 7100 series is actually a pretty nice
> IDS/IPS. I have pretty extensive experience with it and other IDSs and
> have found very little that I ask of it that it cannot do. I am not sure
> that I would call SNOT (Symantec Network Observation Technology)
> formerly known as ManHunt a low cost IDS. At one point the cost of the
> software version of it to observe a 1gb pipe in passive mode (IDS, not
> IPS) was $125k MSRP and did not include the E240 that they recommended
> for it. It is actually very well suited for monitoring multiple segments
> and boxes from a central location as it does its own correlation and
> aggregation independently of SSMS (Symantec's SESA nightmare). The
> nicest part of it being that the vast majority of new exploits/worms/etc
> breach RFC standards in some way, shape or form, or you are not always
> chasing down new signatures. Things such as code red, nimda, slammer,
> and others were seen out of the box as shipped without racing to get a
> signature plugged into it. If need be you can write your own signatures
> for it and pick/choose which appliances and interfaces you want the
> policies to apply to. I would not call this a SOHO IDS/IPS though. It is
> well suited for extremely large networks, just not tier 1 ISPs, but then
> again, most tier 1 ISPs are not attempting to do any real IDS/IPS for
> their millions of botnet subscribers.
>
> disclaimer - I am not a Symborg employee or customer
>
> -dogten, C²ISSP
> _________________
> Fight the power and the power will fight back
> You're only as good as the system you hack
> If you become a problem you will be replaced
> Banned, shut down, erased!

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
