Allow me to speak from another perspective.  It all depends on $$, and the
network you have and how much leverage the security team has.

Usually, the security team does not have as much leverage and needs to play
catch up.

Understand this - no matter which solution you choose,
IDS/IPS/opensource/commercial, *someone* has to dedicate time to watching
the logs and alerts, or you might as well not do it.

When we implemented ours, my IPS guy spent half a year analyzing the
traffic, working out with each team on documenting every single traffic
pattern.  Once that is done, we flipped the switch and turned the monitoring
into prevention mode.

And unless you have a huge security team, I'll take every bit of help I can
take - I used to be against IPS (preferring IDS instead), but after living
with it for 3 years, I'll take IPS to knock off some of the crap.

Just don't get ISS crap.

Also, snort is good, but you must know what you're doing.  Our snort box,
running on an old throw-away box, and only capturing/analyzing 10 minutes of
every hour, is giving us *MORE* useful data than half a mil worth of ISS
crap.

And the commercial version, sourcefire, is even better.  My ex-coworkers at
another place just had a shoot-out of 10G devices, and sourcefire came out
head and shoulders above everyone else.
-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4
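The monitoring-then-prevention procedure described in the post above (run the sensor in alert-only mode, document every traffic pattern with the owning teams, and only then flip to blocking) can be supported with a small baselining script. The following is an added Python example, not the poster's or the Snort project's own code. It assumes the Snort 2 `alert_fast` log format and `threshold.conf` syntax; the sample alert lines, the SID of the "documented" backup job, and the recommendation thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Parser for Snort's "alert_fast" output (one alert per line), e.g.
#   06/12-09:00:01.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.3.1 -> 10.0.3.2
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample of a monitoring-period log (not real captured traffic).
SAMPLE_ALERTS = """\
06/12-09:00:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.22:51234
06/12-09:00:05.000002  [**] [1:1000001:1] LOCAL backup job SMB transfer [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.1.10:445 -> 10.0.2.20:49152
06/12-09:05:05.000003  [**] [1:1000001:1] LOCAL backup job SMB transfer [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.1.10:445 -> 10.0.2.21:49153
06/12-09:07:12.000004  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.3.1 -> 10.0.3.2
06/12-09:07:13.000005  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.3.4 -> 10.0.3.2
06/12-09:07:14.000006  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.3.5 -> 10.0.3.2
06/12-09:07:15.000007  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.3.6 -> 10.0.3.2
"""

# SIDs whose traffic the owning team has documented as expected (hypothetical local rule).
DOCUMENTED_SIDS = {1000001}


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    prio: int
    src: str
    dst: str


def parse_fast(text: str) -> list[Alert]:
    """Parse alert_fast lines; non-matching lines are skipped (IPv4 addresses only)."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), m["msg"],
                                int(m["prio"]), m["src"], m["dst"]))
    return alerts


def baseline(alerts: list[Alert], documented: set[int], spread_threshold: int = 3) -> dict:
    """Summarise the monitoring period per signature and recommend what to do with
    each rule before the sensor is switched from alerting to prevention mode."""
    per_sid = defaultdict(lambda: {"gid": 1, "msg": "", "prio": 0, "count": 0, "srcs": set()})
    for a in alerts:
        e = per_sid[a.sid]
        e["gid"], e["msg"], e["prio"] = a.gid, a.msg, a.prio
        e["count"] += 1
        e["srcs"].add(a.src)
    summary = {}
    for sid, e in per_sid.items():
        if sid in documented:
            rec = "suppress"        # documented expected traffic: silence it, never block it
        elif len(e["srcs"]) >= spread_threshold and e["prio"] >= 3:
            rec = "tune"            # low-priority noise from many hosts: rate-limit before blocking
        elif e["prio"] == 1:
            rec = "drop-candidate"  # high-priority, low-volume: review for inline drop
        else:
            rec = "alert-only"
        summary[sid] = {"gid": e["gid"], "msg": e["msg"], "prio": e["prio"], "count": e["count"],
                        "distinct_src": len(e["srcs"]), "recommendation": rec}
    return summary


def threshold_conf(summary: dict) -> list[str]:
    """Emit Snort 2 threshold.conf lines for the suppress/tune decisions.
    The event_filter numbers are illustrative placeholders, not tuned values."""
    lines = []
    for sid in sorted(summary):
        e = summary[sid]
        if e["recommendation"] == "suppress":
            lines.append(f"suppress gen_id {e['gid']}, sig_id {sid}")
        elif e["recommendation"] == "tune":
            lines.append(f"event_filter gen_id {e['gid']}, sig_id {sid}, "
                         f"type limit, track by_src, count 1, seconds 60")
    return lines


if __name__ == "__main__":
    s = baseline(parse_fast(SAMPLE_ALERTS), DOCUMENTED_SIDS)
    for sid, e in sorted(s.items()):
        print(f"{sid:>8} prio={e['prio']} n={e['count']:<3} src={e['distinct_src']:<3} "
              f"{e['recommendation']:<15} {e['msg']}")
    print("\n".join(threshold_conf(s)))
```

The point of the script is the order of operations the post insists on: nothing is dropped until every signature that fired during the baseline has a decision attached to it (documented and suppressed, noisy and rate-limited, or reviewed as a drop candidate), and the output is a `threshold.conf` fragment rather than a change to the sensor's mode.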