IDS mailing list archives

Re: Less well-known commercial IDS


From: "arkon ra" <arkonr () gmail com>
Date: Fri, 21 Apr 2006 07:53:09 +0200

I came across another opportunity with CheckPoint's
InterSpect (NGX version) as an IPS solution. I was wondering how much
experience the forum has with this product: pros, cons, price, etc.
Also - how does it compare to other better-known products in terms of
protection, performance, manageability?

Thanks in advance,

 Arkon.

Andrew Plato wrote:

>> I see a lot of discussion on this list to be about larger, more
>> established IDS/IPS solutions.  I'm just wondering if anyone has
>> experience with smaller commercial IDS devices like the Symantec 7100
>> series?  If so, what did you think? What were you comparing it to?

I think there are a lot of lower-cost IPSs. Some are good, some are
fair, many are lame. Symantec isn't one that comes to mind. It actually
is pretty expensive. My personal favorite is Fortinet. It's a UTM
(all-in-one) box. We sell A LOT of Fortinet and as a whole, customers
have been very pleased with its performance. And its IPS is based on
Snort, incidentally. Fortinet has the plus of having firewall,
anti-virus, VPN, and lots of other goodies as well.

I have heard good things about SecureWorks. However, they are a purely
managed IPS. I have one customer with Astaro, who says good things about
their product.

>> Many of my clients are too small to afford the more expensive IDS
>> offerings. And, the perception can be (correct or not is irrelevant)
>> that SNORT simply shifts the up-front costs to the management phase.
>> I guess, if you feel this is incorrect, I'd be interested in your
>> thoughts on this, too.

Snort is resource intensive. It's a good IDS/IPS that requires a lot of
expertise and management to make it work effectively. Most small to
medium businesses lack such resources, as you have discovered. As such,
lower cost commercial IPSs like SecureWorks or Fortinet (both
Snort-based IPSes), give those customers the value of Snort as a
technology without requiring a lot of personnel resources.

_____________________________________
Andrew Plato, CISSP
President / Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

PGP/GPG public key available at:
http://www.anitian.com/corp/keys.htm


_________________________________________________
NOTICE:

This email may contain confidential information,
and is for the sole use of the intended recipient.

If you are not the intended recipient, please reply
to the message and inform the sender of the error
and delete the email and any attachments from

your computer.
_________________________________________________





------------------------------------------------------------------------


Test Your IDS


Is your IDS deployed correctly?
Find out quickly and easily by testing it

with real-world attacks from CORE IMPACT.
Go to


http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708



to learn more.


------------------------------------------------------------------------









In my opinion the Symantec 7100 series is actually a pretty nice
IDS/IPS. I have pretty extensive experience with it and other IDSs and
have found very little that I ask of it that it cannot do. I am not sure
that I would call SNOT (Symantec Network Observation Technology),
formerly known as ManHunt, a low cost IDS. At one point the cost of the
software version of it to observe a 1gb pipe in passive mode (IDS, not
IPS) was $125k MSRP and did not include the E240 that they recommended
for it. It is actually very well suited for monitoring multiple segments
and boxes from a central location as it does its own correlation and
aggregation independently of SSMS (Symantec's SESA nightmare). The
nicest part of it being that the vast majority of new exploits/worms/etc
breach RFC standards in some way, shape or form, or you are not always
chasing down new signatures. Things such as code red, nimda, slammer,
and others were seen out of the box as shipped without racing to get a
signature plugged into it. If need be you can write your own signatures
for it and pick/choose which appliances and interfaces you want the
policies to apply to. I would not call this a SOHO IDS/IPS though. It is
well suited for extremely large networks, just not tier 1 ISPs, but then
again, most tier 1 ISPs are not attempting to do any real IDS/IPS for
their millions of botnet subscribers.

disclaimer - I am not a Symborg employee or customer

-dogten, C²ISSP
_________________
Fight the power and the power will fight back
Your only as good as the system you hack
If you become a problem you will be replaced
Banned, shut down, erased !