IDS mailing list archives
Re: Less well-known commercial IDS
From: "arkon ra" <arkonr () gmail com>
Date: Fri, 21 Apr 2006 07:53:09 +0200
I came across another opportunity with CheckPoint's InterSpect (NGX version) as an IPS solution. I was wondering how much experience does the forum have with this product, pros, cons, price etc'. Also - how does it compare to other better known products in terms of protection, performance, managability ? Thanks in advance, Arkon.
Andrew Plato wrote:I see a lot of discussion on this list to be aboutlarger, moreestablished IDS/IPS solutions. I'm just wonderingif anyone hasexperience with smaller commercial IDS devices likethe Symantec 7100series? If so, what did you think? What were you comparing it to?I think there are a lot of lower-cost IPSs. Some aregood, some arefair, many are lame. Symantec isn't one that comesto mind. It actuallyis pretty expensive. My personal favorite isFortinet. It's a UTM(all-in-one) box. We sell A LOT of Fortinet and as awhole, customershave been very pleased with its performance. And itsIPS is based onSnort, incidentally. Fortinet has the plus of havingfirewall,anti-virus, VPN, and lots of other goodies as well. I have heard good things about SecureWorks. However,they are a purelymanaged IPS. I have one customer with Astaro, whosays good things abouttheir product.>> Many of my clients are too small to afford the more expensive IDSofferings.And, the perception can be (correct or not is irrelevant) that SNORTsimplyshifts the up-front costs to the management phase.I guess, if youfeelthis is incorrect, I'd be interested in yourthoughts on this, too.Snort is resource intensive. It's a good IDS/IPSthat requires a lot ofexpertise and management to make it workeffectively. Most small tomedium businesses lack such resources, as you havediscovered. As such,lower cost commercial IPSs like SecureWorks orFortinet (bothSnort-based IPSes), give those customers the valueof Snort as atechnology without requiring a lot of personnelresources._____________________________________Andrew Plato, CISSP President / Principal Consultant ANITIAN ENTERPRISE SECURITYYour Expert Partner for Security & Networking 3800 SW Cedar Hills Blvd, Suite 280Beaverton, OR 97005 503-644-5656 Office 503-214-8069 Fax503-201-0821 Mobile www.anitian.com _____________________________________PGP/GPG public key available at:http://www.anitian.com/corp/keys.htm_________________________________________________ NOTICE:This email may contain confidential information, and is for the sole use of the intended recipient.If you are not the intended recipient, please reply to the message and inform the sender of the error and delete the email and any attachments fromyour computer. _________________________________________________------------------------------------------------------------------------Test Your IDSIs your IDS deployed correctly? Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go tohttp://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.------------------------------------------------------------------------In my opinion the Symantec 7100 series is actually a pretty nice IDS/IPS. I have pretty extensive experience with it and other IDSs and have found very little that I ask of it that it cannot do. I am not sure that I would call SNOT (Symantec Network Observation Technology) formerly known as ManHunt a low cost IDS. At one point the cost of the software version of it to observe a 1gb pipe in passive mode (IDS, not IPS) was $125k MSRP and did not include the E240 that they recommended for it. It is actually very well suited for monitoring multiple segments and boxes from a central location as it does its own correlation and aggregation independently of SSMS (Symantec's SESA nightmare). The nicest part of it being that the vast majority of new exploits/worms/etc breach RFC standards in some way, shape or form, or you are not always chasing down new signatures. Things such as code red, nimda, slammer, and others were seen out of the box as shipped without racing to get a signature plugged into it. If need be you can right your own signatures for it and pick/choose which appliances and interfaces you want the policies to apply to, I would not call this a SOHO IDS/IPS though. It is well suited for extremely large networks, just not tier 1 ISPs, but then again, most tier 1 ISPs are not attempting to do any real IDS/IPS for their millions of botnet subscribers. disclaimer - I am not a Symborg employee or customer -dogten, CĀ²ISSP _________________ Fight the power and the power will fight back Your only as good as the system you hack If you become a problem you will be replaced Banned, shut down, erased ! ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Less well-known commercial IDS James Harless (Apr 18)
- RE: Less well-known commercial IDS Alan Shimel (Apr 19)
- Re: Less well-known commercial IDS Eric Hines (Apr 19)
- Re: Less well-known commercial IDS Kevin Wetzel (Apr 26)
- <Possible follow-ups>
- RE: Less well-known commercial IDS Andrew Plato (Apr 19)
- Re: Less well-known commercial IDS Dogten (Apr 20)
- Re: Less well-known commercial IDS Arturas Zalenekas (Apr 21)
- Re: Less well-known commercial IDS Nick Black (Apr 24)
- Re: Less well-known commercial IDS Dogten (Apr 20)
- Re: Less well-known commercial IDS arkon ra (Apr 21)