Security Basics mailing list archives

Re: Cisco vs. Snort


From: Stefan Marx <marx.s () gmx net>
Date: 04 Sep 2003 09:12:01 +0200

Hi,
> ...
> network.  I've been given a more than reasonable budget, so I'm not
> looking for a cheap/freebie solution.  What, if any, are the advantages of
> going Cisco vs. building a Snort system?
> What I'm thinking is Snort would be much more of a headache as you need to
> write/obtain rules, whereas with Cisco that is not the case.

There is a huge database with snort rules, you can find it on snort.org.
There is also a search engine and lots of documentation on how to do a
proper setup.
I see it as an advantage to be able to write my own rules, if I have to.
Are you able to add custom rules to Cisco? And how often do you get
updated rulesets from Cisco?
The snort IDS is by far more flexible and customizable than anything
else I have seen in this area.

> Has anyone had a chance to examine the two devices, and any pointers before
> I proceed with such an order?  Most of the products on our network are
> Cisco based, including all FW, routers, and soon switches.

It is probably not a very good idea to have all security-related
equipment from the same manufacturer. If there is a security hole in
IOS, for example (and there have been a lot), it is certainly at the
same time on all of your networking equipment... The attacker will be
very grateful ;-)
It is recommended to have different hardware, manufacturers and operating
systems on routers and firewalls.

> The reason I'm asking is that I've been asked to do a presentation for our
> Board of Directors, and as you can see the person in charge before me
> implemented nothing but Cisco products.

The big issue with IDS is to figure out the right rules for your
purposes and to avoid too many false positives. You would not look for
UNIX exploits on a 100% Windows site, for example. You have to look at
an IDS not as a single box, but as a whole concept. You have to figure
out where to place sensors, what every sensor should look for and
finally you have to deal with maybe a huge amount of data that has to
be analyzed.

Real intrusion detection is expensive, not in terms of hardware or software
expenses, but in spending time or paying someone to do this for you.

Regards,

Stefan
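The two points Stefan makes (you can write your own Snort rules, and the real work is selecting rules that fit your site so you are not chasing UNIX exploit alerts on an all-Windows network) can be shown concretely. The script below is an added example for this thread, not code from Stefan, snort.org or Cisco: it parses a small constructed Snort 2.x-style ruleset, including one locally written rule in the local SID range, and applies a site profile to decide which SIDs to keep and which to disable. The site profile, the platform keyword list and the `disablesid` output format are all assumptions made for the example.

```python
"""Toy Snort-rule tuner: parse Snort 2.x-style rules and keep only those that fit a site profile.

Added example for the Cisco vs. Snort thread; the rules, SIDs (local range >= 1000000),
site profile and keyword vocabulary below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict   # option keyword -> list of values (options such as content may repeat)
    raw: str

    def first(self, key, default=""):
        """First value of an option keyword, or default if the rule lacks it."""
        return self.options.get(key, [default])[0]


# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' while respecting double quotes and backslash escapes."""
    opts, buf, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            buf.append(ch)
            esc = False
        elif ch == "\\":
            buf.append(ch)
            esc = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Parse one rule line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, _, dst, dport, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"').replace('\\"', '"')
        options.setdefault(key.strip(), []).append(val)
    return Rule(action, proto, src, sport, dst, dport, options, line)


def parse_ruleset(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


# Constructed vocabulary: words in a rule's msg that tie it to one platform family.
PLATFORM_WORDS = {
    "windows": ("iis", "windows", "netbios", "mssql"),
    "unix": ("linux", "unix", "solaris", "bsd", "wu-ftpd"),
}


def tune(rules, site):
    """Return (kept, disabled); disabled is a list of (sid, reason) pairs.

    A rule is disabled when it watches a HOME_NET port no host serves, or when
    its msg names a platform family the site profile says is absent.
    """
    kept, disabled = [], []
    for r in rules:
        sid, msg, reason = r.first("sid"), r.first("msg").lower(), None
        if r.dst == "$HOME_NET" and r.dport.isdigit() and r.dport not in site["services"]:
            reason = f"no service on {r.proto}/{r.dport} in HOME_NET"
        else:
            for platform, words in PLATFORM_WORDS.items():
                if platform not in site["platforms"] and any(w in msg for w in words):
                    reason = f"targets {platform}, which is absent from HOME_NET"
                    break
        (disabled.append((sid, reason)) if reason else kept.append(r))
    return kept, disabled


def disable_lines(disabled):
    """Render the disabled SIDs as commented 'disablesid' lines (assumed Oinkmaster-style format)."""
    return [f"# {reason}\ndisablesid {sid}" for sid, reason in disabled]


# Constructed ruleset: three vendor-style rules plus one locally written rule (sid 1000004).
RULES = r"""
# web server checks
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT x86 linux shellcode"; content:"/bin/sh"; classtype:shellcode-detect; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftpd SITE EXEC attempt"; flow:to_server,established; content:"SITE EXEC"; nocase; classtype:attempted-admin; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL outbound IRC \"NICK\" from a server"; flow:to_server,established; content:"NICK "; nocase; classtype:policy-violation; sid:1000004; rev:1;)
"""

# Constructed site profile: an all-Windows network serving only web and mail.
SITE = {"services": {"80", "443", "25"}, "platforms": {"windows"}}

if __name__ == "__main__":
    kept, disabled = tune(parse_ruleset(RULES), SITE)
    print("kept:", [r.first("sid") for r in kept])
    print("\n".join(disable_lines(disabled)))
```

Running it keeps the IIS rule and the local outbound-IRC rule and disables the Linux shellcode and wu-ftpd rules, each with the reason recorded next to its SID. The same idea scales to a real ruleset: the decision is driven by what actually runs on HOME_NET, which is the sensor-placement and data-volume planning Stefan describes, rather than by what the vendor shipped.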



