Security Basics mailing list archives

RE: Cisco vs. Snort


From: "David stout" <d.stout () solvesolutions co uk>
Date: Wed, 3 Sep 2003 13:36:42 +0100

This is what I have learnt in my time.

You might be able to do a double system with a spare server running
Snort (which will be free) and another product bought from your preferred
vendor. As far as I can see ... There are a number of people who run
Snort alongside another IDS product which not only gives you 2 views of
the network, but also provides some redundancy.

Now with regards to the Cisco IDS, I will only say that there are better
options out there. 

You might want to consider looking at both the freeware Snort and the
commercial versions (http://www.sourcefire.com) which would provide an
easier learning curve.

There is also the RealSecure option from ISS which is one of the more
expensive options, but produces nice reports. Here you have to ask
yourself many questions.

Do some research on the various IDS products and compare the results.
Don't be fooled by sales hype about how many attacks the product can
detect. Also ask questions about frequency of updates (here Snort is
your best friend) and anomaly detection. Also consider sensor placement,
management, remote monitoring and hardware/software solutions.

If you want an answer to the Cisco Vs Snort question I would say Snort
every time based on performance, flexibility, reliability and results. If
you really have to go for a Cisco IDS ... I'd say get both products
running. I'll bet you that a well looked after Snort system will give
you far better results.

http://www.networkintrusion.co.uk/ will also help you make up your mind.

(Sorry to any Cisco salesmen, but it's only the IDS I feel is poor ...
Not Cisco kit in general)

David Stout
CCSP, CCNA, CRCP, INFOSEC
Solve Solutions
E-Mail: d.stout () solvesolutions co uk
Web Site: www.solvesolutions.co.uk


-----Original Message-----
From: Nicholas Diotte [mailto:xphox () xphox net] 
Sent: 02 September 2003 17:19
To: security-basics () securityfocus com
Subject: Cisco vs. Snort




Good day,

Recently I've been asked to implement an IDS system within our corporate
network.  I've been given a more than reasonable budget, so I'm not
looking for a cheap/freebie solution.  What, if any, are the advantages of
going Cisco vs. building a Snort system?

What I'm thinking is Snort would be much more of a headache as you need to
write/obtain rules, whereas with Cisco that is not the case.

Has anyone had a chance to examine the two devices, and any pointers before
I proceed with such an order?  Most of our products on our network are
Cisco based, including all FW, routers, and soon switches.

Reason why I'm asking is that I've been asked to do a presentation for our
Board of Directors, and as you can see the person in charge before me
implemented nothing but Cisco products.

Thanks,

Nick

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
----------------------------------------------------------------------------






