Re: all-in-one vs one-on-each (feat. Comercial vs FOSS)

["Mike Hale" <eyeronic.design () gmail com>]

One additional thing you need to look at is the ongoing cost.  Sure,
the snort software is free with an additional charge for the
subscription, if you need it.  But you also need ot factor in the cost
of the Snort admin.  Snort can generate a lot of alerts, and it
wouldn't hurt to write custom rules based on your environment.  How
much is your time worth?

I like using different programs/devices for different things.  It
keeps things clearer and cleaner in my network.  I'd say get a good
quality enterprise firewall, and invest in the training to configure
it properly.  After the firewall, set up a snort sensor, and again,
invest the time and money to do it properly.  An IPS can be a powerful
tool, but I'd get the firewall and IDS first.

You may also want to consider scattering a few snort sensors
throughout the network.  That way, Snort can catch traffic that never
passes through your external routers.

On 5/25/08, Alex <alex.tsr () gmail com> wrote:
> -----Original Message-----
> From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
> To: security-basics () securityfocus com
> Subject: Re: all-in-one vs one-on-each (feat. Comercial vs FOSS)
> Date: Sat, 24 May 2008 17:38:12 +0200
>
> On 2008-05-24 Alex wrote:
> > I would like some opinions, again.
> > For a fixed budget would you go for
> >  * an all-in-one "Firewall" ( FW+IPS+VPN+...) ie. Checkpoint,
> >  * a dedicated, known and expensive firewall/gateway with the company of
> > an Open Source solution for IPS, URL filtering etc?
> >  * a full Open Source solution (iptables,snort,ossec,squid etc) and
> > spend the money elsewhere :)
> >
> > The things that concern me are,
> >
> > Redundancy. I can live without IPS for a while but not without Internet
> > ( and by "I" I mean "The Company")
> > Scalability. Not only performance-wise but cost-wise too. I think that
> > having to pay for every "extra feature" is going to lead to Open Source
> > anyway...
> > Complexity. Better to manage one than more, right?...
>
> The answer to your question depends heavily on the actual requirements,
> your network topology, your admins' expertise, and what kind of "fixed
> budget" you have.
>
> Regards
> Ansgar Wiechers
>
>
> Lets say that,
>  the admins expertise is not a concern,
>  the network is a simple one, several internal vLANS and a DMZ with a
> dual-ISP internet connection,
>  the budget is $10k
>
> To make things clearer I'm not necessarily looking for the cheapest
> solution. I want to know where would you put more weight (money). Is it
> better to buy a $10k firewall + Snort, a $5k firewall + $5k IPS, a $10k
> all-in-one solution.
> i.e. would a commercial IPS justify its $5k against Snort?
>
> Thanx again.


-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0