Re: Less well-known commercial IDS

[Dogten <dogten () d3fcon org>]

Andrew Plato wrote:
> > I see a lot of discussion on this list to be about larger, 
> > more established IDS/IPS solutions.  I'm just wondering if 
> > anyone has experience with smaller commercial IDS devices 
> > like the Symantec 7100 series?  If so, what did you think?  
> > What were you comparing it to?
> >     
>
> I think there are a lot of lower-cost IPSs. Some are good, some are
> fair, many are lame. Symantec isn't one that comes to mind. It actually
> is pretty expensive. My personal favorite is Fortinet. It's a UTM
> (all-in-one) box. We sell A LOT of Fortinet and as a whole, customers
> have been very pleased with its performance. And its IPS is based on
> Snort, incidentally. Fortinet has the plus of having firewall,
> anti-virus, VPN, and lots of other goodies as well. 
>
> I have heard good things about SecureWorks. However, they are a purely
> managed IPS. I have one customer with Astaro, who says good things about
> their product. 
>
>   
> > Many of my clients are too small to afford the more expensive IDS
> >     
> offerings.
>   
> > And, the perception can be (correct or not is irrelevant) that SNORT
> >     
> simply 
>   
> > shifts the up-front costs to the management phase.  I guess, if you
> >     
> feel 
>   
> > this is incorrect, I'd be interested in your thoughts on this, too.
> >     
>
> Snort is resource intensive. It's a good IDS/IPS that requires a lot of
> expertise and management to make it work effectively. Most small to
> medium businesses lack such resources, as you have discovered. As such,
> lower cost commercial IPSs like SecureWorks or Fortinet (both
> Snort-based IPSes), give those customers the value of Snort as a
> technology without requiring a lot of personnel resources. 
>
> _____________________________________
> Andrew Plato, CISSP
> President / Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> Your Expert Partner for Security & Networking
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm 
> _________________________________________________
> NOTICE:
> This email may contain confidential information, 
> and is for the sole use of the intended recipient.  
> If you are not the intended recipient, please reply 
> to the message and inform the sender of the error 
> and delete the email and any attachments from 
> your computer. 
> _________________________________________________
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ------------------------------------------------------------------------
>
>
>
>
>   
In my opinion the Symantec 7100 series is actually a pretty nice 
IDS/IPS. I have pretty extensive experience with it and other IDSs and 
have found very little that I ask of it that it cannot do. I am not sure 
that I would call SNOT (Symantec Network Observation Technology) 
formerly known as ManHunt a low cost IDS. At one point the cost of the 
software version of it to observe a 1gb pipe in passive mode (IDS, not 
IPS) was $125k MSRP and did not include the E240 that they recommended 
for it. It is actually very well suited for monitoring multiple segments 
and boxes from a central location as it does its own correlation and 
aggregation independently of SSMS (Symantec's SESA nightmare). The 
nicest part of it being that the vast majority of new exploits/worms/etc 
breach RFC standards in some way, shape or form, or you are not always 
chasing down new signatures. Things such as code red, nimda, slammer, 
and others were seen out of the box as shipped without racing to get a 
signature plugged into it. If need be you can right your own signatures 
for it and pick/choose which appliances and interfaces you want the 
policies to apply to, I would not call this a SOHO IDS/IPS though. It is 
well suited for extremely large networks, just not tier 1 ISPs, but then 
again, most tier 1 ISPs are not attempting to do any real IDS/IPS for 
their millions of botnet subscribers.
disclaimer - I am not a Symborg employee or customer

-dogten, C²ISSP
_________________
Fight the power and the power will fight back
Your only as good as the system you hack
If you become a problem you will be replaced
Banned, shut down, erased !


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------