IDS mailing list archives

RE: Best IPS system?


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Thu, 8 May 2008 10:09:39 -0700

That's a SUPER-loaded question. There is no easy answer. And I guarantee
you will get a wide array of answers and arguments. Questions like yours
evoke intense emotional responses from some people. 

There is no one "best" solution. Each solution can be effective
depending on the expertise of your staff, complexity of your network,
etc. For example, many people will howl that all you need is an open
source solution. That may be a good fit, if you have the in-house
expertise in open-source platforms and the time to manage and maintain
it. If you don't, then a commercial appliance would be better. 

Given your size, you might want to look toward a UTM (Unified Threat
Management) type appliance. They offer multiple capabilities in one
appliance. They typically will shine in one area and be mediocre in
others. Remember, no solution is best. All of them have weaknesses. 

That said, this is what I would recommend (I am sure it will deeply and
profoundly offend some people, it always does): 

For UTM:
Fortinet
WatchGuard
Juniper SSG

For stand alone IPS:
TippingPoint
Juniper
ISS 

I do a lot of work with Fortinet and have found them to be a very good
and robust all around UTM solution. A little easier to work with than
Juniper and the Cisco ASA. The IPS in Fortinet is okay. The new MR6 code
makes it a lot easier to work with the IPS. It is a very feature-rich
platform with very good performance. The Juniper SSGs are okay. Good
overall, the IPS is a little lacking. WatchGuard is a deeply messed up
company, but they got some new owners and seem to be turning around.
Their product is very easy to use. 

Another thing to keep in mind is the "best in class" problem. In an
ideal world, it is best to purchase the best solution in each class
(best firewall, best IPS, best mail filter, etc.) The problem with that
strategy is that it is very expensive to do that. This is why UTMs have
benefits. They allow you to collapse multiple applications on to a
single platform. There are, of course, drawbacks to that strategy. 

Best suggestion - get demos of 2 or 3 solutions, pick the one you like
and be happy. But remember that no matter what you pick, it will have
weaknesses and there will always be somebody who tells you it was a bad
choice. 

Good luck. 

___________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security
www.anitian.com 

 

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Shelly Beasley
Sent: Wednesday, May 07, 2008 3:01 PM
To: focus-ids () securityfocus com
Subject: Best IPS system?

Hello mailing list,

I would like to buy the "best" IPS system available for my business network. My company has only 200 users, all sharing one Internet connection (10 m). We now use SonicWall to connect, but we are concerned about hostile e-mails, malware websites, and people involved in piracy. Who does the best job? Which one captures the most hacker attempts? The product should not interfere with operations on the network (the whole connection is filled by the off-site backup at night).

Many thanks,

SB

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



_________________________________________________
NOTICE:
This email may contain confidential information, 
and is for the sole use of the intended recipient.  
If you are not the intended recipient, please reply 
to the message and inform the sender of the error 
and delete the email and any attachments from 
your computer. 
_________________________________________________




