RE: Snort and Cisco Pix

From: Branden Han*** (Branden.Han***@exodus.net)
Date: 10/23/01


Message-ID: <ED2C5D356D84D4119D0300508B5A164F02E060E9@SCL4MLBX10>
From: Branden Han*** <Branden.Han***@exodus.net>
To: "'Jeremy'" <prrthd@myrealbox.com>
Subject: RE: Snort and Cisco Pix
Date: Mon, 22 Oct 2001 15:30:07 -0700

Greetings Jeremy,

I thought I would weigh in on this issue as I've extensive experience with
the Cat6500 IDS Module (IDSM).

Firstly, if you're looking for a cost effective solution, then I would have
to recommend using a 4200 Series standalone sensor if you're committed to a
Cisco (NetRanger) solution. The Cat IDSM is quite pricey, and it also
occupies a useful slot in an expensive chassis. Additionally, if you
actually play with the unit, you'll realize that this blade is actually an
Intel PC running Windows NT 4. Though one does not have to interact with
Windows during the operation of the device, you should know this.

For reference the 4200 Series sensors are based on the Solaris platform.

On the management side, you have two options for managing and monitoring the
system: Cisco Secure Policy Manager on Windows NT SP 6a, or the NetRanger
Management software with HP OpenView on Solaris (Requires a separate
OpenView License). There are pros and cons to both.

Bottom line, I'd suggest that you spend plenty of time evaluating this
solution to see if it is right for you. If you plan to deploy many sensors
enterprise-wide, then Cisco has a compelling offering, but for one or two
sensors, my personal preference is toward Snort.

Branden Han***, CISSP
Security Account Manager
Managed and Professional Services
Exodus Communications, Inc.

**ANY COMMENTS OR OPINIONS CONTAINED HEREIN SHALL NOT BE CONSTRUED AS AN
OFFICIAL ENDORSEMENT OR REVIEW BY EXODUS COMMUNICATIONS INC.**

> -----Original Message-----
> From: Jeremy [mailto:prrthd@myrealbox.com]
> Sent: Monday, October 22, 2001 2:43 PM
> To: focus-ids@securityfocus.com
> Subject: Snort and Cisco Pix
>
>
> Hello all,
>
> We were looking at the new Cisco IDS card that goes into
> their 6500's and our cisco guy said that when it matches a
> signature it could update the pix access lists to block
> traffic from that ip. We are currently running several snort
> boxes and I was wondering if there was anything like that for
> snort. Also, is there anything in snort now other than
> flex-resp that takes an active role in stopping packets that
> match a certain signature?
> Sure would like to save our company $40K from having to buy
> 2 of those cisco ids cards.
>
> Thanks,
> Jeremy
>
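The original question asks whether a Snort box can do what the IDSM is said to do, namely push a block for an alerting source IP down to the PIX. Neither poster describes how, so the following is an added example, not code from either of them and not part of any Snort or Cisco release. It assumes Snort's one-line "alert_fast" output format, a PIX that accepts the `shun <ip>` command (the dynamic per-host block; an `access-list` deny entry would be the static alternative), and a hypothetical `never_block` list of networks that must never be shunned. The sample alert lines are constructed for the example. The design point a practitioner would want: only act on signatures that fire after a completed TCP handshake, because an attacker who can trigger a block with a single spoofed packet can make you shun your own DNS server, upstream router, or customers.

```python
import ipaddress
import re

# Constructed sample lines in Snort's "alert_fast" format (not from the original post).
# Shape: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
SAMPLE_ALERTS = """\
10/22-14:43:01.102334 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 10.0.0.5:80
10/22-14:43:02.554120 [**] [1:1000002:1] ICMP PING NMAP [**] [Classification: Attempted Recon] [Priority: 2] {ICMP} 198.51.100.7 -> 10.0.0.5
10/22-14:43:05.000001 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4322 -> 10.0.0.5:80
10/22-14:43:09.777000 [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:5555 -> 10.0.0.5:80
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def shun_commands(alert_text, block_sids, never_block):
    """Turn Snort alerts into PIX 'shun' commands (assumed syntax: 'shun <source ip>').

    block_sids  - the only signature IDs allowed to trigger a block. Restrict this to
                  rules that can only match inside an established TCP session; a rule
                  that fires on a single packet can be triggered with a spoofed source.
    never_block - networks that must never be shunned (your own space, DNS, upstream).
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    already = set()
    commands = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["sid"] not in block_sids:
            continue
        # Crude second guard: refuse to act on anything but TCP. The real guard is the
        # choice of SIDs above; ICMP/UDP sources are trivially forgeable.
        if alert["proto"] != "TCP":
            continue
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in protected) or src in already:
            continue
        already.add(src)
        commands.append(f"shun {src}")
    return commands


if __name__ == "__main__":
    for cmd in shun_commands(SAMPLE_ALERTS, {1000001}, ["10.0.0.0/8"]):
        print(cmd)
```

Run against the sample, the script emits a single `shun 192.0.2.10`: the second hit from the same host is deduplicated, the ICMP probe is not in the allowed SID set, and the 10.0.0.77 hit is inside the protected range. In a live deployment the commands would be delivered to the PIX over whatever management path you already trust (the original Snort flexresp output, by contrast, only sends RST or ICMP unreachable packets and does not touch the firewall), and every shun should carry an expiry so that a one-off false positive does not become a permanent block.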

