Re: "Free" IDS

From: Brandon Gillespie (gillespie@iomega.com)
Date: 09/17/02


Date: Tue, 17 Sep 2002 08:27:01 -0600
From: Brandon Gillespie <gillespie@iomega.com>
To: focus-ids@securityfocus.com

Andrew Plato wrote:
>>Snort = Free
>>Prelude = Free
>>NFR = $$$$$
>>Real Secure = $$$$$
>>Cisco Secure = $$$$$
>>Dragon = $$$$$$$$$
>
>
> Running Snort in an enterprise is hardly "free". Snort has to be run on system(s) and that costs money (even if it's a junker sitting around, it still has value). Moreover, if your company is paying somebody to install, manage, and maintain a Snort box, that's a cost. And it could be argued that Snort boxes have a considerably higher administration hit since there is no standard rule set and enterprise-wide deployment is very difficult. Then there is the training of the people using that tool. That usually means attending a SANS course - that's $4500 a pop when you add in hotel, flights, rental car, and mini-bar costs (unless you're lucky and have a SANS course come to your town).
>
> Granted, any commercial IDS is probably going to cost a bit more over an open source product, but you also get economies of scale. For example, most commercial IDS products have inexpensive training seminars or even web-based seminars that can help teach users. This gets you a massive economy of scale on training. Support costs (and times) can be cut down since there is a centralized support mechanism for these products.
>
> It's easy to analyze cost in a techno-vacuum. But any serious analysis of the cost of ANY technology and especially IDS must consider the related expenses of management, maintenance, training, and support.
>

While I agree on the 'not really free' aspect, frankly the overhead
costs are in reality (and in my experience) roughly equal across
different vendors, including open source. The way I've banked
open-source vs commercial to upper management is that we save on the
_purchase_ price, but what we'd normally dump into maintenance goes into
paying our own people to do upkeep and management, so we don't save
maintenance costs. As for training etc, that washes out in my
experience. You also have to have a higher grade (thus higher salary)
of administrator if you are going to have open source, because they have
to be technically savvy enough to be able to dig into the source code at
times. The Microsoft way of boiler-plate training admins does NOT work
for open source, at all. Knowing which buttons to push works great when
they give you nice buttons, and you have a simple turn-key ignition.
Open source expects you to hot-wire the system just to get it running :)

-Brandon Gillespie

(We use a mix of open-source and commercial products. We did drop NFR a
year or so back for Snort and I don't resent the decision one bit)

--
Senior Systems Administrator
Iomega Corporation
gillespie@iomega.com


