RE: Recommending an IDS system

From: Jim Conner (jconner_at_lrn.com)
Date: 03/10/04

    To: "'JGrimshaw@ASAP.com'" <JGrimshaw@ASAP.com>
    Date: Wed, 10 Mar 2004 09:33:55 -0800


    I did an evaluation with Sourcefire and I have to say that I really liked
    it. We are doing evals on other appliances before committing to anything.

    Sourcefire has three architectures to choose from: IBM, Intel, and Solaris
    (IIRC -- they might not have a Solaris product, but I believe they do). We
    went with the Intel 22mb arch since it was the least expensive and our
    infrastructure doesn't require much hardware-wise to watch what's going on.
    Each architecture also has a speed associated with it; for the higher
    speeds you'd pay more for the product. The speeds were (again, IIRC) 22mb,
    45mb, 100mb, and 1gb. These speeds were the amount of throughput that the
    Snort engine was tuned to be able to watch without dropping packets, as well
    as hardware for the gigE interface, I believe. They have a configuration
    management machine that is capable of monitoring all of the sensors on your
    network, allowing administrators to view all goings-on from one central
    location. That machine is a flat $17K. It is not a sensor. You can't eval
    that machine either, so it is difficult to say how well the product will do
    its job. However, judging by the appliance and its abilities, the config
    mgmt box is probably decent.

    We started the evaluation using the older 2.7 interface. The 3.0 interface
    went prod while we were eval'ing the unit, so I upgraded the machine from 2.7
    to 3.0, which was an extremely simple process. I found the 3.0 interface to
    be 100x better than the 2.7 interface. Out of the box, the configuration
    of the product was simple. Tuning is the same as any other IDS. It was
    basically plug-n-play, though. You can update the Snort rules, which come
    from Sourcefire, from the web interface. You also get full admin access to
    the console of the machine should you decide to mess with things or want to
    view logs or whatnot. It was not necessary to ever really use the CLI,
    though.

    Overall, I really liked the product. We are evaluating the Still Secure IPS
    product now.

    ------------------------------------
    Jim Conner | Systems Administrator
    310.209.5487 | http://www.lrn.com
    LRN -- The Legal Knowledge Network

    -----Original Message-----
    From: JGrimshaw@ASAP.com [mailto:JGrimshaw@ASAP.com]
    Sent: Tuesday, March 09, 2004 7:00 AM
    Cc: security-basics@securityfocus.com
    Subject: RE: Recommending an IDS system

    Does anyone have any insight into the Sourcefire products? They are Linux
    appliances based on the Snort system.

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


