On Wed, 17 Feb 2010 22:59 -0500, "Jason Beaudoin" <jasonbeaud...@gmail.com> wrote:
> Hi There,
>
> As I often have greater respect for a much larger portion of this list
> than the rest of the internet, I am curious what is thought about
> current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
> Alert Logic, mod_security, even snort.. etc, and in particular, the
> sensibility and effectiveness of using them in high-security
> environments.

I use Snort in IDS mode on OpenBSD and am very satisfied with it. It's hard to justify spending 10's or 100's of thousands of dollars for commercial solutions that have the same issues as Snort (false positives, requires tuning and constant monitoring). I have used large IBM/ISS Proventia systems in the past. Some of the commercial offerings will not even give you a terminal so you can use tcpdump... can you believe that? You have the perfect spot on the network and the perfect hardware, but you can only use it in a very limited fashion. Very frustrating. General purpose OpenBSD boxes with big beefy network interfaces cost a lot less and do more.

I use FreeBSD to run BASE as the analysis frontend. The OpenBSD Snort sensors ship their alerts to it. I would use OpenBSD for the frontend as well, but BASE is not currently in ports and I have not had time to work on porting it and prefer not to go outside of ports.

Also, I would stay away from IPS mode. There are enough network problems as is without something randomly deciding to drop packets. There's no better way to make a network engineer mad than to send them on a wild goose chase trying to figure out why packets are not getting delivered, only to find out that the IPS is dropping them because certain SSL traffic looks like a buffer overflow or something. That has been my experience.

Brad

> From a compliance perspective, I don't have much choice. From the
> costs, infrastructure, and administrative perspectives, I am currently
> evaluating whether or not I should be leaning towards an IDS or IPS
> solution, and of course which system/vendor. My understanding is that
> something like snort requires a fair bit of maintenance and
> IT-attention, the trade-off being cost, so I am leaning away from
> this. Between detection and prevention, preventing break-ins seems a
> bit sillier than trying to actively monitor what's going on and to
> then look for threats, so this pushes me more towards IDS over IPS.
>
> Thoughts, suggestions, flames, are all welcome.
>
> Thanks.
>
> ~Jason
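The "false positives, requires tuning and constant monitoring" point above is where most of the IDS workload actually lands, and it is also the reason Brad gives for keeping Snort in IDS mode: every alert a signature fires in IPS mode is a dropped packet, so a noisy signature has to be found and thresholded before it is allowed to block anything. The script below is an added example, not code from the thread, from Snort or from BASE. It parses Snort's one-line `alert_fast` output (the format is real; the alert lines themselves are constructed for this example, using local-range SIDs 1000001 and up and RFC 5737 documentation addresses), aggregates hits per signature, and applies a simple heuristic of my own choosing (a signature that fires repeatedly from very few sources is the usual shape of a false positive or a single noisy host) to list the signatures a sensor operator should review first for a `threshold` or `suppress` entry.

```python
import re

# Snort "alert_fast" lines, one alert per line. These samples are constructed for
# this example: SIDs are in the local range (1000001+), addresses are RFC 5737.
SAMPLE_ALERTS = """\
02/17-22:59:01.123456  [**] [1:1000001:2] LOCAL SSL heuristic: possible overflow in handshake [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44321 -> 198.51.100.5:443
02/17-22:59:02.223456  [**] [1:1000001:2] LOCAL SSL heuristic: possible overflow in handshake [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44322 -> 198.51.100.5:443
02/17-22:59:03.323456  [**] [1:1000001:2] LOCAL SSL heuristic: possible overflow in handshake [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44323 -> 198.51.100.5:443
02/17-22:59:04.423456  [**] [1:1000001:2] LOCAL SSL heuristic: possible overflow in handshake [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44324 -> 198.51.100.5:443
02/17-22:59:05.523456  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5
02/17-22:59:06.623456  [**] [1:1000003:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.8:50000 -> 198.51.100.9:80
02/17-22:59:07.723456  [**] [1:1000003:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.9:50001 -> 198.51.100.9:80
02/17-22:59:08.823456  [**] [1:1000003:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.10:50002 -> 198.51.100.9:80
this line is not an alert and must be skipped
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint, proto):
    """Split 'ip:port' into (ip, port). ICMP endpoints carry no port."""
    if proto.upper() in ("TCP", "UDP") and ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"], d["proto"])
    dst_ip, dst_port = split_endpoint(d["dst"], d["proto"])
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["pri"]),
        "proto": d["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(lines):
    """Aggregate alerts per SID: hit count, message, distinct source and destination IPs."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # blank lines, banners, anything that is not an alert
        entry = summary.setdefault(a["sid"], {
            "msg": a["msg"], "priority": a["priority"], "count": 0,
            "sources": set(), "destinations": set(),
        })
        entry["count"] += 1
        entry["sources"].add(a["src_ip"])
        entry["destinations"].add(a["dst_ip"])
    return summary


def tuning_candidates(summary, min_hits=3, max_sources=1):
    """Heuristic (an assumption of this example, not a Snort feature): a signature
    that fires at least min_hits times from at most max_sources distinct hosts is
    the first thing to review for a threshold/suppress entry. In IPS mode every one
    of those hits would have been a dropped packet. Sorted by hit count, descending."""
    hits = [sid for sid, e in summary.items()
            if e["count"] >= min_hits and len(e["sources"]) <= max_sources]
    return sorted(hits, key=lambda sid: summary[sid]["count"], reverse=True)


def report(summary):
    """Render a short per-signature table as a list of text lines."""
    lines = ["sid      hits  srcs  dsts  pri  msg"]
    for sid in sorted(summary, key=lambda s: summary[s]["count"], reverse=True):
        e = summary[sid]
        lines.append(f"{sid:<8} {e['count']:<5} {len(e['sources']):<5} "
                     f"{len(e['destinations']):<5} {e['priority']:<4} {e['msg']}")
    return lines


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS.splitlines())
    print("\n".join(report(s)))
    print("review for threshold/suppress:", tuning_candidates(s))
```

Point it at a real sensor with `summarize(open("/var/log/snort/alert"))`. On the constructed sample, SID 1000001 fires four times from the single host 192.0.2.10 and is the only candidate; SID 1000003 fires three times but from three different sources, which is the pattern you want to keep seeing. The decision of what to do about a candidate (threshold it, suppress it for that one host, or fix the signature) stays with the analyst, which is exactly the monitoring work Brad describes and the reason an IPS should not be making that call unattended.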