There are several other issues not discussed in this thread.  Some of the 
easier-to-deploy products may not produce user-friendly, pointy-haired 
management type reports as compared to the commercial products.  But again, 
some commercial products miss the boat on reporting and concentrate mostly on 
the speed or number of signatures in the product, whether speed or number of 
signatures is, in an organization's mind, the checkbox for why they bought the 
particular flavor of IDS/IPS.  Speed and number of signatures do not 
necessarily mean that the particular flavor of IDS/IPS will catch the 
newfangled vulnerability that has just been released to the wild or trigger on a 
Sun-RPC port mapper.

-----Original Message-----
>From: Andrew Plato <[EMAIL PROTECTED]>
>Sent: Apr 11, 2006 11:53 AM
>To: Eric Hines <[EMAIL PROTECTED]>
>Cc: [email protected]
>Subject: RE: IDS vs. IPS deployment feedback
>
>As I said to Alan: we all sell what we know. 
>
>I sell what I know. You sell what you know. Commercial, open source,
>closed, open, lost, found, black, white - whatever. Organizations should
>pick the best solution for their environment. 
>
>That much said, I realize it is pretty much high treason to speak badly
>of an open source product on the Internet. I have angered the Gods of
>Open Source before. This time is no different. 
>
>An unanalyzed IDS/IPS isn't very useful. That is the core problem.
>Without analytical capability, the value and effectiveness of any
>security product is reduced. 
>
>Many organizations have scant IT resources. As such, any technology that
>has significant resource requirements is usually passed over for those
>that can simplify security while extending the capability of a small IT
>staff. Nobody is arguing the technical merits of Snort, but it's an
>established fact that it tends to be more resource intensive than its
>commercial partners. This is true of all open source products. They tend
>to be more "raw." 
>
>That is why there are COMMERCIAL companies, like yours Eric and like
>SourceFire that have made Snort more palatable to enterprises. In this
>sense, you are no different than 3com, McAfee, ISS, etc. You're simply
>making a technology easier to use.  
>
>Eric, you and Alan are no different than me. You're just hawking a
>different product. Doesn't matter if the sensor is Snort or Proventia.
>You sell what you know, I sell what I know. 
>
>Furthermore, the "I can see a signature so it's better" argument just
>doesn't fly at a lot of businesses. Again, most IT people do not have
>the time to analyze and write signatures. Just as companies outsource
>their PC manufacturing, phone centers, and Internet connection - they
>outsource their security protections. They trust a commercial vendor to
>handle this problem. I can't see the jet fuel Delta puts in a
>plane, but I trust Delta to use real jet fuel. So, I can trust Delta
>with my life, but I can't trust ISS or McAfee to write an IPS signature? 
>
>Yeah. Whatever. 
>
>If you feel better seeing the signatures and their content, then by all
>means - get thee to a Snort box. But, for many IT groups, this just
>isn't a significant selling point. Ease of use, timeliness of new
>signatures and reliability are typically more important factors. 
>
>___________________________________
>Andrew Plato, CISSP
>President/Principal Consultant
>Anitian Enterprise Security
>
>
>
>-----Original Message-----
>From: Eric Hines [mailto:[EMAIL PROTECTED] 
>Sent: Monday, April 10, 2006 3:13 PM
>To: Alan Shimel
>Cc: Andrew Plato; 'Will Metcalf'; [email protected]; Applied
>Watch Development; [EMAIL PROTECTED]
>Subject: Re: IDS vs. IPS deployment feedback
>
>I agree with Alan here.
>
>Andrew, I've watched several of your posts now over the past months and
>on several occasions bit my tongue, but I do have to step up here. You
>represent several COTS (Commercial off-the-shelf) IPS vendors and have
>admitted to, so please be careful when posturing them against open
>source tools such as Snort -- know what you're talking about when it
>comes to Snort's capabilities if you are going to make claims as to what
>it's unable to do when compared to COTS solutions.