Security Basics mailing list archives
Re: Cisco vs. Snort
From: Stefan Marx <marx.s () gmx net>
Date: 04 Sep 2003 09:12:01 +0200
Hi, ...
> network. I've been given a more than reasonable budget, so I'm not looking for a cheap/freebie solution. What, if any, are the advantages of going Cisco vs. building a Snort system? What I'm thinking is that Snort would be much more of a headache, as you need to write/obtain rules, whereas with Cisco that is not the case.
There is a huge database of Snort rules; you can find it on snort.org. There is also a search engine and lots of documentation on how to do a proper setup. I see it as an advantage to be able to write my own rules if I have to. Are you able to add custom rules to Cisco? And how often do you get updated rulesets from Cisco? The Snort IDS is by far more flexible and customizable than anything else I have seen in this area.
> Has anyone had a chance to examine the two devices, and any pointers before I proceed with such an order? Most of the products on our network are Cisco based, including all FWs, routers, and soon switches.
It is probably not a very good idea to have all security-related equipment from the same manufacturer. If there is a security hole in IOS, for example (and there have been a lot), it is certainly present at the same time on all of your networking equipment... The attacker will be very grateful ;-) It is recommended to have different hardware, manufacturers and operating systems on routers and firewalls.
> The reason I'm asking is that I've been asked to do a presentation for our Board of Directors, and as you can see, the person in charge before me implemented nothing but Cisco products.
The big issue with an IDS is to figure out the right rules for your purposes and to avoid too many false positives. You would not look for UNIX exploits on a 100% Windows site, for example. You have to look at an IDS not as a single box, but as a whole concept. You have to figure out where to place sensors, what every sensor should look for, and finally you have to deal with a possibly huge amount of data that has to be analyzed. Real intrusion detection is expensive, not in terms of hardware or software costs, but in the time spent, or in paying someone to do this for you.

Regards,
Stefan
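As an added illustration of the tuning point above (example code, not part of the original post): a small Python triage script that reads Snort fast-format alert lines and suppresses those whose rule targets a platform the destination host does not run, which is exactly the "UNIX exploits on a Windows site" class of false positive. The alert lines, the asset inventory and the SID-to-platform mapping are all constructed for the example; local SIDs in the 1000000+ range are placeholders, not real rules.

```python
import re

# Constructed sample alerts in Snort's "alert_fast" line format (not real traffic).
SAMPLE_ALERTS = """\
09/04-09:12:01.100000  [**] [1:1000001:1] LOCAL WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.168.1.10:80
09/04-09:12:02.200000  [**] [1:1000002:1] LOCAL EXPLOIT x86 Linux overflow [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.5:3457 -> 192.168.1.10:22
09/04-09:12:03.300000  [**] [1:1000002:1] LOCAL EXPLOIT x86 Linux overflow [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.5:3458 -> 192.168.1.20:22
"""

# Constructed asset inventory: which OS runs on each monitored host.
HOST_OS = {"192.168.1.10": "windows", "192.168.1.20": "linux"}

# Constructed mapping from local rule SID to the platform the rule is relevant for.
SID_PLATFORM = {1000001: "windows", 1000002: "linux"}

# Pulls gid:sid:rev, message, protocol and the 5-tuple out of one fast-format line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def is_relevant(alert):
    """True when the rule's platform matches the victim host's OS.
    Unknown SIDs or unknown hosts are never suppressed, so gaps in the
    inventory cannot hide a real alert."""
    platform = SID_PLATFORM.get(alert["sid"])
    host_os = HOST_OS.get(alert["dst"])
    if platform is None or host_os is None:
        return True
    return platform == host_os


def triage(text):
    """Split alert text into (kept, suppressed) lists of parsed alerts."""
    kept, suppressed = [], []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            (kept if is_relevant(alert) else suppressed).append(alert)
    return kept, suppressed
```

Run against the sample, the Linux overflow alert aimed at the Windows host is dropped while the same rule firing against the Linux host is kept.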