Snort mailing list archives

Previous By Date Next
Previous By Thread Next

cost/benefit analysis of running Snort

From: "Tom Fulton" <tfulton9909 () comcast net>
Date: Fri, 23 Jan 2004 15:38:57 -0800

I'm trying to come up with a cost/benefit analysis of running Snort in a
network, in general terms?

Can you add anything that you see is missing or wrong?


A.      COSTS:
        I would guess costs are mostly in Human time (FTE) functions:

        -Installation, configuration
        -Locking down/securing the boxes' processes (i.e.: Bastille scripts,
etc)
        -Patching 
        -Monitoring snort logs to determine legitimate alerts
        -Adding, changing fine tuning filter rules
        -Ideally a 24/7 operation requiring HOW MANY FTEs per shift?  What
does the number of FTEs depend upon?
        -What is the "cost" of having only one shift covered?


        But also hardware and software costs:

        -Dedicated PCs (how many?)  
        -Operating system and Support agreements for the OS
        -Network bandwidth (how do you address questions of how much network
speed is affected by Snort boxes?)


# How do you scale? 
# The book: "Snort 2.0 Intrusion Detection" discusses different
architectures but doesn't give any kind of Rule of Thumb for number of boxes
per architecture.  Yes, I know it depends upon the processor, RAM and BUS
speed, etc.but beyond that, how do you define?
# Would it be safe to say that once you see that you are dropping packets
you need to add another box?  Is it just trial and error ONLY?


B.      BENEFITS:

        -They can alert you to the presence of attacks (internal and
external) the majority of attacks occur, knowingly or unknowingly, from
within the network)
        -Identifies vulnerabilities and weaknesses in the perimeter
protection devices: firewalls and routers
        -"What you don't know CAN hurt you"
        -Preventative knowledge: IDSs can alert you to reconnaissance
scanning in your network which can alert you to impending attacks
        -Helps enforce security policies
        -Great sources of forensic evidence
        -Inline IDSs can halt active attacks on your network
        -Rounds out an overall security model


Can you add anything or correct me?

Thanks,
Previous By Date Next
Previous By Thread Next

Current thread: