  • #2188695

    Evaluating Intrusion Detection Systems

    by dkjames ·

    I am trying to throw together some information for a budget meeting – and once again I am going to beg for money for an Intrusion Detection System. I have looked at Cisco’s appliance – but am grossly uninformed. I have checked out SANS site regarding ID types, methods etc – but could really use some suggestions. What ID systems have been the most effective for the investment?

All Comments

    • #3262662

      Budget

      by jmgarvin ·

      In reply to Evaluating Intrusion Detection Systems

      If you don’t have a budget, Linux with Snort and ACID works pretty well.

      If you do have a budget, the Cisco systems aren’t bad.

      It boils down to, what do you need it to do and what is it looking for? Is it a passive or active IDS? Do you need granular control or just general rules?

      • #3262814

        Looking at Cisco and Enterasys

        by dkjames ·

        In reply to Budget

        We have a small budget (very small), but I want to make sure I take us in the right direction. I think NIDS is probably the way to go for us – a small higher ed institution with both internal and external FWs. We also have a very small staff. For example, I am the network admin, but I also run helpdesk, staff development, web, and, you know – basically everything from servers to PCs, so I need something intuitive and easy to learn. Thanks for the info. Is Cisco commonplace in a lot of higher ed institutions?

        • #3261344

          IPS

          by strauss ·

          In reply to Looking at Cisco and Enterasys

          I think you should go for IPS instead of NIDS. With IDS you will be spending all your time on it.
          Go for inline IPS. If your budget permits, go for ISS Proventia appliances. Easy to manage, 99% protection out of the box. The good thing about it is that it’s an end-to-end solution and scales.

        • #3097179

          ISS vs TippingPoint

          by mnauta9 ·

          In reply to IPS

          Don’t mean to hijack this thread, but after researching several products I have to decide between ISS Proventia M30 and TippingPoint X505. Does anyone have experience with either? Any opinions are welcome. Thanks

        • #3261716

          Cisco Common in higher ed

          by jmgarvin ·

          In reply to Looking at Cisco and Enterasys

          IMHO it is. Every higher ed place I’ve been to or worked at has had at least SOME Cisco stuff. I’ve noticed that for the most part Cisco stuff is usually used for switching and routing. I have seen a Cisco packet shaper or two, but they don’t seem very common.

        • #3050751

          Reduce accountability

          by wally_z ·

          In reply to Looking at Cisco and Enterasys

          I’ve spent countless hours discussing the value of intrusion detection within the mid-sized university where I work. We are an all-Cisco shop with about 3000 nodes and half a dozen remote offices/campuses. The cost of equipment for an agent on each network segment/VLAN is quite expensive. In addition, most IDS systems require an enormous amount of man-hours.

          We decided that IDS was on the bottom of our “must have” list and that we would get better “ROI” on network and server monitoring systems that automate security patch management (and alert us when equipment is down).

          When we do IDS it will be outsourced to one of several companies specializing in firewall and IDS monitoring. Our feeling is that if we spend the large amount of money to do this but don’t have the manpower to properly execute and monitor, then our risk of failure is very high. On the other hand, having an outside expert limits our accountability and still fulfills our obligation to the end users and upper management’s demands.

          My 2 cents.

      • #3099760

        by mnauta9 ·

        In reply to Budget

        I just made a recommendation to our organization to go with ISS Proventia M30. I’ll probably only use the IPS feature at first.

    • #3237261

      McAfee Intrushield Trumps Them All

      by techrep_route.20.crowem ·

      In reply to Evaluating Intrusion Detection Systems

      I am currently involved in a world-wide deployment of McAfee’s Intrushield product. In testing, we compared this to Symantec, Cisco SIDS, ISS Proventia. In fact, we exclusively fielded ISS for 3 years before moving to McAfee.

      In short, none of them held a candle to McAfee’s product. They have several different models for different sized networks. What kind of bandwidth are you talking about? The 1200 allows inline IPS at 100Mbps, which is plenty for most networks. That one, with annual maintenance, would run you less than 7k.

      These days, you’re (generally) not going to be able to pick up a NIDS system that doesn’t perform Intrusion Prevention (IPS). In fact, most just call themselves IPS rather than IDS any more. The Intrushield also builds in Spyware Prevention, IM blocking, as well as a ton of other features on top of IPS.

      If you have more specific questions, ask away.

      • #3177444

        Still no best in the IPS

        by jeff.jones ·

        In reply to McAfee Intrushield Trumps Them All

        Well, after having most of the ones mentioned in the lab, I really have to say I am not sure which route to go. Has anyone tried any other hardware IPS solution other than those mentioned?

        ISS Proventia
        McaFee Intrushield

        • #3183086

          ASA 5500

          by beads ·

          In reply to Still no best in the IPS

          Currently playing with a Cisco ASA 5500 for a private client. Seems to do well enough; though I haven’t personally gotten by it, there are people out there with more exotic techniques than I have at my disposal.

          The only real reason I have stayed Cisco is because it integrates with Trend Micro and, well, that’s where my certs lie.

          Will check out the McAfee piece as well.

          – beads

        • #3051451

          SonicWALL has IPS

          by knylen ·

          In reply to Still no best in the IPS

          Have you looked at the SonicWALL generation 4 product line? It has Gateway AV, IPS, and Anti-Spam at the appliance. It can be bundled together with content filtering and reporting software.

        • #3051252

          What is the bottom line?

          by nick.turvey ·

          In reply to Still no best in the IPS

          All of the products have their advantages and disadvantages. I personally have used, and continue to use, Cisco. Their products are tried and true, and their support and reliability are second to none; however, they do tend to be more costly. So what is the bottom line? Is it worth the extra cost for a definitive solution, or is it better to cut the cost for a product that does not have the quality?

    • #3194371

      Have you tried Tripwire

      by ·

      In reply to Evaluating Intrusion Detection Systems

      Suggest you download Tripwire; firstly, it is free and open source, and it does a great job of checking file integrity. You may also want to experiment by asking your programmer to develop sample honeypots.

    • #3051393

      PLEASE READ…………….

      by makins ·

      In reply to Evaluating Intrusion Detection Systems

      You should check out a managed solution like This is a true plug and play IDS/IPS solution that requires no staff or appliance training. The ROI is good and it will save you thousands of dollars in up-front costs. The price is extremely reasonable and is based on the number of user IP addresses. Please email me for a quote.

      • #3051390

        Protect Point has a free 30 day trial

        by makins ·

        In reply to PLEASE READ…………….

        I forgot to mention the free 30 day trial. If you want seamless IDS/IPS that is completely managed, this is for you. IDS/IPS usually requires engineer training, and the device also requires training. If you do not have the staff for this, then a managed solution is best. Put it in and forget about it. Protect Point will take care of all the notifications.

        • #3051203

          Know the difference

          by rond7 ·

          In reply to Protect Point has a free 30 day trial

          First you need to really know the difference between IPS and IDS. Check out this link:

          You will find a link to the Intrusion Detection information as well. Decide which one you want, yes there are differences, and go from there.

        • #3051103

          Thanks for the info

          by dkjames ·

          In reply to Know the difference

          From the variety of responses, I can tell this is a diverse topic with many “right” answers. I do think that an Intrusion Detection system is the best choice for me at this time. $$ is definitely a consideration – but efficacy is #1. Cisco is great quality, but may not be the best bang for buck solution for me.

    • #3051206

      SecureWorks and DataComm

      by bkrateku ·

      In reply to Evaluating Intrusion Detection Systems

      We have used SecureWorks and the auditors (external) recommend DataComm as well. Both seem to do well, but shouldn’t be a one stop shop. We use another company to monitor some of the functions that SecureWorks has as well as doing other things that SecureWorks also has products for. Mostly just so we don’t have all our eggs in one basket so to speak.

    • #3051808

      by hba ·

      In reply to Evaluating Intrusion Detection Systems

      FortiNet has a wide range of appliances that do firewall, IDS and IPS. Not perfect, but they seem to have the best control over which intrusion events are stopped and which are just logged (à la IDS), so you can tune between the two options.

      Disclaimer: I haven’t actually used this yet. We’ve been evaluating several options and have decided to purchase a Fortigate 200A, but it’s not in yet. Other options we considered were Symantec 5420 and Watchguard X1000.

    • #3099791

      Avanton ReadyARM

      by rlknapp1 ·

      In reply to Evaluating Intrusion Detection Systems

      Plug and play appliance, with IDS, Vulnerability Assessment, Network Monitoring and integrated reporting.

      MSRP: $9995.
