General discussion


Evaluating Intrusion Detection Systems

By djames ·
I am trying to throw together some information for a budget meeting - and once again I am going to beg for money for an Intrusion Detection System. I have looked at Cisco's appliance - but am grossly uninformed. I have checked out SANS site regarding ID types, methods etc - but could really use some suggestions. What ID systems have been the most effective for the investment?

This conversation is currently closed to new comments.

20 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -


by jmgarvin In reply to Evaluating Intrusion Dete ...

If you don't have a budget Linux with Snort and ACID work pretty well.

If you do have a budget, the Cisco systems aren't bad.

It boils down to, what do you need it to do and what is it looking for? Is it a passive or active IDS? Do you need granular control or just general rules?

Collapse -

Looking at Cisco and Enterasys

by djames In reply to Budget

We have a small budget (very small) but I want to make sure I take us in the right direction. I think NIDS is probably the way to go for us - a small higher ed institution with both internal and external FW's. We also have a very small staff. For example, I am the Network admin, but I also run helpdesk, staff development, web, and you know - basically everything from servers to PC's so I need something intuitive and easy to learn. Thanks for the info. Is Cisco common place in alot of higher ed institutions?

Collapse -


by Strauss In reply to Looking at Cisco and Ente ...

I think you should go for IPS instead of NIDS. With IDS you will spending all your time on it.
GO for Inline IPS. If your budget permits, go for ISS Proventia Appliances. Easy to manage, 99% protection out of the box. Good thing about it, Its end-to-end solution and scales.

Collapse -

ISS vs TippingPoint

by mnauta In reply to IPS

Don't mean to hijack this thread, but afer researching several products I have to decide between IIS Provintia M30 and TrippingPoint X505. Does anyone have experience with either? any opinions are welcome. Thanks

Collapse -

Cisco Common in higher ed

by jmgarvin In reply to Looking at Cisco and Ente ...

IMHO it is. Every higher ed place I've been to or worked at has had at least SOME Cisco stuff. I've noticed that for the most part Cisco stuff is usually used for switching and routing. I have seen a Cisco packet shaper or two, but they don't seem very common.

Collapse -

Reduce accountability

by Wally_Z In reply to Looking at Cisco and Ente ...

I?ve spent countless hours discussing the value of intrusion detection within the mid-sized University where I work. We are an all Cisco shop with about 3000 nodes and half a dozen remote offices/campuses. The cost of equipment for an agent on each network segment/VLAN is quite expensive. In addition most IDS systems require an enormous amount of man hours.

We decided that IDS was on the bottom of our ?must have? list and would get better ?ROI? on network and server monitoring systems that automate security patch management ( and alert us when equipment is down.

When we do IDS it will be outsourced to one of several companies specializing in firewall and IDS monitoring. Our feeling is if we spend the large amount of money to do this but don?t have the man power to properly execute and monitor then our risk of failure is very high. On the other hand having an outside expert limits our accountability and still fulfills our obligation to the end users and upper management?s demands.

My 2 cents.

Collapse -


by mnauta In reply to Budget

I just made a commendation to our organization to go with IIS Proventia M30. I'll probably only use the IPS feature at first.

Collapse -

McAfee Intrushield Trumps Them All

I am currently involved in a world-wide deployment of McAfee's Intrushield product. In testing, we compared this to Symantec, Cisco SIDS, ISS Proventia. In fact, we exclusively fielded ISS for 3 years before moving to McAfee.

In short, none of them held a candle to McAfee's product. They have several different models for different sized networks. What kind of bandwith are you talking about? The 1200 allows inline IPS at 100Mbps, which is plenty for most networks. That one, with annual maintenance, would run you less than 7k.

These days, you're (generally) not going to be able to pick up a NIDS system that doesn't perform Intrusion Prevention (IPS). In fact, most just call themselves IPS rather than IDS any more. The Intrushield also builds in Spyware Prevention, IM blocking, as well as a ton of other features on top of IPS.

If you have more specific questions, ask away.

Collapse -

Still no best in the IPS

by jeff.jones In reply to McAfee Intrushield Trumps ...

Well after having most of the ones mentioned in the LAB, I really have to say I am not sure which route to go. Has anyone tried any other hardware IPS solution other than those mentioned..

ISS Proventia
McaFee Intrushield

Collapse -

ASA 5500

by beads In reply to Still no best in the IPS

Currently playing with a Cisco ASA 5500 for a private client. Seems to do well enough though I haven't personally gotten by it there are people out there with more exotic techniques than I have at my disposal.

The only real reason I have stayed Cisco is because it intergrates with Trend Micro and well, thats where my certs lie.

Will check out the MacAffe (sp) piece as well.

- beads

Back to Security Forum
20 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums