Normally we like to keep that a secret.
It's not fair to say because so many variables play in hand. Network size, nodes, throughput and even the balance on your books. Yes, asset size plays a role in a lot of licensing negotiations. In addition, this is just "talk", meaning: what is a ballpark figure? Oh, and your attitude, knowledge, salesmanship and experience even come into play.
Taking all that into consideration, a particular vendor in a particular moment in space time said to me off record, around 30K. That is extremely significant, given the size of my business and its monthly income. Definitely priced OUT of the typical SOHO market.
Sniffing the security air.
I plan on thoroughly testing snort. So thanks for more ammo in my pocket to get that up and running. In addition I am implementing Tiger_Shark’s recommendations in another thread:
http://www.antionline.com/showthread...hreadid=245311
The temptation for me is - this thing is like a filter. It is a doorway with no IP address between the network and the internet. It’s not just hanging off the network; it’s in line with it. And it only allows packets that meet certain rules through. Like a firewall, except most exploits are coming over open standard ports anyway and the firewall I have is powerless to stop those. ALL the solutions I have seen so far are retroactive. Meaning an event happening now may be discovered 3 hours from now, or 3 days, or 3 weeks. All dependent on the time, discipline and expertise of the operator. Because the real issue we all face, and especially me because of my workload, is this: I do not have the knowledge, the expertise and the time to sit at my console and peer into the matrix and see everything that is happening in an instant. I am not Nemo. Some of you are... that I know, but I am not. I am an amateur at best. (humble). And my god, to keep up on every exploit is increasingly difficult. I don't have the time to gather 4gb of logs, glance it over and say AH HAH! That looks suspicious. ;) Although I really try to accomplish as much as possible and like most of you I take any defect in my own systems PERSONALLY! That’s what makes us good!
So, the idea that another group I trust (SANS.ORG) can almost instantaneously apply signatures to propagating threats is enticing. We all trust our virus signature writers, don’t we? And when they catch a virus before inspection we feel GOOD. Also enticing are Snort and Snare and all the host of other products out there.
Currently I DO have an IDS that CAN control and shut down ports being attacked on vendor specific routers and firewalls. But I don't trust it to stop attacks against ports that are already open, at least in real time. I don't think anyone here has used one yet. The price is way too expensive now, but it’s on my radar perimeter and if it proves to be a reliable technology and they get the price to around a normal IDS cost, would I try it? Hell yes. For now, I am going the Snort/Script/Syslog server route and HOPING I can keep up with it all.
Thanks for all the info guys, I still hope someone out there has tried one of these things and can give us the real scoop on it.
Re: Sniffing the security air.
Quote:
Originally posted here by RoadClosed
I plan on thoroughly testing snort. For now, I am going the Snort/Script/Syslog server route and HOPING I can keep up with it all.
Thanks for all the info guys, I still hope someone out there has tried one of these things and can give us the real scoop on it.
I'm glad to hear this. It would save your company a tremendous amount of money for you to use open-source technologies. You're sure to get that bonus when you show your company you can flex your skills in such a cost-effective method. Grab a good Linux book and start soaking up everything you can.
Linux comes with some pretty powerful firewalls. There will no longer be a reason for you to discover that disallowed traffic has passed from days ago, 'cause now, with Linux, you can set rules that if it's not explicitly allowed, it's automatically disallowed. That's just better security.
Remember, it doesn't matter what setup you decide to implement, you're gonna have to spend some good amount of time reviewing logs, but there are free (open-source) solutions that can notify you in real time when there is something you should give your immediate attention.
I'm sure you'll be ok, there's hope for you yet.
--PuRe www.pureescape.net
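The "Snort/Script/Syslog server" route RoadClosed describes, and the real-time notification PuRe mentions, come down to a script that reads the syslog feed and decides what is worth interrupting someone for. The example below is added here and is not code from either poster; it parses the alert line layout Snort writes to syslog, pages immediately on priority 1, and collapses a run of low-priority alerts from one source into a single notice. The sample log lines, SIDs, hostnames and addresses are all constructed for the demo.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Matches the alert layout Snort writes to syslog: [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample syslog lines for the demo: SIDs, hostnames and addresses are made up.
SAMPLE_SYSLOG = [
    "Mar  4 02:11:07 sensor snort[812]: [1:100001:1] EXAMPLE WEB-MISC cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51234 -> 192.0.2.10:80",
    "Mar  4 02:11:08 sensor sshd[901]: Accepted publickey for admin from 192.0.2.50 port 40022 ssh2",
    "Mar  4 02:11:09 sensor snort[812]: [1:100002:1] EXAMPLE SCAN TCP portsweep "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:4000 -> 192.0.2.10:21",
    "Mar  4 02:11:09 sensor snort[812]: [1:100002:1] EXAMPLE SCAN TCP portsweep "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:4001 -> 192.0.2.10:22",
    "Mar  4 02:11:10 sensor snort[812]: [1:100002:1] EXAMPLE SCAN TCP portsweep "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:4002 -> 192.0.2.10:23",
]

def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert fields, or None for syslog lines that are not Snort alerts."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def triage(lines: List[str], page_at_or_above: int = 1, sweep_threshold: int = 3) -> List[str]:
    """Reduce a syslog stream to the notices worth paging someone for right now.
    Priority 1 (Snort's most severe) pages immediately; lower priorities page once a
    single source has tripped `sweep_threshold` alerts, so a sweep is one message."""
    notices: List[str] = []
    per_source: Counter = Counter()
    already_paged = set()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # ordinary syslog noise, not a Snort alert
        prio = int(a["prio"])
        if prio <= page_at_or_above:
            notices.append(f"PAGE prio {prio}: {a['msg']} {a['src']} -> {a['dst']}:{a['dport']}")
            continue
        per_source[a["src"]] += 1
        if per_source[a["src"]] >= sweep_threshold and a["src"] not in already_paged:
            already_paged.add(a["src"])
            notices.append(f"PAGE repeated: {per_source[a['src']]} low-priority alerts from {a['src']} ({a['msg']})")
    return notices
```

In production the same `triage` loop would read from a pipe tailing the syslog server's file and hand each notice to whatever pager or mailer is in use; the thresholds are the knobs to tune against your own false-positive rate.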