August 18th, 2004 10:48 PM
Internet Security Systems?
"for example one of the IDS's we use is Real Secure by Internet Security Systems."
Called them for a quote, away from desk, waited the day for return call, didn't happen.
Are they still worth your recommend?
Do you know what it would cost per web server to protect it, can someone tell me please?
August 18th, 2004 10:51 PM
For what it's worth, I just dumped Real Secure in favor of snort. (Fedora & Snort are open source - free) Therefore all you have to pony up for is the box to install the system on.
August 18th, 2004 10:57 PM
ISS is well respected in the industry.... So much so people spend mucho dinero paying for their systems.
OTOH, if you understand your systems, the threat and are prepared to spend a little time with your head buried in some manuals/FAQ's/etc. you can have an equally effective system using Snort for less than $1000 including your time.
If you need Snort help there are plenty of resources out there, there are new rules being written daily and you will find some additional help here too....
ISS is _a_ solution.... There are others... all have costs.... What's your budget and what does you risk assessment indicate to be your potential loss? That's the primary question in issues like this.....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
August 19th, 2004 05:35 AM
ISS is a less than ethical company and tries to make a big deal out of things. I guess in some messed up indirect manner it gives them the chance to launch new products and hopefully more sales?
I've been suspicious of ISS for a long time now.
August 19th, 2004 11:42 AM
I would look elsewhere for IDS. I know some folks who have a large ISS Realsecure implementation and support has gradually been in decline for the past year. Signatures are released late, and support is not exactly the best. It seems there are focusing more on their new line of IPS devices.
I`m not sure of the exact cost, but its expensive.
A better bet (as has already been mentioned) might be to use Snort as its free. IDS is somewhat of a suspect technology at present, not because of the technology itself (well, maybe a little) but more so because of the large amount of manpower required to support them. You need to spend considerable time bedding the system down and removing false positives, you then need to have monitoring in place to ensure that you can actually act on events as they happen (or as close to as you can). One route that has been taken by many companies is to outsource their IDS, which is you weight up the pros and cons isn`t such a bad option.
Back to realsecure, I`d stay away from it, there are many other commercail IDS solutions out there that have better support, and are more effective.
Quis custodiet ipsos custodes
August 19th, 2004 12:58 PM
If you've got a boss leary about using free software --and I've had a couple of those-- then you could look at SourceFire's implementation of snort. You still get the software, but you have someone there to give you support as well. Win/win if you don't have the resources available to dedicate to completely learning something on your own.
August 19th, 2004 03:02 PM
IMHO, whether or not you use ISS is more dependent on how large of a deployment you are talking about. I have used ISS, Snort (using Acid, Demarc, and Niksun), Niksun, and Cisco IDS solutions and ISS, despite their arrogance and extreme price, IMHO have the only worthy enterprise solution (> 50 sensors).
On the positive side, ISS has a very well thought out enterprise solution that allows the updating of all sensors with just a few clicks, centralized databases, integration of IDS and VA (and if you want to spend the big bucks on fusion, even correlation between the two), incorporation of third party logs (ie, checkpoint and pix firewall logs), customized signatures that follow the snort signature standard (TRONS). If you have a very large deployment, while snort is good (and many solutions for snort are decent), I haven't seen anything that compares to ISS (using the Site Protector solution). There are many companies that are making great strides towards this type of a solution and I expect ISS to start losing market share in the enterprise market (if they haven't already) in the near future.
On the negative side, ISS is very arrogant in their customer service and support. We had a very large deployment that used a non-windows platform for the IDS sensors, only to see in the news (note, not from our account manager, which should say something clearly) that they were dropping all support for Sun, HP-UX, SCO, Nokia platforms in the next month. No end-of-life, no we will support it for a couple of more years, just flat ass dropping support (they have sense wised up and are supporting the platforms for existing products, just no new development). ISS is also horridly expensive (and to get complete functionality with Site Protector you have to pay even more for the fusion module (by ip) for the third party module (by ip) and the other multitude of products. ISS is not for the small wallet. On the technical side, I have seen many instances where ISS still misses events under heavy network load, something they claimed to have fixed.
We are revaluating our association with ISS and will probably move on to another product in the next couple of years after our most recent problems with them. One thing that we have been fairly impressed with is Niksun Netdetectors; however, they are not for the small wallet either, though they have some rather fascinating capabilities. If you have some money to burn, they can burn it fast
We also looked at several other vendors that were very interesting, but their pricing is based on IP and with as many class B's as we have, there was just no way (and they wouldn't adjust their pricing). If memory serves, the one that impressed me the most was Intruvert, but I will have to go back and look at my notes.
Anyway, like most things these days, its a mixed bag.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)