Checkpoint SmartDefense & interspect vs ISS Realsecure vs Snort

Hey everyone,

I am doing some research on IDS for my company. I don't see too much info
about Smartdefense and Interspect on the net. Can someone post their
experience or test result.

Here's some questions i have:
*Do ISS and Snort cover a much wider range of attacks that CP products?

*Speed - Which of these product works well in high-traffic environment?

*Accuracy? - which one is more accurate?

* how reliable are these solution?

Thank you in advance, please feel free to put in other comments

JEFF-R

jeff

jeff is alleged to have said in comp.security.firewalls:

> Hey everyone,
>
> I am doing some research on IDS for my company. I don't see too much info
> about Smartdefense and Interspect on the net. Can someone post their
> experience or test result.
>
> Here's some questions i have:
> *Do ISS and Snort cover a much wider range of attacks that CP products?

Yes, but in different ways. For example, Snort doesn't pick up on certain
invalid/out of state TCP packets the way SD does. I use both in combination
to get a more complete picture of network traffic. Also, if you're looking
at SD, you should look at Interspect as well. It's a hybrid IDS/IPS based
on SD, but with some extra goodies.

> *Speed - Which of these product works well in high-traffic environment?

I've pumped several hundred MBit/p/sec through a lowish-end SPLAT based
firewall (P3 800/512 meg ram) with all SD features turned on.

> *Accuracy? - which one is more accurate?

See my first answer. They're different products with different focuses. It's
like asking which is more purple, and orange or a peach?

> * how reliable are these solution?

I find Snort and SD both to be very reliable. I haven't messed with ISS, so
color my answers appropriately.


--
Recursion: n. See Recursion.

Rob Hughes

SmartDefense, Interspect, ISS RealSecure, and Snort all have very
different points of view.

SmartDefense is designed as a lightweight intrusion-prevention engine
that can run in the firewall's spare-cycles. This is a good choice if
you already have a CheckPoint firewall in the network location you
want to protect. The other major players here would be Cisco and
Netscreen/Juniper.

Interspect is sort of like SmartDefense without the firewall part -
intended to be used at major internal network boundaries. This is a
good choice if you're a CheckPoint shop and want to extend your
existing SmartDefense program to the internal network. The other major
player here would be Netscreen/Juniper.

The ISS stuff is designed for more general intrusion-prevention (i.e.,
you can install it anywhere, not just at network boundaries). This is
a good choice if you want intrusion-prevention that covers key
networks rather than key network boundaries. Some other players here
would be Tipping Point and Top Layer.

Snort is for intrusion-detection, not intrusion-prevention. Though you
can turn it into an at-the-network-boundary intrusion-prevention
system with snort-inline or hogwash. This is a good choice if you want
to spend less money and are willing to give up ease-of-setup and have
the necessary skills and time to roll your own solution. Although,
there is a commercial version available from Sourcefire that is sort
of in between rolling your own and the full-on network-toaster
approach of ISS and Checkpoint's Interspect.

As for your direct questions:
o I'm guessing that ISS and Snort cover more attacks than the CP
products as a) SmartDefense is not designed for wide coverage, but
rather for oportunistic coverage for free, and b) InterSpect just
hasn't been around as long as the ISS stuff or Snort, though CP seems
to be putting resources into it so I expect it won't lag by much or
for long.
o Don't know about speed, your best bet is to get a box in house and
see if it handles your traffic loads.
o Accuracy is probably related more to how you do tuning and the
tradeoffs you're willing to make than it's related to the (relatively)
minor differences in these different solutions. That said, the
CheckPoints are probably going to have the lowest false-positives out
of the box since they're coming from the firewall world where people
get dinged for breaking things, rather than Snort and ISS which both
have an Intrusion Detection heritage where false positives aren't
considered as damaging as in the firewall world.
o These solutions are all pretty reliable as all of them are
essentiall going to be Linux or *BSD running on an OEM'ed Dell box
(even if you roll your own you're likely to come up with something
pretty much along these lines).

"jeff" <> wrote in message news:<EISQc.347385$ .cable.rogers.com>...
> Hey everyone,
>
> I am doing some research on IDS for my company. I don't see too much info
> about Smartdefense and Interspect on the net. Can someone post their
> experience or test result.
>
> Here's some questions i have:
> *Do ISS and Snort cover a much wider range of attacks that CP products?
>
> *Speed - Which of these product works well in high-traffic environment?
>
> *Accuracy? - which one is more accurate?
>
> * how reliable are these solution?
>
> Thank you in advance, please feel free to put in other comments
>
> JEFF-R

Chris Calabrese

Have you looked into Secure Computing's Sidewinder G2 Firewall?

On 12 Aug 2004 21:10:05 -0700, (Chris
Calabrese) wrote:

>SmartDefense, Interspect, ISS RealSecure, and Snort all have very
>different points of view.
>
>SmartDefense is designed as a lightweight intrusion-prevention engine
>that can run in the firewall's spare-cycles. This is a good choice if
>you already have a CheckPoint firewall in the network location you
>want to protect. The other major players here would be Cisco and
>Netscreen/Juniper.
>
>Interspect is sort of like SmartDefense without the firewall part -
>intended to be used at major internal network boundaries. This is a
>good choice if you're a CheckPoint shop and want to extend your
>existing SmartDefense program to the internal network. The other major
>player here would be Netscreen/Juniper.
>
>The ISS stuff is designed for more general intrusion-prevention (i.e.,
>you can install it anywhere, not just at network boundaries). This is
>a good choice if you want intrusion-prevention that covers key
>networks rather than key network boundaries. Some other players here
>would be Tipping Point and Top Layer.
>
>Snort is for intrusion-detection, not intrusion-prevention. Though you
>can turn it into an at-the-network-boundary intrusion-prevention
>system with snort-inline or hogwash. This is a good choice if you want
>to spend less money and are willing to give up ease-of-setup and have
>the necessary skills and time to roll your own solution. Although,
>there is a commercial version available from Sourcefire that is sort
>of in between rolling your own and the full-on network-toaster
>approach of ISS and Checkpoint's Interspect.
>
>As for your direct questions:
>o I'm guessing that ISS and Snort cover more attacks than the CP
>products as a) SmartDefense is not designed for wide coverage, but
>rather for oportunistic coverage for free, and b) InterSpect just
>hasn't been around as long as the ISS stuff or Snort, though CP seems
>to be putting resources into it so I expect it won't lag by much or
>for long.
>o Don't know about speed, your best bet is to get a box in house and
>see if it handles your traffic loads.
>o Accuracy is probably related more to how you do tuning and the
>tradeoffs you're willing to make than it's related to the (relatively)
>minor differences in these different solutions. That said, the
>CheckPoints are probably going to have the lowest false-positives out
>of the box since they're coming from the firewall world where people
>get dinged for breaking things, rather than Snort and ISS which both
>have an Intrusion Detection heritage where false positives aren't
>considered as damaging as in the firewall world.
>o These solutions are all pretty reliable as all of them are
>essentiall going to be Linux or *BSD running on an OEM'ed Dell box
>(even if you roll your own you're likely to come up with something
>pretty much along these lines).
>
>"jeff" <> wrote in message news:<EISQc.347385$ .cable.rogers.com>...
>> Hey everyone,
>>
>> I am doing some research on IDS for my company. I don't see too much info
>> about Smartdefense and Interspect on the net. Can someone post their
>> experience or test result.
>>
>> Here's some questions i have:
>> *Do ISS and Snort cover a much wider range of attacks that CP products?
>>
>> *Speed - Which of these product works well in high-traffic environment?
>>
>> *Accuracy? - which one is more accurate?
>>
>> * how reliable are these solution?
>>
>> Thank you in advance, please feel free to put in other comments
>>
>> JEFF-R

Ipeefreely

Ipeefreely <> wrote:

> Have you looked into Secure Computing's Sidewinder G2 Firewall?
>
> On 12 Aug 2004 21:10:05 -0700, (Chris
> Calabrese) wrote:
>
>>SmartDefense, Interspect, ISS RealSecure, and Snort all have very
>>different points of view.
>>
>>SmartDefense is designed as a lightweight intrusion-prevention engine
>>that can run in the firewall's spare-cycles. This is a good choice if
>>you already have a CheckPoint firewall in the network location you
>>want to protect. The other major players here would be Cisco and
>>Netscreen/Juniper.
>>
>>Interspect is sort of like SmartDefense without the firewall part -
>>intended to be used at major internal network boundaries. This is a
>>good choice if you're a CheckPoint shop and want to extend your
>>existing SmartDefense program to the internal network. The other major
>>player here would be Netscreen/Juniper.
>>
>>The ISS stuff is designed for more general intrusion-prevention (i.e.,
>>you can install it anywhere, not just at network boundaries). This is
>>a good choice if you want intrusion-prevention that covers key
>>networks rather than key network boundaries. Some other players here
>>would be Tipping Point and Top Layer.
>>
>>Snort is for intrusion-detection, not intrusion-prevention. Though you
>>can turn it into an at-the-network-boundary intrusion-prevention
>>system with snort-inline or hogwash. This is a good choice if you want
>>to spend less money and are willing to give up ease-of-setup and have
>>the necessary skills and time to roll your own solution. Although,
>>there is a commercial version available from Sourcefire that is sort
>>of in between rolling your own and the full-on network-toaster
>>approach of ISS and Checkpoint's Interspect.
>>
>>As for your direct questions:
>>o I'm guessing that ISS and Snort cover more attacks than the CP
>>products as a) SmartDefense is not designed for wide coverage, but
>>rather for oportunistic coverage for free, and b) InterSpect just
>>hasn't been around as long as the ISS stuff or Snort, though CP seems
>>to be putting resources into it so I expect it won't lag by much or
>>for long.
>>o Don't know about speed, your best bet is to get a box in house and
>>see if it handles your traffic loads.
>>o Accuracy is probably related more to how you do tuning and the
>>tradeoffs you're willing to make than it's related to the (relatively)
>>minor differences in these different solutions. That said, the
>>CheckPoints are probably going to have the lowest false-positives out
>>of the box since they're coming from the firewall world where people
>>get dinged for breaking things, rather than Snort and ISS which both
>>have an Intrusion Detection heritage where false positives aren't
>>considered as damaging as in the firewall world.
>>o These solutions are all pretty reliable as all of them are
>>essentiall going to be Linux or *BSD running on an OEM'ed Dell box
>>(even if you roll your own you're likely to come up with something
>>pretty much along these lines).
>>
>>"jeff" <> wrote in message
>>news:<EISQc.347385$ et.cable.rogers.com>...
>>> Hey everyone,
>>>
>>> I am doing some research on IDS for my company. I don't see too much
>>> info about Smartdefense and Interspect on the net. Can someone post
>>> their experience or test result.
>>>
>>> Here's some questions i have:
>>> *Do ISS and Snort cover a much wider range of attacks that CP products?
>>>
>>> *Speed - Which of these product works well in high-traffic environment?
>>>
>>> *Accuracy? - which one is more accurate?
>>>
>>> * how reliable are these solution?
>>>
>>> Thank you in advance, please feel free to put in other comments
>>>
>>> JEFF-R


I read today that Checkpoint bought the company that writes Snort....

Im

Imhotep