Checkpoint SmartDefense & interspect vs ISS Realsecure vs Snort

Discussion in 'Computer Security' started by jeff, Aug 6, 2004.

  1. jeff

    jeff Guest

    Hey everyone,

    I am doing some research on IDS for my company. I don't see too much info
    about SmartDefense and InterSpect on the net. Can someone post their
    experience or test results?

    Here's some questions I have:
    * Do ISS and Snort cover a much wider range of attacks than CP products?

    * Speed - Which of these products works well in a high-traffic environment?

    * Accuracy - which one is more accurate?

    * How reliable are these solutions?

    Thank you in advance, please feel free to put in other comments

    JEFF-R
    jeff, Aug 6, 2004
    #1

  2. jeff

    Rob Hughes Guest

    jeff is alleged to have said in comp.security.firewalls:

    > Hey everyone,
    >
    > I am doing some research on IDS for my company. I don't see too much info
    > about SmartDefense and InterSpect on the net. Can someone post their
    > experience or test results?
    >
    > Here's some questions I have:
    > * Do ISS and Snort cover a much wider range of attacks than CP products?


    Yes, but in different ways. For example, Snort doesn't pick up on certain
    invalid/out of state TCP packets the way SD does. I use both in combination
    to get a more complete picture of network traffic. Also, if you're looking
    at SD, you should look at Interspect as well. It's a hybrid IDS/IPS based
    on SD, but with some extra goodies.

    > * Speed - Which of these products works well in a high-traffic environment?


    I've pumped several hundred Mbit/sec through a lowish-end SPLAT-based
    firewall (P3 800 / 512 MB RAM) with all SD features turned on.

    > * Accuracy - which one is more accurate?


    See my first answer. They're different products with different focuses. It's
    like asking which is more purple, an orange or a peach?

    > * How reliable are these solutions?


    I find Snort and SD both to be very reliable. I haven't messed with ISS, so
    color my answers appropriately.


    --
    Recursion: n. See Recursion.
    Rob Hughes, Aug 12, 2004
    #2
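Rob's point that Snort (as he was running it) misses invalid or out-of-state TCP segments that SmartDefense catches comes down to whether the sensor keeps per-flow state. The block below is an added example for this thread, not code from the poster, from Check Point or from Snort: a small direction-agnostic TCP state machine that flags segments which cannot legitimately occur in the flow's current state, next to a per-packet check that cannot tell a handshake ACK from an ACK probe. The Segment type, the state names and the SAMPLE traffic are constructed for the demonstration.

```python
"""Stateful TCP flow tracker that flags out-of-state segments.

Added example; not Check Point, Snort or the poster's code. Segment and
SAMPLE below are constructed sample input.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags payload_len")

# TCP header flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Flow states: a collapsed, direction-agnostic subset of the RFC 793 machine
CLOSED, SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT, LAST_ACK = (
    "CLOSED", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "LAST_ACK")


def flow_key(seg):
    """Direction-independent 4-tuple so both halves of a connection share state."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def stateless_bare_ack(seg):
    """Per-packet view: ACK-only, no payload. A handshake ACK and an ACK probe
    against a closed flow are indistinguishable here; only flow state differs."""
    return seg.flags & (SYN | ACK | FIN | RST) == ACK and seg.payload_len == 0


class FlowTracker:
    """Minimal TCP state machine; process() returns a reason for each
    segment that does not fit its flow's state, else None."""

    def __init__(self):
        self.state = {}

    def process(self, seg):
        k = flow_key(seg)
        st = self.state.get(k, CLOSED)
        syn, ack, fin, rst = (bool(seg.flags & f) for f in (SYN, ACK, FIN, RST))

        if rst:
            if st == CLOSED:
                return "RST for a flow that was never opened"
            self.state.pop(k, None)          # RST tears the flow down in any state
            return None
        if st == CLOSED:
            if syn and not ack and seg.payload_len == 0:
                self.state[k] = SYN_SENT
                return None
            return "segment without a prior SYN (no handshake seen)"
        if st == SYN_SENT:
            if syn and ack:
                self.state[k] = SYN_RECV
                return None
            return None if syn else "expected SYN/ACK"      # bare SYN = retransmit
        if st == SYN_RECV:
            if ack and not syn:
                self.state[k] = ESTABLISHED
                return None
            return None if (syn and ack) else "expected the handshake ACK"
        if syn:                               # ESTABLISHED, FIN_WAIT or LAST_ACK
            return "SYN inside an existing flow"
        if st == ESTABLISHED:
            if fin:
                self.state[k] = FIN_WAIT      # one side closed; data may still flow
            return None
        if st == FIN_WAIT:
            if fin:
                self.state[k] = LAST_ACK      # both sides closed; only the final ACK is left
            return None
        if seg.payload_len:                   # LAST_ACK
            return "data after both FINs"
        if ack and not fin:
            self.state.pop(k, None)           # final ACK completes the close
        return None


def scan(segments):
    """Feed segments through one tracker in order; return [(index, reason), ...]."""
    tracker, findings = FlowTracker(), []
    for i, seg in enumerate(segments):
        reason = tracker.process(seg)
        if reason:
            findings.append((i, reason))
    return findings


C, S = "10.0.0.5", "192.0.2.10"            # constructed client and server
SAMPLE = [
    # 0-8: a normal connection: handshake, request, response, four-way close
    Segment(C, 40000, S, 80, SYN, 0),
    Segment(S, 80, C, 40000, SYN | ACK, 0),
    Segment(C, 40000, S, 80, ACK, 0),
    Segment(C, 40000, S, 80, ACK, 120),
    Segment(S, 80, C, 40000, ACK, 800),
    Segment(C, 40000, S, 80, FIN | ACK, 0),
    Segment(S, 80, C, 40000, ACK, 0),
    Segment(S, 80, C, 40000, FIN | ACK, 0),
    Segment(C, 40000, S, 80, ACK, 0),
    # 9: ACK probe with no handshake (ACK-scan style)
    Segment("198.51.100.7", 51234, S, 80, ACK, 0),
    # 10: data injected into a connection that was never opened
    Segment("198.51.100.7", 51235, S, 25, ACK, 60),
    # 11: SYN/ACK for a flow nobody opened (backscatter from a spoofed SYN)
    Segment("203.0.113.9", 443, C, 60000, SYN | ACK, 0),
    # 12-15: second connection, then a SYN inside the established flow
    Segment(C, 40001, S, 22, SYN, 0),
    Segment(S, 22, C, 40001, SYN | ACK, 0),
    Segment(C, 40001, S, 22, ACK, 0),
    Segment(C, 40001, S, 22, SYN, 0),
]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE):
        print(f"segment {i}: {reason}")
```

Segments 2 and 9 are byte-for-byte the same kind of packet to a stateless check, which is why a signature-only sensor has nothing to match on; the tracker flags 9 because no SYN preceded it. The real engines also track sequence and window numbers and time out idle flows; those are left out here to keep the state machine readable.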

  3. jeff

    Chris Calabrese

    SmartDefense, Interspect, ISS RealSecure, and Snort all have very
    different points of view.

    SmartDefense is designed as a lightweight intrusion-prevention engine
    that can run in the firewall's spare cycles. This is a good choice if
    you already have a CheckPoint firewall in the network location you
    want to protect. The other major players here would be Cisco and
    Netscreen/Juniper.

    Interspect is sort of like SmartDefense without the firewall part -
    intended to be used at major internal network boundaries. This is a
    good choice if you're a CheckPoint shop and want to extend your
    existing SmartDefense program to the internal network. The other major
    player here would be Netscreen/Juniper.

    The ISS stuff is designed for more general intrusion-prevention (i.e.,
    you can install it anywhere, not just at network boundaries). This is
    a good choice if you want intrusion-prevention that covers key
    networks rather than key network boundaries. Some other players here
    would be Tipping Point and Top Layer.

    Snort is for intrusion-detection, not intrusion-prevention. Though you
    can turn it into an at-the-network-boundary intrusion-prevention
    system with snort-inline or hogwash. This is a good choice if you want
    to spend less money and are willing to give up ease-of-setup and have
    the necessary skills and time to roll your own solution. Although,
    there is a commercial version available from Sourcefire that is sort
    of in between rolling your own and the full-on network-toaster
    approach of ISS and Checkpoint's Interspect.

    As for your direct questions:
    o I'm guessing that ISS and Snort cover more attacks than the CP
    products as a) SmartDefense is not designed for wide coverage, but
    rather for opportunistic coverage for free, and b) InterSpect just
    hasn't been around as long as the ISS stuff or Snort, though CP seems
    to be putting resources into it, so I expect it won't lag by much or
    for long.
    o Don't know about speed, your best bet is to get a box in house and
    see if it handles your traffic loads.
    o Accuracy is probably related more to how you do tuning and the
    tradeoffs you're willing to make than it's related to the (relatively)
    minor differences in these different solutions. That said, the
    CheckPoints are probably going to have the lowest false-positives out
    of the box since they're coming from the firewall world where people
    get dinged for breaking things, rather than Snort and ISS which both
    have an Intrusion Detection heritage where false positives aren't
    considered as damaging as in the firewall world.
    o These solutions are all pretty reliable, as all of them are
    essentially going to be Linux or *BSD running on an OEM'ed Dell box
    (even if you roll your own you're likely to come up with something
    pretty much along these lines).

    "jeff" <> wrote in message news:<EISQc.347385$>...
    Chris Calabrese, Aug 13, 2004
    #3
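Chris's accuracy point is that the false-positive rate you end up with depends more on tuning than on which engine you buy. The main tuning knob on the Snort side of that comparison is event thresholding. The block below is an added example, not Snort or Sourcefire code: it reimplements the documented semantics of Snort's threshold directive (later event_filter) in plain Python: type limit / threshold / both, track by_src / by_dst, count and seconds. The fast-alert lines and the signature IDs in them are constructed sample data, and the timestamp arithmetic is an approximation that assumes alerts from one run.

```python
"""Snort-style event thresholding over constructed fast-alert lines.

Added example; not Snort or Sourcefire code. Reimplements the documented
threshold/event_filter semantics so the tuning tradeoff can be seen on data.
Alert lines and signature IDs below are constructed samples.
"""
import re
from collections import namedtuple

# alert_fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
FAST_ALERT = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.\d+\s+"
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

# type: limit | threshold | both; track: by_src | by_dst
EventFilter = namedtuple("EventFilter", "gid sid type track count seconds")


def parse_alert(line):
    """Parse one fast-alert line into a dict, or None if it does not match."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    # approximate seconds since an arbitrary epoch; enough for window arithmetic
    d["t"] = ((int(d["mon"]) * 31 + int(d["day"])) * 86400
              + int(d["hh"]) * 3600 + int(d["mm"]) * 60 + int(d["ss"]))
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d


class Thresholder:
    """Applies one EventFilter per (gid, sid); unfiltered signatures always log."""

    def __init__(self, filters):
        self.filters = {(f.gid, f.sid): f for f in filters}
        self.windows = {}  # (gid, sid, tracked address) -> [window_start, count]

    def should_log(self, a):
        f = self.filters.get((a["gid"], a["sid"]))
        if f is None:
            return True
        key = (a["gid"], a["sid"], a["src"] if f.track == "by_src" else a["dst"])
        w = self.windows.get(key)
        if w is None or a["t"] - w[0] >= f.seconds:
            w = self.windows[key] = [a["t"], 0]      # open a new time window
        w[1] += 1
        n = w[1]
        if f.type == "limit":        # log the first `count` events per window
            return n <= f.count
        if f.type == "threshold":    # log every `count`-th event
            return n % f.count == 0
        if f.type == "both":         # log once per window, on the `count`-th event
            return n == f.count
        raise ValueError("unknown filter type: " + f.type)


def apply_filters(lines, filters):
    """Return (line_index, sid, src) for every alert that survives the filters."""
    th, kept = Thresholder(filters), []
    for i, line in enumerate(lines):
        a = parse_alert(line)
        if a and th.should_log(a):
            kept.append((i, a["sid"], a["src"]))
    return kept


def _line(ts, sid, msg, cls, pri, proto, src, dst):
    """Build a constructed fast-alert line for the sample below."""
    return (f"08/13-{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: {cls}] "
            f"[Priority: {pri}] {{{proto}}} {src} -> {dst}")


# Constructed sample: one source hammers the web server six times in six seconds,
# an internal host trips the same signature once, then an unfiltered ICMP alert.
SAMPLE_LINES = (
    [_line(f"09:12:0{i}.000100", 1002, "WEB-IIS cmd.exe access",
           "Web Application Attack", 1, "TCP", f"198.51.100.7:5123{i}", "192.0.2.10:80")
     for i in range(6)]
    + [_line("09:12:07.000200", 1002, "WEB-IIS cmd.exe access",
             "Web Application Attack", 1, "TCP", "10.0.0.5:40000", "192.0.2.10:80"),
       _line("09:12:08.000300", 469, "ICMP PING NMAP",
             "Attempted Information Leak", 2, "ICMP", "198.51.100.7", "192.0.2.10")])

FILTER_LIMIT = [EventFilter(1, 1002, "limit", "by_src", 1, 60)]   # one alert per source per minute
FILTER_BOTH = [EventFilter(1, 1002, "both", "by_src", 5, 60)]     # only sources that hit 5 in a minute

if __name__ == "__main__":
    for name, flt in (("limit", FILTER_LIMIT), ("both", FILTER_BOTH)):
        print(name, apply_filters(SAMPLE_LINES, flt))
```

The two filters make the tradeoff concrete: limit keeps one alert from every source, so the single internal hit is still visible but the noisy scanner collapses to one line; both hides anything that does not reach five hits in the window, which silences the scanner's repetition and the one-off alike. Which of those is a false positive depends on the site, which is the point Chris is making.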
  4. jeff

    Ipeefreely Guest

    Have you looked into Secure Computing's Sidewinder G2 Firewall?

    On 12 Aug 2004 21:10:05 -0700, (Chris
    Calabrese) wrote:

    Ipeefreely, Oct 7, 2005
    #4
  5. jeff

    Imhotep Guest

    Ipeefreely <> wrote:

    > Have you looked into Secure Computing's Sidewinder G2 Firewall?
    >
    > On 12 Aug 2004 21:10:05 -0700, (Chris
    > Calabrese) wrote:

    I read today that Checkpoint bought the company that writes Snort....

    Im
    Imhotep, Oct 8, 2005
    #5
