IDS - Snort for commercial purposes?

isasir

Diamond Member
Aug 8, 2000
8,609
0
0
I work for a small company (~30 employees) which currently does not have IDS set up. I plan on looking into IDS to get something up and running, and of course the product I hear the most about is Snort.

Is Snort good for organizations? There is no real IT budget here, so the IDS product I look into would have to be cheap/free, but of course work fairly well.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Yeah, it's used in a lot of organizations, even enterprises. It takes a lot of work (IDS in general), and you have to have people looking at it constantly or it isn't worth it.

I highly recommend it, unless you're expecting to use it on Windows. Then the magic 8-ball points to: DON'T DO IT! Or something like that.
 

isasir

Originally posted by: n0cmonkey
Yeah, it's used in a lot of organizations, even enterprises. It takes a lot of work (IDS in general), and you have to have people looking at it constantly or it isn't worth it.

I highly recommend it, unless you're expecting to use it on Windows. Then the magic 8-ball points to: DON'T DO IT! Or something like that.


Hypothetically, if I were looking for Windows, is there an alternate program you'd recommend? ;)

(at this point I'm still gathering information, but my strengths lie in Windows platforms, with minimal non-Windows experience)
 

n0cmonkey

Originally posted by: isasir
Originally posted by: n0cmonkey
Yeah, it's used in a lot of organizations, even enterprises. It takes a lot of work (IDS in general), and you have to have people looking at it constantly or it isn't worth it.

I highly recommend it, unless you're expecting to use it on Windows. Then the magic 8-ball points to: DON'T DO IT! Or something like that.


Hypothetically, if I were looking for Windows, is there an alternate program you'd recommend? ;)

Not quite so free. ;) Issues with the Windows version of Snort pop up every so often on the snort-users mailing list. I've seen it recommended not to use that version. IDS (as well as firewalls) are not a place for Windows.

(at this point I'm still gathering information, but my strengths lie in Windows platforms, with minimal non-Windows experience)

This can only hurt you when monitoring an IDS. Unless of course the entire network is made up of Windows machines. Even then, I wake up at night in a cold sweat after nightmares of management mandating a switch to Windows IDSes everywhere...
 

Yeormom

Member
Mar 31, 2004
44
0
0
Snort is as good as it is going to get unless you're going to put some money out and get a TippingPoint or something of the like.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
You may also want to take a peek at Microsoft's ISA Server 2004. Besides being a first-class application-level firewall, it does have some IDS features. It can also easily control and monitor user Internet access, create VPN links, and has good reporting and monitoring features. A real reason to use it would be that much of the setup is Wizard-based. If you don't have full-time IT people, you may find it easier to work with than Linux solutions.

http://microsoft.com/isa
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If you don't have full-time IT people, you may find it easier to work with than Linux solutions.

Yes, but it also costs $2.5K just for the software.
 

RebateMonger

Originally posted by: Nothinman
If you don't have full-time IT people, you may find it easier to work with than Linux solutions.
Yes, but it also costs $2.5K just for the software.

Well, it's $1500. (Or, it's free with SBS 2003 Premium Edition @$1000 from Newegg.) Regardless, if it takes somebody a week to implement IDS, you've spent $2.5K. You can do it with ISA 2004 in a day. So, the cost depends on what your employee's time is worth, too. And, of course, everyone needs to consider ongoing support costs, which can make the initial software and installation costs look trivial. Anyone making software choices needs to look at the long-term costs and effectiveness and decide from there.
 

n0cmonkey

Originally posted by: RebateMonger
Originally posted by: Nothinman
If you don't have full-time IT people, you may find it easier to work with than Linux solutions.
Yes, but it also costs $2.5K just for the software.
Well, it's $1500. (Or, it's free with SBS 2003 Premium Edition @$1000 from Newegg.) Regardless, if it takes somebody a week to implement IDS, you've spent $2.5K. You can do it with ISA 2004 in a day. So, the cost depends on what your employee's time is worth, too. And, of course, everyone needs to consider ongoing support costs, which can make the initial software and installation costs look trivial. Anyone making software choices needs to look at the long-term costs and effectiveness and decide from there.

It still needs to be monitored regularly (24/7/365 for IDS) and updated when necessary (unless it doesn't use signatures, in which case I'm not sure how much I'd trust it as my only IDS).
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
While Linux-based systems are often better, management and security systems are worthless if no staff knows how to use them.

In the real world people slap management/security products out there trying to have best of breed.

Then they wind up not using them. It's why a lot of companies outsource this stuff.
 

Nothinman

Well, it's $1500.

Plus another grand for Windows 2003.

Regardless, if it takes somebody a week to implement IDS, you've spent $2.5K. You can do it with ISA 2004 in a day. So, the cost depends on what your employee's time is worth, too. And, of course, everyone needs to consider ongoing support costs, which can make the initial software and installation costs look trivial. Anyone making software choices needs to look at the long-term costs and effectiveness and decide from there.

But after that day of setting up ISA, how much do you really know about it? Sure, it's there and running, but who's going to make sure it's functioning properly and tune out the false positives? An IDS is worthless if you don't know how to run it or how to determine what's a valid threat. Spending an extra week or so learning how to set up and configure Snort would be much more worthwhile if you actually learn how the software works. MS software usually has a lower upfront cost: you pay MS your $2.5K, walk through your wizards, and in a day or so you're done. But the long-term maintenance usually sucks and ends up eating up a lot of time, and then in another year or so you have to fork over some more money for the next revision of the software.
 

n0cmonkey

Originally posted by: spidey07
While Linux-based systems are often better, management and security systems are worthless if no staff knows how to use them.

In the real world people slap management/security products out there trying to have best of breed.

Then they wind up not using them. It's why a lot of companies outsource this stuff.

That's true for any security product, especially IDS. If someone knowledgeable is not watching the logs, it's useless. I haven't played with an IDS that just anyone can monitor without understanding what they are monitoring and be useful.
 

RebateMonger

Originally posted by: n0cmonkey
I haven't played with an IDS that just anyone can monitor without understanding what they are monitoring and be useful.

Which is why an IDS system for a 30-person company may not be practical, even if it's freeware.