
SourceFire

Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Anyone here ever deployed any SourceFire gear?

Comments

  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Guess I should be more specific. Does anyone have any experience with SourceFire 3DS systems? I am doing a price survey of popular IDS/IPS systems and I hope it falls within our budget. I may try to talk to sales tomorrow.
  • higherho Member Posts: 882
    I did not deploy Sourcefire at my previous job, but I can get you information on it. We have a whole security team devoted to IDS/IPS systems, and Sourcefire is used across DISA. From what I know of it and have operated with, I can tell you it will do everything you want it to, though it can be pricey.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    We are probably going to go with lower-end gear and scale up on sensors. I am looking for a better solution than the IPS modules in our ASAs.
  • higherho Member Posts: 882
    Yeah, we have a Sourcefire IDS/sensor at the primary router for our external circuit connection. I know they want to implement some sensors that are very capable of handling LARGE data streams/bandwidth. But since you said your ASAs are handling it, you probably do not need those crazy models. If you could tell me your requirements I could get you some information within the next few days (most likely by Friday).


    I was curious whether you had thought of having a software-based IPS/IDS like HBSS from McAfee ePolicy Orchestrator? It also deploys Rogue Sensor agents.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Meh. I did think of that. I kind of want dedicated appliances. This is strictly NIPS. If I were looking for HIPS I would probably look for something like that. If I remember correctly, Sourcefire is in the top of the Gartner Magic Quadrant.
  • higherho Member Posts: 882
    Bl8ckr0uter wrote: »
    Meh. I did think of that. I kind of want dedicated appliances. This is strictly NIPS. If I were looking for HIPS I would probably look for something like that. If I remember correctly, Sourcefire is in the top of the Gartner Magic Quadrant.

    Oh, I agree. I would suggest HBSS only after you have a dedicated appliance. Security gets increased tenfold with HBSS (on servers/workstations), especially if you STIG it and follow security guidance.

    Sourcefire is the way to go and you will not be disappointed (one reason why it's big in the govt world). I will supply you with some information tomorrow via PM.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Thanks, I look forward to it.

    As far as HIPS, I have used McAfee in the past, but I am thinking about using Tripwire or an open-source solution for budget reasons.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    I've heard from a couple of shops that Tripwire is prone to a lot of falsing. This might have been more of a past issue, but other file integrity monitoring solutions to consider would be OSSEC, Solidcore, etc.

    In general, I have not heard stellar things about Cisco's IPS gear, although it's convenient if you've bought into ASAs that can receive the IPS modules (or if you want the stand-alone appliances and be part of the whole Cisco ecosystem).

    That said, in my view it seems like most IPS conversations come down to either Sourcefire or HP TippingPoint. I'd be very interested to hear from folks who have experience with both, especially with the latest generation of appliances.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I've been meaning to check out OSSEC. Never heard of Solidcore.

    We are deploying a few new ASAs and I am wanting to see if the Sourcefire sensors cost less than IPS modules. We are looking to improve our IDS throughput, and the other admin has had terrible luck with the modules on the ASAs. I don't think they are going to be down with using a FOSS solution for our IDS; otherwise I'd say let's buy a badass box and run Snort.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    My impression based on hearsay is that the Cisco IPS modules are not speed demons. If you have a lot of traffic running through the ASAs and you need to maintain a given service level, they're probably not a good choice. It's more ideal to use a platform which uses dedicated ASICs and FPGAs to really keep the latency to a minimum. Of course, that's where the high price factors in with IPS appliances from vendors who specialize in that space.

    In my opinion, if you're looking at a bump in the wire / inline solution, commercial support is kind of a big necessity. Unless I was budget-starved, I probably wouldn't implement Snort inline as a solution. For an IDS-only setup, however, I might be comfortable using Snort (or Suricata or Bro or whatever) as long as I had good horsepower, memory, and interfaces that can handle the traffic rate it sees.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    That's exactly what I am looking for. Arrggg.

    I just hope the Sourcefire gear isn't too pricey.
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    docrice wrote: »
    My impression based on hearsay is that the Cisco IPS modules are not speed demons. If you have a lot of traffic running through the ASAs and you need to maintain a given service level, they're probably not a good choice.
    This is absolutely true.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Bl8ckr0uter wrote: »
    That's exactly what I am looking for. Arrggg.

    I just hope the Sourcefire gear isn't too pricey.

    I will be on a WebEx demo with them tomorrow. I'm hoping the same thing. I might be able to give you insight here, since I have some recent quotes from Tipping Point for the new data center we are building.

    On the lower end, you can get a 1.5 Gbps IPS for ~$60K. On the higher end, with 10Gb SFP ports, high 1Gb port density and redundant devices, you'd be looking to pay around $300K.

    What is your budget and what is "too pricey" to you? What are your requirements?
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Zartanasaurus wrote: »
    On the lower end, you can get a 1.5 Gbps IPS for ~$60K. On the higher end, with 10Gb SFP ports, high 1Gb port density and redundant devices, you'd be looking to pay around $300K.

    What is your budget and what is "too pricey" to you? What are your requirements?

    Are those quotes from Sourcefire or Tipping Point? EDIT: Sorry, reread your post. Tipping Point is that expensive?

    I don't have a set budget, but I'd like to keep the price in line with the IPS modules for the ASAs (which are 3 grand apiece, for 6 ASAs).

    Layer 7 awareness is kind of a big deal with us. If someone SSHs over port 443 we want to know (and be told). Other than that, we have typical needs (fail open, redundancy, etc.). We also do a lot of work with cellphone traffic, so the ability to write custom rules will be important as well. As far as throughput, we technically need about 100 Mb, but my boss will probably want much, much more than that.
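The "SSH over port 443" requirement above is what application-layer (Layer 7) awareness buys you: the sensor classifies a connection by its content rather than its destination port. The following is an added example, not code from the thread or from any of the vendors discussed. It looks at the first client-to-server bytes of a connection, decides whether they look like a TLS ClientHello, an SSH identification string or plain HTTP, and raises an alert for anything on tcp/443 that is not TLS. The flows, addresses and banners are constructed sample data, not captured traffic.

```python
"""Content-based protocol identification for traffic to tcp/443.

Added example, not from the thread: decide from the first client bytes of a
TCP connection whether the payload is TLS, SSH or plain HTTP, and alert when
anything other than TLS is seen on port 443 (the "SSH over 443" case).
The flows below are constructed sample data, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# RFC 4253 identification string: "SSH-protoversion-softwareversion"
SSH_BANNER = re.compile(rb"^SSH-(?:1\.99|2\.0)-[\x21-\x2c\x2e-\x7e]+")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the connection


def identify(payload: bytes) -> str:
    """Classify the application protocol from content only; the port is ignored."""
    # TLS: record type 0x16 (Handshake), record version 3.x,
    # first handshake message type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03) and payload[5] == 0x01):
        return "tls"
    if SSH_BANNER.match(payload):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def alerts(flows: Iterable[Flow]) -> List[str]:
    """Return one alert line per flow to 443 whose content is not TLS."""
    out = []
    for f in flows:
        proto = identify(f.payload)
        if f.dport == 443 and proto != "tls":
            out.append(f"ALERT {f.src} -> {f.dst}:{f.dport} carries {proto}, expected tls")
    return out


# Constructed sample flows (hypothetical addresses, documentation ranges).
SAMPLE_FLOWS = [
    # Genuine TLS ClientHello (header plus a zero-filled body for the demo)
    Flow("10.0.0.5", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
    # SSH client banner sent to port 443: the case the post wants flagged
    Flow("10.0.0.7", "198.51.100.4", 443, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    # Cleartext HTTP on 443: also not TLS, also worth knowing about
    Flow("10.0.0.9", "198.51.100.8", 443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # SSH on its usual port: classified, but no alert
    Flow("10.0.0.7", "192.0.2.22", 22, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

Two caveats a practitioner would want: this only inspects the first bytes a client sends, so it needs the sensor to reassemble the stream to that point, and it cannot see SSH that is wrapped inside a real TLS session; a commercial IPS does the same kind of content matching with full stream reassembly and a much larger set of protocol signatures.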
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Those are Tipping Point quotes. My potentially bad assumption is that SourceFire would be in that same ballpark for competitive reasons. I've looked at a lot of FW/IPS gear from the major vendors the last few months. The Tipping Point presentation was really impressive. So was the Palo Alto FW demo.

    Definitely going to be more expensive than $18K. :)
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Overall impression I got after all these demos is that Cisco is way behind on the times when it comes to their security offerings.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Zartanasaurus wrote: »
    Those are Tipping Point quotes. My potentially bad assumption is that SourceFire would be in that same ballpark for competitive reasons.

    Cuss, that's a lot of money (to me anyway). I think I might just give them a call to get a ballpark (and see if it's worth the time). It is a very real possibility that he may want to see some Cisco 4200 series prices as well (which would be dope since I am tasked with going for the CCNP:S :) )

    Besides effectiveness and throughput, what other things should a good IDS/IPS be judged on? I mean I have never done this before, and I feel like I am not taking things into consideration. I have been reading Magic Quadrants for IDS/IPS gear and some NSS test reports, and honestly I have been going based off of those. What other considerations did you think about when going for an IDS/IPS for an enterprise (if you don't mind me asking)?

    I like Palo Altos, man. The CLI is very easy to learn and the capabilities are just super dope. I really like the reporting. I deployed one on our wireless network in the morning and by the afternoon I found two torrenters, a couple Dropboxes and a ton of Facebook traffic. Excellent kit.

    Zartanasaurus wrote: »
    Overall impression I got after all these demos is that Cisco is way behind on the times when it comes to their security offerings.

    That's my impression as well. Did you see that Palo Alto is one of the reasons Cisco's security sales fell last quarter?

    http://www.bradreese.com/blog/8-12-2011.htm
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    One of the bigger selling points of (HP) TippingPoint and Sourcefire is that they invest heavily in their vulnerability research teams. I don't know how other competitors in the space such as Cisco, Check Point, Juniper, Top Layer, etc. do in this regard.

    Taking the SANS 503 course will help gain some insight into what to look for in an IDS / IPS. Chop chop.

    Huge concerns for these kinds of prevention devices are 1) falsing, 2) tuning ability for profiles, configuration parameters, etc., 3) signature writing, 4) latency, 5) over-subscription of the interface and how the appliance behaves in those conditions, 6) reporting, and 7) the compliance checkbox. Granted, the last one most of us techies don't care about too much as that's more of a management requirement.

    There's a Palo Alto show-and-tell next week in their Santa Clara office that I'll be attending. It should be interesting.

    I'm also looking into various vendors at the moment for these kinds of devices and I have a feeling it'll come down to "the expensive brands."
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    docrice wrote: »
    One of the bigger selling points of (HP) TippingPoint and Sourcefire is that they invest heavily in their vulnerability research teams. I don't know how other competitors in the space such as Cisco, Check Point, Juniper, Top Layer, etc. do in this regard.

    I know the Sourcefire team is badass. I know very little about the TippingPoint team.
    docrice wrote: »
    Taking the SANS 503 course will help gain some insight into what to look for in an IDS / IPS. Chop chop.

    I want to so bad. But I am not a baller like you, lol. Truthfully I might try to bring this up to my boss at some point. Maybe if we get those Palo Altos or Sourcefire he'll send us to training.
    docrice wrote: »
    Huge concerns for these kinds of prevention devices are 1) falsing, 2) tuning ability for profiles, configuration parameters, etc., 3) signature writing, 4) latency, 5) over-subscription of the interface and how the appliance behaves in those conditions, 6) reporting, and 7) the compliance checkbox. Granted, the last one most of us techies don't care about too much as that's more of a management requirement.

    Thanks for the info. I honestly totally forgot about compliance. icon_redface.gif
    docrice wrote: »
    There's a Palo Alto show-and-tell next week in their Santa Clara office that I'll be attending. It should be interesting.

    I'm also looking into various vendors at the moment for these kinds of devices and I have a feeling it'll come down to "the expensive brands."

    Jealous. Ask them for a PA-500 to play with lol
  • Forsaken_GA Member Posts: 4,024
    Bl8ckr0uter wrote: »
    Sourcefire is in the top of the Gartner Magic Quadrant.

    Rule #1 when it comes to purchasing decisions - Gartner is a 4 letter word.

    Take anything Gartner says with a grain of salt, their Magic Quadrant is very far away from an objective look at the industry.
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Forsaken_GA wrote: »
    Rule #1 when it comes to purchasing decisions - Gartner is a 4 letter word.

    Take anything Gartner says with a grain of salt, their Magic Quadrant is very far away from an objective look at the industry.

    Who would you recommend, if anyone?
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Forsaken_GA wrote: »
    Rule #1 when it comes to purchasing decisions - Gartner is a 4 letter word.

    Take anything Gartner says with a grain of salt, their Magic Quadrant is very far away from an objective look at the industry.

    Seriously? I thought Gartner and NSS were pretty good.
  • Forsaken_GA Member Posts: 4,024
    Bl8ckr0uter wrote: »
    Seriously? I thought Gartner and NSS were pretty good.

    To answer both of you... your peers. They don't have any stake in whether or not you buy a given product, so their experiences are more likely to be relevant.

    Even Gartner admits that their magic quadrant is opinion based, not rooted in facts. You should probably ask yourself whether or not Gartner, which is not a non-profit organization, is willing to allow their opinions to be influenced by vendors, or if they truly are a neutral viewpoint.
  • it_consultant Member Posts: 1,903
    Bl8ckr0uter wrote: »
    Cuss, that's a lot of money (to me anyway). I think I might just give them a call to get a ballpark (and see if it's worth the time). It is a very real possibility that he may want to see some Cisco 4200 series prices as well (which would be dope since I am tasked with going for the CCNP:S :) )

    Besides effectiveness and throughput, what other things should a good IDS/IPS be judged on? I mean I have never done this before, and I feel like I am not taking things into consideration. I have been reading Magic Quadrants for IDS/IPS gear and some NSS test reports, and honestly I have been going based off of those. What other considerations did you think about when going for an IDS/IPS for an enterprise (if you don't mind me asking)?

    I like Palo Altos, man. The CLI is very easy to learn and the capabilities are just super dope. I really like the reporting. I deployed one on our wireless network in the morning and by the afternoon I found two torrenters, a couple Dropboxes and a ton of Facebook traffic. Excellent kit.

    That's my impression as well. Did you see that Palo Alto is one of the reasons Cisco's security sales fell last quarter?

    Palo Alto Networks is the culprit behind Cisco's -8.4% FY11 security sales decline - Brad Reese

    I love Palo Altos; their reporting is the best thing about them. Interestingly though, I deployed a WatchGuard 510 with their "application control", which directly competes with the Palo Alto.

    - torrents stopped
    - itunes stopped
    - facebook games (but not facebook) stopped
    - Rapidshare (and assorted other download sites) stopped

    Internet got wicked fast quickly. The reporting isn't as pretty though. It's also some $25,000 cheaper than the entry-level Palo Alto.
  • NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    Sorry I'm late to the game....

    I just did a Sourcefire deployment last week, actually. Personally I think that Sourcefire has the best product going in the IDS/IPS market at the moment; that being said, you get what you pay for and it can get quite expensive depending on your needs. Tipping Point is pretty good, but their price point is almost the same as Sourcefire, and in that case I would recommend Sourcefire.

    Palo Alto has an amazing firewall and I haven't heard a single complaint from anyone using them. I can tell you though that their product will start to fall down when too many things get turned on. Their IPS is *decent* but still needs some work. Someone else mentioned research and vulnerability development... Sourcefire and Tipping Point most def have the advantage here.

    If anyone is still looking for Sourcefire (or Tipping Point) pricing / deployment suggestions, let me know and I can help you out with that.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I am still looking. PM?
  • NightShade03 Member Posts: 1,383 ■■■■■■■□□□
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Gonna send you a network diagram when I get a moment. :)
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    I am most interested in your comparisons of Sourcefire and TippingPoint. My primary IDS experience is Snort, but have worked in shops that used TippingPoint. Now that I'm in a position to directly evaluate these two vendors (and perhaps others), I'd very much appreciate your opinions about how these guys compare and what drove you to one over the other.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    higherho wrote: »
    I was curious whether you had thought of having a software-based IPS/IDS like HBSS from McAfee ePolicy Orchestrator? It also deploys Rogue Sensor agents.

    I've had a thread on the McAfee forums searching for a review of MHIPS, no action. Apparently no one wants to review it on their forums. Just a bunch of threads about uninstalling HIPS, HIPS not working...

    Anyway, I would like to see one.