[Snort-users] Snort Vs Cisco
Erik.Engberg at ...511...
Fri Oct 6 14:01:05 EDT 2000
I must admit I haven't even looked at a CiscoSecure in about 6 months or so,
but I have worked with them and I'm certified (when it was still NetRanger).
There may have been developments in CiscoSecure that I'm not aware of.
Some good points:
1) Cisco costs about 3 times more than any other IDS if you count in the
Solaris and OpenView licenses and the Sparc machines you need. Costs are
huuuuuge. Snort is free.
2) Cisco uses HP OpenView (if they haven't moved the IDS into their ACS yet)
and it plain sucked for managing alarms. We fired up some automatic
exploit/scanner scripts to generate a few thousand alarms and it
"overflowed" the console with icons (one icon per alarm).
3) Cisco has (had?) no reporting capabilities whatsoever besides the OpenView
interface. There was a database, but you have to do all the mining yourself.
4) Cisco is supposed to be fast because it's an "appliance box". That's a
bunch of BS because it's just a fast PC with a "modified" Solaris OS, but how
much can they "modify" when they don't have the source? I don't think Sun
gave out any source code to Cisco.
I'd bet on Snort on an OpenBSD box any day.
5) If you have 100Mbit or even Gigabit speeds, both Snort and Cisco (as well
as any IDS) should be able to be load-balanced with a layer-7 switch (Top
Layer or Alteon, for instance). But imagine the cost of having 8-12
CiscoSecure sensors compared to as many Snort sensors.
6) In Snort you have full control over signatures; maybe you don't have
regexp or some of the "really cool advanced analysis", but you have speed
and you can always get/write your own preprocessor. With a Cisco you are
stuck with the sigs that come with it (some 200 awful ones this spring) and
you can do some regexp matching, although put in quite a few of those and it
7) Support. Try and get helpful answers from knowledgeable people on Cisco.
It costs you money and I bet you don't get as fast responses or as much help
as with Snort.
8) Oops, something broke! A bug, a problem, anything. It'll take Cisco (or
any other commercial dinosaur) days if not weeks to fix. Open source
communities in general and snorters in particular seem VERY fast and able at
fixing problems well and fast.
9) Cisco does have a plugin card for Catalyst switches (6000 series, I think)
that does IDS. It costs *a lot* though. I haven't tried this, but I hope
it's not the same stripped-down version that runs on IOS.
10) There is a "limited" version of CiscoSecure that runs on IOS (i.e. inside
Cisco routers), but last time I checked it only had some 70 sigs and you are
bound to get performance trouble with an IDS running on your router.
11) Shunning. CiscoSecure can "telnet" to the router and change ACLs. I
don't think it would be too much trouble writing a script that lets Snort do
that as well.
12) Communication. CiscoSecure sensors communicate via unencrypted UDP only
(!). I hope they have changed this, or will in the not so distant future!
The authentication mechanism is laughable. You therefore must have separate
13) Cisco scales pretty well: you can have several sensors and chain them
together in various configurations as well as having distribution in several
layers. But really it's nothing more than simple data management and you
could build that up with Snort using ODBC, SSH, syslog or whatever you want.
You could get encryption as well ;)
14) If you want easy intrusion detection without all the hassle of doing it
yourself, consider inviting a managed security service that does it for you
instead. It does not matter much if you go with Cisco or Snort; you'll have
to spend huge amounts of time running and analyzing the results anyway.
15) Changing IDS. Try to convince someone to throw away a $100,000
investment in software and hardware because you find out there is better
stuff to be had (perhaps even free). If you choose Snort, you lose nothing
more than the time spent, which may be written off as excellent education.
And you can use the same hardware for some other IDS that you want to buy or
If people at work make too much trouble for you, I'd recommend looking
somewhere else for work where you are more appreciated ;) Or get them fired!
If they can't do a good job, you don't need them anyway >-)
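As an added example (not from this thread, and not Snort's or Cisco's own code), here is the core of the "shunning" script point 11 describes: it reads Snort's fast-format alert lines, keeps only severe alerts, collapses the kind of alarm flood point 2 mentions into one entry per address, refuses to shun our own networks (the ACL is only as trustworthy as the source address in the alert), and emits IOS ACL entries. The alert lines, the network ranges and the ACL number are constructed assumptions.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not captured traffic), in the layout
# Snort writes with -A fast:
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port
SAMPLE_ALERTS = """\
10/06-14:01:05.123456  [**] [1:1000001:1] CONSTRUCTED admin attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.7:4444 -> 198.51.100.5:80
10/06-14:01:06.000001  [**] [1:1000002:1] CONSTRUCTED noisy scan [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.8:5555 -> 198.51.100.5:22
10/06-14:01:07.000002  [**] [1:1000003:1] CONSTRUCTED icmp probe [**] [Classification: Attempted Admin] [Priority: 1] {ICMP} 192.168.1.5 -> 198.51.100.5
10/06-14:01:08.000003  [**] [1:1000001:1] CONSTRUCTED admin attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.7:4445 -> 198.51.100.6:80
this line is not an alert and is skipped
"""

ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Addresses that must never be shunned, whatever the alert says: our own
# networks (assumed ranges) and anything the router depends on. Blocking
# these on the strength of a packet's source address would let bad input
# cut the router off from its own users.
NEVER_SHUN = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "192.168.0.0/16", "198.51.100.0/24")]

def shun_candidates(alert_text, max_priority=1):
    """Source IPs (as strings) worth shunning. Snort priority 1 is the most
    severe, so only alerts with priority <= max_priority qualify; duplicates
    collapse to one entry and NEVER_SHUN addresses are skipped."""
    found = set()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["prio"]) > max_priority:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in NEVER_SHUN):
            continue
        found.add(str(src))
    return found

def acl_lines(ips, acl_number=101):
    """IOS extended-ACL deny entries, one per address, in stable order so the
    same alerts always produce the same config fragment."""
    ordered = sorted(ips, key=ipaddress.ip_address)
    return [f"access-list {acl_number} deny ip host {ip} any" for ip in ordered]

if __name__ == "__main__":
    for entry in acl_lines(shun_candidates(SAMPLE_ALERTS)):
        print(entry)
```

The generated entries still need the usual trailing permit on the router, and in practice shuns should expire rather than accumulate forever.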
From: F.M. Taylor [mailto:root at ...28...]
Sent: 6 October 2000 17:49
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Vs Cisco
I am in need of some ammunition.
My network admin was born and raised by Cisco (or so it seems). I want to
install a box with Snort at our border, he wants to install a Cisco black
box solution. I need enough information to be able to shoot him down in
flames. I am tired of being nice about it. I know a little about Snort,
since I am running it (with the ACID front end), and have been for a
couple of months. I know nothing about any of the Cisco products (except
they are spendy).
This is the same guy who said we would never need a DNS server, and that
TCP/IP and Ethernet were just a fad and that IPX and Token Ring were the
direction we should go. (Lucky for us he was wrong on all points.)
Every time I say the words Network Security, he hears "denial of service",
"loss of control", "loss of POWER over others".
I am really starting to get tired of these people who have done nothing
else but work at this university, the same place they went to school.
They have never worked in corporate America, and basically have no clue
how a real business should be run. It makes me want to scream sometimes.
ahhhh, that feels better...
If you have any information/statistics that could help me in my upcoming
battle please send it over. Maybe I will turn it into a PowerPoint
presentation, they seem to like that here.
Coordinator of Systems Administration and Network Security
Indiana State University, Rankin Hall Rm 039
210 N 7th St, Terre Haute, IN 47809
Voice: 812-237-8843
"You have zero privacy anyway. Get over it."
--Scott McNealy, Sun MicroSystems.