[Snort-users] Snort Vs Cisco

Nick Rogness nick at ...176...
Tue Oct 10 09:50:29 EDT 2000


On Fri, 6 Oct 2000, Erik Engberg wrote:

> I must admit I haven't even looked at a CiscoSecure in about 6 months or so,
> but I have worked with them and I'm certified (when it was still NetRanger).
> There may have been developments in CiscoSecure that I'm not aware of.


	Which part of CiscoSecure does IDS?  It's not ACS or GRS.

	Erik's points below are the best answers I've seen yet on why
	companies should use snort instead of a Commercial IDS like Cisco.
	I find most of them believable just from working with Cisco on
	other issues.

	Does snort have a comparison like this to other IDSes?  Link
	anyone?  If not, might be an interesting experiment to run...

> 
> Some good points:
> 
> 1) Cisco costs about 3 times more than any other IDS if you count in the
> Solaris and OpenView licenses and the SPARC machines you need. Costs are
> huuuuuge. Snort is free.
> 
> 2) Cisco uses HP OpenView (if they haven't moved the IDS into their ACS yet)
> and it plain sucked to manage alarms. We fired up some automatic
> exploit/scanner scripts to generate a few thousand alarms and it
> "overflowed" the console with icons (one icon per alarm).
> 
> 3) Cisco has (had?) no reporting capabilities whatsoever besides the OpenView
> interface. There was a database, but you have to do all the mining yourself.
> 
> 4) Cisco is supposed to be fast because it's an "appliance box". That's a
> bunch of BS because it's just a fast PC with a "modified" Solaris OS, but how
> much can they "modify" when they don't have the source, and I don't think Sun
> gave out any source code to Cisco.
> I'd bet on Snort on an OpenBSD box any day.
> 
> 5) If you've got 100 Mbit or even Gigabit speeds, both Snort and Cisco (as well
> as any IDS) should be able to be load-balanced with a layer-7 switch (Top
> Layer or Alteon for instance). But imagine the cost of having 8-12
> CiscoSecure sensors, compared to as many Snort sensors.
> 
> 6) In snort, you have full control over signatures, maybe you don't have
> regexp or some of the "really cool advanced analysis". But you have speed
> and you can always get/write your own preprocessor. With a Cisco you are
> stuck with the sigs that come with it (some 200 awful ones this spring) and
> you can do some regexp matching, although put in quite a few of those and it
> gets sloooow.
> 
> 7) Support. Try and get helpful answers from knowledgeable people on Cisco.
> It costs you money and I bet you don't get as fast responses or as much help
> as with snort.
> 
> 8) Ooops, something broke! A bug, a problem, anything. It'll take Cisco (or
> any other commercial dinosaur) days if not weeks to fix. Open source
> communities in general and snorters in particular seem VERY fast and able at
> fixing problems well and fast.
> 
> 9) Cisco does have a plugin card for Catalyst switches (6000 series I think)
> that does IDS. It costs *a lot* though. I haven't tried this, but I hope
> it's not the same stripped down version as runs on IOS.
> 
> 10) There is a "limited" version of CiscoSecure that runs on IOS (i.e. inside
> Cisco routers) but last time I checked it only had some 70 sigs and you are
> bound to get performance trouble with an IDS running on your router.
> 
> 11) Shunning. CiscoSecure can "telnet" to the router and change ACLs. I
> don't think it would be too much trouble writing a script that lets snort do
> that as well.
> 
> 12) Communication. CiscoSecure sensors communicate via unencrypted UDP only
> (!). I hope they have changed this, or will in the not so distant future!
> The authentication mechanism is laughable. You therefore must have separate
> secure networks.
> 
> 13) Cisco scales pretty well, you can have several sensors and chain them
> together in various configurations as well as having distribution in several
> layers. But really it's nothing more than simple data management and you
> could build that up with snort using ODBC, SSH, syslog or whatever you want.
> You could get encryption as well ;)
> 
> 14) If you want easy Intrusion Detection without all the hassle of doing it
> yourself, consider inviting a managed security service that does it for you
> instead. It does not matter much if you go with Cisco or Snort, you'll have
> to spend huge amounts of time running and analyzing the results anyway.
> 
> 15) Changing IDS. Try to convince someone to throw away a $100,000
> investment in software and hardware because you find out there is better
> stuff to be had (perhaps even free). If you choose Snort, you lose nothing
> more than the time spent, which may be written off as excellent education.
> And you can use the same hardware for some other IDS that you want to buy or
> use.
> 
> If people at work make too much trouble for you, I'd recommend looking
> somewhere else for work where you are more appreciated ;) Or get them fired!
> If they can't do a good job, you don't need them anyway >-)
> 
> Good luck!
> 
> /Erik
> 
> -----Original Message-----
> From: F.M. Taylor [mailto:root at ...28...]
> Sent: 6 October 2000 17:49
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort Vs Cisco
> 
> 
> I am in need of some ammunition.  
> My network admin was born and raised by Cisco (or so it seems).  I want to
> install a box with snort at our border, he wants to install a cisco black
> box solution.  I need enough information to be able to shoot him down in
> flames.  I am tired of being nice about it.  I know a little about snort,
> since I am running it (with the ACID front end), and have been for a
> couple of months.  I know nothing about any of the cisco products (except
> they are spendy).  
> 
> <rant>
> This is the same guy who said we would never need a DNS server, and that
> TCP/IP and Ethernet were just a fad and that IPX and Token Ring were the
> direction we should go. (lucky for us he was wrong on all points).
> Every time I say the words Network Security, he hears "denial of service",
> "loss of control", "loss of POWER over others".
> 
> I am really starting to get tired of these people who have done nothing
> else but work at this university, the same place they went to school.
> They have never worked in corporate america, and basically have no clue
> how a real business should be run.  It makes me want to scream sometimes.
> </rant>
> ahhhh, that feels better...
> 
> If you have any information/statistics that could help me in my upcoming
> battle please send it over.  Maybe I will turn it into a powerpoint
> presentation, they seem to like that here.
> 
>  ---
> Mike Taylor
> Coordinator of Systems Administration and Network Security
> Indiana State University.               Rankin Hall Rm 039
> 210 N 7th St.                           Terre Haute, IN.
> Voice: 812-237-8843                                  47809
> ---
> "You have zero privacy anyway.  Get over it."
>            --Scott McNealy, Sun MicroSystems. 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 

Nick Rogness
- Drive defensively.  Buy a tank.
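Point 11 in Erik's list suggests scripting Snort to change router ACLs the way CiscoSecure does. The following is an added example, not code from the Snort project or from anyone in this thread. It parses Snort 2-style `-A fast` alert lines, counts alerts per source address, and renders a Cisco IOS numbered ACL that denies the offenders. The alert format, the sample alert lines, ACL number 101 and the never-shun networks are all assumptions or constructed for the example. The safety checks are the point a practitioner would want: a never-shun list and a minimum hit count, because automated shunning on single, spoofable alerts lets an attacker use your own IDS to cut you off from your DNS server or upstream router (the same weak-authentication problem point 12 complains about, turned against you).

```python
"""Turn Snort fast-alert lines into router shun (ACL deny) entries.

Added example for the "shunning" point in the thread; not Snort project
code. Assumes Snort 2-style "-A fast" alert lines and Cisco IOS numbered
extended ACL syntax. The sample alerts below are constructed, not captured.
"""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

# Assumed "-A fast" layout:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"""^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
        (?P<msg>.*?)\s+\[\*\*\]
        (?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?
        \s+\[Priority:\s*(?P<prio>\d+)\]
        \s+\{(?P<proto>\w+)\}\s+
        (?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+
        (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$""",
    re.VERBOSE,
)

# Constructed sample input: 192.0.2.0/24 plays the role of "our" network.
SAMPLE_ALERTS = """\
10/10-09:50:29.101010  [**] [1:1000001:1] SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:3421 -> 192.0.2.10:80
10/10-09:50:29.202020  [**] [1:1000002:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3422 -> 192.0.2.10:80
10/10-09:50:30.303030  [**] [1:1000003:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3423 -> 192.0.2.10:80
10/10-09:50:31.404040  [**] [1:1000004:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
10/10-09:50:32.505050  [**] [1:1000002:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.53:53 -> 192.0.2.10:80
10/10-09:50:32.606060  [**] [1:1000002:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.53:53 -> 192.0.2.10:80
10/10-09:50:32.707070  [**] [1:1000002:1] WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.53:53 -> 192.0.2.10:80
10/10-09:50:33.808080  [**] [1:1000005:1] POLICY ftp anonymous login [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.99:2001 -> 192.0.2.21:21
10/10-09:50:34.909090  [**] [1:1000005:1] POLICY ftp anonymous login [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.99:2002 -> 192.0.2.21:21
10/10-09:50:35.010101  [**] [1:1000005:1] POLICY ftp anonymous login [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.99:2003 -> 192.0.2.21:21
this line is not an alert and must be skipped
"""

# Assumed local policy: never block our own network (DNS, routers, sensors)
# or loopback, no matter what the sensor reports. The 192.0.2.53 alerts above
# claim to come from our own DNS server; spoofed or not, blocking it is self-DoS.
NEVER_SHUN = ["192.0.2.0/24", "127.0.0.0/8"]


def parse_fast_alert(line: str) -> Optional[dict]:
    """Parse one fast-alert line into a dict, or None if it is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])  # Snort: 1 = high, 2 = medium, 3 = low
    return alert


def select_shuns(alerts, never_shun, max_priority: int = 2, min_hits: int = 3) -> List[str]:
    """Return sorted source addresses that earned a shun.

    Alerts less severe than max_priority are ignored; sources inside never_shun
    are ignored; a source must appear min_hits times so that one spoofed packet
    cannot trigger a block.
    """
    protected = [ipaddress.ip_network(n) for n in never_shun]
    hits = Counter()
    for a in alerts:
        if a is None or a["prio"] > max_priority:
            continue
        src = ipaddress.ip_address(a["src"])
        if any(src in net for net in protected):
            continue
        hits[str(src)] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def ios_shun_acl(shun_ips: List[str], acl_number: int = 101) -> List[str]:
    """Render IOS config lines rebuilding a numbered extended ACL (assumed: 101)
    that denies each shunned host and then permits everything else."""
    lines = [f"no access-list {acl_number}"]
    lines += [f"access-list {acl_number} deny ip host {ip} any" for ip in shun_ips]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def shun_from_log(text: str, never_shun=NEVER_SHUN, acl_number: int = 101):
    """Full pipeline: alert text in, (shunned IPs, IOS ACL lines) out."""
    alerts = [parse_fast_alert(line) for line in text.splitlines()]
    shuns = select_shuns(alerts, never_shun)
    return shuns, ios_shun_acl(shuns, acl_number)


if __name__ == "__main__":
    ips, acl = shun_from_log(SAMPLE_ALERTS)
    print("shunning:", ips)
    print("\n".join(acl))
```

Pushing the lines to the router (a scripted telnet or SSH session, as the post suggests) is deliberately left out so the generated ACL can be reviewed first. One more caveat on the rendered output: `no access-list 101` removes the whole numbered ACL before it is rebuilt, and a classic IOS interface that references a non-existent ACL permits everything in the meantime; a named ACL edited in place, or staging the new list under a different number and swapping the `ip access-group`, avoids that window.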