SmartDefense, Interspect, ISS RealSecure, and Snort all have very
different points of view.
SmartDefense is designed as a lightweight intrusion-prevention engine
that can run in the firewall's spare-cycles. This is a good choice if
you already have a CheckPoint firewall in the network location you
want to protect. The other major players here would be Cisco and
Netscreen/Juniper.
Interspect is sort of like SmartDefense without the firewall part -
intended to be used at major internal network boundaries. This is a
good choice if you're a CheckPoint shop and want to extend your
existing SmartDefense program to the internal network. The other major
player here would be Netscreen/Juniper.
The ISS stuff is designed for more general intrusion-prevention (i.e.,
you can install it anywhere, not just at network boundaries). This is
a good choice if you want intrusion-prevention that covers key
networks rather than key network boundaries. Some other players here
would be Tipping Point and Top Layer.
Snort is for intrusion-detection, not intrusion-prevention. Though you
can turn it into an at-the-network-boundary intrusion-prevention
system with snort-inline or hogwash. This is a good choice if you want
to spend less money and are willing to give up ease-of-setup and have
the necessary skills and time to roll your own solution. Although,
there is a commercial version available from Sourcefire that is sort
of in between rolling your own and the full-on network-toaster
approach of ISS and Checkpoint's Interspect.
As for your direct questions:
o I'm guessing that ISS and Snort cover more attacks than the CP
products as a) SmartDefense is not designed for wide coverage, but
rather for oportunistic coverage for free, and b) InterSpect just
hasn't been around as long as the ISS stuff or Snort, though CP seems
to be putting resources into it so I expect it won't lag by much or
for long.
o Don't know about speed, your best bet is to get a box in house and
see if it handles your traffic loads.
o Accuracy is probably related more to how you do tuning and the
tradeoffs you're willing to make than it's related to the (relatively)
minor differences in these different solutions. That said, the
CheckPoints are probably going to have the lowest false-positives out
of the box since they're coming from the firewall world where people
get dinged for breaking things, rather than Snort and ISS which both
have an Intrusion Detection heritage where false positives aren't
considered as damaging as in the firewall world.
o These solutions are all pretty reliable as all of them are
essentiall going to be Linux or *BSD running on an OEM'ed Dell box
(even if you roll your own you're likely to come up with something
pretty much along these lines).
Post by jeffHey everyone,
I am doing some research on IDS for my company. I don't see too much info
about Smartdefense and Interspect on the net. Can someone post their
experience or test result.
*Do ISS and Snort cover a much wider range of attacks that CP products?
*Speed - Which of these product works well in high-traffic environment?
*Accuracy? - which one is more accurate?
* how reliable are these solution?
Thank you in advance, please feel free to put in other comments
JEFF-R