Discussion:
Checkpoint SmartDefense & interspect vs ISS Realsecure vs Snort
jeff
2004-08-06 21:27:00 UTC
Hey everyone,

I am doing some research on IDS for my company. I don't see too much info
about SmartDefense and InterSpect on the net. Can someone post their
experience or test results?

Here's some questions i have:
*Do ISS and Snort cover a much wider range of attacks than CP products?

*Speed - Which of these products works well in a high-traffic environment?

*Accuracy? - which one is more accurate?

* How reliable are these solutions?

Thank you in advance, please feel free to put in other comments

JEFF-R
Rob Hughes
2004-08-12 20:47:28 UTC
Post by jeff
Hey everyone,
I am doing some research on IDS for my company. I don't see too much info
about SmartDefense and InterSpect on the net. Can someone post their
experience or test results?
*Do ISS and Snort cover a much wider range of attacks than CP products?
Yes, but in different ways. For example, Snort doesn't pick up on certain
invalid/out of state TCP packets the way SD does. I use both in combination
to get a more complete picture of network traffic. Also, if you're looking
at SD, you should look at Interspect as well. It's a hybrid IDS/IPS based
on SD, but with some extra goodies.
Post by jeff
*Speed - Which of these product works well in high-traffic environment?
I've pumped several hundred Mbit/sec through a lowish-end SPLAT based
firewall (P3 800/512 MB RAM) with all SD features turned on.
Post by jeff
*Accuracy? - which one is more accurate?
See my first answer. They're different products with different focuses. It's
like asking which is more purple, an orange or a peach?
Post by jeff
* how reliable are these solution?
I find Snort and SD both to be very reliable. I haven't messed with ISS, so
color my answers appropriately.
--
Recursion: n. See Recursion.
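Rob's point that Snort and SmartDefense catch different things (a payload signature engine sees content; a stateful engine sees invalid flag combinations and segments that arrive with no handshake behind them) can be shown with a small toy. The block below is an added example written for this page, not code from Snort, Check Point or any poster: a stateless content matcher next to a minimal TCP handshake tracker, both run over the same hand-constructed packets. The signature strings, state names and sample traffic are simplified assumptions for illustration only.

```python
# Added example for this thread (not code from Snort, Check Point or any
# poster): a stateless payload-signature scanner next to a minimal stateful
# TCP tracker, run over the same hand-constructed packets, to show that the
# two engines flag different packets. Signatures, state names and sample
# traffic are all simplified assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


# Stateless engine: plain content matching, like a Snort "content:" option.
# The patterns are stand-ins for illustration, not entries from any rule set.
SIGNATURES: Dict[str, bytes] = {
    "nop-sled": b"\x90" * 8,
    "cmd.exe-in-uri": b"cmd.exe",
}


def signature_scan(pkt: Packet) -> List[str]:
    """Return the names of every signature whose bytes appear in the payload."""
    return [name for name, needle in SIGNATURES.items() if needle in pkt.payload]


class TcpStateTracker:
    """Tracks the three-way handshake per flow and reports segments that carry
    an impossible flag combination or arrive out of state. A content scanner
    never sees these, because there is nothing in the payload to match."""

    def __init__(self) -> None:
        self.conns: Dict[Tuple, str] = {}  # flow key -> SYN_SENT / SYN_RECV / ESTABLISHED

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)  # same key for both directions

    def inspect(self, pkt: Packet) -> List[str]:
        f = pkt.flags
        # Null scan, SYN/FIN and SYN/RST never occur in a legitimate stack.
        if f == 0 or (f & (SYN | FIN)) == (SYN | FIN) or (f & (SYN | RST)) == (SYN | RST):
            return ["invalid TCP flag combination"]

        key = self._key(pkt)
        state = self.conns.get(key)
        findings: List[str] = []

        if f & SYN and not f & ACK:                      # client SYN
            if state is None:
                self.conns[key] = "SYN_SENT"
            else:
                findings.append("repeated SYN on tracked flow")
        elif f & SYN and f & ACK:                        # server SYN/ACK
            if state == "SYN_SENT":
                self.conns[key] = "SYN_RECV"
            else:
                findings.append("SYN/ACK without prior SYN")
        elif f & RST:
            if state is None:
                findings.append("RST for unknown flow")
            self.conns.pop(key, None)
        else:                                            # ACK-bearing data / FIN segment
            if state == "SYN_RECV":
                self.conns[key] = "ESTABLISHED"
            elif state is None:
                findings.append("segment on untracked flow (out of state)")
            if pkt.payload and self.conns.get(key) != "ESTABLISHED":
                findings.append("data before handshake completed")
            if f & FIN:
                self.conns.pop(key, None)
        return findings


def compare(packets: List[Packet]) -> Dict[str, List[int]]:
    """Run both engines over the packets; bucket packet indices by who flagged them."""
    tracker = TcpStateTracker()
    out: Dict[str, List[int]] = {"stateless_only": [], "stateful_only": [], "both": []}
    for i, pkt in enumerate(packets):
        sig, st = signature_scan(pkt), tracker.inspect(pkt)
        if sig and st:
            out["both"].append(i)
        elif sig:
            out["stateless_only"].append(i)
        elif st:
            out["stateful_only"].append(i)
    return out


CLIENT, SERVER, SCANNER = "10.0.0.5", "192.0.2.10", "198.51.100.7"
SAMPLE = [  # constructed packets, not a real capture
    Packet(CLIENT, 40000, SERVER, 80, SYN),                                   # 0 handshake
    Packet(SERVER, 80, CLIENT, 40000, SYN | ACK),                             # 1
    Packet(CLIENT, 40000, SERVER, 80, ACK),                                   # 2 established
    Packet(CLIENT, 40000, SERVER, 80, ACK | PSH, b"GET /index.html HTTP/1.0\r\n\r\n"),     # 3 benign
    Packet(CLIENT, 40000, SERVER, 80, ACK | PSH, b"GET /" + b"\x90" * 16 + b" HTTP/1.0\r\n\r\n"),  # 4 sled, valid flow
    Packet(SCANNER, 4444, SERVER, 80, ACK | PSH, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),  # 5 no handshake
    Packet(SCANNER, 4445, SERVER, 80, 0),                                     # 6 null scan
    Packet(SCANNER, 4446, SERVER, 80, SYN | FIN),                             # 7 SYN/FIN
]

if __name__ == "__main__":
    for bucket, idxs in compare(SAMPLE).items():
        print(f"{bucket:15s} {idxs}")
```

Packet 4 is caught only by the content match (a NOP sled inside a fully tracked connection), packets 6 and 7 only by the state tracker (no payload to match), and packet 5 by both, which is the "use both in combination" picture Rob describes.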
Chris Calabrese
2004-08-13 04:10:05 UTC
SmartDefense, Interspect, ISS RealSecure, and Snort all have very
different points of view.

SmartDefense is designed as a lightweight intrusion-prevention engine
that can run in the firewall's spare-cycles. This is a good choice if
you already have a CheckPoint firewall in the network location you
want to protect. The other major players here would be Cisco and
Netscreen/Juniper.

Interspect is sort of like SmartDefense without the firewall part -
intended to be used at major internal network boundaries. This is a
good choice if you're a CheckPoint shop and want to extend your
existing SmartDefense program to the internal network. The other major
player here would be Netscreen/Juniper.

The ISS stuff is designed for more general intrusion-prevention (i.e.,
you can install it anywhere, not just at network boundaries). This is
a good choice if you want intrusion-prevention that covers key
networks rather than key network boundaries. Some other players here
would be Tipping Point and Top Layer.

Snort is for intrusion-detection, not intrusion-prevention. Though you
can turn it into an at-the-network-boundary intrusion-prevention
system with snort-inline or hogwash. This is a good choice if you want
to spend less money and are willing to give up ease-of-setup and have
the necessary skills and time to roll your own solution. Although,
there is a commercial version available from Sourcefire that is sort
of in between rolling your own and the full-on network-toaster
approach of ISS and Checkpoint's Interspect.

As for your direct questions:
o I'm guessing that ISS and Snort cover more attacks than the CP
products as a) SmartDefense is not designed for wide coverage, but
rather for opportunistic coverage for free, and b) InterSpect just
hasn't been around as long as the ISS stuff or Snort, though CP seems
to be putting resources into it so I expect it won't lag by much or
for long.
o Don't know about speed, your best bet is to get a box in house and
see if it handles your traffic loads.
o Accuracy is probably related more to how you do tuning and the
tradeoffs you're willing to make than it's related to the (relatively)
minor differences in these different solutions. That said, the
CheckPoints are probably going to have the lowest false-positives out
of the box since they're coming from the firewall world where people
get dinged for breaking things, rather than Snort and ISS which both
have an Intrusion Detection heritage where false positives aren't
considered as damaging as in the firewall world.
o These solutions are all pretty reliable as all of them are
essentially going to be Linux or *BSD running on an OEM'ed Dell box
(even if you roll your own you're likely to come up with something
pretty much along these lines).
unknown
2005-10-07 22:05:59 UTC
Have you looked into Secure Computing's Sidewinder G2 Firewall?
Imhotep
2005-10-07 23:34:16 UTC
Post by unknown
Have you looked into Secure Computing's Sidewinder G2 Firewall?
I read today that Checkpoint bought the company that writes Snort....

Im
