pkwillis (United States of America) asked:

Need Intrusion Detection/Protection appliance and monitoring, need suggestions!

We have a PIX firewall that does stateful inspection. We also run Kaspersky on all machines which has built in IPS.

A new client is requesting information on our front door IPS. We have none.

I am looking for a good, cost effective provider. We need a hardware appliance in front of our network. We also need 24/7 NOC monitoring of the IPS/IDS. I have seen prices as low as $6000. Since I have never purchased this, I would like any feedback, comments or recommendations from EE users.

Any relevant answer that helps me will get points. If you provide me a 100% solution in one answer, you get all 500 points!
TG_Tech:

Not sure what budget you are working with, but the 4200 series of appliances from Cisco will do the trick and you can drop this right behind your PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html

pkwillis (asker):
My budget is unknown. We have to have this, but we are only 250 users with a small network. I priced all inclusive units at around $6000. But I need a monitoring service to go with it most likely.

I can't spend 100K, nor should I have to with open source IPS now widely available. I am hoping for an answer something like this....

"We use CompanyX. They use Snort open source and developed their own GUI around the code and reporting tool. I can log in and easily see all traffic. They also remotely monitor our appliance, so if an attack occurs at midnight, they mitigate based on our agreement and someone calls me right away. Our service costs us $600 a month, but has been worth its weight in gold."
You don't give any indication of the size of your network.

Why are you using the PIX?

If you need IDS/IDP then I would suggest you dump the PIX completely and replace it with a modern firewall with all the capabilities you require. I suggest you consider a Sonicwall Pro or NSA series, if your target budget is any clue as to the size of your network.

As well as regular "stateful inspection" firewall functions (including redundant hardware modes if you require it!) these provide IDP, and a range of other "deep packet inspection" tools.

Size charts here, in descending order of power/price, will help you see which box(es) match your demand level.
http://www.sonicwall.com/uk/8992.html (NSA)
http://www.sonicwall.com/uk/4986.html (E-class NSA)
http://www.sonicwall.com/uk/PRO_Series.html (pro)

NOTE that you can probably get a trade-in deal on your PIX!

---later---

Ah - I see you've added info on size. If you only have 250 users you probably *don't* need an E-class, or even an NSA; the Pro range should suit. But check the charts for info on throughput if you move large quantities of data or if you also have public access servers to protect.

Sonicwall have a comprehensive reporting tool - Viewpoint - which you can run for yourself, or you can find companies which will manage your Sonicwall for you and will send you monthly reports - those reports will almost certainly just be the ones you could get off Viewpoint if you ran it yourself, however. Viewpoint runs on a local workstation or server and is accessed via a web GUI; you can log in at any time, see what traffic levels are, how many attacks have been blocked, what viruses have been seen (and blocked of course!), any recognised trojan activity, etc., also who's been using all the bandwidth and which sites they've been visiting, how much FTP traffic, you name it: if the firewall can handle it, Viewpoint reports on it. Firms which manage your firewall for you generally use Sonicwall's own central management software, which as well as managing multiple Sonicwall devices on any network, incorporates Viewpoint reporting...

Suggest you get hold of your nearest Sonicwall Partner and ask for a demo.

Thank you for the informative update. Our pix is under warranty until this November.

We have 250 users and about 30 servers. The pix is old, but she does a fine job of protecting us. Funny how in the days when PIX was on top, everyone thought they were great. Now people scoff at them.

I am still waiting on an answer from the client, but they are asking for 24/7 monitoring. Anyone know of a service?

I got a quote from this company:

http://www.securitymetrics.com/securitymetricsappliance.adp

$6000 shipped a complete solution. But no human monitoring. We can configure full alerts to call or email us day or night.

We run Kaspersky, which has IPS on every host. The PIX filters out all traffic except specific named traffic in the ACL. So we posed this back to the client: no, we don't have a front door guard, but we have all the technology on our network to prevent intrusion. If we get a denial of service attack, the PIX drops this traffic. And I also have IP blocking and monitoring on our DB that must be manually released if it triggers the alarm. I love the PIX, been a champ for many years, but the reality is I can't log to it. So in November I will be going with an all in one ASA appliance to replace it.

Anyone else like Sonicwalls? I did a lot of work in the old days converting Sonics to Cisco. People just didn't like them in my experience. I never ran one myself on any network.
ASKER CERTIFIED SOLUTION: astralcomputing

Personally I never liked Pix but then I don't like IOS, and whilst we make extensive use of Cisco routers and switches, I never saw that as an *automatic* reason to assume their firewalls were any fun.

And currently at least Cisco are lagging in precisely the areas in which you are expressing interest.

Sonicwalls have been IMHO bulletproof for some years now. The main complaint folk have against them, at the smaller end of the market at least, is the user-count based pricing; most complaints arise when someone tries to connect user 11 via a 10 user box...

I suggest you give them a look!


Rich Rumble:
Have a look, rather call or contact sourcefire, the makers and maintainers for Snort:
http://www.sourcefire.com/solutions/etm/ips
They can provide the service you need if you have to spend money... If you don't require spending much, you can use a very good front-end from Aanval that makes using and reporting on snort much better than using BASE. Setting up snort is really pretty simple, even on windows if you need, then purchase the Aanval package and you can centrally manage any and all snort sensors. If you have one egress point in your network, all the better, that's only one span session, or port mirror.
-rich
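The answer above describes running Snort sensors on a span/mirror port and putting a reporting front-end over them. The following is an added example, not code from this thread, from Sourcefire or from Aanval: a small Python script that parses Snort's plain-text "alert_fast" output, summarises it by signature and source, and applies the kind of simple "wake someone up" threshold a 24/7 monitoring service automates. The alert lines, IP addresses, SIDs and thresholds are constructed for the example (RFC 5737 documentation addresses, SIDs in the local 1000000+ range).

```python
import re
from collections import Counter

# A local rule of the kind that would produce SID 1000001 below (assumed, for context only):
#   alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH SYN"; flags:S; sid:1000001; rev:1;)

# Constructed sample of Snort alert_fast lines. Format:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# ICMP alerts carry no ports; the last line is deliberately not an alert and must be skipped.
SAMPLE_ALERTS = """\
01/15-02:13:44.123456  [**] [1:1000001:1] LOCAL inbound SSH SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22
01/15-02:13:45.223456  [**] [1:1000001:1] LOCAL inbound SSH SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51235 -> 192.0.2.10:22
01/15-02:13:46.323456  [**] [1:1000001:1] LOCAL inbound SSH SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51236 -> 192.0.2.10:22
01/15-02:14:01.000001  [**] [1:1000002:2] LOCAL inbound SQL server probe [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.0.2.20:1433
01/15-02:20:09.555555  [**] [1:1000003:1] LOCAL ICMP echo from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
this line is not an alert and should be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"      # classification is optional in Snort output
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def parse_alert_log(text):
    """Parse a whole alert file, silently dropping lines that do not match the format."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def summarize(alerts):
    """Counts by (sid, msg) and by source IP: the two tables a reporting front-end shows first."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src


def escalate(alerts, threshold=3, max_priority=2):
    """Source IPs that warrant a page: at least `threshold` alerts of priority <= `max_priority`
    (Snort priority 1 is the most severe). Thresholds here are illustrative, not tuned values."""
    serious = Counter(a["src"] for a in alerts if a["prio"] <= max_priority)
    return sorted(src for src, n in serious.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_alert_log(SAMPLE_ALERTS)
    sigs, srcs = summarize(parsed)
    for (sid, msg), n in sigs.most_common():
        print(f"sid {sid:<8} {n:>3}  {msg}")
    for src, n in srcs.most_common():
        print(f"{src:<16} {n:>3} alerts")
    print("escalate:", escalate(parsed))
```

The parser treats the Classification field as optional and the ports as optional, because Snort omits the former for rules without a classtype and the latter for ICMP; a monitoring script that assumes every line has all fields will quietly drop exactly the alerts it was deployed to see. Feeding it the file Snort writes on each sensor (or the lines forwarded by syslog) and running `escalate` on a sliding window is the simplest self-hosted approximation of the paging service the asker is pricing.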