EXPERT RESPONSE
Intrusion-detection systems are the focus of a lot of time and attention
these days. Many companies are deploying them without regard to which
IDS best meets their needs. Your question shows that you don't want to
just fill in a check box saying that you have IDS but instead want to
deploy the right solution. First off, IDS come in two general
flavors -- host-based and network-based. I'll address your question on
the network-based IDS product side, since it gets so much attention these
days.
Unfortunately, the quick answer to your question is, "It depends." You
see, different IDS products meet different needs. If you are on a limited
budget but want a good amount of technical flexibility and the means to
define your own attack signatures, go for the open source Snort tool
(www.snort.org). If you like Snort, but want more support or are
restricted from buying an open source tool (as some companies sadly are),
you should check out the commercialized Snort offerings of Sourcefire
(www.sourcefire.com).
If you are looking for a good product that offers excellent detection
capabilities and technical depth, you should check out the Enterasys
Dragon (http://www.enterasys.com/ids/). Another worthy product is the
Network Flight Recorder (www.nfr.com). Finally, if you are looking for a
very shrink-wrapped tool, look into the ISS RealSecure product.
My bottom-line recommendation is that you spend some time piloting IDS
using the freeware Snort tool in your environment. As you get used to
network-based IDS using this free tool, you'll better understand your
particular requirements and can spend the dollars on a commercial solution
(or stay with the free Snort). That way, you learn for
less and can make an educated decision on your product needs.
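To make concrete what "defining your own attack signatures" and piloting Snort involve, here is an added illustration that is not part of the expert's answer and is not Snort's own code: a deliberately simplified Snort-style rule matcher in Python. It parses the classic rule header (action, protocol, addresses, ports) and a handful of options (msg, content, nocase, sid), then runs the rules over a few constructed packets. The $HOME_NET/$EXTERNAL_NET values, the rules in the 1000000+ local SID range, and the packets are all made up for the example; real Snort additionally handles hex content, flow state, preprocessors and much more.

```python
"""Simplified Snort-style signature matcher (added illustration, not Snort).

Shows the two halves of a network IDS signature: the rule header selects
traffic by protocol, addresses and ports; the rule options decide whether
the payload matches. Only msg, content, nocase and sid are modelled.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical site variables; Snort itself reads these from snort.conf.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One rule option: name, optional ":value" (quoted or bare), terminated by ';'.
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [pattern bytes, nocase flag]


@dataclass
class Packet:  # constructed stand-in for a decoded packet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rule header: {text!r}")
    r = Rule(*(m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")))
    for name, val in OPT_RE.findall(m.group("opts")):
        if val.startswith('"'):
            val = val[1:-1]
        if name == "msg":
            r.msg = val
        elif name == "sid":
            r.sid = int(val)
        elif name == "content":  # hex |..| escapes are not modelled here
            r.contents.append([val.encode(), False])
        elif name == "nocase" and r.contents:  # applies to the preceding content
            r.contents[-1][1] = True
    return r


def addr_match(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax: lo:hi, lo:, :hi
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto not in ("ip", p.proto):
        return False
    if not (addr_match(r.src, p.src) and port_match(r.sport, p.sport)
            and addr_match(r.dst, p.dst) and port_match(r.dport, p.dport)):
        return False
    for pat, nocase in r.contents:  # every content must be present
        hay, needle = (p.payload.lower(), pat.lower()) if nocase else (p.payload, pat)
        if needle not in hay:
            return False
    return True


def run(rules, packets):
    """Return (sid, msg) alerts in packet order; log/pass actions are ignored."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]


# Constructed sample rules and traffic for the pilot (not real signatures).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; '
    'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login"; '
    'content:"USER anonymous"; nocase; sid:1000002; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP from outside"; sid:1000003; rev:1;)',
]
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 40213, "10.1.2.3", 80, b"GET /cgi-bin/x?f=../../etc/PASSWD HTTP/1.0\r\n"),
    Packet("tcp", "10.1.2.9", 40214, "10.1.2.3", 80, b"GET /etc/passwd HTTP/1.0\r\n"),  # internal source
    Packet("tcp", "203.0.113.5", 40215, "10.1.2.3", 443, b"GET /etc/passwd HTTP/1.0\r\n"),  # port not 80
    Packet("tcp", "198.51.100.7", 50000, "10.1.2.4", 21, b"USER Anonymous\r\n"),
    Packet("icmp", "198.51.100.7", 0, "10.1.2.4", 0, b""),
]

if __name__ == "__main__":
    for sid, msg in run([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS):
        print(f"[**] [1:{sid}] {msg}")
```

Running it alerts on the first, fourth and fifth packets and stays silent on the internal-source and wrong-port packets, which is the kind of tuning decision (what counts as $HOME_NET, which ports matter, whether matching is case-insensitive) that a pilot with Snort forces you to think through before spending money on a commercial product.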