With intrusion defense vendors, one size doesn't fit all

In the final installment of our special series, Intruder Alert, a majority of IT shops say they rely on Cisco and Symantec for intrusion defense, but others say they're just as happy using free open source tools.

For many IT shops, security tools from Cisco Systems Inc. and Symantec Corp. serve as the backbone of their intrusion defense programs, if the results of an exclusive SearchSecurity.com survey are any indication.

Some IT professionals, however, have found that those vendors' products aren't always a good fit for the size and scope of their enterprises. Others have discovered they can repel the bad guys just as well using free open source technology.

Bryan Rood, IT manager for Milpitas, Calif.-based Quantros Inc., a company whose products and services are tailored for the healthcare industry, uses a Cisco PIX Firewall and Symantec AntiVirus Corporate Edition. Both are solid tools, he said, but through experience his department has found that the Cisco firewall may be too much for his two-person IT department, which manages 57 employees and their workstations.

"The PIX firewall is working well," Rood said, noting that the product has a built-in intrusion detection system (IDS). So what's the problem? "We're only using about 50% of what [the product] has," he said. "We don't have the human resources to use the rest."

Therefore, it might be more feasible to switch vendors than to hire someone to manage the unused functionality. "We don't have a complete list of alternative vendors, but there is a discussion going on based on the cost of Cisco compared with other vendors," Rood said. "We might make a change in the next two or three months."

It's unclear if this is an issue facing other staff-challenged organizations using gear from the big vendors, but it is clear that many of the 307 IT professionals surveyed by SearchSecurity.com in February said Cisco and Symantec are key pieces of their intrusion defense programs. A majority of respondents also said they plan to spend the same or more on intrusion defense in the coming year.

No one vendor
The overall responses suggest that while Cisco and Symantec are among the top intrusion defense vendors, IT professionals aren't dependent on any single vendor.

Asked which vendors' intrusion detection/prevention products they use, nearly 43% said Cisco; 34% said Symantec; 30% said Snort and other freeware; close to 26% said McAfee and Microsoft; and almost 20% said Check Point and Sourcefire.

Asked who they consider their primary intrusion detection/prevention vendor, 20% said Cisco; nearly 15% said Symantec; 12% said Snort and other freeware; and 18% checked either "none" or "other."

Asked why they chose a specific set of vendors, close to 21% of respondents said the vendor choice fit into their respective infrastructures; 19% cited superior security functionality; more than 16% said the product was already installed as part of another device; and 14% cited cost.

Eric Nooden, information systems manager for Rockford Gastroenterology Associates Ltd. in Rockford, Ill., is one IT professional who has chosen a variety of tools from both mainstream vendors and the open source community to secure the 107 Windows-based network devices in his 100-employee company. Open source tools like Snort have been especially effective for Nooden, the company's lone IT administrator.

About Intruder Alert

Intrusion defense programs are often touted for their ability to guard against today's evolving threats. Based on an exclusive survey of IT professionals, SearchSecurity.com's special news series Intruder Alert takes a look at real-world intrusion defense programs and which vendors are considered most valuable to those in the trenches.

Finding the right mix
To fight spyware, Nooden uses the tool included in Symantec AntiVirus Corporate Edition. But he's not married to the vendor's product.

He has also used the open source Spybot Search & Destroy tool and has permission to buy the Spy Sweeper tool from Boulder, Colo.-based Webroot Software Inc., though he's holding off on the purchase to see how well Symantec performs.

For IDS, he uses a Snort box that cost nothing to set up and has worked well.

"We haven't had anything come blasting through the firewall except for some attacks targeting our Citrix server -- stuff like cross-site scripting," he said.

But up to this point, the security needs of his network haven't necessitated the purchase of a more robust commercial IDS product.

"By getting tools from the open source community, I've been able to put together a fairly successful intrusion defense program," he said. "Open source is inexpensive and can easily be loaded onto older devices."

Spending the same or more in 2006
Despite his success using open source, Nooden said his company may invest in more mainstream devices sometime in the future. One piece of software he's interested in is the CiscoWorks VPN/Security Management tool.

"We plan to add another doctor this summer," he said, "and if we start using new technology for things like virtual colonoscopies, there may be more need for storage and security. But right now it's on the maybe list."

Still, as the company's medical technology expands, he's hopeful upper management will understand the need to spend more on security.

Other respondents indicated they'll be spending the same or more on various security tools in the coming year. For example, 56% said they'll spend the same or more on a network-based intrusion prevention system (IPS), compared to 18% who are spending less or aren't spending at all. Sixty-two percent said they plan to spend the same or more on network-based IDS this year, compared to 18% who are spending less or aren't spending at all.

More than 48% of respondents said they plan to spend the same or more on a security event/information management system, while 24% said they'll be spending less or not at all on the technology. Nearly 70% plan to spend the same or more on network firewalls, compared to 16% who will spend less or nothing at all.

Michael Smith, network security architect for a Chicago-based telecommunications equipment company with 4,400 employees, 5,000 workstations, 1,000 servers and a mix of Windows, Solaris and Linux systems, said his department plans to spend "a little bit more" on security in the coming year.

His enterprise uses a Cisco firewall and IDS and turns to Symantec for AV. Like numerous other large enterprises, his company is generally more satisfied with these vendors' feature-rich products than are smaller companies with fewer IT workers. When asked to describe the effectiveness of his particular arsenal of intrusion defense tools, Smith called them "pretty solid."

Nevertheless, his tools don't provide what he'd consider the perfect intrusion defense. He said he would like to improve the flow of network intelligence and bolster incident response capabilities. That's why his company is among those planning to spend more this year on intrusion defense technology.

"We get volumes and volumes of reports. We can't spend all our time looking through logs, which is why we may invest more in a centralized analysis tool," he said. "Our biggest tech challenge is filtering through the noise."
