A call for help to open source integrators.
Long-time intrusion-detection system watchers will inevitably want to know: what about Snort?
Long-time intrusion-detection system watchers will inevitably want to know: what about Snort? The popular open source IDS has a fanatical following and is respected as an excellent detection engine. Why wasn't it included in this review?
Testing open source products has always been a difficult proposition. The lack of timely technical support, as well as a heavy reliance on lore and custom (rather than defaults and documentation) for proper and speedy operation has often caused test results that might reflect how open source products at their worst, rather than their best.
Snort makes this even more difficult, because it is far from a complete IDS solution. In this review, we spent little time analyzing the detection engine and most of our effort evaluating how well the product supports security analysts in their day-to-day job. Snort, out of the box, would have fared miserably in this test - and Snort's advocates would legitimately cry "foul." Snort's enthusiastic user community has built its own extensive set of add-ons and plug-ins - more than 20 of them - that take Snort from a good detection engine to a full-fledged network IDS.
For many network managers, having so many possibilities is a blessing. For a reviewer, it's a curse. If we pick a particular set of add-ons to provide an environment similar to, for example, what Cisco or Internet Security Systems sell, then how do we pick the add-ons? What operating system should it run on? How should the hardware be configured, and what kinds of I/O subsystems are needed? More generally, how do we architect an IDS implementation out of the thousands of possible options that would fairly represent how Snort compares with the commercial products we tested?
Snort, like many complex open source tools, requires the security analyst to also be a system integrator: pick operating system, hardware, multiple applications, and bring them all together into a high-performance network IDS. Reviewing Snort would require us to play system integrator to start to capture the possibilities surrounding the popular detection engine.
Our experience has taught us one important thing: no matter what choice of product, add-on and architecture we make, it won't satisfy the set of hard-core Snort aficionados who believe that Snort is the answer to any (or most) intrusion-detection questions. While the hate mail wouldn't bother us, there's a bigger point to be made. Our goal in these reviews is to help enterprise network managers understand products in the marketplace, their strengths and weaknesses, capabilities and deficiencies. How would picking a particular set of options meet those goals?
One option might be to let the open source community act as system integrators. While that could be an easy way to deflect criticism from our own choice of products, options, and tuning, we found that it doesn't matter: no one was willing to bell the cat. Our call for assistance to the Snort community, for someone to act as the "vendor" for our Snort solution, brought a number of volunteers who expressed interest. However, none were actually willing and/or able to spend the time required to put Snort in the review as a peer product.
Snort did get in this review, at least partially, with the Barbedwired product, which includes Snort as an integral part of its IDS. We also invited Sourcefire, the company where Snort's authors work, to submit their commercialized version of Snort for review, although it declined.
In what may be a first for the technology industry, RSA Conference 2015 next month apparently will be...
Website password strength meters, like a spouse asked to assess your haircut or outfit, often tell you...
With all the public cloud storage offerings on the market today, many vendors just want customers to...
Sponsored by AT&T
Sponsored by Brocade
Investors made a crowd around the cloud this week, investing $175 million in companies focused on...
The SDN project now has a security response team to quickly handle new vulnerability reports
Here's how many cybersecurity entry-level job seekers fail to make a great first impression.
As CIOs become overwhelmed by IT demands, chief data officers (CDOs) are stepping in to serve as a...