Intrusion Detection Systems mailing list archives

Re: IDS Comparison


From: gshipley () neohapsis com (Greg Shipley)
Date: Sun, 5 Mar 2000 23:29:40 -0600 (CST)

On Sat, 4 Mar 2000, John S Flowers wrote:

> I almost let this thread pass by without responding, but I couldn't help
> myself with this last e-mail.  I'm having trouble believing the same
> person who actually recommended RealSecure in their NWC article [Greg
> Shipley] is also the person talking about command line interfaces in the
> message below.

Oh boy.  Here we go.  Still giving me shit for that one, huh?  *grin*  So
I'm not allowed to adjust my comments per audience now, huh?  Gee, I
suppose the 809,000 readers of Network Computing have the EXACT SAME
PROFILE as the ones on this list, huh?  I suppose one audience fits all
then, eh John?

Come on.  Right.  I'm only about the GUI.  Pardon me, I forgot.

> Unfortunately, almost all of our clients actually make statements like,
> "Can your scanner integrate with HP OpenView?  Our entire company uses
> it for network topology and management."  Believe it or not, people *do*
> use HP OpenView and other graphical tools to simplify their day-to-day
> tasks.

Oh, I *know* people are using it - I don't question that.  I'm just saying
that *I* hate it.  IMHO, you should have OpenView as an *OPTION*.  ISS has
an OpenView "snap-in" but you don't HAVE to use it.  Cisco on the
other hand sticks you with OpenView, whether you like it or not.  You have
no choice.  And then there is the entire method the IDS integrates into
OpenView (alerts flashing on the sensor icon, rather than on the unit
being attacked) but that is another discussion entirely.  Oh, and then
there is the problem with 100+ attack icons flooding a single view, and
you, the admin, getting screwed over by it.  Oh, wait, I'm going into why
I don't like OpenView... sorry.

Yes, I'm sure you do have clients asking about OpenView.  And we have
clients, believe it or not, that hate it (clients with security staffs of
over 15 dedicated security people).  It goes both ways.  I'm just saying
I'd like to have some options, other interfaces are better, and that I
hate OpenView.  Take it for whatever it's worth....

> My other comment relates to the following (possibly naive) statements:
>
> > ... The NetRanger sensors
> > run between (last I checked) $20k and $22k (US dollars) per sensor.
> > That's for, essentially, a Pentium-II (III now?  dunno) based Intel
> > machine running Solaris x86 and the NetRanger software.  Last I checked
> > RealSecure ran about $10k for a network "engine" and a single console.
> > So, unless you drop $10k+ on your Intel boxes, it's obvious which one is
> > cheaper.

> OK.  It sounds like you're saying that the cost of the IDS relates
> *solely* to the cost of the hardware and software.  Just because
> RealSecure costs $10k for the sensor and another $3k for a decent chunk
> of hardware [and the Windows NT you'll probably be running it on] does
> not mean that the "total cost" of RealSecure is $13k.  Let's be honest,
> there's a reason that NFR is getting their ass kicked in the IDS
> market.  It has nothing to do with whether they're a superior solution
> to ISS' RealSecure or whether they are more flexible.  ISS is wailing on
> other vendors because people can comprehend the ISS RealSecure model and
> understand a shrink-wrapped Windows product.  Other than the truly
> technical people out there, no one wants to learn N-Code or CASL or
> other options.  People want to buy a solution that they plug in or
> install and that they can run reports from without worrying about
> tinkering with the product for 2 weeks before it becomes usable in their
> environment.
>
> The bottom line with all IDS products is how damn hard they are for the
> average IT person to set up or even understand.  Yeah, I know it's an
> unpopular opinion.  Yeah, I know that most of the readers of this list
> are saying, "Bullshit!  I can set up an IDS -- NO PROBLEM!  I understand
> IDS technology too!"

Ergh... I was drawing a comparison on up-front costs.  OK, allow me to
update my statement - Note to all on this list: For people running Super
IDS Net Pro 2000 with 10.2 billion sensors, you need to make sure you
factor in the cost of management, the cost of more consoles, confusion,
employee overhead, Red Bull, etc. - the $20k per sensor is not the total
cost of the IDS.  (That should clear up any confusion.)

> Well, the readers of this list are saying that because they're probably
> in the top 5% of brain power in the security industry.  Most people
> responsible for setting up IDSs are $30-40k a year Windows
> administrators who are putting an IDS in their organization because
> their CTO/CEO/VP/Director/Manager told them (after reading the latest
> copy of some trade journal) that they " .. have to start being proactive
> and put measures in place to ensure that our company is secure against
> hackers."

Are they?  Are most people responsible for setting up IDSs "$30k-$40k
windows administrators?"  Maybe things are done differently in the
valley/bay area, but that certainly isn't what we see in the midwest and
east coast.  In fact, I've NEVER seen that out here.  IDSs are run by
security people, and they certainly aren't making $30k.  But I am
digressing....

> Now, if you add the 450 checkable options of RealSecure along with the
> logging requirements and all of the report options, then you add the
> fact that RealSecure actually has to run on hardware that's already been
> spec'd and installed plus the deployment aspects related to the fact
> that anything over 10 sensors kills the management system...  I could go
> on and on [and probably have already], but I'm trying to say that
> RealSecure costs real dollars to install, support, maintain, update, and
> so on.  Unless there's a way of getting free IT resources, you have to
> actually pay the people setting up these solutions.

Agreed, but now I've got to ask, this is a pitch for what, exactly? :)

> I'm consistently amazed at how smart people in this industry keep making
> statements about price, performance, functionality and other comparative
> statements without taking the time to make sure they are conveying a
> real message to an audience that's obviously listening.  We have a
> responsibility to be honest about the limitations of this technology
> while still espousing the benefits.

Listen, while I don't necessarily consider myself one of the super
"smart persons" in the industry, I'm certainly not going to write a
dissertation every time I post to a mailing list.  Sure, there is more to
ID than just hardware and licensing costs.  Sure, people need to factor
in a slew of other aspects when doing enterprise-class purchases.

But I will say this:  you can't pigeon-hole organizations into the model
you've laid out in your reply.  It's just not that simple.  Yes, I've seen
organizations that only give a shit about one or two sensors.  Yes I've
seen organizations that will make a purchasing decision based SOLELY on a
$10k-$20k cost difference.  Yes the infamous "TCO" buzz-word comes into
play, but come on, how many organizations are REALLY factoring that into
IDS purchasing decisions?  The smart ones are, many are not.

Most orgs I've been at, anyway, are fighting for the budget to purchase ID
systems and then having the admins fight over who gets to "own" them.
But I will admit, I, as an individual, only see so much... I'm sure it's
different everywhere.  Dunno - what do the people on this list think?

In short - I agree with you, somewhat.  IDSs are more than just a hardware
and software cost - absolutely.  I apologize if I've implied it was THAT
simple.  My intention was just to draw some attention to a few facts, and
I'd like to think that input is valuable without being packaged with five
disclaimers and ten billion external references.

IMHO, it all boils back to the comment of "You really have to think about
how an ID product will fit into your environment, and what you want to use
it for." 

-G