Tuesday, July 26, 2005

SC Magazine IPS Reviews

Recently I received the new SC Magazine and noticed a new Group Test addressing so-called intrusion prevention systems. The reviewer was Christopher Moody, but I was unable to get any sort of background information on him. He has written most of the recent SC Magazine Group Tests, however. As you can read in the story, or in this press release, the Sourcefire IS-2000 won SC Magazine's "Best Buy" award. From the review:

"Its high level of protection and simple rule writing using the Snort engine make it a good standalone product. But it is when it is used as part of the 3D System that it really takes off. Sourcefire’s Defense Center provides excellent centralized management and reporting, and its Real-time Network analysis appliance gives a wider look at the network to help secure it."

The Top Layer IPS 5500 Attack Mitigator was the SC Magazine Recommended product, even though it had a "small attack signature database compared to other products." Review readers will notice that all of the heavyweight IPS vendors were listed, including TippingPoint and ISS. In addition to Sourcefire, three (perhaps four) other products were Snort-based: Countersnipe, Barbedwire, and V-Secure. (I suspect XSGuard is Snort-based too, but I have no proof.) Did you notice that none of those three are part of Sourcefire's Certified Snort Integrator program? That means they are not allowed to apply VRT rule updates to their products.

Overall I do not have that much confidence in the quality of the review. I trust someone like Greg Shipley who seems to ask the right questions and back them up with real tests. See his recent firewall round-up as an example; at least they mention testing methodologies. I suspect Mr. Moody was limited by page space, but he could have provided more detail on the SC Magazine Web site. I do think that Snort + RNA is incredibly powerful, and I doubt there is a better solution available. I just don't think SC Magazine makes its judgements in a manner I find most helpful.

On a related note, the Open Source Snort Rules Consortium (OSSRC) is online; consider joining.

1 comment:

Prav said...

As you pointed out in a previous post, according to Infonetics Research, Cisco and ISS have the lead in market share for IDS/IPS.

However, I have yet to see a group test or review take a look at the now-defunct NetRanger, the Cisco 4200 series appliances, or the MARS correlation engine they acquired from Protego.

If Cisco truly does have 22% of the market, why doesn’t the tech media mention or review them?