SmartDefense Versus Any IPS/IDS

[yogendra]

I am CCSE, CCSA & working on CP frm last 2.5 yrs. I
ve read about Smartdefancse & has also configured some of the features. But can we compare CP SmartDefense with say CISCO's IPS 4255 or IDS 4210 which can write and ACL even on router to shun the conenciton port.
1. Can we configure CP Smartdefance to do so?
2. If we have smartdefense then do we need to buy separet IPS/IDS box.
3. with Cisco's IPS /IDS we can monitor diffferent subnets is it possible thr CP
Thx
YT
CP Savvy

[Sergej]

The shun feature of the Cisco IDS is not wery valuable thing. I have not heard that someone use it in productive environment. Only during CCIE Sec Lab preparation :) My opinion you can just forget about SHUN feature. The current hipe feature of Cisco IPS 5.1 is Rate Limiting. (This is answer for qestion #1)
This time all the vendors go from IDS to IPS. According to garner IDS are obsolete ( Are firewalls needed? ). So all the vendors adding in-line mode to the IDS sensors and rename them to the IPS. IDS is converting to the deep packet inspection firewalls. Firewalls are moving to the IDS/IPS field. CheckPoint have fast SmartDefence box - Interspect. This one to place inside you perimer, somewhrer in betwen of users and servers. (This is an answer for qestion #2 and #3)
Checkpoint accrued SourceFire IPS vendor few month ago. Lets wayt and see what will be next.
The real pain with Cisco IPS is a management. Cisco have at least 4 different softwares at the moment: IDM (IPS Device Manager) VMS 2.x (VPN/Security Management Solution) (Which is migrating to CSM3.0 currently(Cisco Security Manager)) and MARS and Cisco Incident Control System (ICS). Each have pros and cons.

[yogendra]

Hi,
Thx for the lucid info!
So the essence is We don't requrie separate IPS box like we r going for /cisco 4255 and use smartdefenace on the perimeter FW and for inside N/W sue CP Interspect ... right?

At present i've done CCSE, CCSA, MCSE apart from my engineering post graduate ...do u think i shd go for CCSP also... as i just wanna specialize in CP.
pl suggest,thx uin advance

[srikrishnak]

Interspect roadmap had been quite good but it never realized to a full scale IDS/IPS. The best part of IDS/IPS is not only detect or prevent any intrustion but provide valuable logs which is 'valid'. ( valid means something like a packet capture but not a gui log).
If i remember correctly last time I saw in a CP presentation that they are going to use this feature in 2006.

[Sergej]

Quote:

Originally Posted by yogendra

Hi,
Thx for the lucid info!
So the essence is We don't requrie separate IPS box like we r going for /cisco 4255 and use smartdefenace on the perimeter FW and for inside N/W sue CP Interspect ... right?

If you want to dig to Cisco vision use Cisco SAFE Blueprint - www.cisco.com/go/safe . Start with easiest one - "SAFE Blueprint for Small, Midsize, and Remote-User Networks"
There you can get Cisco point of view on where to place IDS and firewalls.

[chillyjim]

Quote:

Originally Posted by srikrishnak

The best part of IDS/IPS is not only detect or prevent any intrustion but provide valuable logs which is 'valid'. ( valid means something like a packet capture but not a gui log).
If i remember correctly last time I saw in a CP presentation that they are going to use this feature in 2006.

If you're talking about the packet capture mode, it is available today with Interspect NGX (release earlier this month).

-jlh

[RobertGraham]

In my opinion...

SmartDefense can't really be compared to IPS/IDS solutions. SmartDefense even with a StormCenter subscription never really works properly. It breaks more services than are worth protecting, and many large enterprises concerned with security choose to turn off SmartDefense and go another route.

It makes sense to integrate the IPS with the firewall. But, in SD's case it's not quite ready for production.

[rodfunk]

This is quite an interesting discussion. While SmartDefense does have significant limitations, does anyone know if SmartDefense meets the Payment Card Industry (PCI) requirement for IDS/IPS?

Here is the specific requirement:

11.4 Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.

Rod Funk
Systems Manager
Sierra Club

[chillyjim]

Quote:

Originally Posted by RobertGraham

In my opinion...

SmartDefense can't really be compared to IPS/IDS solutions. SmartDefense even with a StormCenter subscription never really works properly. It breaks more services than are worth protecting, and many large enterprises concerned with security choose to turn off SmartDefense and go another route.

It makes sense to integrate the IPS with the firewall. But, in SD's case it's not quite ready for production.

SMDF is NOT IDS/IPS it is protocol enforcement and it doesn't break services, it just doesn't allow poorly written, non-compliant services to traverse the firewall.

SMDF has been implemented and is is use in several major companies.

[chillyjim]

Quote:

Originally Posted by rodfunk

This is quite an interesting discussion. While SmartDefense does have significant limitations, does anyone know if SmartDefense meets the Payment Card Industry (PCI) requirement for IDS/IPS?

I has been accepted in the past.