[Snort-users] cost/benefit analysis of running Snort

From: Tom Fulton (tfulton9909@comcast.net)
Date: Fri Jan 23 2004 - 17:38:57 CST


I'm trying to come up with a cost/benefit analysis of running Snort in a network, in general terms.

Can you add anything that you see is missing or wrong?

A. COSTS:
        I would guess costs are mostly in human time (FTE) functions:

        -Installation, configuration
        -Locking down/securing the boxes' processes (i.e.: Bastille scripts, etc.)
        -Patching
        -Monitoring Snort logs to determine legitimate alerts
        -Adding, changing, fine-tuning filter rules
        -Ideally a 24/7 operation requiring HOW MANY FTEs per shift? What does the number of FTEs depend upon?
        -What is the "cost" of having only one shift covered?

        But also hardware and software costs:

        -Dedicated PCs (how many?)
        -Operating system and support agreements for the OS
        -Network bandwidth (how do you address questions of how much network speed is affected by Snort boxes?)

# How do you scale?
# The book "Snort 2.0 Intrusion Detection" discusses different architectures but doesn't give any kind of rule of thumb for the number of boxes per architecture. Yes, I know it depends upon the processor, RAM and bus speed, etc., but beyond that, how do you define it?
# Would it be safe to say that once you see that you are dropping packets you need to add another box? Is it just trial and error ONLY?

B. BENEFITS:

        -They can alert you to the presence of attacks (internal and external; the majority of attacks occur, knowingly or unknowingly, from within the network)
        -Identifies vulnerabilities and weaknesses in the perimeter protection devices: firewalls and routers
        -"What you don't know CAN hurt you"
        -Preventative knowledge: IDSs can alert you to reconnaissance scanning in your network, which can alert you to impending attacks
        -Helps enforce security policies
        -Great sources of forensic evidence
        -Inline IDSs can halt active attacks on your network
        -Rounds out an overall security model

Can you add anything or correct me?

Thanks,

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net