Re: [Snort-users] cost/benefit analysis of running Snort

From: M. Morgan (mikemorganmindspring.com)
Date: Thu Jan 29 2004 - 09:25:07 CST


Tom,
I realize your question is directed specifically towards Snort, but there are many documents available that can help you with your efforts.
 
Read some of these regarding "return on investment"
 
thanks,
Michael


-----Original Message-----
From: Tom Fulton
Sent: Jan 23, 2004 6:38 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] cost/benefit analysis of running Snort


I'm trying to come up with a cost/benefit analysis of running Snort in a network, in general terms.

Can you add anything that you see is missing or wrong?


A.      COSTS:
        I would guess costs are mostly in human time (FTE) functions:

        - Installation, configuration
        - Locking down/securing the boxes' processes (i.e. Bastille scripts, etc.)
        - Patching
        - Monitoring Snort logs to determine legitimate alerts
        - Adding, changing, fine-tuning filter rules
        - Ideally a 24/7 operation requiring HOW MANY FTEs per shift?  What does the number of FTEs depend upon?
        - What is the "cost" of having only one shift covered?


        But also hardware and software costs:

        - Dedicated PCs (how many?)
        - Operating system and support agreements for the OS
        - Network bandwidth (how do you address questions of how much network speed is affected by Snort boxes?)


# How do you scale?
# The book "Snort 2.0 Intrusion Detection" discusses different architectures but doesn't give any kind of rule of thumb for the number of boxes per architecture.  Yes, I know it depends upon the processor, RAM and bus speed, etc., but beyond that, how do you define it?

# Would it be safe to say that once you see that you are dropping packets you need to add another box?  Is it just trial and error ONLY?


B.      BENEFITS:

        - They can alert you to the presence of attacks, internal and external (the majority of attacks occur, knowingly or unknowingly, from within the network)

        - Identifies vulnerabilities and weaknesses in the perimeter protection devices: firewalls and routers
        - "What you don't know CAN hurt you"
        - Preventative knowledge: IDSs can alert you to reconnaissance scanning in your network, which can alert you to impending attacks

        - Helps enforce security policies
        - Great sources of forensic evidence
        - Inline IDSs can halt active attacks on your network
        - Rounds out an overall security model


Can you add anything or correct me?

Thanks,
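
On the scaling question ("once you see that you are dropping packets you need to add another box?"), the practical check is to read the drop counters each sensor reports and act only on a sustained drop rate, not on one bursty interval. The script below is an added example for this thread, not code from either poster or from the Snort project. It assumes the one-line summary Snort 2.x prints at shutdown or on SIGUSR1 ("Snort analyzed N out of M packets, dropping D(P%) packets"); the sensor names, packet counts and the 1% threshold are constructed for the example and should be replaced with your own.

```python
import re

# Summary line Snort 2.x prints at shutdown or on SIGUSR1. The wording is assumed
# here; adjust the pattern if your Snort version phrases it differently.
STATS_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets, "
    r"dropping (?P<dropped>\d+)\("
)

# Constructed sample: one summary line per sensor for the same reporting interval.
# Hostnames and counts are made up for this example.
SAMPLE_REPORT = {
    "sensor-dmz":  "Snort analyzed 1883421 out of 1883421 packets, dropping 0(0.000%) packets",
    "sensor-core": "Snort analyzed 9120044 out of 9611230 packets, dropping 491186(5.110%) packets",
    "sensor-lab":  "Snort analyzed 0 out of 0 packets, dropping 0(0.000%) packets",
    "sensor-old":  "Snort exiting",
}


def parse_stats(line):
    """Return {'analyzed', 'received', 'dropped'} as ints, or None if the line is not a summary."""
    m = STATS_RE.search(line)
    if m is None:
        return None
    return {k: int(v) for k, v in m.groupdict().items()}


def drop_rate(stats):
    """Fraction of received packets that Snort dropped; None when nothing was received."""
    if stats["received"] == 0:
        return None
    return stats["dropped"] / stats["received"]


def capacity_verdict(stats, threshold=0.01):
    """Classify one interval. 'no-traffic' means the sensor saw nothing at all,
    which points at the tap/SPAN feed rather than at sensor capacity."""
    rate = drop_rate(stats)
    if rate is None:
        return "no-traffic"
    return "overloaded" if rate > threshold else "ok"


def assess_sensors(report, threshold=0.01):
    """Map sensor name -> verdict for a dict of sensor name -> summary line."""
    verdicts = {}
    for name, line in report.items():
        stats = parse_stats(line)
        verdicts[name] = "unparsed" if stats is None else capacity_verdict(stats, threshold)
    return verdicts


def sustained_overload(history, intervals=3):
    """True only when the last `intervals` verdicts for a sensor were all 'overloaded'.
    A single overloaded interval is often a traffic burst; sustained drops are what
    justify adding a sensor or trimming the rule set."""
    if len(history) < intervals:
        return False
    return all(v == "overloaded" for v in history[-intervals:])


if __name__ == "__main__":
    for sensor, verdict in assess_sensors(SAMPLE_REPORT).items():
        print(f"{sensor}: {verdict}")
```

Run it per sensor after each reporting interval and keep the verdict history; a sensor that stays "overloaded" across several intervals is the one where adding a box (or splitting the traffic, or cutting rules that never fire) pays off, while a "no-traffic" sensor is a feed problem rather than a capacity problem.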
