With intrusion defense vendors, one size doesn't fit all


Bill Brenner, Senior News Writer

For many IT shops, security tools from Cisco Systems Inc. and Symantec Corp. serve as the backbone of their intrusion defense programs, if the results of an exclusive SearchSecurity.com survey are any indication.

Some IT professionals, however, have found that those vendors' products aren't always a good fit for the size and scope of their enterprises. Others have discovered they can repel the bad guys just as well using free open source technology.

Bryan Rood, IT manager for Milpitas, Calif.-based Quantros Inc., a company whose products and services are tailored for the healthcare industry, uses a Cisco PIX Firewall and Symantec AntiVirus Corporate Edition. Both are solid tools, he said, but through experience his department has found that the Cisco firewall may be too much for his two-person IT department, which manages 57 employees and their workstations.

"The PIX firewall is working well," Rood said, noting that the product has a built-in intrusion detection system (IDS). So what's the problem? "We're only using about 50% of what [the product] has," he said. "We don't have the human resources to use the rest."

Therefore, it might be more feasible to switch vendors than to hire someone to manage the unused functionality. "We don't have a complete list of alternative vendors, but there is a discussion going on based on the cost of Cisco compared with other vendors," Rood said. "We might make a change in the next two or three months."

It's unclear if this is an issue facing other staff-challenged organizations using gear from the big vendors, but it is clear that many of the 307 IT professionals surveyed by SearchSecurity.com in February said Cisco and Symantec are key pieces of their intrusion defense programs. A majority of respondents also said they plan to spend the same or more on intrusion defense in the coming year.

No one vendor
The overall responses suggest that while Cisco and Symantec are among the top intrusion defense vendors, IT professionals aren't dependent on any single vendor.

Asked which vendors' intrusion detection/prevention products they use, nearly 43% said Cisco; 34% said Symantec; 30% said Snort and other freeware; close to 26% said McAfee and Microsoft; and almost 20% said Check Point and Sourcefire.

Asked whom they consider their primary intrusion detection/prevention vendor, 20% said Cisco; nearly 15% said Symantec; 12% said Snort and other freeware; and 18% checked either "none" or "other."

Asked why they chose a specific set of vendors, close to 21% of respondents said the vendor choice fit into their respective infrastructures; 19% cited superior security functionality; more than 16% said the product was already installed as part of another device; and 14% cited cost.

Eric Nooden, information systems manager for Rockford Gastroenterology Associates Ltd. in Rockford, Ill., is one IT professional who has chosen a variety of tools from both mainstream vendors and the open source community to secure the 107 Windows-based network devices in his 100-employee company. Open source tools like Snort have been especially effective for Nooden, the company's lone IT administrator.

Finding the right mix
To fight spyware, Nooden uses the tool included in Symantec AntiVirus Corporate Edition. But he's not married to the vendor's product.

He has also used the open source Spybot Search & Destroy tool and has permission to buy the Spy Sweeper tool from Boulder, Colo.-based Webroot Software Inc., though he's holding off on the purchase to see how well Symantec performs.

For IDS, he uses a Snort box that cost nothing to set up and has worked well.

"We haven't had anything come blasting through the firewall except for some attacks targeting our Citrix server -- stuff like cross-site scripting," he said.

But up to this point, the security needs of his network haven't necessitated the purchase of a more robust commercial IDS product.

"By getting tools from the open source community, I've been able to put together a fairly successful intrusion defense program," he said. "Open source is inexpensive and can easily be loaded onto older devices."

Spending the same or more in 2006
Despite his success using open source, Nooden said his company may invest in more mainstream devices sometime in the future. One piece of software he's interested in is the CiscoWorks VPN/Security Management tool.

"We plan to add another doctor this summer," he said, "and if we start using new technology for things like virtual colonoscopies, there may be more need for storage and security. But right now it's on the maybe list."

Still, as the company's medical technology expands, he's hopeful upper management will understand the need to spend more on security.

Other respondents indicated they'll be spending the same or more on various security tools in the coming year. For example, 56% said they'll spend the same or more on a network-based intrusion prevention system (IPS), compared to 18% who are spending less or aren't spending at all. Sixty-two percent said they plan to spend the same or more on network-based IDS this year, compared to 18% who are spending less or aren't spending at all.

More than 48% of respondents said they plan to spend the same or more on a security event/information management system, while 24% said they'll be spending less or not at all on the technology. Nearly 70% plan to spend the same or more on network firewalls, compared to 16% who will spend less or nothing at all.

Michael Smith, network security architect for a Chicago-based telecommunications equipment company with 4,400 employees, 5,000 workstations, 1,000 servers and a mix of Windows, Solaris and Linux systems, said his department plans to spend "a little bit more" on security in the coming year.

His enterprise uses a Cisco firewall and IDS and turns to Symantec for AV. Like numerous other large enterprises, his company is generally more satisfied with these vendors' feature-rich products than are smaller companies with fewer IT workers. When asked to describe the effectiveness of his particular arsenal of intrusion defense tools, Smith called them "pretty solid."

Nevertheless, his tools don't provide what he'd consider the perfect intrusion defense. He said he would like to improve the flow of network intelligence and bolster incident response capabilities. That's why his company is among those planning to spend more this year on intrusion defense technology.

"We get volumes and volumes of reports. We can't spend all our time looking through logs, which is why we may invest more in a centralized analysis tool," he said. "Our biggest tech challenge is filtering through the noise."