Proxy based firewalls aren't really that slow. Sure a Checkpoint is faster, but slap on all the 3rd party application inspection engines and it too starts slowing down. In today's world, having a firewall that only goes down to Layer 4 just won't cut it IMHO. And hiding details from the outside world is a good thing!

As for Snort... I love it but have to agree that it's just not something you want for an enterprise IDS. I use it at home and it smokes. If I had to manage more than a few?... ugh. ISS is the only solution for enterprise IDS as far as I'm concerned.

Proxy-based firewalls are also a hell of a lot slower than stateful packet firewalls. They also can hide the details of the outside world, making IDSs unusable inside your network. Personally, I find that a good stateful firewall can filter out all the junk and handle authentication and monitoring. And then a well tuned IDS can focus in on the traffic and what it is trying to do. The two working together can form a rather significant barrier to hacker scum. It also creates a "separation of duties": the firewall does its job and the IDS does its job. You don't have one unit (hence a single point of failure) trying to do both.

Once again, this is an area where Snort is extremely difficult to use because there is no centralized policy creation and management system as well as a reporting mechanism. Something that virtually all the commercial products - even Sourcefire's commercial product - have.
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 00:14:12 PDT