Put some fire in your network security
David Myers profile photo
August 10, 2017

Put some fire in your network security

Score 10 out of 10
Vetted Review
Verified User
Review Source

Overall Satisfaction with Cisco Sourcefire SNORT

We use Sourcefire as an intrusion detection/prevention platform, but also as a form of a web filter, blocking certain types of sites. Its use is centered only in IT, as there's no need for any other part of the organization to use it. The goal of having it is to address the concern of watching web traffic and having a mechanism to aggressively block known bad sites, attacks, requests, etc.
  • The threat intelligence from Cisco TALOS is unparalleled. This is grafted into the Sourcefire application which greatly improves security visibility. With this there are a lot of groups that you can use for white listing or blacklisting, knowing its being updated in the background without additional work from you.
  • Flexible. Instead of putting a traditional firewall inline you can put a source fire appliance (or firewall with sourcefire on-board) to not only block/allow traffic, but if you insights into it, and do some forms of threat scoring.
  • In depth information. Sometimes a bit overwhelming, but you are able to do more than just see alerts, you can view the full information and packets that lead to the conclusion, though the conclusion is prepared in advance for you.
  • Due to the extensive interface, it can be quite overwhelming to try and manage the product. There are many different places to go to set up individual items. It would be nice to simplify the interface down a bit
  • Upgrades can be somewhat hazardous. I think they are working to get the upgrade process streamlined, but currently moving major version (5.x to 6.x) there was a lot of additional work outside of the UI that if not done correctly can tank the system, requiring a fresh load or restore from backup
  • Sourcefire has given us a positive ROI. We don't really have the metrics to show this, but the cost for having it, vs the savings between blocking bad sites and the manpower to respond to malware infestations are worth it. It's hard to measure what you don't get.
For our organization, the Cisco defense in depth concept works the best. While Cisco can be made to work with other vendors, we have found the best in depth protection by integrating Cisco products for maximum visibility. We had a Barracuda Web Filter, but it was difficult to maintain when you had limited scope on what you could block, so we created a whitelist only setup which required a lot of additional manpower. This wouldn't have covered new threats with DNS spoofing and the like.

Sourcefire also integrated with our anti-malware platform (Cisco AMP) for even better visibility on what may be happening on the end users workstation. We are planning on adding in Cisco ISE to complete the approach and possibly stealthwatch to cover our bases in the future. The Palo Alto gear was interesting, but it was priced far out of our range.
I think in any situation where you have the IT staff to be able to manage it, Sourcefire SNORT is a good fit. Perhaps if you have a very large budget, and could get something like Palo Alto there might be a different fit, but Sourcefire works very well in our market (SMB) but would scale nicely in a larger organization, as you can use the interface to manage multiple devices. For smaller customers with less dedicated IT teams or none, Cisco Meraki offers the same level of protection with less work via the MX model of firewalls.