Cisco Sourcefire SNORT Review

Known bugs consume memory and CPU resources to the point where we are seeking a new solution

What is our primary use case?

The primary use of this solution is intrusion prevention, for both user-to-server traffic, and server-to-server traffic.

Most of our environment is Cisco including ISE, our access control, routers, switches, call center, and TelePresence.

How has it helped my organization?

The current solution that we are using is actually a bottleneck for us. It is negatively impacting our performance because it cannot handle our traffic. The SSL offloading did not work and gives us an error regarding resources in terms of memory and CPU. 

Other than the performance issue, this product is very good because it prevents many attacks and intrusions. We have seen this from the monitoring logs. Unfortunately, with the issue related to the system slowing down, it cannot be utilized 100%. I would like to be able to use the SSL offloading and the anti-malware features.

What is most valuable?

The most valuable feature is the ability to automatically learn the traffic in our environment, and change the merit recommendations based on that. It can tune its IPS rules automatically based on what it has learned. This feature is not available in other IPS solutions, so it is very beneficial for us. Manually tuning the IPS rules is difficult because we have thousands of them.

What needs improvement?

We are unhappy with technical support for this solution, and it is not as professional as what we typically expect from Cisco.

Sourcefire SNORT is very resource heavy in terms of CPU usage and memory consumption. Technical support has told us that this is related to bugs that have yet to be fixed.

For how long have I used the solution?

We have been using Cisco Sourcefire SNORT for three years.

What do I think about the stability of the solution?

What we are using now is not very stable and it results in performance issues that are related to memory and CPU consumption.

What do I think about the scalability of the solution?

Scalability-wise, I can see that Cisco is one of the leaders in IPS solutions. However, I cannot comment on it personally because I have not used products by other vendors for this use case.

We have many thousands of machines that are being monitoring by my team, cybersecurity. All of the production traffic goes through Sourcefire. Because of the performance issues, we are unable to use all of the features. For example, we cannot use the SSL policy or the AMP policy.

Which solution did I use previously and why did I switch?

We did use another product prior to Cisco Sourcefire SNORT but it was before I joined the company and I am unable to comment on it.

How was the initial setup?

The initial setup is straightforward and the configuration is easy.

We implemented this solution in stages because it could not be done all at once.  It took us perhaps just over a month to finish moving all of our servers from IDS to IPS, from detection to prevention.

What about the implementation team?

Our own team was responsible for the implementation. I handled all of it myself.

What other advice do I have?

A lot of Cisco equipment is very good, but in judging the model of this solution that we have, I feel that it is the worst. It has very big issues for us in terms of performance, reliability, and stability. It is slowing our network traffic down considerably.

I would rate this solution a one out of ten.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment