Re: Recommending an IDS system

[D B <be281 () bfn org>]

In-Reply-To: <3BAFCFDABE11C64DA68B005B0682BB84BF1B18 () cnbmail cnb-waco com>

Last week I sent a bunch of people some of my information on Cisco and ISS systems. Could someone post it here again or 
email me it. I have been getting more requests for it and I dont want to write it up all over again. I know, I should 
have saved it in the "sent mail" folder but it got deleted. Thanks in advance.

David Buyer


> Received: (qmail 15436 invoked from network); 9 Mar 2004 01:15:27 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 9 Mar 2004 01:15:27 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 8B749A3751; Mon,  8 Mar 2004 17:28:09 -0700 (MST)
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 20107 invoked from network); 8 Mar 2004 16:37:04 -0000
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> Subject: RE: Recommending an IDS system 
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
> Date: Mon, 8 Mar 2004 14:17:55 -0600
> Message-ID: <3BAFCFDABE11C64DA68B005B0682BB84BF1B18 () cnbmail cnb-waco com>
> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 
> Thread-Topic: Recommending an IDS system 
> Thread-Index: AcQFShDFzrn8axlQRSKMnBaG6NqgzQAABqwA
> From: "Josh Mills" <JMills () cnbwaco com>
> To: "Buyer Jr, David" <DBuyer () KaleidaHealth Org>,
>       <security-basics () securityfocus com>
>
> I setup a dragon solution about a year ago and it seemed like it was =
> very difficult to configure when compared to all the rest of the systems =
> partially because of the way you had to go online and get a license for =
> each service then download a key and try to load the key and make it all =
> work together. This may have all changed by now but at the time i had a =
> ton of trouble getting it installed.=20
>
> -----Original Message-----
> From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]
> Sent: Monday, March 08, 2004 6:59 AM
> To: security-basics () securityfocus com
> Subject: RE: Recommending an IDS system=20
>
>
> Havent used that one but Enterasys is a pretty good company.
>
> David Buyer
>
>
>
> -----Original Message-----
> From: eeefm [mailto:eeefm () singnet com sg]
> Sent: Sunday, March 07, 2004 2:13 AM
> To: 'Buyer Jr, David'; security-basics () securityfocus com
> Subject: RE: Recommending an IDS system=20
>
>
> What you think of Dragon ? Thank you.
>
> -----Original Message-----
> From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]=20
> Sent: Wednesday, March 03, 2004 1:29 AM
> To: 'security-basics () securityfocus com'
> Subject: RE: Recommending an IDS system=20
>
>
> We have been using Cisco IDS systems for a number of years and recently
> switched over to the new ISS Proventia Series appliances. I have worked
> with both extensively and I have to say that the ISS solution is MUCH
> better than the Cisco solution. Some of the big differences are that the
> ISS people get out a sig about 2 weeks before Cisco even touches it.
> Also, the Cisco sensors don't have a way of automatically downloading
> and installing the new sigs. Its all a manual process that is a pain in
> the A** Reporting is much much better and faster on the ISS as well.
> There are many more advantages of going with ISS so if you need anymore
> info email me. I still have all my data sheets that I did when we were
> testing all the solutions.
>
> PS - go with the inline stuff (IPS). Snort also has an inline patch
> available.
>
> David Buyer
>
>
>
> -----Original Message-----
> From: Josh Mills [mailto:JMills () cnbwaco com]
> Sent: Monday, March 01, 2004 6:19 PM
> To: Reza Kordi; Andy Cuff; security-basics () securityfocus com
> Subject: RE: Recommending an IDS system=20
>
>
> I have implemented a new cisco ids solution and i am very pleased with
> it! the signatures are highly tunable for a commercial package and it
> seems to be pretty stable. the sensor itself runs on redhat so maybe it
> isnt that much different than snort.
>
> -----Original Message-----
> From: Reza Kordi [mailto:rk () 4unet net]
> Sent: Monday, March 01, 2004 2:03 PM
> To: 'Andy Cuff'; security-basics () securityfocus com
> Subject: RE: Recommending an IDS system=20
>
>
> Hi Andy
>
> How good can vendor independant IDS solutions (Specially Opensource)
> work in an Enterprise Cisco Based network?
>
> What do you think about Cisco IDS solutions?
>
>
> Best Regards
> Mit freundlichen Gr=FCssen
> Meilleures Salutations
> med vennlig hilsen
> =20
> Reza Kordi
>
>
> -----Original Message-----
> From: Andy Cuff [mailto:lists () securitywizardry com]=20
> Sent: Samstag, 28. Februar 2004 11:21
> To: Matthew MacAulay; security-basics () securityfocus com
> Subject: Re: Recommending an IDS system=20
> Importance: Low
>
> Hi Mat,
> I was faced with the same dilemma some years back, my site below details
> the various technologies you can bring to bear.  I also wrote an article
> for SecurityFocus regarding deploying IDS from a vendor neutral
> standpoint http://wwwsecurityfocus.com/infocus/1754
>
> I'd suggest starting simply and building up but always keep the defence
> in depth end goal in sight.  Also, don't forget that in addition to
> detecting attacks you have to react to them also.  If you need further
> advice offlist don't hesitate to ask.
>
> Finally, if you go down the Network IPS route there are 2 main
> varieties; rate based and content based, I refer to the former as Attack
> Mitigation Systems  they fill an important role but IMHO are not IPS.
> Ideally you
> should have both varieties.   There are some products that claim to do
> both,
> but .....
>
> take care
> -andy
> Talisker Security Tools Directory http://www.securitywizardry.com
> ----- Original Message -----
> From: "Matthew MacAulay" <matthew.macaulay () cobweb couk>
> To: <security-basics () securityfocus com>
> Sent: Thursday, February 26, 2004 12:36 PM
> Subject: Recommending an IDS system
>
>
> > Hello,
> >
> > I have been tasked with looking at and recommending an IDS system for=20
> > my company.
> >
> > I have been looking at open source products (Snort) which seems to be=20
> > a very good system with a lot of community support. My problem is we=20
> > are an ASP We want connections to be able to reach our systems for=20
> > the services we provide. I want to be able to monitor over 100=20
> > internet facing servers (behind Firewalls and load balancers) and=20
> > alert / and possibly block non normal traffic / detected attack=20
> > signatures.
> >
> > After doing some reading into different methods IDS v IPS, Host v=20
> > Network, I favour a combination, we have at anyone time up to 50,000=20
> > concurrent connections to our systems so I have a problem of scale.=20
> > One Snort box is just not going to cut it!
> >
> > Looking at how I can "tap" into the network traffic has been partially
>
> > solved by using IDSVLANS which is supported by our Switch hardware.=20
> > (Nortel 8600) So an IDSVLAN could be setup for each of our existing=20
> > VLANS and a couple of load balanced IDS boxes per IDSVLAN to alert to=20
> > a central server to produce reports / alert / wake people up....=20
> > Sounds great.
> >
> > Though I have not looked at it in as much detail as network based IDS,
>
> > I expect I can get a hosts based IDS to also alert (SNMP or what ever)
>
> > to a central server to again produce reports / alerts / wake people=20
> > up.
> >
> > I am interested to here what systems you use to do IDS / IPS. Do you=20
> > have in place IDS systems for platforms of a larger or similar scale?=20
> > I would like to here from people have who have faced similar=20
> > challenges
> ------------------------------------------------------------------------
> ---
> Free 30-day trial: firewall with virus/spam protection, URL filtering,
> VPN, wireless security
>
> Protect your network against hackers, viruses, spam and other risks with
> Astaro Security Linux, the comprehensive security solution that combines
> six applications in one software solution for ease of use and lower
> total cost of ownership.
>
> Download your free trial at
> http://www.securityfocus.com/sponsor/Astaro_security-basics_040301
> ------------------------------------------------------------------------
> ----
>
> CONFIDENTIALITY NOTICE:=20
> This email transmission and any documents, files,=20
> or previous e-mail messages attached to it are=20
> confidential and intended solely for the use of the=20
> individual or entity to whom they are addressed.=20
> If you are not the intended recipient, or a person=20
> responsible for delivering it to the intended recipient,=20
> you are hereby notified that any further review,=20
> disclosure, copying, dissemination, distribution, or=20
> use of any of the information contained in or attached=20
> to this e-mail transmission is strictly prohibited.=20
> If you have received this message in error, please=20
> notify the sender immediately by e-mail, discard=20
> any paper copies, and delete all electronic files=20
> of the message. If you are unable to contact the=20
> sender or you are not sure as to whether you=20
> are the intended recipient, please e-mail=20
> ISTSEC () KaleidaHealth org or call (716) 859-7777.=20
>
>
>
> -------------------------------------------------------------------------=
> --
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 =
> off=20
> any course! All of our class sizes are guaranteed to be 10 students or =
> less=20
> to facilitate one-on-one interaction with one of our expert instructors. =
>
> Attend a course taught by an expert instructor with years of =
> in-the-field=20
> pen testing experience in our state of the art hacking lab. Master the =
> skills=20
> of an Ethical Hacker to better assess the security of your organization. =
>
> Visit us at:=20
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------=
> ---
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate 

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------