Security Basics mailing list archives
Re: Recommending an IDS system
From: "Bob Radvanovsky" <rsradvan () unixworks net>
Date: Thu, 11 Mar 2004 16:27:19 -0600
re: Cisco IDS, I have a few things to say about Cisco's product: junk. I had worked for a company in my pre-9/11 days, and we had implemented an enterprise-wide IDS solution, mostly to spy on employees and vendors (via extranets). The solution was at all locations where my previous employer had Internet access (San Francisco, Denver and Chicago). The management believed what Cisco told them, and the product was originally called "Cisco Secure Policy Manager" (CSPM), which interfaced with their NetRangr product line. The NetRangrs were decent, but the management of the signatures and their policies was a cobbled, messed-up package. The durn thing kept crashing every time the log file area filled up, which usually resulted in rebuilding the entire database -- from scratch. The entire process would *consume* approx. 1 day's worth of hammering against the policy management server that controlled the entire IDS environment. We worked directly with Cisco Product Development, out of both the San Francisco and Dallas/Houston areas. Turned out that this product was an "alpha release", and we were their "guinea pig". Also, the IT management wanted to span ALL ports from the various sensors (amounting to over a dozen or so) into ONE inky-dinky "black box" that was maintained by a "security monitoring service". Thing is, the INFOSEC group was usually informed -- several hours later -- that there were keyed-signature attack attempts against their network. Nonetheless, against my recommendation, they decided to implement this cobbled mess into production. It failed -- multiple times. Then I was laid off due to 9/11, and haven't heard anything since. Realistically, with their configuration, and how the IDS environment was installed, they'd never know that someone was attempting to attack them until it was too late. I strongly do NOT recommend the Cisco IDS product line because of this.
Save yourself the embarrassment and look for alternative commercial solutions if your company wants to go "commercial-grade"; otherwise, consider "open source" as an alternative. ;) Cheers.

Bob Radvanovsky [/unixworks]
rsradvan(at)unixworks.com
"knowledge squared is information shared."

DISCLAIMER: As part of my employment agreement with that employer, I had signed a non-disclosure agreement (NDA) that was in effect for approximately two (2) years from the date of termination or lay-off. That was effective (for me) as of October 31, 2001. Since I no longer work for them (as of October 1, 2001), and have not provided specific details of their networking environment, nor the name of the company, no breach of contract has occurred.

----- Original Message -----
From: "Buyer Jr, David" <DBuyer () KaleidaHealth Org>
To: <security-basics () securityfocus com>
Sent: Thursday, March 11, 2004 7:51 AM
Subject: RE: Recommending an IDS system
I think you're talking about the HIDS product. I can't say anything for or against ISS on that since I haven't used it. I have however tested the Cisco HIDS and it is really bad. It is hard to manage and also crashes all the time (as did the VMS system for the IDS product). Like I said before, ISS beats Cisco hands down any way you look at it for their IDS product (especially the inline Proventia stuff). See for yourself though and have both of them bring in their appliances and test them yourself.

David Buyer

-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero () disney com]
Sent: Wednesday, March 10, 2004 4:17 PM
To: D B; security-basics () securityfocus com
Subject: RE: Recommending an IDS system

Holy cow, stay away from ISS, man. It is a horrible product. Were I to do it all over again, I would push for Snort over their solution. We recently had 20 tech support people from ISS onsite telling us that they still don't know why it is crashing Win2k and Solaris boxes (core dumps!) after 1 year of chasing bugs down on version 6.5. And of course they are saying if we upgrade to version 7.0 everything will be fine. But they just had a security hole in the agent for 7.0, so it doesn't look like they made that much progress. Seriously, we have it disabled on over half of our servers because it was either crashing them outright (tclproc.exe likes to eat 100% of the CPU), or it blocks traffic even when configured not to do so. Stay away. I hear Cisco's Okena/CSA is pretty awesome.

Nick Nero
CISSP, MCSE (2k3/2k/NT), CCNA
The Walt Disney Company

-----Original Message-----
From: D B [mailto:be281 () bfn org]
Sent: Wednesday, March 10, 2004 7:54 AM
To: security-basics () securityfocus com
Subject: Re: Recommending an IDS system
In-Reply-To: <3BAFCFDABE11C64DA68B005B0682BB84BF1B18 () cnbmail cnb-waco com>

Last week I sent a bunch of people some of my information on Cisco and ISS systems. Could someone post it here again or email it to me? I have been getting more requests for it and I don't want to write it up all over again. I know, I should have saved it in the "sent mail" folder but it got deleted.
Thanks in advance.

David Buyer

From: "Josh Mills" <JMills () cnbwaco com>
To: "Buyer Jr, David" <DBuyer () KaleidaHealth Org>, <security-basics () securityfocus com>
Date: Mon, 8 Mar 2004 14:17:55 -0600
Subject: RE: Recommending an IDS system

I set up a Dragon solution about a year ago and it seemed like it was very difficult to configure when compared to all the rest of the systems, partially because of the way you had to go online and get a license for each service, then download a key and try to load the key and make it all work together.
This may have all changed by now, but at the time I had a ton of trouble getting it installed.

-----Original Message-----
From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]
Sent: Monday, March 08, 2004 6:59 AM
To: security-basics () securityfocus com
Subject: RE: Recommending an IDS system

Haven't used that one, but Enterasys is a pretty good company.

David Buyer

-----Original Message-----
From: eeefm [mailto:eeefm () singnet com sg]
Sent: Sunday, March 07, 2004 2:13 AM
To: 'Buyer Jr, David'; security-basics () securityfocus com
Subject: RE: Recommending an IDS system

What do you think of Dragon? Thank you.

-----Original Message-----
From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]
Sent: Wednesday, March 03, 2004 1:29 AM
To: 'security-basics () securityfocus com'
Subject: RE: Recommending an IDS system

We have been using Cisco IDS systems for a number of years and recently switched over to the new ISS Proventia Series appliances. I have worked with both extensively and I have to say that the ISS solution is MUCH better than the Cisco solution. Some of the big differences are that the ISS people get out a sig about 2 weeks before Cisco even touches it. Also, the Cisco sensors don't have a way of automatically downloading and installing the new sigs. It's all a manual process that is a pain in the A**. Reporting is much, much better and faster on the ISS as well. There are many more advantages of going with ISS, so if you need any more info email me. I still have all my data sheets that I did when we were testing all the solutions.

PS - go with the inline stuff (IPS). Snort also has an inline patch available.

David Buyer

-----Original Message-----
From: Josh Mills [mailto:JMills () cnbwaco com]
Sent: Monday, March 01, 2004 6:19 PM
To: Reza Kordi; Andy Cuff; security-basics () securityfocus com
Subject: RE: Recommending an IDS system

I have implemented a new Cisco IDS solution and I am very pleased with it!
The signatures are highly tunable for a commercial package and it seems to be pretty stable. The sensor itself runs on Red Hat, so maybe it isn't that much different than Snort.

-----Original Message-----
From: Reza Kordi [mailto:rk () 4unet net]
Sent: Monday, March 01, 2004 2:03 PM
To: 'Andy Cuff'; security-basics () securityfocus com
Subject: RE: Recommending an IDS system

Hi Andy

How good can vendor-independent IDS solutions (especially open source) work in an enterprise Cisco-based network? What do you think about Cisco IDS solutions?

Best Regards
Mit freundlichen Grüssen
Meilleures Salutations
med vennlig hilsen

Reza Kordi

-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com]
Sent: Saturday, 28 February 2004 11:21
To: Matthew MacAulay; security-basics () securityfocus com
Subject: Re: Recommending an IDS system
Importance: Low

Hi Mat,

I was faced with the same dilemma some years back; my site below details the various technologies you can bring to bear. I also wrote an article for SecurityFocus regarding deploying IDS from a vendor-neutral standpoint: http://www.securityfocus.com/infocus/1754

I'd suggest starting simply and building up, but always keep the defence-in-depth end goal in sight. Also, don't forget that in addition to detecting attacks you have to react to them also. If you need further advice offlist, don't hesitate to ask.

Finally, if you go down the Network IPS route there are 2 main varieties: rate-based and content-based. I refer to the former as Attack Mitigation Systems; they fill an important role but IMHO are not IPS. Ideally you should have both varieties.
There are some products that claim to do both, but .....

take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com

----- Original Message -----
From: "Matthew MacAulay" <matthew.macaulay () cobweb couk>
To: <security-basics () securityfocus com>
Sent: Thursday, February 26, 2004 12:36 PM
Subject: Recommending an IDS system

Hello,

I have been tasked with looking at and recommending an IDS system for my company.

I have been looking at open source products (Snort), which seems to be a very good system with a lot of community support. My problem is we are an ASP. We want connections to be able to reach our systems for the services we provide. I want to be able to monitor over 100 internet-facing servers (behind firewalls and load balancers) and alert / and possibly block non-normal traffic / detected attack signatures.

After doing some reading into different methods (IDS v IPS, Host v Network), I favour a combination. We have at any one time up to 50,000 concurrent connections to our systems, so I have a problem of scale. One Snort box is just not going to cut it!

Looking at how I can "tap" into the network traffic has been partially solved by using IDS VLANs, which is supported by our switch hardware (Nortel 8600). So an IDS VLAN could be set up for each of our existing VLANs and a couple of load-balanced IDS boxes per IDS VLAN to alert to a central server to produce reports / alert / wake people up.... Sounds great.

Though I have not looked at it in as much detail as network-based IDS, I expect I can get a host-based IDS to also alert (SNMP or whatever) to a central server to again produce reports / alerts / wake people up.

I am interested to hear what systems you use to do IDS / IPS. Do you have in place IDS systems for platforms of a larger or similar scale? I would like to hear from people who have faced similar challenges.

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership.
Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_security-basics_040301
---------------------------------------------------------------------------

CONFIDENTIALITY NOTICE:
This email transmission and any documents, files, or previous e-mail messages attached to it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any further review, disclosure, copying, dissemination, distribution, or use of any of the information contained in or attached to this e-mail transmission is strictly prohibited. If you have received this message in error, please notify the sender immediately by e-mail, discard any paper copies, and delete all electronic files of the message. If you are unable to contact the sender or you are not sure as to whether you are the intended recipient, please e-mail ISTSEC () KaleidaHealth org or call (716) 859-7777.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------
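Two points in the thread above are easy to talk past each other on: Andy Cuff's distinction between content-based and rate-based network IPS, and Matthew's plan to run Snort-style sensors that report to a central server. The following is an added example written for this archive page, not code from any poster, from Snort, or from any Cisco or ISS product. It models one sensor that does both kinds of detection over a constructed packet trace: a content check driven by a small Snort-like rule subset (only the header and the msg/content/sid options, parsed by a hypothetical parse_rule), and a rate check that counts TCP SYNs per source over a sliding window. The rules, addresses and trace are all invented for the demonstration.

```python
"""Minimal sensor model: content-based (Snort-style rules) and rate-based
(SYNs per source per window) detection.  Added example; not from the thread
or any vendor product.  The rule syntax is a small Snort-like subset."""
import re
from collections import defaultdict, deque

# Constructed rules in the Snort-like subset this example parses:
#   action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB dir traversal"; content:"../.."; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:1000002;)',
]

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')


def parse_rule(text):
    """Parse one rule line (hypothetical subset) into a dict with a bytes
    'content' field ready for matching."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("bad rule: " + text)
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
    rule["content"] = rule["opts"]["content"].encode()
    return rule


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def content_alerts(pkt, rules):
    """Content-based check: each rule whose header fits the packet and whose
    content bytes occur in the payload fires once."""
    out = []
    for r in rules:
        if (r["proto"] == pkt["proto"] and _port_ok(r["sport"], pkt["sport"])
                and _port_ok(r["dport"], pkt["dport"]) and r["content"] in pkt["payload"]):
            out.append({"kind": "content", "sid": int(r["opts"]["sid"]),
                        "msg": r["opts"]["msg"], "src": pkt["src"]})
    return out


class RateDetector:
    """Rate-based check: SYN count per source over a sliding time window.
    Fires once per source when the threshold is reached (no payload needed)."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.syns = defaultdict(deque)
        self.fired = set()

    def observe(self, pkt):
        if pkt["proto"] != "tcp" or pkt["flags"] != "S":
            return None
        q = self.syns[pkt["src"]]
        q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > self.window:   # drop SYNs outside window
            q.popleft()
        if len(q) >= self.threshold and pkt["src"] not in self.fired:
            self.fired.add(pkt["src"])
            return {"kind": "rate", "msg": "SYN rate exceeded",
                    "src": pkt["src"], "count": len(q)}
        return None


def run_sensor(packets, rule_texts, threshold=20, window=1.0):
    """Run both detectors over a trace; returns the alert list a sensor would
    ship to a central collector."""
    rules = [parse_rule(t) for t in rule_texts]
    rate = RateDetector(threshold, window)
    alerts = []
    for p in packets:
        alerts.extend(content_alerts(p, rules))
        a = rate.observe(p)
        if a:
            alerts.append(a)
    return alerts


def sample_trace():
    """Constructed trace: a benign GET, a traversal attempt, an FTP SITE EXEC,
    a 25-SYN burst in a quarter second, and a slow 1-SYN-per-second scan."""
    def pkt(ts, src, dport, flags, payload=b""):
        return {"ts": ts, "src": src, "dst": "10.0.0.5", "proto": "tcp",
                "sport": 40000, "dport": dport, "flags": flags, "payload": payload}
    trace = [pkt(0.0, "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
             pkt(0.1, "192.0.2.11", 80, "PA", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
             pkt(0.2, "192.0.2.11", 21, "PA", b"SITE EXEC id\r\n")]
    trace += [pkt(1.0 + i * 0.01, "198.51.100.7", 80, "S") for i in range(25)]
    trace += [pkt(5.0 + i, "192.0.2.12", 80, "S") for i in range(30)]  # stays under rate
    return trace


if __name__ == "__main__":
    for a in run_sensor(sample_trace(), RULES):
        print(a)
```

The slow scanner at the end is the point of the rate detector's window: thirty SYNs spread over thirty seconds never hold more than two entries in the window, so only the burst fires, while the content rules fire regardless of rate. In a real deployment the two checks would also differ in where they run (an inline rate limiter in front of the farm, content signatures on per-VLAN sensors), and the alert dicts would be what each sensor forwards to the central server the thread discusses.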
Current thread:
- RE: Recommending an IDS system, (continued)
- RE: Recommending an IDS system John Kingston (Mar 08)
- RE: Recommending an IDS system Josh Mills (Mar 08)
- RE: Recommending an IDS system JGrimshaw (Mar 09)
- RE: Recommending an IDS system Nick Benigno (Mar 09)
- Re: Recommending an IDS system D B (Mar 10)
- RE: Recommending an IDS system Mitchell Rowton (Mar 10)
- RE: Recommending an IDS system Jim Conner (Mar 11)
- Re: Recommending an IDS system Bob Radvanovsky (Mar 11)
- RE: Recommending an IDS system Nero, Nick (Mar 11)
- RE: Recommending an IDS system Buyer Jr, David (Mar 11)
- Re: Recommending an IDS system Bob Radvanovsky (Mar 12)
- Re: Recommending an IDS system John Kingston (Mar 18)
- RE: Recommending an IDS system Khaled (Mar 24)
- RE: Recommending an IDS system Stephen K. Kodz (Mar 25)
- RE: Recommending an IDS system Haim Chibotero (Mar 29)
- RE: Recommending an IDS system Manoj Kumar Neelapareddy (Mar 30)
- Re: Recommending an IDS system stephen flanagan (Mar 31)
- RE: Recommending an IDS system Manoj Kumar Neelapareddy (Mar 30)