Security Basics mailing list archives
Re: Recommending an IDS system
From: "John Kingston" <JKINGSTON () arvest com>
Date: Thu, 18 Mar 2004 09:49:34 -0600
I'm running a smaller setup than your old employer attempted to run. I do have some comments though. CSPM was and is absolute CRAP. The signature updates required a rebuild of the system (in my case anyway). Cisco sent out an engineer 2 times, and he couldn't figure out what was wrong with it. It's really not important now because it's not supported anymore. We are still using Cisco IDS products. We are currently using CiscoWorks 2000 on Windows 2000 to replace the CSPM product. The version of the sensor supported by CSPM (3.X) has been replaced by a newer, much more stable Red Hat based product (4.X). Using this setup, we haven't had any of the stability problems, updating problems or headache that the CSPM product caused. Just my .02 here. John Kingston
"Bob Radvanovsky" <rsradvan () unixworks net> 03/11/04 04:27PM >>>
re: Cisco IDS, I have a few things to say about Cisco's product: junk. I had worked for a company in my pre-9/11 days, and we had implemented an enterprise-wide IDS solution, mostly to spy on employees and vendors (via extranets). The solution was at all locations where my previous employer had Internet access (San Francisco, Denver and Chicago). The management believed what Cisco told them, and the product was originally called "Cisco Secure Policy Manager" (CSPM), which interfaced with their NetRangr product line. The Netrangrs were decent, but the management of the signatures and their policies was a cobbled, messed up package. The durn thing kept crashing every time the log file area filled up, which usually resulted in rebuilding the entire database -- from scratch. The entire process would *consume* approx. 1 day's worth of hammering against the policy management server that controlled the entire IDS environment. We worked directly with Cisco Product Development, out of both San Francisco and Dallas/Houston areas. Turned out that this product was an "alpha release", and we were their "guinea pig". Also, the IT management wanted to span ALL ports from the various sensors (amounting to over a dozen or so) into ONE inky-dinky "black box" that was maintained by a "security monitoring service". Thing is, the INFOSEC group was usually informed -- several hours later -- that there were keyed-signature attack attempts against their network. Nonetheless, against my recommendation, they decided to implement this cobbled mess into production. It failed -- multiple times. Then I was laid off due to 9/11, and haven't heard anything since. Realistically, with their configuration, and how the IDS environment was installed, they'd never know that someone was attempting to attack them, until it was too late. I strongly do NOT recommend the Cisco IDS product line because of this.
Save yourself the embarrassment and look for alternative commercial solutions if your company wants to go "commercial-grade"; otherwise, consider "open source" as an alternative. ;) Cheers.