Security Basics mailing list archives

Re: Recommending an IDS system


From: "John Kingston" <JKINGSTON () arvest com>
Date: Thu, 18 Mar 2004 09:49:34 -0600

I'm running a smaller setup than your old employer attempted to run.  I do have some comments though.

CSPM was and is absolute CRAP.  The signature updates required a rebuild of the system (in my case anyway).  Cisco sent 
out an engineer 2 times, and he couldn't figure out what was wrong with it.  It's really not important now because it's 
not supported anymore.

We are still using Cisco IDS products.  We are currently using CiscoWorks 2000 on Windows 2000 to replace the CSPM 
product.  The version of the sensor supported by CSPM (3.X) has been replaced by a newer, much more stable Red Hat 
based product (4.X).  Using this setup, we haven't had any of the stability problems, updating problems or headaches 
that the CSPM product caused.

Just my .02 here.
John Kingston

"Bob Radvanovsky" <rsradvan () unixworks net> 03/11/04 04:27PM >>>
re: Cisco IDS, I have a few things to say about Cisco's product: junk.

I had worked for a company in my pre-9/11 days, and we had implemented an
enterprise-wide IDS solution, mostly to spy on employees and vendors (via
extranets).  The solution was at all locations where my previous employer
had Internet access (San Francisco, Denver and Chicago).  The management
believed what Cisco told them, and the product was originally called "Cisco
Secure Policy Manager" (CSPM), which interfaced with their NetRanger product
line.  The NetRangers were decent, but the management of the signatures and
their policies was a cobbled, messed-up package.  The durn thing kept
crashing every time the log file area filled up which usually resulted in
rebuilding the entire database -- from scratch.  The entire process would
*consume* approx. 1 day's worth of hammering against the policy management
server that controlled the entire IDS environment.

We worked directly with Cisco Product Development, out of both San Francisco
and Dallas/Houston areas.  Turned out that this product was an "alpha
release", and we were their "guinea pig".  Also, the IT management wanted to
span ALL ports from the various sensors (amounting to over a dozen or so)
into ONE inky-dinky "black box" that was maintained by a "security
monitoring service".  Thing is, the INFOSEC group was usually
informed -- several hours later -- that there were keyed-signature attack
attempts against their network.

Nonetheless, against my recommendation, they decided to implement this
cobbled mess into production.  It failed -- multiple times.  Then I was
laid-off due to 9/11, and haven't heard anything since.  Realistically, with
their configuration, and how the IDS environment was installed, they'd never
know that someone was attempting to attack them, until it was too late.  I
strongly do NOT recommend the Cisco IDS product line because of this.

Save yourself the embarrassment and look for alternative commercial solutions
if your company wants to go "commercial-grade"; otherwise, consider "open
source" as an alternative.  ;)

Cheers.
