IDS mailing list archives

RE: Network IDS


From: "Zach Forsyth" <Zach.Forsyth () kiandra com>
Date: Fri, 22 Aug 2003 10:29:38 +1000

Yeah a NID does nothing to help you protect your systems...
DMZ and locked down network services are all you need and will protect you against everything...

What sage advice, maybe you should install zone alarm on all the systems as well.
DMZ and lockdown is a single stage, in what I would hope is a much broader strategy.

Duston,

For your particular situation I would look into deploying a NID at the gateway, that will be able to inspect all of the 
traffic flows that are important to you.
I personally enjoy deploying snort, and believe it is a very capable system that can be tuned and configured to do 
amazing things for an open source product.
May not be for you, as I found the Windows version is not as nice to play with as the *nix versions. 
Never did quite work out how to see how many packets snort was dropping (or not) under Windows.
Out of the NIDS based products I like Enterasys Dragon based systems, and would happily recommend them.

Then I would look into deploying a HID based technology to really protect anything deemed highly critical to your 
business.

I have had some fun with Okena StormWatch and would recommend that.
It has now been purchased by Cisco and has been renamed Cisco Security Agent.
The server agents are easily tuned to quite complex systems, and all management is handled centrally by one management 
console.

Another NID of interest may be Entercept, but I gave up on them after having no luck getting decent communication with 
anyone there.
Definitely get out there and evaluate as many technologies as possible.

These are all just my humble opinion and I am sure a great many people will disagree with something I have said.
Bit like Andreas' email.

Good luck with your search.

Zach

-----Original Message-----
From: Andreas Krennmair [mailto:netnews () synflood at] 
Sent: Wednesday, 20 August 2003 5:03 AM
To: focus-ids () securityfocus com
Subject: Re: Network IDS


* Duston Sickler <dustons () charter net> [gmane.comp.security.ids]:
> The Network Administrator for the company I work for has charged me 
> to locate a Network Intrusion Detection System.  We do have a 
> monitored firewall between us and the outside world.  We need 
> something to protect our servers from anyone coming from the inside.

Then a NIDS is not the right thing for you. Network Intrusion Detection is not about protecting systems.

> We have about 20 Windows 2000 Servers, 5 NT 4 Servers, and 250 Windows 
> 2000/Thin Net workstations.

Put the servers into a demilitarized zone and turn off any network services that are running on the workstations/thin 
clients.

regards, ak


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------