IDS mailing list archives

RE: IDS and NMS


From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Tue, 17 Jun 2003 09:48:28 -0700

        I guess you'd have to ask yourself what it was that you were
trying to gain by putting an IDS embedded with a NMS.  Other than from
a hardware resource perspective, I just don't see any benefit.  The
sniffed traffic on our network was generating a log file size of over a
gig an hour in packets, and this was just using header logging, not
verbose logging.  My opinion is that your IDS solution needs to be
separate.
        When considering Defense in Depth, you should not rely on a
single IDS solution.  A single NIDS device is not a panacea.  A static
approach to Intrusion Detection, or a "fire and forget" installation, is
a complete waste of money and will not aid anyone.  You should place
several networked sensors, one on the outside of your firewall (DMZ),
and several parked on critical segments of your network, most likely
using switch mirroring.  Place host-based solutions (embedded firewall
NICs or TCP Wrappers) on critical machines and/or servers to provide
more information as well.  Use a centralized logging mechanism (MySQL,
Apache, Python, etc...) to assist the Intrusion analyst while baselining
your network.

r/Jim Butterworth
SANS GCIA


-----Original Message-----
From: Devdas Bhagat [mailto:dvb () users sourceforge net] 
Sent: Sunday, June 15, 2003 5:42 AM
To: focus-ids () securityfocus com
Subject: Re: IDS and NMS

On 13/06/03 20:51 +0530, Mayank-Bhatnagar wrote:
> hi folks,
>
> Well there is this issue that I would like to put to the group.
> "Requirement of an interface of an IDS with an already installed
> Network Management System".
Couple of questions here:
Is your network management system limited to SNMP?
Or is the SNMP functionality a part of what your management system does
(and can it do more, via different protocols)?
<snip>
> a NMS and also provided IDS functionality using SNMP. The other case is
> where an independent IDS solution (independent of SNMP), getting
> incorporated in a NMS.
You can have both possibilities.
If your IDS does not have SNMP support for management built into it, you
can write a Perl wrapper around it to handle SNMP. The Perl wrapper can
modify as you need.

> How much is this a viable solution or whether such requirement could
> exist, and if yes, what could be implications of same?
Implications, if you build SNMP support for management into the IDS, you
are increasing the probability of compromise of the IDS itself.
The IDS has a management protocol, which will have to be maintained as
well.

> As far as I know, top notch IDS products don't have any integration with
> NMS, Some do send traps (which could be a minimal part of IDS ie sending
> alerts to IDS management console as well as NMS)
Different purposes, different tools.
Commonly:
The network management scenario involves monitoring of various network
components, and their suitability for work. This has to work even in
cases of bad network conditions.
An IDS is looking for weird, abnormal behaviour. This is a subset of a
full network management system, but has typically not been called for.

A good IDS like snort can log to a database and you can extract data
from it automatically, via your favorite programming language.
If you use PostgreSQL, you could write a trigger with pl/perlu to send a
SNMP alert to your NMS for this.

On the other hand, SNMP might not be the best way to see the output of
an IDS, or to manage its configuration (depending on the IDS, the labour
involved in making it SNMP compatible, etc).

Devdas Bhagat

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
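The approach Devdas describes above (Snort alerts already sitting in a database get forwarded to the NMS as SNMP traps, while the IDS itself gets no SNMP management interface) as an added, self-contained example. This is not code from the thread or from any poster, and it uses Python with the standard library rather than the Perl or pl/perlu he mentions, so the SNMPv2c trap is BER-encoded by hand. Everything specific is assumed: the alert rows are constructed to resemble a Snort DB query result, the NMS address and community string are placeholders, and 1.3.6.1.4.1.99999 is a placeholder enterprise OID, not a registered one.

```python
"""
One-way IDS -> NMS bridge: read Snort-style alert rows and emit SNMPv2c traps.

Added example for this thread, not code from any poster. Assumptions:
  * alert rows mirror a Snort 'event' + 'signature' + 'iphdr' join
    (SAMPLE_ALERTS below are constructed, not real data);
  * the NMS trap receiver is at NMS_HOST:162 with community NMS_COMMUNITY
    (both placeholders);
  * 1.3.6.1.4.1.99999 is a placeholder enterprise OID, not a registered PEN.
Only the standard library is used: the SNMP message is BER-encoded by hand.
"""
import socket
import time

NMS_HOST = "192.0.2.10"            # placeholder (TEST-NET-1), not a real NMS
NMS_COMMUNITY = b"public"          # placeholder; use a dedicated trap community
ENTERPRISE = "1.3.6.1.4.1.99999"   # placeholder enterprise OID
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"

# Constructed sample rows, shaped like a Snort database query result.
SAMPLE_ALERTS = [
    {"cid": 1, "sid": 1000001, "priority": 2,
     "msg": "EXAMPLE scan probe", "src": "198.51.100.7", "dst": "192.0.2.20"},
    {"cid": 2, "sid": 1000002, "priority": 1,
     "msg": "EXAMPLE policy violation", "src": "192.0.2.21", "dst": "192.0.2.22"},
]

# ---- minimal BER encoder: just the types an SNMPv2c trap needs ----
def ber_length(n: int) -> bytes:
    """Short form below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value: int, tag: int = 0x02) -> bytes:
    # Minimal two's-complement encoding; a non-negative value whose top bit is
    # set gets a leading 0x00 (TimeTicks and Counter values need this too).
    if value == 0:
        return tlv(tag, b"\x00")
    nbytes = (value.bit_length() + 8) // 8
    return tlv(tag, value.to_bytes(nbytes, "big", signed=True))

def ber_oid(oid: str) -> bytes:
    """First two arcs fold into one byte; the rest use base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)

def ber_ipaddr(ip: str) -> bytes:
    return tlv(0x40, socket.inet_aton(ip))   # SNMP IpAddress application type

# ---- mapping from an alert row to trap varbinds ----
def alert_varbinds(alert: dict) -> list:
    """Return (oid, encoded_value) pairs for one alert under the placeholder OID."""
    base = ENTERPRISE + ".1"
    return [
        (base + ".1", ber_int(alert["sid"])),
        (base + ".2", ber_int(alert["priority"])),
        (base + ".3", ber_octets(alert["msg"].encode())),
        (base + ".4", ber_ipaddr(alert["src"])),
        (base + ".5", ber_ipaddr(alert["dst"])),
    ]

def build_trap(alert: dict, uptime_ticks: int, request_id: int) -> bytes:
    """Encode one SNMPv2c message carrying an SNMPv2-Trap-PDU (RFC 3416, tag 0xA7)."""
    varbinds = [
        (SYS_UPTIME, ber_int(uptime_ticks, tag=0x43)),   # TimeTicks, mandatory first
        (SNMP_TRAP_OID, ber_oid(ENTERPRISE + ".0.1")),    # trap identity, mandatory second
    ] + alert_varbinds(alert)
    vb_list = b"".join(tlv(0x30, ber_oid(o) + v) for o, v in varbinds)
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vb_list))
    return tlv(0x30, ber_int(1) + ber_octets(NMS_COMMUNITY) + pdu)   # version 1 == v2c

def send_trap(message: bytes, host: str = NMS_HOST, port: int = 162) -> None:
    # Fire-and-forget UDP: the sensor only sends and never opens a listening SNMP port.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (host, port))

if __name__ == "__main__":
    start = time.monotonic()
    for alert in SAMPLE_ALERTS:
        ticks = int((time.monotonic() - start) * 100)   # hundredths of a second
        send_trap(build_trap(alert, ticks, request_id=alert["cid"]))
```

Run as a script it sends the two constructed alerts to the placeholder address; point NMS_HOST at a lab trap receiver (for example Net-SNMP's snmptrapd) to see them decoded. The design choice follows the thread's concern: the sensor pushes traps outward and exposes no SNMP management endpoint, so the NMS sees IDS events without the IDS gaining another protocol that has to be maintained and could be attacked. Note that an SNMPv2c community string travels in cleartext, so this is suitable for alerting, not for managing the IDS configuration.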

