IDS mailing list archives
RE: IDS and NMS
From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Tue, 17 Jun 2003 09:48:28 -0700
I guess you'd have to ask yourself what it was that you were trying to gain by putting an IDS embedded with a NMS. Other than from a hardware resource perspective, I just don't see any benefit. The sniffed traffic on our network was generating a log file size of over a gig an hour in packets, and this was just using header logging, not verbose logging. My opinion is that your IDS solution needs to be separate.

When considering Defense in Depth, you should not rely on a single IDS solution. A single NIDS device is not a panacea. A static approach to Intrusion Detection, or a "fire and forget" installation, is a complete waste of money and will not aid anyone. You should place several networked sensors, one on the outside of your firewall (DMZ), and several parked on critical segments of your network, most likely using switch mirroring. Place host-based solutions (embedded firewall NICs or TCP Wrappers) on critical machines and/or servers to provide more information as well. Use a centralized logging mechanism (MySQL, Apache, Python, etc...) to assist the Intrusion analyst while baselining your network.

r/Jim Butterworth
SANS GCIA

-----Original Message-----
From: Devdas Bhagat [mailto:dvb () users sourceforge net]
Sent: Sunday, June 15, 2003 5:42 AM
To: focus-ids () securityfocus com
Subject: Re: IDS and NMS

On 13/06/03 20:51 +0530, Mayank-Bhatnagar wrote:
hi folks, Well there is this issue that I would like to put to the group. "Requirement of an interface of an IDS with an already installed Network Management System".
Couple of questions here: Is your network management system limited to SNMP? Or is the SNMP functionality a part of what your management system does (and can it do more, via different protocols)? <snip>
a NMS and also provided IDS functionality using SNMP. The other case is where an independent IDS solution (independent of SNMP), getting incorporated in a NMS.
You can have both possibilities. If your IDS does not have SNMP support for management built into it, you can write a Perl wrapper around it to handle SNMP. The Perl wrapper can modify as you need.
How much is this a viable solution or whether such requirement could exist, and if yes, what could be implications of same?
Implications, if you build SNMP support for management into the IDS, you are increasing the probability of compromise of the IDS itself. The IDS has a management protocol, which will have to be maintained as well.
As far as I know, top notch IDS products don't have any integration with NMS. Some do send traps (which could be a minimal part of IDS, i.e. sending alerts to IDS management console as well as NMS).
Different purposes, different tools. Commonly: The network management scenario involves monitoring of various network components, and their suitability for work. This has to work even in cases of bad network conditions. An IDS is looking for weird, abnormal behaviour. This is a subset of a full network management system, but has typically not been called for.

A good IDS like snort can log to a database and you can extract data from it automatically, via your favorite programming language. If you use PostgreSQL, you could write a trigger with pl/perlu to send a SNMP alert to your NMS for this. On the other hand, SNMP might not be the best way to see the output of an IDS, or to manage its configuration (depending on the IDS, the labour involved in making it SNMP compatible, etc).

Devdas Bhagat

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
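The thread's suggestion is that the IDS itself stays free of SNMP management (so no extra listening protocol to maintain and attack on the sensor) and that a separate component, such as a database trigger or a wrapper script, forwards selected alerts to the NMS as one-way traps. The following is an added, constructed example of that forwarding component in Python, not code from the thread or from Snort; it is what the pl/perlu trigger or Perl wrapper Devdas describes would have to do. It assumes the alert fields (signature name, priority, source and destination) are handed to it as a dict, as a trigger would see a freshly inserted row, and it uses a placeholder enterprise OID that you would replace with your organisation's own registered arc. The SNMPv2c trap is BER-encoded by hand here so the example runs with only the standard library.

```python
"""Forward IDS alerts to an NMS as SNMPv2c traps (constructed example).

Alert rows, OIDs under EXAMPLE_ENTERPRISE_OID and the community string are
constructed placeholder values, not Snort's real schema or a registered arc.
"""
import socket
import time

EXAMPLE_ENTERPRISE_OID = "1.3.6.1.4.1.99999"   # placeholder: use your own enterprise arc
SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"           # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"        # snmpTrapOID.0, mandatory second varbind

def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-length-value wrapper used by every BER type below."""
    return bytes([tag]) + ber_length(len(payload)) + payload

def encode_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal-length two's-complement INTEGER (0x02) or TimeTicks (0x43)."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, value.to_bytes(length, "big", signed=True))

def encode_string(text: str) -> bytes:
    return tlv(0x04, text.encode("utf-8"))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest in base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # continuation bytes carry the high bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def varbind(oid: str, value: bytes) -> bytes:
    return tlv(0x30, encode_oid(oid) + value)

def build_trap(community: str, uptime_ticks: int, trap_oid: str,
               extra_varbinds: list, request_id: int = 1) -> bytes:
    """SNMPv2c message wrapping an SNMPv2-Trap-PDU (context tag 7 -> 0xA7)."""
    varbinds = [varbind(SYS_UPTIME_OID, encode_int(uptime_ticks, 0x43)),
                varbind(SNMP_TRAP_OID, encode_oid(trap_oid))] + extra_varbinds
    pdu = tlv(0xA7, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, encode_int(1) + encode_string(community) + pdu)   # version 1 == v2c

def alert_to_trap(alert: dict, community: str, max_priority: int = 2,
                  uptime_ticks: int = None, request_id: int = 1):
    """Turn one alert row into a trap, or None if it is below the NMS threshold.

    Filtering here keeps low-priority noise off the management channel; the
    analyst still sees everything in the IDS database.
    """
    if alert["priority"] > max_priority:
        return None
    if uptime_ticks is None:
        uptime_ticks = int(time.monotonic() * 100) & 0xFFFFFFFF   # hundredths of a second
    base = EXAMPLE_ENTERPRISE_OID
    extra = [varbind(base + ".1.1", encode_string(alert["sig_name"])),
             varbind(base + ".1.2", encode_string(alert["src"])),
             varbind(base + ".1.3", encode_string(alert["dst"])),
             varbind(base + ".1.4", encode_int(alert["priority"]))]
    return build_trap(community, uptime_ticks, base + ".0.1", extra, request_id)

def send_trap(message: bytes, nms_host: str, port: int = 162) -> None:
    """Fire-and-forget UDP delivery; the sensor never has to listen for SNMP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message, (nms_host, port))

if __name__ == "__main__":
    # Constructed alert row, as a database trigger would receive it.
    sample = {"sig_name": "EXAMPLE portscan detected", "priority": 1,
              "src": "192.0.2.10", "dst": "198.51.100.20"}
    trap = alert_to_trap(sample, "nms-ro")
    print(len(trap), "byte trap:", trap.hex())
    # send_trap(trap, "nms.example.invalid")   # placeholder NMS address
```

Two design points worth noting. The traps flow outward only, so the IDS host exposes no SNMP listener, which is the point Devdas makes about not building management into the IDS. The community string is sent in clear text in SNMPv2c, so on a real deployment the trap receiver should be on a dedicated management segment, or the forwarder should use SNMPv3 with authentication and privacy, and the NMS should treat trap contents as untrusted input from the monitored network.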
Current thread:
- RE: False Positives (Definitions White Paper) Markle, Scott (Jun 05)
- IDS and NMS Mayank-Bhatnagar (Jun 13)
- RE: IDS and NMS David Markle (Jun 17)
- RE: IDS and NMS Jim Butterworth (Jun 17)
- Re: IDS and NMS Devdas Bhagat (Jun 17)
- RE: IDS and NMS Jim Butterworth (Jun 17)
- Re: IDS and NMS Devdas Bhagat (Jun 18)
- RE: IDS and NMS Jim Butterworth (Jun 18)
- Re: IDS and NMS Devdas Bhagat (Jun 18)
- RE: IDS and NMS David Markle (Jun 17)
- RE: IDS and NMS Mayank-Bhatnagar (Jun 19)
- IDS and NMS Mayank-Bhatnagar (Jun 13)
- Re: IDS and NMS Mayank-Bhatnagar (Jun 18)