IDS mailing list archives

RE: IDS and NMS


From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Tue, 17 Jun 2003 09:51:00 -0700

I agree with David's bottom line...  If you have full-time Intrusion
Analysts, don't mix and match; if you're wearing about 15 different
hats, you might consider a hardware solution...
R/Jim Butterworth
SANS GCIA

-----Original Message-----
From: David Markle [mailto:davidmarkle () comcast net] 
Sent: Saturday, June 14, 2003 10:55 AM
To: Mayank-Bhatnagar; focus-ids () securityfocus com
Subject: RE: IDS and NMS

I am not sure that I completely follow your question, but here goes:

There are a few options that are available to you.

As far as sharing the monitoring segment with an NMS system, one could use
an aggregation-type switch to collect all of the SPANned or tapped segments
you monitor, then pass them out several monitor ports to the NMS and IDS
simultaneously.  Several options are available.  I like the Cisco 4006 CatOS
switch because it provides for 1.) the ability to assign collection ports as
"span ingress" ports (minimizing loops) and 2.) it supports up to 5 "egress"
span ports.  This unit collects all the monitor traffic and sends parts or
all of the traffic to the monitoring hosts.

With respect to your NMS question, some NMS companies are now combining
their efforts with IDS.  Take for instance Niksun.  They now offer a Snort
add-in to do IDS as well as the NMS.  I assume that they use the same
monitoring infrastructure on the back end.

Finally, there are many IDS systems (like Snort, Dragon, etc.) that will
support native SNMP to a backend SNMP monitor (i.e. OpenView, Tivoli, etc.).

So, ultimately, the decision depends on your infrastructure, the amount of
$$ you want to spend, and how and who monitors/manages the IDS
analysis/monitoring and NMS analysis/monitoring.

Hope I answered your questions.

Thanks.

David Markle

-----Original Message-----
From: Mayank-Bhatnagar [mailto:mayank () ncb ernet in]
Sent: Friday, June 13, 2003 11:21 AM
To: focus-ids () securityfocus com
Subject: IDS and NMS


Hi folks,

Well, there is this issue that I would like to put to the group:
"Requirement of an interface of an IDS with an already installed Network
Management System".

Let me state it like this: if we have a managed IDS product, it might have
its own management console and its own configurations, server, etc.

However, an organisation which is running an NMS might wish to incorporate
IDS and its features on the NMS itself and might not wish to invest in
another management console.

There are some products like HP OpenView which incorporate IDS in their
feature set.  But this scenario is different in the sense that one has built
an NMS and also provided IDS functionality using SNMP.  The other case is
where an independent IDS solution (independent of SNMP) gets incorporated
in an NMS.

How much of a viable solution is this, or could such a requirement exist,
and if yes, what could be the implications of the same?
As far as I know, top-notch IDS products don't have any integration with
NMS; some do send traps (which could be a minimal part of IDS, i.e. sending
alerts to the IDS management console as well as the NMS).

Hope I am clear enough.....

Waiting for some views......

thanks and regards,
Mayank

-------------------------------------------------------------------------------
P.N.: The views expressed in this mail are solely the personal opinion of
the mailer
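David's point that IDS products such as Snort and Dragon can speak native SNMP to a backend monitor like OpenView or Tivoli is concrete enough to show on the wire. The following is an added example, not code from any poster or product named in this thread: it maps a constructed Snort fast-format alert line into an SNMPv2c trap (BER-encoded as laid out in RFC 3416) of the kind a generic trap receiver accepts, and includes a minimal TLV decoder so the result can be checked. The enterprise OID branch (`1.3.6.1.4.1.99999.1`), the community string and the sample alert are placeholders, not real assignments or captures.

```python
import re

ENTERPRISE = "1.3.6.1.4.1.99999.1"  # placeholder enterprise branch, not a real PEN
SAMPLE_ALERT = ("06/13-11:21:05.123456  [**] [1:1000001:1] LOCAL SSH scan [**] "
                "[Priority: 2] {TCP} 10.0.0.5:43210 -> 10.0.0.9:22")  # constructed, not a capture
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
                      r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)")

def ber(tag, body):
    """Definite-length BER TLV: short length form below 128 bytes, long form above."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + body

def ber_int(v, tag=0x02):
    """Non-negative INTEGER (or TimeTicks with tag 0x43) in two's complement."""
    return ber(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return ber(0x06, bytes(body))

def ber_decode(buf):
    """Split one TLV off buf -> (tag, body, remainder); the receiver's first step."""
    k = 0 if buf[1] < 0x80 else buf[1] & 0x7F
    n = buf[1] if k == 0 else int.from_bytes(buf[2:2 + k], "big")
    return buf[0], buf[2 + k:2 + k + n], buf[2 + k + n:]

def alert_to_trap(line, community="public", uptime_ticks=0, request_id=1):
    """Message{version=1 (v2c), community, SNMPv2-Trap-PDU [7]} for one alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a Snort fast-format alert")
    varbinds = [  # sysUpTime.0 and snmpTrapOID.0 are mandatory in every v2 trap
        (ber_oid("1.3.6.1.2.1.1.3.0"), ber_int(uptime_ticks, 0x43)),
        (ber_oid("1.3.6.1.6.3.1.1.4.1.0"), ber_oid(ENTERPRISE + ".0.1")),
        (ber_oid(ENTERPRISE + ".1.1"), ber_int(int(m["sid"]))),        # rule SID
        (ber_oid(ENTERPRISE + ".1.2"), ber(0x04, m["msg"].encode())),  # alert message
        (ber_oid(ENTERPRISE + ".1.3"), ber(0x04, m["src"].encode())),  # source address
        (ber_oid(ENTERPRISE + ".1.4"), ber(0x04, m["dst"].encode())),  # destination
    ]
    vbl = ber(0x30, b"".join(ber(0x30, o + v) for o, v in varbinds))
    pdu = ber(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + vbl)
    return ber(0x30, ber_int(1) + ber(0x04, community.encode()) + pdu)
```

The bytes returned by `alert_to_trap` are a complete UDP payload for port 162; a receiver that does not know the enterprise MIB still sees the alert fields as plain OCTET STRINGs, which is the "minimal" trap integration Mayank describes.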

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------