Full Disclosure mailing list archives
Re: Suggestion for IDS
From: Reto Inversini <mlsecurity () lab42 ch>
Date: Wed, 28 Sep 2005 22:06:00 +0200
Hi, Michael Holstein wrote:
Our company plan to install IDS to protect our resources, I'm already read about snort as NIDS, but, that's software based. I'm interesting with hardware based that will work transparently with our Cisco PIX, no need to make changes in our firewall. What's your suggestion.
Don't throw away your money would be my first advice :-) Think about what you need to protect and against who. Calculate your risks and define what measures could mitigate these - an IPS is just one of these and IMHO not the first one I would use. If you want to stick with Cisco, there is also an IDS module for the PIX: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/ But I never played with it, so I can't give you any advice about that.
My first piece of advice on this is to ignore any company that says they deliver a "turnkey" solution. Such a thing doesn't exist.
Full Ack.
Any IDS will work with any firewall .. unless, of course, you want to connect the two together (eg: dynamically ACL the PIX based on what the IDS sees). That, IMHO, is an invitation do DOS yourself (think .. I spoof a packet that --looks like an attack-- from your upstream router, or smtp server, etc). There's dozens of ways to do this, including free with snort.
To add to the burden: An IDS/IPS can be tricked in many ways by a skilled attacker. Therefore, you still need other measures of protection for your resources. Another question is, how you deal with encrypted traffic, e.g. traffic to an SSL aware application. Of course you can break up the SSL traffic and inspect it, but this has serious privacy issues and poses another risk. If you don't break it up, your application is still vulnerable to e.g. SQL Injections.
You can also examine snort's "inline" mode in which you setup bridging between two interfaces, and let snort "decide" which packets to forward. In order to make such a thing redundant, be prepared to do some fancy H/A stuff with a pair of servers. And don't forget .. an IDS is certianly not "fix and forget" .. it requires daily tinkering (new sigs come out daily .. and they're almost always noisy and require tuning). In most any decent sized network, having a dedicated admin to chase the IDS alerts and keep an eye on things is almost a given.
If you really want to "buy" something useful, hire the best admins available - the ones that take it personally if a system/network doesn't work as expected. A skilled admin is by far the best protection for your resources.
And as for having an IDS "protect" your network .. well .. forget that. An IDS is great for statistical research and forensics .. but with botnets and whatnot going SSL, you're time/resources are much better spent finding your vulnerabilities and patching your hosts.
Yep, and if you want to go even further, harden your hosts, follow the principle of least privilege and do a decent network separation. And if you still have some money after that, you can go for an IPS. An IPS can only work in a very well segmented and documented network. You need to know your traffic very well, otherwise it would be a shot in your own leg, if you deploy an IPS as the service interruptions caused by it would exceed the downtimes by malicious attacks by far.
My $0.02.
I've thrown in another $0.02 :-)
Cheers, Michael Holstein CISSP GCIA
Best regards Reto Inversini _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Suggestion for IDS Fajar Edisya Putera (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Peer Janssen (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Joel Esler (Sep 28)
- Re: Suggestion for IDS Peer Janssen (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Reto Inversini (Sep 28)
- RE: Suggestion for IDS Randall M (Sep 29)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- Re: Suggestion for IDS Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Lew Wolfgang (Sep 28)
- IDS features (was: Suggestion for IDS) Alejandro Barrera (Sep 28)
- Re: IDS features (was: Suggestion for IDS) Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- <Possible follow-ups>
- Re: Suggestion for IDS J. Oquendo (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)