nanog mailing list archives

Re: Intrusion Detection recommendations


From: Rafael Possamai <rafael () gav ufsc br>
Date: Fri, 13 Feb 2015 14:45:46 -0600

I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA. Depending on
the traffic you have on your fiber uplink, you can get a redundant pair of
ASAs running for less than $2,000 in the US. I just find it less stressful
to use a solution like ASA rather than worrying about patching your kernel
every so often and worrying about possible vulns in the ipfw/pf code.
That, and you have to make sure EVERYTHING is taken into account when you
create your rules, which requires some intense knowledge of either ipfw, pf
or both.

I am not an expert in intrusion detection, so with regard to that, I'd
just set up a honeypot and monitor activity. You can also regularly run
penetration tests on your own network and see how well you are protected.
Just make sure the appropriate people know about these tests so you don't
get wrongfully reported.


Rafael


On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy () newslink com> wrote:

NANOG'ers,

I've been tasked by our company president to learn about, investigate and
recommend an intrusion detection system for our company.

We're a smaller outfit, less than 100 employees, entirely Apple-based.
Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
world. We are protected by a FreeBSD firewall setup, and we stay current on
updates/patches from Apple and FreeBSD, but that's as far as my expertise
goes.

Initially, what do people recommend for:

1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or
software
3. Other things I'm likely overlooking

Thank you all in advance for your wisdom.


----
Andy Ringsmuth
andy () newslink com
News Link – Manager Technology & Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397    (402) 304-0083 cellular
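The honeypot Rafael suggests above, as an added example that is not code from the original thread: a minimal low-interaction TCP listener in Python that sits on a few ports nothing on the network should legitimately contact, records every connection as one JSON line (time, source, port, a hex sample of the first bytes, a rough protocol guess) and never answers, so any hit at all is a signal that a host is scanning or probing. The port list, the log path, the protocol heuristics and the idea of running it on a spare FreeBSD box or Mac Mini are all assumptions for this example.

```python
"""Minimal low-interaction TCP honeypot (added example, not code from the thread).

Listens on ports that nothing on the network should legitimately contact,
records every connection as one JSON line and never answers, so any hit is a
signal: a host is scanning or probing a service it has no business touching.
The port list, log path and protocol heuristics are assumptions for this example.
"""
import json
import socket
import threading
import time

HONEY_PORTS = (2222, 3389, 5900, 8080)   # assumption: ports the site does NOT serve
LOG_PATH = "/var/log/honeypot.jsonl"     # assumption: append-only event log
READ_TIMEOUT = 3.0                       # seconds to wait for the client's first bytes


def guess_protocol(first_bytes):
    """Rough guess at what the client wanted, from its first bytes (heuristic)."""
    if not first_bytes:
        return "silent-connect"          # connect with no payload: typical of scanners
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    if first_bytes.startswith(b"RFB "):
        return "vnc"                     # RFB is the VNC handshake banner
    if first_bytes.startswith(b"\x03\x00"):
        return "rdp-tpkt"                # RDP rides on TPKT, version byte 3
    return "unknown"


def build_event(src_ip, src_port, dst_port, first_bytes, now=None):
    """One log record; only a short hex sample of the payload is kept, not raw bytes."""
    ts = time.gmtime(time.time() if now is None else now)
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", ts),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "proto": guess_protocol(first_bytes),
        "sample_hex": first_bytes[:32].hex(),
    }


def make_listener(port, host="0.0.0.0"):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def handle_client(conn, addr, dst_port, sink):
    """Read the first bytes (or time out), record the event, close without replying."""
    conn.settimeout(READ_TIMEOUT)
    try:
        data = conn.recv(256)
    except OSError:                      # timeout or reset: still worth logging
        data = b""
    finally:
        conn.close()
    sink(build_event(addr[0], addr[1], dst_port, data))


def serve_once(listener, sink):
    conn, addr = listener.accept()
    handle_client(conn, addr, listener.getsockname()[1], sink)


def serve_forever(listener, sink):
    while True:
        serve_once(listener, sink)


def append_jsonl(event, path=LOG_PATH):
    with open(path, "a") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")


def self_probe(payload):
    """Loopback end-to-end check: probe an ephemeral honeypot port, return the event."""
    events = []
    listener = make_listener(0, host="127.0.0.1")
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_once, args=(listener, events.append))
    worker.start()
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(payload)              # a constructed probe, e.g. an SSH banner
    client.close()
    worker.join(10)
    listener.close()
    return events[0]


if __name__ == "__main__":
    for p in HONEY_PORTS:
        threading.Thread(target=serve_forever, args=(make_listener(p), append_jsonl),
                         daemon=True).start()
    print("honeypot listening on", HONEY_PORTS, "-> events appended to", LOG_PATH)
    while True:
        time.sleep(60)
```

Run it as `python3 honeypot.py` on a host that serves none of the listed ports and tail the JSON log; because legitimate traffic should never reach those ports, the log needs no tuning and a single line in it is enough to go and look at the source host. The sink is a plain callable so the same events can be handed to syslog or a SIEM instead of a file, and `self_probe` shows the whole path from connect to record on loopback. As Rafael notes, tell the appropriate people before you point a scanner at it yourself.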
