Re: Network IDS

["Andy Cuff [talisker]" <offthecuff () lineone net>]

Hi Duston
There are loads of network IDS out there that meet your requirements, I'm
sure most of the vendors will have pinged you off list by now.  All the NIDS
I know of are on my site at http://www.networkintrusion.co.uk/N_ids.htm with
a few salient details on each.  With so few servers it may be worth
considering running a Host Intrusion Prevention System on each, though this
will blind you from seeing attacks against your other hosts.  Personally I'd
highly recommend a NIDS and HIPS but make sure the output can be correlated
otherwise there will be a higher management overhead.  Snort is a viable
contender to the commercial products though it is not free as some suggest.
Yes it costs you nothing in licensing but it still has to be managed, you
also have to react to it's output.

Cisco's rebadged Stormwatch is very good, though I haven't played with their
NIDS for a very long time.  ISS RealSecure desktop protector coupled with
Realsecure Network Sensor 7 will ease your entry into IDS but it tends to be
pretty noisy, though tuning is easier of late.

I'd recommend attending Learning Tree International's Deploying IDS course
http://www.learningtree.com/courses/588.htm before you make a choice  as it
introduces various products including Snort, more importantly lets you play
with them !

just a few thoughts
take care
-andy
Taliskers Network Security Tools
http://www.networkintrusion.co.uk
----- Original Message ----- 
From: "Duston Sickler" <dustons () charter net>
To: <security-basics () securityfocus com>
Sent: Friday, August 15, 2003 6:30 PM
Subject: Network IDS


> Hello,
>
> I would like to thank in advance everyone who is out of the office.  I
> really do like to hear about it.
>
> The Network Administrator for the company I work for has charged me to
> locate a Network Intrusion Detection System.  We do have a monitored
> firewall between us and the outside world.  We need something to protect
our
> servers from anyone coming from the inside.  We have about 20 Windows 2000
> Servers, 5 NT 4 Servers, and 250 Windows 2000/Thin Net workstations.
>
> We live in a 100% Windows world and the powers that be will not be
receptive
> to any *nix solutions.  We are more the willing to pay for a top of the
line
> product as long is it is in fact top of the line.
>
> Currently I have been looking at the Symantec Gateway Device.  We like the
> idea of a stand alone piece of hardware.  The only problem is we already
> have a gateway server washing our email of viruses and 99% of Spam.
>
> Does anyone have any comments on the Symantec Gateway device?  We have had
> excellent experiences with there Gateway software and NAV Corp.  Does
anyone
> have a different or better device that they could point me towards?
>
> I would like to thank everyone who replies to this post.  I have learned a
> great deal being on this list the last year and will continue to
appreciate
> all the expertise that is freely given here.
>
> Duston Sickler
> CompTIA A+ Certified
> "Cedo nulli."
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------