Security Basics mailing list archives

RE: Recommending an IDS system


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 26 Feb 2004 15:29:39 -0800

> I want to be able to monitor over 100 internet-facing servers (behind firewalls and load balancers) and alert / and possibly block non-normal traffic / detected attack signatures.

Then your IDS needs to integrate with your security infrastructure, i.e. Cisco, Checkpoint, etc., to stop/shape traffic depending on your needs. IDS is just a detection system; the alerting part is easy, but if you want it to stop/shape traffic you need to look at your infrastructure vendors.

> After doing some reading into different methods, IDS v IPS, Host v Network, I favor a combination. We have at any one time up to 50,000 concurrent connections to our systems, so I have a problem of scale. One Snort box is just not going to cut it!

You wouldn't use one anyway; that's silly. No matter what IDS you use, just placing one on your network and thinking you're golden is IMHO irresponsible. You need to separate your network into zones, banks of servers, logical network subnets, different locations, etc. From there place your IDS systems on a network choke point that shapes traffic to each bank, i.e. behind a router. I have a small network, less than 300 users, and I have multiple Snort boxes talking back to an MSSQL database using ACID to view the data.

> Looking at how I can "tap" into the network traffic has been partially solved by using IDSVLANs, which is supported by our switch hardware (Nortel 8600). So an IDSVLAN could be set up for each of our existing VLANs and a couple of load-balanced IDS boxes per IDSVLAN to alert to a central server to produce reports / alert / wake people up.... Sounds great.

Most switches provide 'port mirroring', where you can allow a port to see other ports' traffic. IDSVLANs is just a fancy implementation of port mirroring technology. I have an old Bay Networks switch that supports the technology, but they didn't use marketing jargon :-). The problem with these, and it always has been, is that network IDS is best behind a traffic-shaping device, like a router, firewall, bridge, etc. You don't want your IDS seeing everything, just the stuff you care about, and if your router has taken care of the problem (ACLs) then you don't want to get an alert on it because the IDS box is sitting on your core layer 3 switch with port mirroring on for every port. You also need to think about the extra load you put on your switch when mirroring traffic; that's CPU, memory and backplane (sometimes network) bandwidth being used for every packet that needs to be duplicated.

> Though I have not looked at it in as much detail as network-based IDS, I expect I can get a host-based IDS to also alert (SNMP or whatever) to a central server to again produce reports / alerts / wake people up.

I always use both, and I don't think you should ever just have a network- or host-based IDS. For example, someone dumpster dives and finds a piece of paper with some passwords on it. Then they access your network, say from a VPN account that was on the paper, and access your server. This is all normal traffic; the Net-IDS won't see it. But when they try adding accounts and uploading backdoors/rootkits to your system your network IDS trips and you get the bugger.


> I am interested to hear what systems you use to do IDS / IPS. Do you have in place IDS systems for platforms of a larger or similar scale? I would like to hear from people who have faced similar challenges.

I've used Tripwire on larger installs for Net- and Host-based IDS protection. I've also used Cisco's solution to interface with the IDS based on the routers and firewalls, all tying back to a central syslog/db server that will notify people.

> Am I trying to do too much, should I just concentrate on host-based IDS?

You need both; one is not good without the other. Note you WILL get a LOT more false positives with Net-IDS than Host-IDS.

> Is network-based IDS the right way to go?
> Or am I right in trying to do both?

Again, same answer as above.

> Should I be using an open source product to do ID?
> Are there commercial products which can do what I want?

I've always liked Tripwire when I have the money and a security need that matches. Otherwise I use Snort with ACID and other Open Source solutions.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
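The host-side check Shawn describes, a Tripwire-style baseline that still catches the added account and dropped files when the VPN login itself looked like normal traffic to the network IDS, as an added example that is not part of the original post or of Tripwire's own code. Paths, file contents and passwd entries are constructed sample data; a real deployment reads the files from disk and keeps the baseline off-host so an intruder cannot rewrite it.

```python
import hashlib
from typing import Dict, List

# Constructed sample data standing in for two reads of a host's disk: the
# baseline taken at install time, and the state after someone logged in over
# a valid VPN account and made changes the network IDS never saw.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                   b"www:x:33:33:www:/var/www:/sbin/nologin\n",
    "/usr/sbin/sshd": b"constructed-original-sshd-binary",
}
CURRENT_FILES: Dict[str, bytes] = {
    "/etc/passwd": BASELINE_FILES["/etc/passwd"]
                   + b"support:x:0:0::/tmp:/bin/bash\n",     # added uid-0 account
    "/usr/sbin/sshd": b"constructed-replaced-sshd-binary",    # replaced daemon
    "/var/www/uploads/.x": b"constructed-backdoor-placeholder",  # dropped file
}

def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Tripwire-style baseline: one SHA-256 per monitored path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def accounts(passwd: bytes) -> Dict[str, int]:
    """Map username -> uid from passwd-format text."""
    result = {}
    for line in passwd.decode().splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            result[fields[0]] = int(fields[2])
    return result

def host_check(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> List[str]:
    """Return one alert string per integrity or account change, ready for syslog."""
    alerts = []
    before, after = snapshot(baseline), snapshot(current)
    for path in sorted(set(before) | set(after)):
        if path not in before:
            alerts.append(f"ADDED {path}")
        elif path not in after:
            alerts.append(f"REMOVED {path}")
        elif before[path] != after[path]:
            alerts.append(f"MODIFIED {path}")
    old_acc = accounts(baseline.get("/etc/passwd", b""))
    new_acc = accounts(current.get("/etc/passwd", b""))
    for user in sorted(set(new_acc) - set(old_acc)):
        # a brand-new uid-0 account is the loudest signal, so flag it explicitly
        suffix = " uid=0" if new_acc[user] == 0 else ""
        alerts.append(f"NEW_ACCOUNT {user}{suffix}")
    return alerts
```

`host_check(BASELINE_FILES, CURRENT_FILES)` returns four alerts (the modified passwd and sshd, the added upload, and the new uid-0 account), while comparing the baseline with itself returns none; each line is what you would forward to the central syslog/db server the thread talks about.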
