Security Basics mailing list archives
RE: Recommending an IDS system
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 26 Feb 2004 15:29:39 -0800
> I want to be able to monitor over 100 internet-facing servers (behind firewalls and load balancers) and alert / and possibly block non-normal traffic / detected attack signatures.
Then your IDS needs to integrate with your security infrastructure, i.e. Cisco, Checkpoint, etc., to stop/shape traffic depending on your needs. IDS is just a detection system; the alerting part is easy, but if you want it to stop/shape traffic you need to look at your infrastructure vendors.
> After doing some reading into different methods, IDS v IPS, Host v Network, I favor a combination. We have at any one time up to 50,000 concurrent connections to our systems, so I have a problem of scale. One Snort box is just not going to cut it!
You wouldn't use one anyway, that's silly. No matter what IDS you use, just placing one on your network and thinking you're golden is IMHO irresponsible. You need to separate your network into zones: banks of servers, logical network subnets, different locations, etc. From there, place your IDS systems on a network choke point that shapes traffic to each bank, i.e. behind a router. I have a small network, less than 300 users, and I have multiple Snort boxes talking back to an MSSQL database, using ACID to view the data.
> Looking at how I can "tap" into the network traffic has been partially solved by using IDSVLANs, which is supported by our switch hardware (Nortel 8600). So an IDSVLAN could be set up for each of our existing VLANs and a couple of load-balanced IDS boxes per IDSVLAN to alert to a central server to produce reports / alert / wake people up.... Sounds great.
Most switches provide 'port mirroring', where you can allow a port to see other ports' traffic. IDSVLANs are just a fancy implementation of port mirroring technology. I have an old Bay Networks switch that supports the technology, but they didn't use marketing jargon, :-). The problem with these, and it always has been, is that network IDS is best behind a traffic-shaping device, like a router, firewall, bridge, etc. You don't want your IDS seeing everything, just the stuff you care about, and if your router has taken care of the problem (ACLs) then you don't want to get an alert on it because the IDS box is sitting on your core layer 3 switch with port mirroring on for every port. You also need to think about the extra load you put on your switch when mirroring traffic: that's CPU, memory and backplane (sometimes network) bandwidth being used for every packet that needs to be duplicated.
> Though I have not looked at it in as much detail as network-based IDS, I expect I can get a host-based IDS to also alert (SNMP or whatever) to a central server to again produce reports / alerts / wake people up.
I always use both, and I don't think you should ever just have a network- or host-based IDS. For example, someone dumpster dives and finds a piece of paper with some passwords on it. Then they access your network, say from a VPN account that was on the paper, and access your server. This is all normal traffic; the Net-IDS won't see it. But when they try adding accounts and uploading backdoors/rootkits to your system, your network IDS trips and you get the bugger.
> I am interested to hear what systems you use to do IDS / IPS. Do you have in place IDS systems for platforms of a larger or similar scale? I would like to hear from people who have faced similar challenges.

I've used Tripwire on larger installs for Net- and Host-based IDS protection. I've also used Cisco's solution to interface with the IDS based on the routers and firewalls, all tying back to a central syslog/db server that will notify people.
> Am I trying to do too much, should I just concentrate on host-based IDS?

You need both; one is not good without the other. Note you WILL get a LOT more false positives with Net-IDS than Host-IDS.
> Is network-based IDS the right way to go? Or am I right in trying to do both?
Again, same answer as above.
> Should I be using an open source product to do ID? Are there commercial products which can do what I want?
I've always liked Tripwire when I have the money and a security need that match. Otherwise I use Snort with ACID and other Open Source solutions.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338 (800) 325-1199 x338
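Added illustration, not part of Shawn's reply or any product he names: a toy central collector that applies two points from the thread, that a network IDS alert about traffic the edge router's ACL already dropped is noise, and that a host-IDS event on the same server as a surviving network alert is what should wake someone up. The ACL rules, hostnames and sensor messages are all constructed sample data.

```python
"""Toy central alert triage: suppress network alerts the edge ACL already
handled, then escalate hosts that show both network and host IDS events.
Everything below (ACL, events, hostnames) is constructed sample data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed edge ACL, Cisco-style: evaluated top down, first match wins,
# implicit deny at the end. Only web traffic reaches the server bank, plus
# SSH from a constructed admin subnet.
ACL = [
    ("permit", "0.0.0.0/0", 80),
    ("permit", "0.0.0.0/0", 443),
    ("permit", "192.0.2.0/24", 22),
]

# Constructed sensor output: (kind, host, src_ip, dst_port, message).
# "net" rows come from the Snort sensors, "host" rows from host-based IDS.
EVENTS = [
    ("net", "web01", "198.51.100.7", 23, "TELNET login attempt"),
    ("net", "web01", "203.0.113.9", 80, "WEB-IIS cmd.exe access"),
    ("host", "web01", "-", 0, "new local account added: svc_adm"),
    ("host", "db02", "-", 0, "checksum changed: /usr/bin/login"),
    ("net", "web03", "203.0.113.9", 135, "MS RPC probe"),
]


def acl_permits(src, dst_port):
    """Return True if the edge ACL would have let this packet through."""
    for action, net, port in ACL:
        if ip_address(src) in ip_network(net) and dst_port == port:
            return action == "permit"
    return False  # implicit deny: the router dropped it before the servers


def triage(events):
    """Return (kept_alerts, suppressed_messages, hosts_to_escalate)."""
    kept, suppressed = [], []
    kinds_by_host = defaultdict(set)
    for kind, host, src, port, msg in events:
        if kind == "net" and not acl_permits(src, port):
            suppressed.append(msg)  # already blocked upstream: no page needed
            continue
        kept.append((kind, host, msg))
        kinds_by_host[host].add(kind)
    # Both sensor types firing on one server: the "wake people up" case.
    escalate = sorted(h for h, k in kinds_by_host.items() if k == {"net", "host"})
    return kept, suppressed, escalate


if __name__ == "__main__":
    kept, suppressed, escalate = triage(EVENTS)
    print("suppressed:", suppressed)
    print("escalate:", escalate)
```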
Current thread:
- Recommending an IDS system Matthew MacAulay (Feb 26)
- Re: Recommending an IDS system Scott M. Algatt (Feb 27)
- <Possible follow-ups>
- RE: Recommending an IDS system Shawn Jackson (Feb 26)