Security Basics mailing list archives
RE: Recommending an IDS system
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Wed, 3 Mar 2004 12:41:30 -0500
Same here - haven't used the ISS, but I have no problem with auto updates, and Cisco is releasing signatures very quickly. That hasn't always been the case; but last week, there were 3 updates alone. -----Original Message----- From: Hoang, Binh P,,DMDCWEST [mailto:Hoangbp () osd pentagon mil] Sent: Tuesday, March 02, 2004 9:13 PM To: 'Buyer Jr, David'; 'security-basics () securityfocus com' Subject: RE: Recommending an IDS system I never worked with ISS IDS appliance before so I can't really comment on it. However, on Cisco IDS sensor appliances, as well as their switches' IDSMs,you can update the signatures for those automatically using Auto Update feature on VMS/IDS Management Center (IDS MC) or Auto Update using PDM. As for the time frame of update signatures, it doesn't really matter that much as you can always write a customized signatures based on the behavior of the new worms/attacks. Just my 2 cents. Binh -----Original Message----- From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org] Sent: Tuesday, March 02, 2004 9:29 AM To: 'security-basics () securityfocus com' Subject: RE: Recommending an IDS system We have been using Cisco IDS systems for a number of years and recently switched over to the new ISS Proventia Series appliances. I have worked with both extensively and I have to say that the ISS solution is MUCH better than the Cisco solution. Some of the big differences are that the ISS people get out a sig about 2 weeks before Cisco even touches it. Also, the Cisco sensors don't have a way of automatically downloading and installing the new sigs. Its all a manual process that is a pain in the A** Reporting is much much better and faster on the ISS as well. There are many more advantages of going with ISS so if you need anymore info email me. I still have all my data sheets that I did when we were testing all the solutions. PS - go with the inline stuff (IPS). Snort also has an inline patch available. David Buyer -----Original Message----- From: Josh Mills [mailto:JMills () cnbwaco com] Sent: Monday, March 01, 2004 6:19 PM To: Reza Kordi; Andy Cuff; security-basics () securityfocus com Subject: RE: Recommending an IDS system I have implemented a new cisco ids solution and i am very pleased with it! the signatures are highly tunable for a commercial package and it seems to be pretty stable. the sensor itself runs on redhat so maybe it isnt that much different than snort. -----Original Message----- From: Reza Kordi [mailto:rk () 4unet net] Sent: Monday, March 01, 2004 2:03 PM To: 'Andy Cuff'; security-basics () securityfocus com Subject: RE: Recommending an IDS system Hi Andy How good can vendor independant IDS solutions (Specially Opensource) work in an Enterprise Cisco Based network? What do you think about Cisco IDS solutions? Best Regards Mit freundlichen GrĂ¼ssen Meilleures Salutations med vennlig hilsen Reza Kordi -----Original Message----- From: Andy Cuff [mailto:lists () securitywizardry com] Sent: Samstag, 28. Februar 2004 11:21 To: Matthew MacAulay; security-basics () securityfocus com Subject: Re: Recommending an IDS system Importance: Low Hi Mat, I was faced with the same dilemma some years back, my site below details the various technologies you can bring to bear. I also wrote an article for SecurityFocus regarding deploying IDS from a vendor neutral standpoint http://www.securityfocus.com/infocus/1754 I'd suggest starting simply and building up but always keep the defence in depth end goal in sight. Also, don't forget that in addition to detecting attacks you have to react to them also. If you need further advice offlist don't hesitate to ask. Finally, if you go down the Network IPS route there are 2 main varieties; rate based and content based, I refer to the former as Attack Mitigation Systems they fill an important role but IMHO are not IPS. Ideally you should have both varieties. There are some products that claim to do both, but ..... take care -andy Talisker Security Tools Directory http://www.securitywizardry.com ----- Original Message ----- From: "Matthew MacAulay" <matthew.macaulay () cobweb couk> To: <security-basics () securityfocus com> Sent: Thursday, February 26, 2004 12:36 PM Subject: Recommending an IDS system
Hello, I have been tasked with looking at and recommending an IDS system for my company. I have been looking at open source products (Snort) which seems to be a very good system with a lot of community support. My problem is we are an ASP. We want connections to be able to reach our systems for the services we provide. I want to be able to monitor over 100 internet facing servers (behind Firewalls and load balancers) and alert / and possibly block non normal traffic / detected attack signatures. After doing some reading into different methods IDS v IPS, Host v Network, I favour a combination, we have at anyone time up to 50,000 concurrent connections to our systems so I have a problem of scale. One Snort box is just not going to cut it! Looking at how I can "tap" into the network traffic has been partially solved by using IDSVLANS which is supported by our Switch hardware. (Nortel 8600) So an IDSVLAN could be setup for each of our existing VLANS and a couple of load balanced IDS boxes per IDSVLAN to alert to a central server to produce reports / alert / wake people up.... Sounds great. Though I have not looked at it in as much detail as network based IDS, I expect I can get a hosts based IDS to also alert (SNMP or what ever) to a central server to again produce reports / alerts / wake people up. I am interested to here what systems you use to do IDS / IPS. Do you have in place IDS systems for platforms of a larger or similar scale? I would like to here from people have who have faced similar challenges
--------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_security-basics_040301 ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_security-basics_040301 ---------------------------------------------------------------------------- Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.htm ----------------------------------------------------------------------------
Current thread:
- RE: Recommending an IDS system, (continued)
- RE: Recommending an IDS system Josh Mills (Mar 02)
- RE: Recommending an IDS system Daniel Cid (Mar 03)
- RE: Recommending an IDS system AJ Butcher, Information Systems and Computing (Mar 04)
- RE: Recommending an IDS system AJ Butcher, Information Systems and Computing (Mar 03)
- RE: Recommending an IDS system Daniel Cid (Mar 03)
- RE: Recommending an IDS system Dave Gonsalves (Mar 02)
- RE: Recommending an IDS system Buyer Jr, David (Mar 02)
- RE: Recommending an IDS system Josh Mills (Mar 03)
- RE: Recommending an IDS system Hoang, Binh P,,DMDCWEST (Mar 03)
- RE: Recommending an IDS system Buyer Jr, David (Mar 03)
- RE: Recommending an IDS system Josh Mills (Mar 03)
- RE: Recommending an IDS system Fields, James (Mar 03)
- RE: Recommending an IDS system Josh Mills (Mar 03)
- Re: Recommending an IDS system Bhargav Bhikkaji (Mar 04)
- Re: Recommending an IDS system Bob Radvanovsky (Mar 04)
- Re: Recommending an IDS system Karsten Iwen (Mar 08)
- RE: Recommending an IDS system Fields, James (Mar 04)
- RE: Recommending an IDS system Fields, James (Mar 04)
- RE: Recommending an IDS system Buyer Jr, David (Mar 08)
- RE: Recommending an IDS system John Kingston (Mar 08)
- RE: Recommending an IDS system Josh Mills (Mar 08)
- RE: Recommending an IDS system JGrimshaw (Mar 09)
(Thread continues...)
- RE: Recommending an IDS system Josh Mills (Mar 02)