Security Basics mailing list archives

RE: Recommending an IDS system


From: "John Kingston" <JKINGSTON () arvest com>
Date: Mon, 08 Mar 2004 13:33:07 -0600

The new ones run on Red Hat (4.x). The old ones were Solaris (3.x).

Daniel Cid <danielcid () yahoo com br> 03/02/04 01:35PM >>>
Just correcting: the Cisco IDS sensors run on Solaris,
and an advantage over Snort (the open source one)
is the possibility to apply a shun (to block traffic),
and it's much easier to view/analyze the logs...

Daniel B. Cid

--- Josh Mills <JMills () cnbwaco com> wrote: > I
have implemented a new Cisco IDS solution and I am
very pleased with it! The signatures are highly
tunable for a commercial package and it seems to be
pretty stable. The sensor itself runs on Red Hat so
maybe it isn't that much different than Snort.

-----Original Message-----
From: Reza Kordi [mailto:rk () 4unet net] 
Sent: Monday, March 01, 2004 2:03 PM
To: 'Andy Cuff'; security-basics () securityfocus com 
Subject: RE: Recommending an IDS system 


Hi Andy

How well can vendor-independent IDS solutions
(especially open source) work in
an enterprise Cisco-based network?

What do you think about Cisco IDS solutions?


Best Regards
Mit freundlichen Grüssen
Meilleures Salutations
med vennlig hilsen
 
Reza Kordi


-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com] 
Sent: Saturday, 28 February 2004 11:21
To: Matthew MacAulay;
security-basics () securityfocus com 
Subject: Re: Recommending an IDS system 
Importance: Low

Hi Mat,
I was faced with the same dilemma some years back; my site below details the
various technologies you can bring to bear. I also wrote an article for
SecurityFocus regarding deploying IDS from a vendor-neutral standpoint:
http://www.securityfocus.com/infocus/1754

I'd suggest starting simply and building up, but always keep the
defence-in-depth end goal in sight. Also, don't forget that in addition to
detecting attacks you have to react to them. If you need further advice
offlist, don't hesitate to ask.

Finally, if you go down the Network IPS route there are 2 main varieties:
rate based and content based. I refer to the former as Attack Mitigation
Systems; they fill an important role but IMHO are not IPS. Ideally you
should have both varieties. There are some products that claim to do both,
but .....

take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com 
----- Original Message -----
From: "Matthew MacAulay"
<matthew.macaulay () cobweb co uk>
To: <security-basics () securityfocus com>
Sent: Thursday, February 26, 2004 12:36 PM
Subject: Recommending an IDS system



Hello,

I have been tasked with looking at and
recommending an IDS system for my
company.

I have been looking at open source products
(Snort) which seems to be a
very good system with a lot of community support.
My problem is we are
an ASP. We want connections to be able to reach
our systems for the
services we provide. I want to be able to monitor
over 100 internet
facing servers (behind Firewalls and load
balancers) and alert / and
possibly block non normal traffic / detected
attack signatures.

After doing some reading into different methods (IDS v IPS, Host v
Network), I favour a combination. We have at any one time up to 50,000
concurrent connections to our systems, so I have a problem of scale. One
Snort box is just not going to cut it!

Looking at how I can "tap" into the network
traffic has been partially
solved by using IDSVLANS which is supported by our
Switch hardware.
(Nortel 8600) So an IDSVLAN could be setup for
each of our existing
VLANS and a couple of load balanced IDS boxes per
IDSVLAN to alert to a
central server to produce reports / alert / wake
people up.... Sounds
great.

Though I have not looked at it in as much detail as network-based IDS, I
expect I can get a host-based IDS to also alert (SNMP or whatever) to
a central server to again produce reports / alerts / wake people up.

I am interested to hear what systems you use to do IDS / IPS. Do you
have in place IDS systems for platforms of a larger or similar scale? I
would like to hear from people who have faced similar challenges.

Questions I keep asking myself:

Am I trying to do too much, should I just
concentrate on host based IDS?

Is network based IDS the right way to go?
Or am I right in trying to do both?
Should I be using an open source product to do ID?
Are there commercial products which can do what I
want?

Your thoughts, recommendations and pointers to
further reading are
welcome.

Regards,

Mat.





=== message truncated === 



