RE: Recommending an IDS system

[Nick Benigno <NBenigno () atchealthcare com>]

I have used EagleX from Engage.

http://www.engagesecurity.com/products/eaglex/


Its basically snort/acid/+more all packaged up with a frontend to boot. Very
easy installation, and not difficult to manage. It's a free solution so you
can't go wrong trying it.



-----Original Message-----
From: Josh Mills [mailto:JMills () cnbwaco com]
Sent: Monday, March 08, 2004 3:18 PM
To: Buyer Jr, David; security-basics () securityfocus com
Subject: RE: Recommending an IDS system 


I setup a dragon solution about a year ago and it seemed like it was very
difficult to configure when compared to all the rest of the systems
partially because of the way you had to go online and get a license for each
service then download a key and try to load the key and make it all work
together. This may have all changed by now but at the time i had a ton of
trouble getting it installed. 

-----Original Message-----
From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]
Sent: Monday, March 08, 2004 6:59 AM
To: security-basics () securityfocus com
Subject: RE: Recommending an IDS system 


Havent used that one but Enterasys is a pretty good company.

David Buyer



-----Original Message-----
From: eeefm [mailto:eeefm () singnet com sg]
Sent: Sunday, March 07, 2004 2:13 AM
To: 'Buyer Jr, David'; security-basics () securityfocus com
Subject: RE: Recommending an IDS system 


What you think of Dragon ? Thank you.

-----Original Message-----
From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org] 
Sent: Wednesday, March 03, 2004 1:29 AM
To: 'security-basics () securityfocus com'
Subject: RE: Recommending an IDS system 


We have been using Cisco IDS systems for a number of years and recently
switched over to the new ISS Proventia Series appliances. I have worked
with both extensively and I have to say that the ISS solution is MUCH
better than the Cisco solution. Some of the big differences are that the
ISS people get out a sig about 2 weeks before Cisco even touches it.
Also, the Cisco sensors don't have a way of automatically downloading
and installing the new sigs. Its all a manual process that is a pain in
the A** Reporting is much much better and faster on the ISS as well.
There are many more advantages of going with ISS so if you need anymore
info email me. I still have all my data sheets that I did when we were
testing all the solutions.

PS - go with the inline stuff (IPS). Snort also has an inline patch
available.

David Buyer



-----Original Message-----
From: Josh Mills [mailto:JMills () cnbwaco com]
Sent: Monday, March 01, 2004 6:19 PM
To: Reza Kordi; Andy Cuff; security-basics () securityfocus com
Subject: RE: Recommending an IDS system 


I have implemented a new cisco ids solution and i am very pleased with
it! the signatures are highly tunable for a commercial package and it
seems to be pretty stable. the sensor itself runs on redhat so maybe it
isnt that much different than snort.

-----Original Message-----
From: Reza Kordi [mailto:rk () 4unet net]
Sent: Monday, March 01, 2004 2:03 PM
To: 'Andy Cuff'; security-basics () securityfocus com
Subject: RE: Recommending an IDS system 


Hi Andy

How good can vendor independant IDS solutions (Specially Opensource)
work in an Enterprise Cisco Based network?

What do you think about Cisco IDS solutions?


Best Regards
Mit freundlichen Grüssen
Meilleures Salutations
med vennlig hilsen
 
Reza Kordi


-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com] 
Sent: Samstag, 28. Februar 2004 11:21
To: Matthew MacAulay; security-basics () securityfocus com
Subject: Re: Recommending an IDS system 
Importance: Low

Hi Mat,
I was faced with the same dilemma some years back, my site below details
the various technologies you can bring to bear.  I also wrote an article
for SecurityFocus regarding deploying IDS from a vendor neutral
standpoint http://wwwsecurityfocus.com/infocus/1754

I'd suggest starting simply and building up but always keep the defence
in depth end goal in sight.  Also, don't forget that in addition to
detecting attacks you have to react to them also.  If you need further
advice offlist don't hesitate to ask.

Finally, if you go down the Network IPS route there are 2 main
varieties; rate based and content based, I refer to the former as Attack
Mitigation Systems  they fill an important role but IMHO are not IPS.
Ideally you
should have both varieties.   There are some products that claim to do
both,
but .....

take care
-andy
Talisker Security Tools Directory http://www.securitywizardry.com
----- Original Message -----
From: "Matthew MacAulay" <matthew.macaulay () cobweb couk>
To: <security-basics () securityfocus com>
Sent: Thursday, February 26, 2004 12:36 PM
Subject: Recommending an IDS system


> Hello,
>
> I have been tasked with looking at and recommending an IDS system for 
> my company.
>
> I have been looking at open source products (Snort) which seems to be 
> a very good system with a lot of community support. My problem is we 
> are an ASP We want connections to be able to reach our systems for 
> the services we provide. I want to be able to monitor over 100 
> internet facing servers (behind Firewalls and load balancers) and 
> alert / and possibly block non normal traffic / detected attack 
> signatures.
>
> After doing some reading into different methods IDS v IPS, Host v 
> Network, I favour a combination, we have at anyone time up to 50,000 
> concurrent connections to our systems so I have a problem of scale. 
> One Snort box is just not going to cut it!
>
> Looking at how I can "tap" into the network traffic has been partially

> solved by using IDSVLANS which is supported by our Switch hardware. 
> (Nortel 8600) So an IDSVLAN could be setup for each of our existing 
> VLANS and a couple of load balanced IDS boxes per IDSVLAN to alert to 
> a central server to produce reports / alert / wake people up.... 
> Sounds great.
>
> Though I have not looked at it in as much detail as network based IDS,

> I expect I can get a hosts based IDS to also alert (SNMP or what ever)

> to a central server to again produce reports / alerts / wake people 
> up.
>
> I am interested to here what systems you use to do IDS / IPS. Do you 
> have in place IDS systems for platforms of a larger or similar scale? 
> I would like to here from people have who have faced similar 
> challenges
------------------------------------------------------------------------
---
Free 30-day trial: firewall with virus/spam protection, URL filtering,
VPN, wireless security

Protect your network against hackers, viruses, spam and other risks with
Astaro Security Linux, the comprehensive security solution that combines
six applications in one software solution for ease of use and lower
total cost of ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_security-basics_040301
------------------------------------------------------------------------
----

CONFIDENTIALITY NOTICE: 
This email transmission and any documents, files, 
or previous e-mail messages attached to it are 
confidential and intended solely for the use of the 
individual or entity to whom they are addressed. 
If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, 
you are hereby notified that any further review, 
disclosure, copying, dissemination, distribution, or 
use of any of the information contained in or attached 
to this e-mail transmission is strictly prohibited. 
If you have received this message in error, please 
notify the sender immediately by e-mail, discard 
any paper copies, and delete all electronic files 
of the message. If you are unable to contact the 
sender or you are not sure as to whether you 
are the intended recipient, please e-mail 
ISTSEC () KaleidaHealth org or call (716) 859-7777. 



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------