Security Basics mailing list archives

RE: Gateway Scanner or IDP


From: krymson () gmail com
Date: 10 Sep 2010 20:11:19 -0000

If your users run as local admin, you might be better off spending your hours weaning them away from admin rights. In 
addition, make sure your perimeter firewall's egress (outbound) rules are tight, as a damage-control step.

If you do implement gateway scanning, be aware that you'll want to do this in conjunction with your endpoint AV 
installs, and thus likely from a different vendor to get a different viewpoint on malware. I wouldn't look to replace 
endpoint AV with gateway scanning, fully. 

You might be better off lobbying for a web filter with built-in malware detection if your users are browsing bad web 
sites (IronPort is a great example). Many of these solutions include tie-ins that effectively give you some gateway 
scanning anyway, with the added benefit of reputation-based filtering and being protocol-aware or even offering 
visibility into SSL-enabled connections.

By IDP, I think you mean IDS/IPS. I would consider IDS/IPS to be very important for a security posture, but it is a 
more advanced technology, and probably shouldn't be relied upon *too* much to provide additional protection above and 
beyond your endpoint or gateway AV.

For solution value to you, the question will be whether you have the time to manage something. If you have the time, 
you have plenty of options. If you don't, then you need that pre-packaged approach or pay someone else to manage it 
remotely. Pre-packaged is often either lower quality or deceptively complicated to manage properly (i.e. so many features 
to meet every customer that every customer ends up overwhelmed with all the subsequent features). Always thoroughly 
test-drive anything like this, so you know if it'll work for you or against you. Third-party management may mean you 
have to trust them, they may miss things, they may swamp you with false positive notices, and they likely won't 
understand or care about your business very much.

For any of these technologies, I'd always stress looking at how much time you can devote to the care-and-feeding. Even 
your generic endpoint AV needs attention, as you've been experiencing, and all of these other technologies will add 
some overhead as well. (Web-filtering the least, from a good vendor with a nice appliance.)


<- snip ->

I work for an SMB and have been concerned, as I should be, about keeping the network clean/safe for my users. 

My most immediate threat is virus and malware.  We have desktop anti-virus but it doesn't seem to catch or clean it 
all.  Sure, we run spybot and malwarebytes after the fact. And sometimes it cleans it up but we are finding that lately 
we simply have to wipe the system and re-image to be sure we have it cleaned up.

So I've begun looking at gateway scanners (i.e. eset, juniper, checkpoint, trend micro, etc.)  but began thinking that 
this seems really close to an IDP.

I have been looking at IDP systems for a few years but I don't have a lot of time to manage a Snort box and will have 
to do some hard selling if I'm going to request a budget for a Sourcefire deployment.  They didn't buy in a few years 
ago when I pushed for it. (If those are the right products?)

Should I be taking a different approach to this?

Do I install a gateway scanner?  Do I implement a proxy server or content filtering solution?  Do I install an IDP?  
All of the above?

If I invest in a prepackaged solution is that going to give me the best solution for my money? Or do I look to contract 
with someone who can manage snort remotely? 

Those of you who have been through this, how did you get to your decision? What would you do differently if you had to?
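As an added illustration of the "tight egress rules as damage control" advice in the reply above (this ruleset is not part of the original post or thread), here is an nftables policy for a small-office gateway. Only the web proxy/filter, the internal DNS resolver and the mail relay may leave the LAN directly; every other outbound attempt from a workstation is logged, so an infected host that tries to phone home shows up in the gateway log instead of silently succeeding. Interface names and the 192.168.10.x addresses are placeholders assumed for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post: default-deny egress for a small LAN.
# Interface names and addresses below are assumed placeholders; adjust to taste.
define lan_if   = "eth1"
define wan_if   = "eth0"
define lan_net  = 192.168.10.0/24
define proxy    = 192.168.10.5      # web filter / proxy that does the gateway scanning
define resolver = 192.168.10.2      # internal DNS server that forwards upstream
define mailhost = 192.168.10.3      # internal mail relay

table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted
        ct state established,related accept

        # Only the proxy may reach the web directly; workstations must go through it
        iifname $lan_if oifname $wan_if ip saddr $proxy tcp dport { 80, 443 } accept

        # Only the internal resolver may do outbound DNS, so hosts cannot tunnel over port 53
        iifname $lan_if oifname $wan_if ip saddr $resolver udp dport 53 accept
        iifname $lan_if oifname $wan_if ip saddr $resolver tcp dport 53 accept

        # Only the mail relay may speak SMTP/submission outbound
        iifname $lan_if oifname $wan_if ip saddr $mailhost tcp dport { 25, 587 } accept

        # Anything else leaving the LAN: rate-limited log entry, then counted and dropped
        iifname $lan_if oifname $wan_if ip saddr $lan_net limit rate 10/minute log prefix "egress-denied: "
        iifname $lan_if oifname $wan_if ip saddr $lan_net counter drop
    }
}
```

Load it with `nft -f <file>` and watch the "egress-denied:" lines in the kernel log for a day before trusting it; any legitimate service that breaks (software updaters, NTP, VPN clients) gets its own explicit accept rule rather than a loosening of the default.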

