Re: remotely monitoring from multiple campuses & sample SIEM/log management RFPs

[Brass Hat at Crystal Palace <fmtaylor () PURDUE EDU>]

If cost is a concern, and you have a couple of good network/unix geeks you
could use Snort.  The price of each sensor is the price of a used PC, and the
time to install it.

On Tuesday 21 April 2009 11:21 am, Youngquist, Jason R. formed electrons in
this pattern:
> For those of you that have multiple campuses, do you have an IDS/IPS
> device at each campus, or how are you monitoring abnormal/malicious
> activity from the campuses?  Currently we have ~30 remote campuses (size
> varies from a couple computers to ~80 computers) and each has their own
> Internet connection.  Instead of deploying an IDS/IPS at each campus
> (which would have been cost prohibitive) each campus has a Cisco router
> exporting neflows to a central collector, and we are using a commercial
> NBAD product to monitor the campuses for any abnormal/potentially
> malicious activity based on netflow information.
>
> If we just had one Internet pipe at our main campus, I could stick in
> something like a TippingPoint for IDS/IPS, but since we have a large
> amount of remote campuses we also want to monitor, it makes things a bit
> challenging.  I'm looking for suggestions others might have for any
> alternatives to monitoring the traffic for malicious activity at our
> remote campuses.
>
> Also, does anyone have any sample log management/SIEM RFPs they would be
> willing to share?
>
> Appreciate any information you can provide.
>
>
> Thanks.
> Jason Youngquist
> Information Technology Security Engineer, Security+
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO  65216
> (573) 875-7334
> jryoungquist () ccis edu
> http://www.ccis.edu