Firewall Wizards mailing list archives

Re: In search of the right tool(s)


From: Technical Incursion Countermeasures <lists () ticm com>
Date: Thu, 27 Jan 2000 07:49:13

Hi Marc,
Two things you can do..

1. Install an IDS on the inside of your networks, all reporting back to a
central station (through secure channels, of course). A good place to start
is at the host level. Tripwire, COPS, RealSecure, et al...

2. Install honeypots on the inside near well-used servers. This might give
you a chance to catch them before they make a mess of your main resources..
goes for outside hackers too... Of course the best bit about honeypots is
the trails of incriminating evidence they can create for you.

Cheers,

Bret

At 07:40 23/01/00 -0500, you wrote:
Hello -

I am looking for tools that I can set up to monitor network traffic,
ideally passively, which will try to detect and alert me to attacks or
suspicious activity _originating_ within my networks. I already have
several tools set up that detect activity targeting my networks, and now
want to make certain that nobody launches anything from within the
address space that I am responsible for. For reference, I am working with
several /18, /19, and various smaller network blocks, oftentimes
multi-homed through several geographically diverse methods.

Suggestions and references would be greatly appreciated.

Thanks in advance - Marc



Technical Incursion Countermeasures 
consulting () TICM COM                      http://www.ticm.com/
voice mail/fax: (+65)98421426(UTC+8 hrs)      

The Insider - a e'zine on Computer security 
http://www.ticm.com/info/insider/index.html


