Firewall Wizards mailing list archives

RE: Intrusion Detection Systems, Best of breed?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 23 Dec 2001 12:54:33 -0500 (EST)


Rob, et al.,

I think anyone looking at placing a single or simple IDS based product
into their security realm might well not be looking at the full picture of
security and relying too much upon a one step solution rather than
layering in products that fit their security policies laid out to protect
their assets.  It's our feeling that one does not seek out either an NIDS,
HIDS, or "AIDS" product and rely upon that for fault tolerance in the
security area.  These products must be shimmed in with the existing
firewall and access modifying applications and appliances already in use
by the company, and a one size, single application approach seldom fits the
full needs of today's world security wise.  One is better off working with
at least a set of these applications/appliances that work at each of the
NIDS/HIDS/AIDS areas and layering those to function together to monitor one's
systems for abuse.  These should be applications and/or devices that allow
you to tune their alert signatures to fit the needs of your network, not a
one size fits all shim that you have to modify yourself to.  The IDS shim
should function as an add-on piece that works with existing security
equipment and services.

We've often advocated that NIDS function best as placements behind the
firewall, to monitor traffic that passes that device and those before it,
to send out alerts for any traffic that has passed that first perimeter
set which should perhaps not have.  Such devices can be well tuned to
reflect the security policies in place and enhance one's awareness of how
well the perimeter devices are functioning.  Be wary of the 90%+ of
companies marketing such devices and application systems that will
advocate placing these NIDS out front, to be beaten upon by the
script-kiddies and blackhats at will; they will see lots of nasty traffic
that is already being blocked just behind their placement.  They tend to
be noisy little beasts that send out false alarms and positives till your
security staff goes numb to their pages going off at all hours of the day
and night.  Companies in the IDS realm like to advocate such 'open'
placements as it gets a mgr.'s eyes to widen as he sees their traffic
analysis showing all sorts of nasties, though none if any has really been
a threat to the network, if the perimeter devices are really doing their
job.  These 'external' IDS systems are best put in place to monitor the
effectiveness of the perimeter devices, as a last call to arms should
something weasel its way past the perimeter.

An additional use of NIDS/HIDS/AIDS functions as an 'internal' monitor,
placed in a fashion to observe what is passing about your corporate
backbone and back out the perimeter devices for your business partners and
the Internet at large.  Here we like to refer to such systems as EDS
<extrusion detection systems>, and have worked up a short paper on such
systems' placements at http://sysinfo.com/eds.html.  The goal here is to
keep an eye open for trojans that have made it inside via e-mail, or what
have you, or to monitor insiders who are trying to circumvent your
policies for various reasons, helping you avoid internal compromise,
embarrassment, and perhaps costly restorations and the like.

Thanks,

Ron DuFresne

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of ROB SLAUGHTER
Sent: Thursday, 13 December 2001 20:06
To: firewall-wizards () nfr com
Subject: [fw-wiz] Intrusion Detection Systems, Best of breed?

I was checking in to Best of Breed intrusion detection products and was
wondering if anyone had suggestions on which manufacturers truly have a
"Best of Breed" product.  If you know of any that you feel strongly about
(positive) could you please supply me with a few links?  Thanks,

Rob Slaughter
Sales Account Manager
CPS Technology Solutions
10205 51st Avenue North
Plymouth, MN  55442
Phone:  763-278-9620  or  877-348-0916
Fax:  763-553-9058
rslaughter () cpsts com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards




-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  sysinfo.com
                  http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
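As an added illustration of the 'internal' monitor / extrusion detection idea described in the post above (this is example code written for this archive page, not code from the original message, from sysinfo.com, or from the EDS paper it links to), the following Python script evaluates a handful of constructed outbound flow records against a hypothetical egress policy. The internal address ranges, the per-role port lists, the partner network (a TEST-NET-3 address) and the log line format are all assumptions; a real deployment would take flows from a sensor placed on the backbone side of the perimeter, as the post suggests, and the policy would mirror the site's own security policy rather than these sample values. The point it demonstrates is that an inward-facing sensor only has to answer a narrow question, "should this host have been talking to that destination at all?", which keeps the alert volume tunable in a way a front-of-firewall NIDS cannot be.

```python
"""Toy extrusion-detection (EDS) check over constructed outbound flow records.

Added example for the archived thread; not code from the original post or
from sysinfo.com. All addresses, roles and policy entries are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Assumed internal address space (constructed for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical business-partner network and the only ports approved towards it.
# 203.0.113.0/24 is a documentation range (TEST-NET-3), not a real partner.
PARTNER_NETS = {ip_network("203.0.113.0/24"): {22, 443}}

# Hypothetical egress policy per host role: destination ports a host of that
# role may open towards the Internet at large. Anything else is reported.
ROLE_POLICY = {
    "workstation": {53, 80, 443},
    "mailserver": {25, 53, 443},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    role: str  # role of the internal source host (constructed attribute)


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def check_flow(flow: Flow) -> Optional[str]:
    """Return None when the flow is in scope and permitted, or out of scope;
    otherwise return a short reason string describing the policy violation."""
    # Only traffic leaving the internal space is the EDS sensor's concern;
    # inbound and purely internal flows are left to other layers.
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None
    dst = ip_address(flow.dst)
    for net, ports in PARTNER_NETS.items():
        if dst in net:
            if flow.dport in ports:
                return None
            return f"partner net {net} reached on non-approved port {flow.dport}"
    allowed = ROLE_POLICY.get(flow.role, set())
    if flow.dport in allowed:
        return None
    return (f"{flow.role} {flow.src} -> {flow.dst}:{flow.dport} "
            f"not permitted by egress policy")


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse 'timestamp src dst dport role' records (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, src, dst, dport, role = line.split()
        flows.append(Flow(src, dst, int(dport), role))
    return flows


def detect(lines: Iterable[str]) -> list[tuple[Flow, str]]:
    """Run the policy check over log lines; return (flow, reason) per alert."""
    alerts = []
    for flow in parse_flows(lines):
        reason = check_flow(flow)
        if reason is not None:
            alerts.append((flow, reason))
    return alerts


# Constructed sample flow records: a workstation browsing, the same
# workstation calling out to an IRC port (a trojan's typical check-in), a
# mail server reaching a partner on an approved and then a non-approved
# port, an internal-only flow, and a workstation sending mail directly.
SAMPLE_LOG = """\
2001-12-23T12:00:01 10.1.2.3 198.51.100.7 443 workstation
2001-12-23T12:00:02 10.1.2.3 198.51.100.9 6667 workstation
2001-12-23T12:00:03 10.1.5.5 203.0.113.10 22 mailserver
2001-12-23T12:00:04 10.1.5.5 203.0.113.10 3389 mailserver
2001-12-23T12:00:05 10.1.2.3 10.1.9.9 445 workstation
2001-12-23T12:00:06 192.168.4.4 198.51.100.20 25 workstation
"""

if __name__ == "__main__":
    for flow, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

Run stand-alone it prints three alerts (the IRC call-out, the RDP attempt towards the partner network, and the workstation sending mail directly) and stays quiet for the permitted and internal-only flows; tuning the policy tables is the equivalent of tuning the sensor's signatures to the site, which is the property the post asks for.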
