Firewall Wizards mailing list archives
RE: Intrusion Detection Systems, Best of breed?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 23 Dec 2001 12:54:33 -0500 (EST)
Rob, et al.,

I think anyone looking at placing a single or simple IDS-based product into their security realm might well not be looking at the full picture of security and relying too much upon a one-step solution rather than layering in products that fit the security policies laid out to protect their assets. It's our feeling that one does not seek out either an NIDS, HIDS, or "AIDS" product and rely upon that for fault tolerance in the security area. These products must be shimmed in with the existing firewall and access-modifying applications and appliances already in use by the company, and a one-size, single-application approach seldom fits the full needs of today's world, security-wise. One is better off working with at least a set of these applications/appliances that work at each of the NIDS/HIDS/AIDS areas and layering those to function together to monitor one's systems for abuse. These should be applications and/or devices that allow you to tune their alert signatures to fit the needs of your network, not a one-size-fits-all shim that you have to modify yourself to. The IDS shim should function as an add-on piece that works with existing security equipment and services.

We've often advocated that NIDSs function best when placed behind the firewall, to monitor traffic that passes that device and those before it, and to send out alerts for any traffic that has passed that first perimeter set which perhaps should not have. Such devices can be well tuned to reflect the security policies in place and enhance one's awareness of how well the perimeter devices are functioning. Be wary of the 90%+ of companies marketing such devices and application systems that will advocate placing these NIDS out front, to be beaten upon by the script-kiddies and blackhats at will; they will see lots of nasty traffic that is already being blocked just behind their placement. They tend to be noisy little beasts that send out false alarms and positives till your security staff goes numb to their pages going off at all hours of the day and night. Companies in the IDS realm like to advocate such 'open' placements as it gets a mgr.'s eyes to widen as he sees their traffic analysis showing all sorts of nasties, though few, if any, have really been a threat to the network, if the perimeter devices are really doing their job. These 'external' IDS systems are best put in place to monitor the effectiveness of the perimeter devices, as a last call to arms should something weasel its way past the perimeter.

An additional use of NIDS/HIDS/AIDS functions as an 'internal' monitor, placed in a fashion to observe what is passing about your corporate backbone and back out the perimeter devices to your business partners and the Internet at large. Here we like to refer to such systems as EDS <extrusion detection systems>, and have worked up a short paper on such systems' placements at http://sysinfo.com/eds.html. The goal here is to keep an eye open for trojans that have made it inside via e-mail, or what have you, or to monitor insiders who are trying to circumvent your policies for various reasons, helping you avoid internal compromise, embarrassment, and perhaps costly restorations and the like.

Thanks,

Ron DuFresne
-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of ROB SLAUGHTER
Sent: Thursday, 13 December 2001 20:06
To: firewall-wizards () nfr com
Subject: [fw-wiz] Intrusion Detection Systems, Best of breed?

I was checking into Best of Breed intrusion detection products and was wondering if anyone had suggestions on which manufacturers truly have a "Best of Breed" product. If you know of any that you feel strongly about (positive), could you please supply me with a few links?

Thanks,

Rob Slaughter
Sales Account Manager
CPS Technology Solutions
10205 51st Avenue North
Plymouth, MN 55442
Phone: 763-278-9620 or 877-348-0916
Fax: 763-553-9058
rslaughter () cpsts com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
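As an added illustration of the placement argument in the post above (this is not code from the post, the list, or sysinfo.com), the following Python script models a sensor sitting behind the firewall that has been tuned to the perimeter policy: inbound flows the policy says should have been dropped are flagged as perimeter leaks, and outbound flows that violate egress policy are flagged as extrusions. The policy rules, addresses and flow records are all constructed examples.

```python
from ipaddress import ip_address, ip_network

# Constructed example policy and traffic (hypothetical, not from the post).
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")
# What the perimeter firewall is meant to permit: (direction, src, dst, proto, dport).
PERMITTED = [
    ("in", ANY, ip_network("10.1.1.0/24"), "tcp", 80),    # public web farm
    ("in", ANY, ip_network("10.1.1.0/24"), "tcp", 443),
    ("out", INTERNAL, ANY, "tcp", 80),                    # workstations browse the web
    ("out", INTERNAL, ANY, "tcp", 443),
    ("out", ip_network("10.1.2.5/32"), ANY, "udp", 53),   # only the resolver does DNS out
]

def direction_of(src, dst):
    """Classify a flow relative to the perimeter the sensor sits behind."""
    if src in INTERNAL and dst not in INTERNAL:
        return "out"
    if dst in INTERNAL and src not in INTERNAL:
        return "in"
    return "lateral"  # never crossed the perimeter; out of scope for this sensor

def permitted(direction, src, dst, proto, dport):
    return any(direction == d and src in sn and dst in dn and proto == p and dport == dp
               for d, sn, dn, p, dp in PERMITTED)

def audit(flows):
    """Alerts for flows seen behind the firewall that the policy says should not exist:
    'perimeter-leak' = inbound traffic the firewall should have dropped,
    'extrusion' = outbound traffic violating egress policy (call-home, policy evasion)."""
    alerts = []
    for src, dst, proto, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        direction = direction_of(s, d)
        if direction == "lateral" or permitted(direction, s, d, proto, dport):
            continue
        alerts.append(("perimeter-leak" if direction == "in" else "extrusion",
                       src, dst, proto, dport))
    return alerts

# Constructed flows as a sensor behind the firewall might record them.
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.1.1.10", "tcp", 80),    # expected web hit
    ("198.51.100.7", "10.1.1.10", "tcp", 23),    # telnet the firewall should have blocked
    ("10.1.3.44", "203.0.113.9", "tcp", 443),    # normal browsing
    ("10.1.3.44", "203.0.113.9", "tcp", 6667),   # workstation talking IRC outbound
    ("10.1.3.44", "203.0.113.9", "udp", 53),     # DNS from something other than the resolver
    ("10.1.3.44", "10.1.1.10", "tcp", 22),       # internal-only, ignored here
]
```

Running `audit(SAMPLE_FLOWS)` yields one perimeter-leak alert (the telnet flow) and two extrusion alerts (IRC and non-resolver DNS); a real deployment would feed it flows from the sensor and the rule set from the firewall configuration rather than literals.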