Firewall Wizards mailing list archives

Re: Intrusion Detection Systems, Best of breed?


From: "Talisker" <talisker () networkintrusion co uk>
Date: Mon, 24 Dec 2001 10:29:21 -0000

Hi all,

Ofir is absolutely right (as always) the IDS defence in depth approach is
best, I steered clear of it in my original post so as not to confuse too
much, (but NIDS is still the IDS of choice and offers more hits per pound)
HIDS is extremely valuable but needs more TLC than a NIDS, (hmm depending upon
how much control you have over how the host monitored is configured)  AIDS
are also a very nice tool the main HIDS I have played with has it built in,
with some heuristics thrown in for good measure.  When looking to deploy
HIDS and NIDS it's worth considering Hybrid IDS which combine the 2 at host
level, though there are very few products offering this.  A very important
consideration these days is Network Node IDS which is basically a central
reporting personal firewall.  The USAF have reportedly just purchased
500,000 of them for their desktops. To reduce cost I would suggest only
placing these on servers.

Ron said, "They tend to be noisy little beasts, that send out false alarms and
positives till your security staff goes numb" I agree but I still like to
see a NIDS outside the firewall, not necessarily to react to, but for stats
to spot changing trends and also for the security staff to see the threat.
Though given an "either or" choice I'd always opt for inside the firewall.

Marcus said about HIDS "(what happens when the underlying O/S crashes
from a DOS attack?)" then you can bring in a network management tool that
pings your critical devices periodically, once again it's just another piece
of information in that defence in depth scenario.  NOTE I'm still not
advocating SNMP <v3

take care
-andy
http://www.networkintrusion.co.uk






