Firewall Wizards mailing list archives

Re: IDS or Intrusion Prevention Systems


From: "Ali Saifullah Khan" <whipaz () gem net pk>
Date: Sun, 3 Nov 2002 02:04:05 +0500

Salutations !

If it's a simple answer you want, go with SNORT.
http://www.snort.org/

Good references on IDS can be found by a simple google, or a look at the
articles posted at Securityfocus
http://online.securityfocus.com/

Mind you! I'm stating this only if it's a SIMPLE suggestion you require.
Otherwise, going with what Paul has said would be a good idea.

Hope this helps.

Ali Saifullah Khan,

Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID          : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C

----- Original Message -----
From: Paul D. Robertson <proberts () patriot net>
To: Walter Ludwig <w.ludwig () gmx at>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Sunday, October 27, 2002 8:11 PM
Subject: Re: [fw-wiz] IDS or Intrusion Prevention Systems


On Sun, 27 Oct 2002, Walter Ludwig wrote:

> Hello to all,
>
> I'm looking for an IDS or Intrusion Prevention System to use in our
> office. I have no idea which ones are good and effective and which ones
> are not. Additionally, I have to write an exam in our school about this

For the record, posts just naming IDS systems won't be approved, posts
with actually useful content may.

IDS systems are relatively immature, so there's no blanket "good and
effective" rubber chicken that can be waved over them.  All of them have
strengths and weaknesses.  Testing IDS products is incredibly difficult to
do well.  ICSA Labs has just started to test and certify products[1];
setting up a common testbed with the right mix of legitimate traffic,
false but potentially "bad looking" traffic, and the infrastructure to
do all that takes a lot of time.

> topic. This exam is the last one and therefore very hard. Can you help
> me?

If you have to *write* the exam, I'd suggest looking at Northcutt's books
on IDS, there's one on IDS in general, and one on writing rules.

> Which products are good and why? Which one do you prefer and recommend

Just like firewalls, which one you choose has more to do with what kind of
environment you plan on putting it in, and what kind of policy you're
attempting to enforce with it, than "which product is best", because they all
fit different scenarios differently.  You can't just "Go get the blue one"
because, like when you buy a vehicle, there are different purposes filled
with different ones.  Ferraris aren't better than minivans when the goal
is to take a family of six out to dinner.

You'd probably be much better served spending some significant time
thinking about what sorts of things might change which IDS you chose, or
which evaluation criteria might be interesting for different IDS
deployments, or maybe even back at "what could possibly make one
deployment different from another?"

> and how easy are they to administer? Pros and cons of different
> products? Where can I find additional information? Do you know Okena and
> their products ("StormWatch", ...)? Are they better (Prevention System)
> than common IDSs? When you use an IDS, what additional software are you
> using (File Integrity, ...)? What will be the most secure solution?

People have already commented on the "intrusion prevention" buzzword and
what utility it has in the market, so I won't reiterate that here.

The most secure solution is to have systems that don't have exploitable
bugs exposed to other systems.  IDS and "intrusion prevention" don't touch
that piece of the puzzle.

Paul
[1] Disclaimer:  I work for TruSecure, ICSA Labs is an independent
division, and I've been slightly involved in the IDS testing program.
---------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
