Firewall Wizards mailing list archives
Re: IDS or Intrusion Prevention Systems
From: "Ali Saifullah Khan" <whipaz () gem net pk>
Date: Sun, 3 Nov 2002 02:04:05 +0500
Salutations! If it's a simple answer you want, go with SNORT. http://www.snort.org/

Good references on IDS can be found by a simple google, or a look at the articles posted at Securityfocus http://online.securityfocus.com/

Mind you! I'm stating this only if it's a SIMPLE suggestion you require. Otherwise, going with what Paul has said would be a good idea.

Hope this helps.

Ali Saifullah Khan,
Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C

----- Original Message -----
From: Paul D. Robertson <proberts () patriot net>
To: Walter Ludwig <w.ludwig () gmx at>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Sunday, October 27, 2002 8:11 PM
Subject: Re: [fw-wiz] IDS or Intrusion Prevention Systems

On Sun, 27 Oct 2002, Walter Ludwig wrote:

> Hello to all, I'm looking for an IDS or Intrusion Prevention System to use in our office. I have no idea which ones are good and effective and which ones not. Additionally, I have to write an exam in our school about this

For the record, posts just naming IDS systems won't be approved; posts with actually useful content may.

IDS systems are relatively immature, so there's no blanket "good and effective" rubber chicken that can be waved over them. All of them have strengths and weaknesses. Testing IDS products is incredibly difficult to do well. ICSA Labs has just started to test and certify products[1]; setting up a common testbed with the right mix of legitimate traffic, false but potentially "bad looking" traffic, and the infrastructure to do all that takes a lot of time.

> topic. This exam is the last one and therefore very hard. Can you help me?

If you have to *write* the exam, I'd suggest looking at Northcutt's books on IDS; there's one on IDS in general, and one on writing rules.

> Which products are good and why? Which one do you prefer and recommend

Just like firewalls, which one you choose has more to do with what kind of environment you plan on putting it in, and what kind of policy you're attempting to enforce with it, than "which product is best", because they all fit different scenarios differently. You can't just "Go get the blue one" because, like when you buy a vehicle, there are different purposes filled with different ones. Ferraris aren't better than minivans when the goal is to take a family of six out to dinner.

You'd probably be much better served spending some significant time thinking about what sorts of things might change which IDS you chose, or which evaluation criteria might be interesting for different IDS deployments, or maybe even back at "what could possibly make one deployment different from another?"

> and how easy are they to administrate? Pros and Cons of different products?
> Where can I find additional information? Do you know Okena and their products ("StormWatch", ...)? Are they better (Prevention System) than common IDSs? When you use an IDS, what additional software are you using (File Integrity,...)? What will be the most secure solution?

People have already commented on the "intrusion prevention" buzzword and what its utility has in the market, so I won't reiterate that here.

The most secure solution is to have systems that don't have exploitable bugs exposed to other systems. IDS and "intrusion prevention" don't touch that piece of the puzzle.

Paul

[1] Disclaimer: I work for TruSecure, ICSA Labs is an independent division, and I've been slightly involved in the IDS testing program.

-----------------------------------------------------------------------------
Paul D. Robertson
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards