IDS mailing list archives

RE: Network IDS


From: <Robert.Lupo () nokia com>
Date: Tue, 19 Aug 2003 12:52:51 -0700

The question should not be so much what product you should buy, but can you properly do IDS? Let me explain. You can 
buy any device you want and it will be useless unless you know how to read dump files and analyze traffic. Vendor 
training on a product only teaches you how to use the product but not how to be an IDS analyst.

I have seen time and time again people buying a product, getting vendor training and then viewing the logs and thinking 
"woo hoo! I have IDS!" But do you know how to write your own rules and signatures, and analyze the traffic for what your 
company needs?

Before you go and buy any product, you should get yourself properly trained, then view the products and figure out what 
is going to best suit your needs.

The SANS IDS course is very good and gives you a good head start in this. 

I'm not trying to put you down at all, so please forgive me if you got that impression. This situation happens to be a 
subject for a white paper I am writing. You will be doing yourself and the company a disservice by buying a product without 
truly knowing how IDS works. 

Now, if you happen to be an IDS specialist, my bad. If not, jump on the SANS page and look for the next class. It is a 
6-day course and you will learn a lot.

Robert J. Lupo


 -----Original Message-----
From:   ext Duston Sickler [mailto:dustons () charter net] 
Sent:   Saturday, August 16, 2003 8:48 AM
To:     focus-ids () securityfocus com
Subject:        Network IDS

Hello,

I would like to thank in advance everyone who is out of the office.  I
really do like to hear about it.

The Network Administrator for the company I work for has charged me to
locate a Network Intrusion Detection System.  We do have a monitored
firewall between us and the outside world.  We need something to protect our
servers from anyone coming from the inside.  We have about 20 Windows 2000
Servers, 5 NT 4 Servers, and 250 Windows 2000/Thin Net workstations.

We live in a 100% Windows world and the powers that be will not be receptive
to any *nix solutions.  We are more than willing to pay for a top-of-the-line
product as long as it is in fact top of the line.

Currently I have been looking at the Symantec Gateway Device.  We like the
idea of a stand alone piece of hardware.  The only problem is we already
have a gateway server washing our email of viruses and 99% of Spam.

Does anyone have any comments on the Symantec Gateway device?  We have had
excellent experiences with their Gateway software and NAV Corp.  Does anyone
have a different or better device that they could point me towards?

I would like to thank everyone who replies to this post.  I have learned a
great deal being on this list the last year and will continue to appreciate
all the expertise that is freely given here.

Duston Sickler
CompTIA A+ Certified
"Cedo nulli."
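Robert's point about writing your own rules "for what your company needs" is easier to see with a concrete case. The block below is an added example, not part of either message above and not any vendor's product code: a toy rule engine in Python that applies two site-specific rules to constructed flow records for a network like the one Duston describes (workstations that must not attack the Windows servers). The subnet layout, the per-server port allow-list, the thresholds and the sample flows are all assumptions made up for the example.

```python
"""Toy site-specific IDS rules over constructed flow records.

Added example, not from the mailing-list thread. Everything below
(subnets, allow-list, thresholds, sample flows) is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed layout: servers on one /24, workstations on an adjacent /23.
SERVER_NET = ip_network("10.0.1.0/24")
WORKSTATION_NET = ip_network("10.0.2.0/23")
# Windows RPC/NetBIOS/SMB/RDP ports: a workstation rarely needs these on many servers at once.
ADMIN_PORTS = {135, 139, 445, 3389}
# Assumed per-server allow-list of ports workstations are expected to reach.
SERVER_POLICY = {
    "10.0.1.5": {139, 445},    # file server
    "10.0.1.20": {139, 445},   # file server
    "10.0.1.30": {80, 443},    # intranet web server
}


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    tcp_flags: str   # "S" = initial SYN, "SA" = SYN/ACK reply, etc.


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def _is_initial_syn(f):
    return "S" in f.tcp_flags and "A" not in f.tcp_flags


def rule_internal_sweep(flows, max_targets=5, window=60.0):
    """Alert once per workstation that SYNs to more than max_targets distinct
    servers on admin ports inside a sliding window of `window` seconds."""
    recent = defaultdict(list)   # src -> [(ts, dst)] within the window
    alerted, alerts = set(), []
    for f in sorted(flows, key=lambda x: x.ts):
        if not _is_initial_syn(f) or f.dport not in ADMIN_PORTS:
            continue
        if not (ip_address(f.src) in WORKSTATION_NET and ip_address(f.dst) in SERVER_NET):
            continue
        hist = [(t, d) for t, d in recent[f.src] if f.ts - t <= window]
        hist.append((f.ts, f.dst))
        recent[f.src] = hist
        targets = {d for _, d in hist}
        if len(targets) > max_targets and f.src not in alerted:
            alerted.add(f.src)
            alerts.append(Alert("internal-admin-port-sweep", f.src,
                                f"{len(targets)} servers on admin ports within {window:.0f}s"))
    return alerts


def rule_server_policy(flows):
    """Alert on a workstation opening a port a server is not expected to serve to it."""
    alerts = []
    for f in flows:
        if not _is_initial_syn(f) or ip_address(f.src) not in WORKSTATION_NET:
            continue
        allowed = SERVER_POLICY.get(f.dst)
        if allowed is not None and f.dport not in allowed:
            alerts.append(Alert("unexpected-server-port", f.src,
                                f"{f.dst}:{f.dport} not in that server's allow-list"))
    return alerts


def run_rules(flows):
    return rule_internal_sweep(flows) + rule_server_policy(flows)


# Constructed sample: normal file-server use, an RDP attempt to a file
# server, and one workstation sweeping eight servers on TCP/445.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.2.10", "10.0.1.5", 445, "S"),
    Flow(5.0, "10.0.2.10", "10.0.1.20", 445, "S"),
    Flow(6.0, "10.0.1.20", "10.0.2.10", 445, "SA"),    # reply, ignored
    Flow(200.0, "10.0.2.10", "10.0.1.5", 3389, "S"),   # RDP to a file server
] + [Flow(100.0 + i, "10.0.3.77", f"10.0.1.{i + 1}", 445, "S") for i in range(8)]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_FLOWS):
        print(f"[{a.rule}] {a.src}: {a.detail}")
```

Neither rule is something a vendor ships: the sweep threshold depends on how many servers a normal user touches, and the allow-list is the site's own knowledge of which server does what. That is the part of the job a product and its training do not supply.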

