Re: Re: IDS/IPS Info

["Lee" <cheekypeople () sec33 com>]

Debbie,

Maybe my viewpoint is different to what your looking for, but hey here's my 2 cents.

I am not an advocate of IDS/IPS, Personally and maybe I am stirring things up here, but I am not a fan of them, I view 
the products in the range as addons never something I would class as an primary piece of kit.
My thoughts behind this really come from my own background.  I used to be a checkpoint firewall admin for some banks 
and pharma companies, I found any IDS/IPS we have from say cisco etc did the job of other systems I already had.  I 
always looked at them to say "can this product do anything my systems cannot do now".  That would force me to ahve an 
implistic view of my systems.  For example, an IDS/IPS uses rules and signatures to spot code, it does this by 
analysing particular data and then acts as a radar at given perimeter or internal points.  It would then alert a team 
to what it finds based on the signatres and rules.

As part of my job I always try to make the very best use of my current systems, not becuase as a team we couldnt afford 
a dedicated IDS/IPS, its just that by testing the boundaries and knowing what we had we achieved the same results, and 
in a existing window of an existing system (no "one more thing to monitor").

We used primary at first Checkpoint Firewall logs and inspect code.  inspect code allows you to setup and catch with a 
log , particular traffic and then gain alerts, it does this by using its own derived signatures with bytes etc, which 
can be gained from ifnormation on a virus etc.  Seeing any pattern here?
This then allowed us to isolate and amend direct rules live to combat the system.

Now dont get me wrong, this took some time, and we had to implement a HOWTO, but we implemented one based upon a 
current system which is familiar to the people using it, thus saving alot on external costings, while educated the 
current staff to use a product better.

Now dont get me wrong, my view is my own, and one taken in a particular environment, and hopefully others will give you 
their views on what they did, I expect it will be different , but that was the purpose my reply, not to say ours is 
better, just giving a different channel.

Snort I know is excellent, and I expect the cisco kit will be good (in a cicso DC hehehe)

But anyways food for thought, and have a pleasant weekend.

Regards


Knowledge is Power - Nam et ipsa scientia potestas est 
 - Francis Bacon (1561-1626) 

Lee @ STS 
http://www.seethrusec.co.uk
Building Knowledge and Security..
  ----- Original Message ----- 
  From: Debbie 
  To: full-disclosure () lists netsys com 
  Sent: Friday, May 14, 2004 8:27 PM
  Subject: [Full-disclosure] Re: IDS/IPS Info


    Hi all,
    I'm a student doing a research paper on the IDS/IPS industry, from the perspective of analyzing products - what 
works and what doesn't, and also analyzing vendors - who will succeed.  Anyone had good/bad experiences with these 
vendors?  (Your response will be kept strictly confidential.)

    Thanks all for your help!

    Network Associates
    Sana Security
    GreenBorder Tech
    Argus Systems
    Cisco
    Intrusion Inc.
    Tippingpoint Tech
    Internet Security (ISSX)
    Symantec

    -Deborah

    mangomartini2005 () yahoo com


------------------------------------------------------------------------------
  Do you Yahoo!?
  SBC Yahoo! - Internet access at a great low price.