Full Disclosure mailing list archives
RE: Suggestion for IDS
From: "Randall M" <randallm () fidmail com>
Date: Thu, 29 Sep 2005 05:39:52 -0500
Michael, I value your opinion on this subject as my knowledge about IDS is slim. Your suggestion below, as I understand you, basically says that from a company standpoint IDS is not a solution? We were thinking along this line of using IDS along with an IPS system too. We basically have nothing to inspect the high bandwidth usage or catch infections from mobile or desktop users and thought IDS and IPS would help. Your thought?

Thank You
Randall M
=====================
"You too can have your very own Computer!"
Note: Side effects include: Blue screens; interrupt violation; illegal operations; remote code exploitations; virus and malware infestations; and other unknown vulnerabilities.

::::-----Original Message-----
::::From: full-disclosure-bounces () lists grok org uk
::::[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michael Holstein
::::Sent: Wednesday, September 28, 2005 8:24 AM
::::To: full-disclosure () lists grok org uk
::::Subject: Re: [Full-disclosure] Suggestion for IDS
::::
::::> Our company plans to install IDS to protect our resources. I've already
::::> read about snort as NIDS, but that's software based. I'm interested
::::> in hardware based that will work transparently with our Cisco PIX,
::::> no need to make changes in our firewall. What's your suggestion?
::::
::::My first piece of advice on this is to ignore any company that says they deliver a "turnkey" solution. Such a thing doesn't exist.
::::
::::Any IDS will work with any firewall .. unless, of course, you want to connect the two together (eg: dynamically ACL the PIX based on what the IDS sees). That, IMHO, is an invitation to DOS yourself (think .. I spoof a packet that --looks like an attack-- from your upstream router, or smtp server, etc). There's dozens of ways to do this, including free with snort.
::::
::::You can also examine snort's "inline" mode in which you set up bridging between two interfaces, and let snort "decide" which packets to forward.
::::In order to make such a thing redundant, be prepared to do some fancy H/A stuff with a pair of servers.
::::
::::And don't forget .. an IDS is certainly not "fix and forget" .. it requires daily tinkering (new sigs come out daily .. and they're almost always noisy and require tuning). In most any decent sized network, having a dedicated admin to chase the IDS alerts and keep an eye on things is almost a given.
::::
::::And as for having an IDS "protect" your network .. well .. forget that.
::::An IDS is great for statistical research and forensics .. but with botnets and whatnot going SSL, your time/resources are much better spent finding your vulnerabilities and patching your hosts.
::::
::::My $0.02.
::::
::::Cheers,
::::
::::Michael Holstein CISSP GCIA
::::Cleveland State University
::::_______________________________________________
::::Full-Disclosure - We believe in it.
::::Charter: http://lists.grok.org.uk/full-disclosure-charter.html
::::Hosted and sponsored by Secunia - http://secunia.com/
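As an added example that is not from any poster in this thread, the following Python sketch shows the kind of guard Michael's warning about dynamically ACLing the PIX calls for: a gate that refuses to block addresses on a never-block list, ignores alerts whose source address was never verified by a completed TCP handshake (a spoofed-source packet cannot complete one), and bounds how many blocks can be active at once and for how long. The address ranges, the Alert fields and the sensor's "established" flag are assumptions, not any product's real API.

```python
"""Gate between IDS alerts and firewall blocks (added example).

Turning every alert straight into an ACL entry lets anyone who can forge
a source address make the firewall block that address. The three guards
below limit that blast radius; the sensor interface is assumed.
"""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Alert:
    src: str            # source address as reported by the sensor
    proto: str          # "tcp" or "udp"
    established: bool   # sensor saw a completed TCP handshake (assumed field)


# Constructed never-block list (RFC 5737 documentation ranges standing in
# for the upstream router, the DNS/SMTP servers and similar dependencies).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("192.0.2.1/32", "198.51.100.0/29", "203.0.113.25/32")]


class BlockGate:
    """Decides whether an alert may become a firewall block entry."""

    def __init__(self, max_active=50, ttl=600, clock=time.time):
        self.max_active = max_active   # cap on concurrently blocked sources
        self.ttl = ttl                 # seconds a block stays in force
        self.clock = clock             # injectable for testing
        self.active = {}               # ip -> expiry timestamp

    def _expire(self):
        now = self.clock()
        self.active = {ip: t for ip, t in self.active.items() if t > now}

    def decide(self, alert):
        """Return (should_block, reason) for one alert."""
        src = ipaddress.ip_address(alert.src)
        if any(src in net for net in NEVER_BLOCK):
            return False, "never-block list"
        # A spoofed source cannot complete the handshake, so only
        # established TCP flows are trusted as evidence of the sender.
        if alert.proto != "tcp" or not alert.established:
            return False, "source unverified: no completed handshake"
        self._expire()
        if src in self.active:
            return False, "already blocked"
        if len(self.active) >= self.max_active:
            return False, "block budget exhausted; alert logged only"
        self.active[src] = self.clock() + self.ttl
        return True, "block for %ds" % self.ttl
```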