Snort mailing list archives
RE: Snort and M$ Access?????
From: "e-mail lists" <lists () darrenmackay com>
Date: Sat, 9 Feb 2002 13:57:20 +1000
Hi,

There are plenty of people here who know snort better than myself, so I will try and give a perspective on how to handle the politics (well, this has worked for me). Being new to using this mailing list, I apologise in advance if this post starts a flame war - I don't mean to be provocative, I am just trying to share what I have learnt of getting linux and open source into various enterprise clients of ours (I work for an integrator).

From your management's perspective, their 'perceived' view of linux (and possibly open source in general) is their 'truth'. If you are a lone crusader pushing open source in a large organisation it is an uphill battle (although sometimes this is not really a hill, but more like a sheer rock face, and you don't have any safety ropes). Over time, with several small 'wins' under your belt. Ideally, these small wins from my experience are based on the merits of a deployment, and not based on FUD against the alternatives (even if the FUD happens to be true).

For a commercial IDS with distributed sensor deployment, you rarely get change out of $50k USD. Some hardware costs for both commercial and open source IDS deployments would be approximately the same, so if you are confronted with the situation of justifying costs, take this into account. Also, where possible, use the same class of hardware as used by your NT and netware infrastructure (for instance, IBM's ServerGuide based installs support RH 6.2 and soon 7.2 natively). I have found that hardware vendor support for any open source solution is extremely important - most companies still want 4hr replacement if there is a hardware failure. If you are using a supported o/s, this makes the warranty process faster and easier (here in Australia, the IBM techs that I have met that perform onsite hardware replacement appear to have excellent linux skills also).

If it were me in your situation, I would try and develop a plan to fulfil the requirements that you have been given, and then take this plan to them (rather than just hacking away to get it to work). This does not mean you have to agree with the requirements; this is to appease the politicians in your organisation. I would probably include the following (at a minimum) in the plan:

1. why you have used snort in this deployment
   - $$$ - for the past year, I have not actually used $$$ as justification for using open source against a commercial product, mainly because the clients I deal with are prepared to pay for a solution that fulfils their business requirements and thus look for technical merit and ease of management instead.
   - features against the 2 main commercial IDS offerings (the following come to mind)
     - ISS only allows custom signatures for HTTP and SMTP traffic
     - Cisco's custom signature definition language requires fairly advanced knowledge to get working
   - improving your security posture - assuming you already have at least 1 firewall - I usually use the scenario that the firewall is equivalent to the airline check-in, and the IDS is the x-ray machine to ensure that you are not carrying any weapons (management for some reason love explanations like this)
   - maintenance of the rule set and how this meets the organisation's security policies
   - management of data (reports, backup, etc) - needs to fulfil current policies in your organisation
   - benefits of using a database server rather than Access (most likely, from the suits' point of view, you have just come out of left field)
     - an existing database server in your organisation (MSSQL, Oracle, etc)
     - use of an alternative o/s database server on your NT / 2000 infrastructure
       - postgres
       - mysql
       - sapdb (the suits certainly can't say that SAP would include a trojan in their product)
       - interbase (once again, would Borland include a trojan in their product?)
     - method of transferring data from your existing snort database to this internal database server
       - then (hopefully) alleviates the need to perform daily backups of your IDS deployment???
   - anything else that comes to mind

You also have to remember that most organisations have security policies that refer to various documents that they must adhere to - some of the time, these are requirements that are set in stone, and thus there is nothing you can do if the product you wish to use is not listed as approved for use (for instance, here in Australia, all federal government departments that are not classified as 'military', 'secret' or 'cabinet in confidence', and thus are classified as 'protected', must use security products that are certified to EAL4 or better). For open source to get into this arena, target systems or software have to be submitted for evaluation (which is a $20k USD exercise). This does not guarantee certification though...

I hope this helps you, even in a small way. I would be interested to know how you progress with this in your organisation (hopefully others on this list would also be interested in hearing how you go).

Enjoy,

Darren Mackay