Snort mailing list archives
RE: *very* many snort installations..
From: <hugh_fraser () dofasco ca>
Date: Fri, 28 Nov 2003 14:00:57 -0500
The host and network IDSs are different animals. Symantec (and several other companies) offer a HID that monitors and enforces policies that define how applications on the host behave. While this includes network activity, it goes beyond that to include access to any resources on the host. It's very different, but at the same time complementary, to what a NID does. Both provide valuable insight into what's happening in your environment, and are indispensable when doing the forensic work you're talking about.

Deployment of NID technology on all workstations may provide more resolution than you need if there are key network "hubs" through which all internal traffic passes. As always, start with the perimeter firewalls, but also include dialup access points (i.e. Citrix, reachout, etc.). Internally, monitor the routers, hubs, firewalls, etc. As well, monitor servers providing common networking services, such as proxy servers. If you're running a switched network and using VLANs to segment traffic, monitor systems that may straddle multiple VLANs, such as domain controllers, DNS or DHCP servers, etc. With some up-front effort, you may find that a much smaller deployment of NIDs can provide you with the ability to track activity, without an overwhelming infrastructure to manage.

In the same way, deploying a HID to 10,000 machines may also be overkill. Again, the selection of key points to monitor may provide you with the information you need.

Don't underestimate the impact of either of these technologies on the systems to which they're deployed. HIDs, especially, may require considerable amounts of hand-holding before they become invisible to the end user. In anything other than vanilla applications that the HID understands out of the box, it will need to be taught what to expect before it can be deployed to provide non-noise information.
And if you're using them to enforce policies rather than just monitor for violations, this training will be even more important unless your help desk enjoys extra work. Enforcement is the holy grail we're all looking for, since it's a reality that you will at some point suffer an intrusion, and enforcing policies (whether in a NID or a HID) is what will allow you to contain the intrusion and limit the damage.

With regards to the collection of traffic from 10,000 machines, hierarchical approaches need to be used to deal with the load. In a large environment, it typically makes sense to have local collection agents that do some form of filtering and correlation and forward traffic on to higher levels that have a more enterprise view. This buys you several benefits... Each local collection agent can be relatively autonomous, giving you a degree of fault tolerance. It localizes potentially heavy network traffic in the event of an intrusion. Finally, it provides you with a scalable architecture that can be adapted to arbitrary changes either in capacity or topology.

Hugh Fraser
Senior Technical Specialist
Dofasco Inc.
-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Wednesday, November 26, 2003 6:01 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] *very* many snort installations..

On Thu, 2003-11-27 at 04:46, Michael Steele wrote:
> The solution is not to install Snort on every workstation.

Strange - companies like Symantec would disagree with you. They certainly think there's a future in host-based IDS.

Of course, the IDS is easy - it's the centralised management that's hard... How you handle 10,000 hosts all sending 100 alerts/sec to your central console when SLAMMER-IV hits one machine is beyond me ;-)

[to be fair, I'm confusing centralised management with centralised logging here]

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
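The hierarchical collection Hugh Fraser describes (local agents that filter and correlate before forwarding to an enterprise tier), sketched as a small tier-1 agent in Python; this is an added example, not code from the thread or from Snort. It parses Snort fast-format alert lines, forwards only the first few alerts per (signature, source host) pair and rolls the rest into one summary record, which is what keeps one worm-infected host from flooding the central console; the alert lines, signature ids and addresses are constructed.

```python
import re
from collections import defaultdict

# Regex for Snort's "fast" alert output format (the sample lines below follow it).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that don't match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def local_agent(lines, max_per_key=3):
    """Tier-1 collection agent: forward at most `max_per_key` raw alerts per
    (sid, source) pair and roll the rest into one summary record per pair,
    so the upstream tier sees the correlation, not every repeated line."""
    forwarded, counts, dsts = [], defaultdict(int), defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue                      # non-alert output stays local
        key = (a["sid"], a["src"])
        counts[key] += 1
        dsts[key].add(a["dst"])
        if counts[key] <= max_per_key:
            forwarded.append(line)        # the first few go up verbatim
    summaries = {
        key: {"total": n, "suppressed": max(0, n - max_per_key),
              "distinct_dst": len(dsts[key])}
        for key, n in counts.items()
    }
    return forwarded, summaries

# Constructed sample: one host tripping the same signature against 50
# neighbours (the "one machine hit by a worm" case), plus one unrelated alert.
SAMPLE_ALERTS = [
    f"11/26/03-18:01:{i % 60:02d}.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    f"[Classification: Misc Attack] [Priority: 2] {{UDP}} 10.0.0.5:1434 -> 10.0.1.{i}:1434"
    for i in range(1, 51)
] + [
    "11/26/03-18:01:30.000002  [**] [1:1000001:1] CONSTRUCTED test signature [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:40001 -> 10.0.0.2:80",
]

if __name__ == "__main__":
    fwd, summ = local_agent(SAMPLE_ALERTS)
    print(len(fwd), "lines forwarded upstream")
    for key, s in summ.items():
        print(key, s)
```

With the 51 constructed lines the agent forwards 4 raw alerts upstream and one summary per (sid, source) pair, the first showing 50 alerts against 50 distinct destinations with 47 suppressed.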