Re: [fw-wiz] IDS or Intrusion Prevention Systems

From: Ali Saifullah Khan (whipaz@gem.net.pk)
Date: 11/02/02


From: "Ali Saifullah Khan" <whipaz@gem.net.pk>
To: <firewall-wizards@honor.icsalabs.com>
Date: Sat Nov  2 16:22:01 2002

Salutations !

If it's a simple answer you want, go with SNORT.
http://www.snort.org/

Good references on IDS can be found by a simple google, or a look at the
articles posted at Securityfocus
http://online.securityfocus.com/

Mind you ! I'm stating this only if it's a SIMPLE suggestion you require.
Otherwise, going with what Paul has said would be a good idea.

Hope this helps.

Ali Saifullah Khan,

Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C

----- Original Message -----
From: Paul D. Robertson <proberts@patriot.net>
To: Walter Ludwig <w.ludwig@gmx.at>
Cc: <firewall-wizards@honor.icsalabs.com>
Sent: Sunday, October 27, 2002 8:11 PM
Subject: Re: [fw-wiz] IDS or Intrusion Prevention Systems

> On Sun, 27 Oct 2002, Walter Ludwig wrote:
>
> > Hello to all,
> >
> > i'm looking for an IDS or Intrusion Prevention System to use in our
> > office. I have no idea which ones are good and effective and which ones
> > not. Additionally, I have to write an exam in our school about this
>
> For the record, posts just naming IDS systems won't be approved, posts
> with actually useful content may.
>
> IDS systems are relatively immature, so there's no blanket "good and
> effective" rubber chicken that can be waved over them. All of them have
> strengths and weaknesses. Testing IDS products is incredibly difficult to
> do well. ICSA Labs has just started to test and certify products[1],
> setting up a common testbed with the right mix of legitimate traffic,
> false, but potentially "bad looking" traffic, and the infrastructure to
> do all that takes a lot of time.
>
> > topic. This exam is the last one and therefore very hard. Can you help
> > me?
>
> If you have to *write* the exam, I'd suggest looking at Northcutt's books
> on IDS, there's one on IDS in general, and one on writing rules.
>
> > Which products are good and why? Which one do you prefer and recommend
>
> Just like firewalls, which one you choose has more to do with what kind of
> environment you plan on putting it in, and what kind of policy you're
> attempting to enforce with it than "which product is best" because they all
> fit different scenarios differently. You can't just "Go get the blue one"
> because, like when you buy a vehicle, there are different purposes filled
> with different ones. Ferraris aren't better than minivans when the goal
> is to take a family of six out to dinner.
>
> You'd probably be much better served spending some significant time
> thinking about what sorts of things might change which IDS you chose, or
> which evaluation criteria might be interesting for different IDS
> deployments, or maybe even back at "what could possibly make one
> deployment different from another?"
>
> > and how easy are they to administer? Pros and Cons of different
> > products? Where can I find additional information? Do you know Okena and
> > their products ("StormWatch", ...)? Are they better (Prevention System)
> > than common IDSs? When you use an IDS, what additional software are you
> > using (File Integrity,...)? What will be the most secure solution?
>
> People have already commented on the "intrusion prevention" buzzword and
> what utility it has in the market, so I won't reiterate that here.
>
> The most secure solution is to have systems that don't have exploitable
> bugs exposed to other systems. IDS and "intrusion prevention" don't touch
> that piece of the puzzle.
>
> Paul
> [1] Disclaimer: I work for TruSecure, ICSA Labs is an independent
> division, and I've been slightly involved in the IDS testing program.
> --------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts@patriot.net      which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
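Paul's remark above that an IDS testbed needs "the right mix of legitimate traffic, false, but potentially 'bad looking' traffic" can be made concrete with a toy signature matcher. What follows is an added example, not code from this thread, from Snort or from ICSA Labs: the signatures, their SIDs and port scopes, the addresses and the six traffic flows are all constructed for illustration, and the scoring simply compares rule hits against a hand-assigned label on each flow.

```python
"""Toy signature-matching IDS run over a small constructed traffic corpus.

Added illustration only: the signatures, SIDs, port filters and flows below are
invented for this example and are not Snort rules or real captured traffic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern
    ports: frozenset  # destination ports the rule applies to; empty = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes
    truth: str  # ground truth used for scoring: "attack" or "benign"


# Constructed signatures in the spirit of classic content-match rules.
SIGNATURES = (
    Signature(1000001, "WEB-CGI shell metacharacter in request",
              re.compile(rb"[;|`]"), frozenset({80})),
    Signature(1000002, "WEB-ATTACKS /etc/passwd in request",
              re.compile(rb"/etc/passwd"), frozenset({80})),
    Signature(1000003, "SHELLCODE x86 NOP sled (8+ bytes of 0x90)",
              re.compile(rb"\x90{8,}"), frozenset()),
)

# Constructed corpus: real attacks, plain traffic, benign traffic that merely
# looks bad, and one attack that falls outside a rule's port scope.
CORPUS = (
    Flow("10.0.0.5", "10.0.0.80", 80,
         b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n", "benign"),
    Flow("198.51.100.7", "10.0.0.80", 80,
         b"GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.0\r\n\r\n", "attack"),
    Flow("198.51.100.7", "10.0.0.80", 80,
         b"GET /cgi-bin/phf?Qalias=x%0a;id HTTP/1.0\r\n\r\n", "attack"),
    # Benign but bad-looking: a webmail post whose body mentions /etc/passwd.
    Flow("10.0.0.9", "10.0.0.80", 80,
         b"POST /webmail/send HTTP/1.0\r\n\r\nbody=never+chmod+777+/etc/passwd", "benign"),
    # Benign but bad-looking: a binary upload containing a run of 0x90 bytes.
    Flow("10.0.0.9", "10.0.0.80", 80,
         b"PUT /upload/blob.bin HTTP/1.0\r\n\r\n" + b"\x90" * 16 + b"\x00\x01", "benign"),
    # The same phf attack, but against a port the metacharacter rule ignores.
    Flow("198.51.100.7", "10.0.0.80", 8080,
         b"GET /cgi-bin/phf?Qalias=x%0a;id HTTP/1.0\r\n\r\n", "attack"),
)


def matches(sig: Signature, flow: Flow) -> bool:
    """A rule fires when its port scope allows it and the content regex hits."""
    if sig.ports and flow.dport not in sig.ports:
        return False
    return sig.pattern.search(flow.payload) is not None


def run_ids(flows=CORPUS, sigs=SIGNATURES):
    """Return (sid, flow) alert tuples, one per rule that fired on a flow."""
    return [(s.sid, f) for f in flows for s in sigs if matches(s, f)]


def score(alerts, flows=CORPUS):
    """Compare alerts with ground truth: (true pos, false pos, false neg)."""
    alerted = {f for _, f in alerts}
    tp = sum(1 for f in flows if f.truth == "attack" and f in alerted)
    fp = sum(1 for f in flows if f.truth == "benign" and f in alerted)
    fn = sum(1 for f in flows if f.truth == "attack" and f not in alerted)
    return tp, fp, fn


if __name__ == "__main__":
    alerts = run_ids()
    for sid, f in alerts:
        print(f"[{sid}] {f.src} -> {f.dst}:{f.dport} ({f.truth})")
    print("tp/fp/fn:", score(alerts))
```

Run stand-alone it reports two true positives, two false positives and one miss. The two false positives only show up because the corpus contains labelled benign flows that happen to carry an attack-like string or byte run; the miss only shows up because one labelled attack sits outside the rule's port scope. A corpus made of attack captures alone would have scored this matcher as perfect, which is the trap Paul is describing.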

