Re: [fw-wiz] IDS or Intrusion Prevention Systems

From: Ali Saifullah Khan (whipaz@gem.net.pk)
Date: 11/02/02


From: "Ali Saifullah Khan" <whipaz@gem.net.pk>
To: <firewall-wizards@honor.icsalabs.com>
Date: Sat Nov  2 16:22:01 2002

Salutations !

If it's a simple answer you want, go with SNORT.
http://www.snort.org/

Good references on IDS can be found by a simple google, or a look at the
articles posted at Securityfocus
http://online.securityfocus.com/

Mind you ! I'm stating this only if it's a SIMPLE suggestion you require.
Otherwise, going with what Paul has said would be a good idea.

Hope this helps.

Ali Saifullah Khan,

Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C

----- Original Message -----
From: Paul D. Robertson <proberts@patriot.net>
To: Walter Ludwig <w.ludwig@gmx.at>
Cc: <firewall-wizards@honor.icsalabs.com>
Sent: Sunday, October 27, 2002 8:11 PM
Subject: Re: [fw-wiz] IDS or Intrusion Prevention Systems

> On Sun, 27 Oct 2002, Walter Ludwig wrote:
>
> > Hello to all,
> >
> > I'm looking for an IDS or Intrusion Prevention System to use in our
> > office. I have no idea which ones are good and effective and which ones
> > not. Additionally, I have to write an exam in our school about this
>
> For the record, posts just naming IDS systems won't be approved, posts
> with actually useful content may.
>
> IDS systems are relatively immature, so there's no blanket "good and
> effective" rubber chicken that can be waved over them. All of them have
> strengths and weaknesses. Testing IDS products is incredibly difficult to
> do well. ICSA Labs has just started to test and certify products[1],
> setting up a common testbed with the right mix of legitimate traffic,
> false, but potentially "bad looking" traffic, and the infrastructure to
> do all that takes a lot of time.
>
> > topic. This exam is the last one and therefore very hard. Can you help
> > me?
>
> If you have to *write* the exam, I'd suggest looking at Northcutt's books
> on IDS; there's one on IDS in general, and one on writing rules.
>
> > Which products are good and why? Which one do you prefer and recommend
>
> Just like firewalls, which one you choose has more to do with what kind of
> environment you plan on putting it in, and what kind of policy you're
> attempting to enforce with it than "which product is best" because they all
> fit different scenarios differently. You can't just "Go get the blue one"
> because, like when you buy a vehicle, there are different purposes filled
> with different ones. Ferraris aren't better than minivans when the goal
> is to take a family of six out to dinner.
>
> You'd probably be much better served spending some significant time
> thinking about what sorts of things might change which IDS you chose, or
> which evaluation criteria might be interesting for different IDS
> deployments, or maybe even back at "what could possibly make one
> deployment different from another?"
>
> > and how easy are they to administer? Pros and Cons of different
> > products? Where can I find additional information? Do you know Okena and
> > their products ("StormWatch", ...)? Are they better (Prevention System)
> > than common IDSs? When you use an IDS, what additional software are you
> > using (File Integrity,...)? What will be the most secure solution?
>
> People have already commented on the "intrusion prevention" buzzword and
> what utility it has in the market, so I won't reiterate that here.
>
> The most secure solution is to have systems that don't have exploitable
> bugs exposed to other systems. IDS and "intrusion prevention" don't touch
> that piece of the puzzle.
>
> Paul
> [1] Disclaimer: I work for TruSecure, ICSA Labs is an independent
> division, and I've been slightly involved in the IDS testing program.
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts@patriot.net      which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>