RE: IDS recommendations

From: Robert Zachary (RZachary@verisign.com)
Date: 11/02/01


Message-ID: <1C1E25D810B404489BFE32088773C18816EAEA@CHSVRNT1>
From: Robert Zachary <RZachary@verisign.com>
To: focus-ids@securityfocus.com
Subject: RE: IDS recommendations
Date: Fri, 2 Nov 2001 08:49:16 -0600 

Has anyone been looking at SecureNet Pro (www.intrusion.com) lately? Any input?

Robert Zachary

-----Original Message-----
From: Ken [mailto:keneeg@home.com]
Sent: Thursday, November 01, 2001 4:09 PM
To: jono@networkcommand.com; Kevin Martin
Cc: focus-ids@securityfocus.com
Subject: Re: IDS recommendations

I would agree with the comments on Dragon. I have used this product
extensively for both "normal" IDS operations and investigative work. I
am a big fan of the ability to record forensics data and then tie that
data to "events" so that it can be easily viewed. I have worked with
a couple of other products that claim that forensics data is captured,
but it is not very easy to get to.

Custom sigs are a plus if you are into that, especially if you wanna tune
down to your specific environment. Can also be used to enable really
powerful investigations.

Some people find that the flexibility can be a bit of a challenge to manage.
I tend to think of it (the flexibility) as a great feature, well worth
spending a little time to learn the details.

Finally, I think Enterasys has done a pretty good job of coming up with a
cohesive host / network sensor architecture. There are several approaches to
host IDS - they have sided on the file integrity and log monitoring approach
(vs. intercepting system calls and auditing access to files). This allows you
to monitor syslogs, event logs, application logs, etc., and report the
events back to a common network/host security monitoring station. The host
sensor also has an open signature format, so you can monitor custom app logs
or integrate with other host monitoring systems like Tripwire.

Hope this helps... feel free to touch base with me if you have additional
questions.

Regards,

Ken

At 10:45 AM 11/1/01 -0800, Jon O . wrote:

>Kevin:
>
>I've had experience with all three products and can give a short quick
>overview of my experience.
>
>Cisco: Works well and is very stable, well designed, etc. It's Cisco
>so it doesn't crash, lockup, etc. Not very flexible, sigs built in,
>no modifications for your environment. Good on your borders.
>
>ISS: Made for people not fully versed in IDS. Keeps things simple at the
>cost of flexibility and a certain amount of security. Logging is weak,
>no telling what they are using as a signature, locks up, but simple
>for a non-expert to manage and run. Simple issues like IP Protocol
>50, 51 (VPN traffic) considered "Unknown Protocol", no ability to make
>them known. I keep feeling like I can't see everything and things are
>being missed.
>
>Dragon: Great tool. Logging is very flexible and secure, I've used it
>in high traffic enterprise environments. Custom signatures are
>quick and you know what triggers all signatures so you can really
>see under the hood. Needs a bit more understanding of IDS
>theory and implementation, but very powerful tool once you read
>the docs. Can keep up in heavy traffic zones, transit networks, etc.
>Overall, the one I'd recommend and really the only one I trust.
>
>On 01-Nov-2001, Kevin Martin wrote:
> > I'm currently researching NIDS and HIDS from a multitude of vendors. I've
> > read 2 articles from NetworkWorldFusion and Network Computing and it appears
> > that they rank Cisco, ISS, and Dragon as their top 3. Any practical
> > experiences with these 3 would be greatly appreciated (need to cut thru the
> > vendor doubletalk).
> >
> > Thanks..
> >
> > Kevin Martin kmartin@xcaliber.com
> > Stafford Trading Inc. Chief Security Officer
> > Chicago, IL 60604 TEL +1-312.356.4849
> > 230 S. LaSalle, Ste. 688