Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

From: Tim Holman (tim_holman_at_hotmail.com)
Date: 10/13/05

    To: "Jonathan Gauntt" <jon0966@yahoo.com>, <focus-ids@securityfocus.com>
    Date: Thu, 13 Oct 2005 12:31:31 +0100

    Hi Jonathan,

    Wouldn't you rather block bad traffic, rather than detect it?
    Most companies are moving away from IDS as a protection mechanism, because:

    1) It only detects, and doesn't effectively block intrusions
    2) Problems with false positives, as by using pattern matching signatures,
    there is always a chance that these patterns also appear in valid traffic
    3) Management overheads. An IDS can only be a reasonably effective
    prevention method if there is someone on hand 24/7 to monitor logs and take
    immediate action on intrusions. Even then, the intrusion has got in, as
    admins very rarely use the active blocking features of an IDS (namely
    sending RST packets to kill connections, or modifying upstream ACLs), as
    these are too likely to have an effect on valid traffic
    4) There is absolutely no protection for rate-based attacks (SYN, TCP, UDP
    floods)
    5) Without maintaining a L3/4 connection/state table, there is no way an
    IDS can be truly stateful. 100% statefulness means that everything from the
    initial SYN to the final RST/FIN packet of a connection is stored in a
    connection table. This requires the device to be INLINE, and operating at
    L3. This is the only way a protection device can provide effective defence
    against L3 attacks. An offline IDS cannot do this.

    I would recommend looking at IPS products instead, so something that you can
    position inline and get immediate value from.
    If you feel the Cisco IDS is getting a little tired, then an IPS will also
    help take the load off it, by getting rid of Internet white noise, providing
    additional firewall filtering, and also defence against rate-based attacks.
    A true IPS will focus on defining what is GOOD traffic, and assuming all
    else is BAD (and dropping it). By doing this, zero-day attacks can be
    virtually eliminated, as they all ultimately rely on abuse of a valid
    protocol in the hope of slipping past your protection mechanisms and onto
    your network.
    This works quite well in conjunction with an IDS, that focuses on searching
    traffic for badness.
    Replacing like for like (IDS for IDS) is not going to give you much value,
    and even the market analysts are recommending against it.
    IDS isn't dead. Far from it, but use it for what it's good for - DETECTION
    and FORENSICS, and not as a device that can insure your network against
    rate-based and zero-day attacks.

    Regards,

    Tim

    ----- Original Message -----
    From: "Jonathan Gauntt" <jon0966@yahoo.com>
    To: <focus-ids@securityfocus.com>
    Sent: Wednesday, October 12, 2005 5:57 PM
    Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

    > Hi,
    >
    > We are currently running a Cisco IDS 4250 that monitors our internal
    > traffic. We essentially use this device for historical reporting because we
    > are a medical oriented facility with at least 100 3rd party connections to
    > us besides the 8000 employees.
    >
    > I am considering upgrading the Cisco IDS 4250 to the XL to handle higher
    > throughput but have been evaluating the Sourcefire IS300 and their RNA sensor.
    >
    > I have the ability to purchase the Sourcefire unit or upgrade the 4250.
    >
    > Sourcefire claims that they are superior with stateful IDS inspection and
    > an overall better product.
    >
    > Does anyone have any thoughts on these two products? I have about $100k in
    > my budget to spend.
    >
    > Thanks,
    >
    >
    > Jonathan
    >
    >
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >


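Points 4 and 5 of the reply above (a connection table that follows every connection from the initial SYN to the final FIN/RST, an inline position that lets unknown traffic be dropped rather than merely logged, and some defence against rate-based attacks such as SYN floods) can be shown in a small inline tracker. The following is an added example written for this archive page; it is not code from Tim Holman's post, from Cisco or from Sourcefire. The packets, addresses and thresholds are constructed sample data, and the rate limit is a simple per-destination sliding window chosen for illustration.

```python
"""Minimal inline stateful TCP connection tracker (added example, constructed data).

Every packet is checked against a connection table keyed by the originator's
4-tuple.  Only a bare SYN may create an entry; a non-SYN packet with no entry
is dropped, handshake packets must arrive in order, and new SYNs per
destination are rate-limited so a SYN flood cannot fill the table.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float         # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"S", "A", "F", "R"}


def pkt(ts, src, sport, dst, dport, *flags):
    """Build one constructed sample packet."""
    return Packet(ts, src, sport, dst, dport, frozenset(flags))


@dataclass
class Conn:
    state: str                 # SYN_SENT, SYN_RECEIVED, ESTABLISHED, TIME_WAIT
    last_ts: float
    fins: set = field(default_factory=set)   # sides ("client"/"server") that sent FIN


class StatefulTracker:
    """Inline tracker: returns a verdict for each packet instead of only logging it."""

    def __init__(self, syn_limit=5, window=1.0, timeout=60.0):
        self.table = {}       # originator (src, sport, dst, dport) -> Conn
        self.syn_times = {}   # dst -> deque of recent SYN timestamps
        self.syn_limit = syn_limit   # max new SYNs per destination per window (assumed value)
        self.window = window
        self.timeout = timeout       # expiry for half-open and TIME_WAIT entries

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        if fwd in self.table:
            return fwd, "client"
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.table:
            return rev, "server"
        return None, None

    def _syn_rate_exceeded(self, p):
        q = self.syn_times.setdefault(p.dst, deque())
        while q and p.ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        q.append(p.ts)
        return len(q) > self.syn_limit

    def process(self, p):
        """Return 'accept' or 'drop: <reason>' for one packet."""
        key, side = self._lookup(p)
        if "S" in p.flags and "A" not in p.flags:
            # A bare SYN is the only packet allowed to create a table entry.
            if self._syn_rate_exceeded(p):
                return "drop: syn rate limit for %s" % p.dst
            self.table[(p.src, p.sport, p.dst, p.dport)] = Conn("SYN_SENT", p.ts)
            return "accept"
        if key is None:
            # Non-SYN packet that belongs to no known connection (e.g. a bare ACK).
            return "drop: no connection in table"
        conn = self.table[key]
        conn.last_ts = p.ts
        if "R" in p.flags:           # RST tears the connection down at once
            del self.table[key]
            return "accept"
        if "S" in p.flags:           # SYN/ACK: valid only from the server, once
            if side == "server" and conn.state == "SYN_SENT":
                conn.state = "SYN_RECEIVED"
                return "accept"
            return "drop: unexpected SYN/ACK"
        if conn.state == "SYN_RECEIVED":
            if side == "client" and "A" in p.flags:
                conn.state = "ESTABLISHED"   # third packet of the handshake
            else:
                return "drop: handshake not complete"
        elif conn.state == "SYN_SENT":
            return "drop: handshake not complete"
        if "F" in p.flags:
            conn.fins.add(side)
            if conn.fins == {"client", "server"}:
                conn.state = "TIME_WAIT"     # keep entry for the final ACK, then expire
        return "accept"

    def sweep(self, now):
        """Expire stale half-open and TIME_WAIT entries; returns how many were removed."""
        stale = [k for k, c in self.table.items()
                 if c.state != "ESTABLISHED" and now - c.last_ts > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def half_open(self):
        """Number of connections still inside the handshake."""
        return sum(1 for c in self.table.values()
                   if c.state in ("SYN_SENT", "SYN_RECEIVED"))


def run(tracker, packets):
    """Feed a packet list through the tracker and collect the verdicts."""
    return [tracker.process(p) for p in packets]
```

Fed a normal handshake, data and a FIN/FIN close, every packet is accepted and the entry is expired by `sweep`; a bare ACK with no SYN is dropped because nothing in the table matches it; and a burst of SYNs from many sources to one port is accepted only up to the window limit, so the half-open count stays bounded. The same table is what lets an inline device drop rather than merely alert, which is the distinction the reply draws between an IDS and an IPS.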