RE: Recommending an IDS system

From: Dave Gonsalves (dgonsalves_at_eagleinvsys.com)
Date: 03/02/04

    Date: Tue, 2 Mar 2004 12:19:28 -0500
    To: "Josh Mills" <JMills@cnbwaco.com>, "Reza Kordi" <rk@4unet.net>, "Andy Cuff" <lists@securitywizardry.com>, <security-basics@securityfocus.com>

    Not trying to make this a Cisco commercial, but I too am very satisfied with Cisco. We implemented an IDSM2, sensor device, and Cisco Security Agent for Host Intrusion Prevention. They all report into an easy to use central management location.

    Dave Gonsalves
    Eagle Investment Systems
    P 617-219-0313
    C 617-293-1210
    F 617-558-7136
    www.eagleinvsys.com

    The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee.
    Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized.
    If you are not the intended recipient please notify us immediately by returning the e-mail to the originator.

    -----Original Message-----
    From: Josh Mills [mailto:JMills@cnbwaco.com]
    Sent: Monday, March 01, 2004 6:19 PM
    To: Reza Kordi; Andy Cuff; security-basics@securityfocus.com
    Subject: RE: Recommending an IDS system

    I have implemented a new Cisco IDS solution and I am very pleased with it! The signatures are highly tunable for a commercial package and it seems to be pretty stable. The sensor itself runs on Red Hat, so maybe it isn't that much different than Snort.

    -----Original Message-----
    From: Reza Kordi [mailto:rk@4unet.net]
    Sent: Monday, March 01, 2004 2:03 PM
    To: 'Andy Cuff'; security-basics@securityfocus.com
    Subject: RE: Recommending an IDS system

    Hi Andy

    How well can vendor independent IDS solutions (especially open source) work in
    an enterprise Cisco-based network?

    What do you think about Cisco IDS solutions?

    Best Regards
    With kind regards
    Best wishes
    With friendly greetings

    Reza Kordi

    -----Original Message-----
    From: Andy Cuff [mailto:lists@securitywizardry.com]
    Sent: Saturday, 28 February 2004 11:21
    To: Matthew MacAulay; security-basics@securityfocus.com
    Subject: Re: Recommending an IDS system
    Importance: Low

    Hi Mat,
    I was faced with the same dilemma some years back; my site below details the
    various technologies you can bring to bear. I also wrote an article for
    SecurityFocus regarding deploying IDS from a vendor neutral standpoint:
    http://www.securityfocus.com/infocus/1754

    I'd suggest starting simply and building up but always keep the defence in
    depth end goal in sight. Also, don't forget that in addition to detecting
    attacks you have to react to them also. If you need further advice offlist
    don't hesitate to ask.

    Finally, if you go down the Network IPS route there are two main varieties:
    rate based and content based. I refer to the former as Attack Mitigation
    Systems; they fill an important role but IMHO are not IPS. Ideally you
    should have both varieties. There are some products that claim to do both,
    but .....

    take care
    -andy
    Talisker Security Tools Directory
    http://www.securitywizardry.com
    ----- Original Message -----
    From: "Matthew MacAulay" <matthew.macaulay@cobweb.co.uk>
    To: <security-basics@securityfocus.com>
    Sent: Thursday, February 26, 2004 12:36 PM
    Subject: Recommending an IDS system

    >
    > Hello,
    >
    > I have been tasked with looking at and recommending an IDS system for my
    > company.
    >
    > I have been looking at open source products (Snort), which seems to be a
    > very good system with a lot of community support. My problem is we are
    > an ASP. We want connections to be able to reach our systems for the
    > services we provide. I want to be able to monitor over 100 internet
    > facing servers (behind firewalls and load balancers) and alert on and
    > possibly block non-normal traffic / detected attack signatures.
    >
    > After doing some reading into different methods (IDS v IPS, host v
    > network), I favour a combination. We have at any one time up to 50,000
    > concurrent connections to our systems, so I have a problem of scale. One
    > Snort box is just not going to cut it!
    >
    > Looking at how I can "tap" into the network traffic has been partially
    > solved by using IDSVLANs, which are supported by our switch hardware
    > (Nortel 8600). So an IDSVLAN could be set up for each of our existing
    > VLANs and a couple of load balanced IDS boxes per IDSVLAN to alert to a
    > central server to produce reports / alert / wake people up.... Sounds
    > great.
    >
    > Though I have not looked at it in as much detail as network based IDS, I
    > expect I can get a host based IDS to also alert (SNMP or whatever) to
    > a central server to again produce reports / alerts / wake people up.
    >
    > I am interested to hear what systems you use to do IDS / IPS. Do you
    > have in place IDS systems for platforms of a larger or similar scale? I
    > would like to hear from people who have faced similar challenges.
    >
    > Questions I keep asking myself:
    >
    > Am I trying to do too much? Should I just concentrate on host based IDS?
    >
    > Is network based IDS the right way to go?
    > Or am I right in trying to do both?
    > Should I be using an open source product to do ID?
    > Are there commercial products which can do what I want?
    >
    > Your thoughts, recommendations and pointers to further reading are
    > welcome.
    >
    > Regards,
    >
    > Mat.
    >
    >
    > ----------------------------------------------------------------
    > The information in this email is confidential and may be legally
    > privileged. It is intended solely for the addressee. Access to
    > this email by anyone else is unauthorised. If you are not the
    > intended recipient, any disclosure, copying, distribution or any
    > action taken or omitted to be taken in reliance on it, is
    > prohibited and may be unlawful. If you have received this
    > communication in error please return it to the sender, then
    > delete and destroy any copies of it.
    > ----------------------------------------------------------------
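Andy's point about the two Network IPS varieties, rate based versus content based, illustrated with an added Python sketch that is not part of this thread or of any product mentioned in it. Two toy detectors run over constructed request records: the content-based one catches a single request carrying a known signature string but is blind to volume, the rate-based one catches a source exceeding a request-rate threshold but never looks at payloads, so each misses what the other finds. The signature string, threshold, window size and IP addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (not from the thread): (time_sec, src_ip, http_request)
RECORDS = [
    (0.0, "10.0.0.1", "GET /index.html HTTP/1.1"),
    (1.0, "10.0.0.3", "GET /index.html HTTP/1.1"),
    # low-and-slow: one request from 10.0.0.1 carrying the constructed signature
    (2.0, "10.0.0.1", "GET /search?q=TEST-SIG-001 HTTP/1.1"),
    (4.0, "10.0.0.3", "GET /about.html HTTP/1.1"),
] + [
    # volumetric: many ordinary requests from 10.0.0.2 within a few seconds
    (5.0 + i * 0.3, "10.0.0.2", "GET /index.html HTTP/1.1") for i in range(8)
]

SIGNATURES = ("TEST-SIG-001",)  # constructed signature, stands in for a real ruleset
RATE_LIMIT = 5                  # requests per source per window before rate detector fires
WINDOW_SEC = 10                 # fixed-size time bucket used by the rate detector


def content_based(records, signatures=SIGNATURES):
    """Content-based IDS/IPS: flag a source whose payload contains a known signature.
    Payload inspection only; request volume plays no part."""
    return {src for _, src, payload in records
            if any(sig in payload for sig in signatures)}


def rate_based(records, limit=RATE_LIMIT, window=WINDOW_SEC):
    """Rate-based detector (what Andy calls an Attack Mitigation System): flag a
    source exceeding `limit` requests in one `window`-second bucket, payload-agnostic."""
    counts = defaultdict(int)
    for ts, src, _ in records:
        counts[(src, int(ts // window))] += 1
    return {src for (src, _), n in counts.items() if n > limit}


def combined(records):
    """Both varieties side by side, as the thread recommends deploying them."""
    return content_based(records) | rate_based(records)


if __name__ == "__main__":
    print("content-based:", sorted(content_based(RECORDS)))  # ['10.0.0.1']
    print("rate-based   :", sorted(rate_based(RECORDS)))     # ['10.0.0.2']
    print("combined     :", sorted(combined(RECORDS)))       # ['10.0.0.1', '10.0.0.2']
```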
    
