RE: Recommending an IDS system

From: Buyer Jr, David (DBuyer_at_KaleidaHealth.Org)
Date: 03/03/04

    To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
    Date: Wed, 3 Mar 2004 09:08:34 -0500


    That feature is not an "Auto-Update" in Cisco. All that it does is bring you
    to a web page from which you can download the new signatures. You have to
    download it and then install it all manually. As for writing your own
    signatures, I am not going to pay 15 - 20 thousand dollars for an IDS that I
    have to write my own signatures for. This is something that the company should
    be doing. Cisco is not a "security" company. They buy other companies and
    stick their logo on it. By the way, just for your information, in ISS you can
    also write your own sigs as well. You can also import Snort sigs too (although
    it puts a heavy load on the system when you import Snort sigs).

    David Buyer

    -----Original Message-----
    From: Hoang, Binh P,,DMDCWEST [mailto:Hoangbp@osd.pentagon.mil]
    Sent: Tuesday, March 02, 2004 9:13 PM
    To: 'Buyer Jr, David'; 'security-basics@securityfocus.com'
    Subject: RE: Recommending an IDS system

    I never worked with the ISS IDS appliance before so I can't really comment on
    it.
    However, on Cisco IDS sensor appliances, as well as their switches'
    IDSMs, you can update the signatures for those automatically using the Auto
    Update feature on VMS/IDS Management Center (IDS MC) or Auto Update using
    PDM.

    As for the time frame of signature updates, it doesn't really matter that
    much as you can always write customized signatures based on the behavior
    of the new worms/attacks.

    Just my 2 cents.

    Binh
    -----Original Message-----
    From: Buyer Jr, David [mailto:DBuyer@KaleidaHealth.Org]
    Sent: Tuesday, March 02, 2004 9:29 AM
    To: 'security-basics@securityfocus.com'
    Subject: RE: Recommending an IDS system

    We have been using Cisco IDS systems for a number of years and recently
    switched over to the new ISS Proventia Series appliances. I have worked with
    both extensively and I have to say that the ISS solution is MUCH better than
    the Cisco solution. Some of the big differences are that the ISS people get
    out a sig about 2 weeks before Cisco even touches it. Also, the Cisco
    sensors don't have a way of automatically downloading and installing the new
    sigs. It's all a manual process that is a pain in the A**. Reporting is much
    much better and faster on the ISS as well. There are many more advantages of
    going with ISS so if you need any more info email me. I still have all my
    data sheets that I did when we were testing all the solutions.

    PS - go with the inline stuff (IPS). Snort also has an inline patch
    available.

    David Buyer

    -----Original Message-----
    From: Josh Mills [mailto:JMills@cnbwaco.com]
    Sent: Monday, March 01, 2004 6:19 PM
    To: Reza Kordi; Andy Cuff; security-basics@securityfocus.com
    Subject: RE: Recommending an IDS system

    I have implemented a new Cisco IDS solution and I am very pleased with it!
    The signatures are highly tunable for a commercial package and it seems to
    be pretty stable. The sensor itself runs on Red Hat so maybe it isn't that
    much different than Snort.

    -----Original Message-----
    From: Reza Kordi [mailto:rk@4unet.net]
    Sent: Monday, March 01, 2004 2:03 PM
    To: 'Andy Cuff'; security-basics@securityfocus.com
    Subject: RE: Recommending an IDS system

    Hi Andy

    How well can vendor-independent IDS solutions (especially open source) work in
    an enterprise Cisco-based network?

    What do you think about Cisco IDS solutions?

    Best Regards
    With kind regards
    Best regards
    With kind regards
     
    Reza Kordi

    -----Original Message-----
    From: Andy Cuff [mailto:lists@securitywizardry.com]
    Sent: Saturday, 28 February 2004 11:21
    To: Matthew MacAulay; security-basics@securityfocus.com
    Subject: Re: Recommending an IDS system
    Importance: Low

    Hi Mat,
    I was faced with the same dilemma some years back; my site below details the
    various technologies you can bring to bear. I also wrote an article for
    SecurityFocus regarding deploying IDS from a vendor-neutral standpoint:
    http://www.securityfocus.com/infocus/1754

    I'd suggest starting simply and building up but always keep the defence in
    depth end goal in sight. Also, don't forget that in addition to detecting
    attacks you have to react to them also. If you need further advice offlist
    don't hesitate to ask.

    Finally, if you go down the Network IPS route there are 2 main varieties:
    rate based and content based. I refer to the former as Attack Mitigation
    Systems; they fill an important role but IMHO are not IPS. Ideally you
    should have both varieties. There are some products that claim to do both,
    but .....

    take care
    -andy
    Talisker Security Tools Directory http://www.securitywizardry.com
    ----- Original Message -----
    From: "Matthew MacAulay" <matthew.macaulay@cobweb.couk>
    To: <security-basics@securityfocus.com>
    Sent: Thursday, February 26, 2004 12:36 PM
    Subject: Recommending an IDS system

    >
    > Hello,
    >
    > I have been tasked with looking at and recommending an IDS system for
    > my company.
    >
    > I have been looking at open source products (Snort) which seems to be
    > a very good system with a lot of community support. My problem is we
    > are an ASP. We want connections to be able to reach our systems for
    > the services we provide. I want to be able to monitor over 100
    > internet facing servers (behind Firewalls and load balancers) and
    > alert / and possibly block non normal traffic / detected attack
    > signatures.
    >
    > After doing some reading into different methods IDS v IPS, Host v
    > Network, I favour a combination, we have at anyone time up to 50,000
    > concurrent connections to our systems so I have a problem of scale.
    > One Snort box is just not going to cut it!
    >
    > Looking at how I can "tap" into the network traffic has been partially
    > solved by using IDSVLANS which is supported by our Switch hardware.
    > (Nortel 8600) So an IDSVLAN could be setup for each of our existing
    > VLANS and a couple of load balanced IDS boxes per IDSVLAN to alert to
    > a central server to produce reports / alert / wake people up....
    > Sounds great.
    >
    > Though I have not looked at it in as much detail as network based IDS,
    > I expect I can get a hosts based IDS to also alert (SNMP or what ever)
    > to a central server to again produce reports / alerts / wake people
    > up.
    >
    > I am interested to hear what systems you use to do IDS / IPS. Do you
    > have in place IDS systems for platforms of a larger or similar scale?
    > I would like to hear from people who have faced similar
    > challenges
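Two ideas run through this thread: importing or writing your own content signatures (the Snort sigs David mentions) and Andy's split between content-based and rate-based network IPS. The following is an added example, not code from any poster, from Snort, ISS or Cisco. It parses a small, constructed set of rules written in a subset of Snort's rule syntax (the rules, SIDs, messages and hosts are made up for this example), matches their `content` options against constructed connection payloads, and runs a separate sliding-window rate check that flags a source opening too many connections in a short time. The assumed event layout (a dict with `ts`, `src`, `proto`, `dport`, `payload`) and the thresholds are this example's choices.

```python
import re
from collections import defaultdict, deque

# Constructed sample rules: Snort-style header and options, but made-up SIDs/messages.
SAMPLE_RULES = """
alert tcp any any -> any 80 (msg:"WEB cmd.exe access attempt"; content:"cmd.exe"; nocase; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB directory traversal"; content:"../"; sid:1000002;)
alert tcp any any -> any 445 (msg:"SMB header probe"; content:"|FF|SMB"; sid:1000003;)
"""

# Header grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def _decode_content(text):
    """Turn Snort content syntax (plain text with |HH HH| hex runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        if i % 2 == 1:                       # odd pieces sit inside |...| hex blocks
            out.extend(bytes.fromhex(part.replace(' ', '')))
        else:
            out.extend(part.encode('latin-1'))
    return bytes(out)

def parse_rules(text):
    """Parse rule lines into dicts with proto, dport, msg, sid, content bytes, nocase."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        opts = {}
        for opt in m.group('opts').split(';'):
            opt = opt.strip()
            if opt:
                key, _, value = opt.partition(':')
                opts[key.strip()] = value.strip().strip('"')
        rules.append({
            'proto': m.group('proto').lower(),
            'dport': m.group('dport'),
            'msg': opts.get('msg', ''),
            'sid': int(opts.get('sid', 0)),
            'content': _decode_content(opts['content']),
            'nocase': 'nocase' in opts,
        })
    return rules

def match_content(rules, event):
    """Content-based check: SIDs of rules whose proto/port header and content match one event."""
    hits = []
    for r in rules:
        if r['proto'] != event['proto'] or r['dport'] not in ('any', str(event['dport'])):
            continue
        payload, needle = event['payload'], r['content']
        if r['nocase']:
            payload, needle = payload.lower(), needle.lower()
        if needle in payload:
            hits.append(r['sid'])
    return hits

class RateDetector:
    """Rate-based check: flag a source with more than `limit` connections in `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)    # src -> timestamps inside the window

    def observe(self, src, ts):
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        return len(q) > self.limit

# Constructed connection events: two web requests, one SMB probe, then a burst of 60
# plain requests from one host within 0.6 seconds.
SAMPLE_EVENTS = [
    {'ts': 0.0, 'src': '10.0.0.5', 'proto': 'tcp', 'dport': 80, 'payload': b'GET /index.html HTTP/1.0'},
    {'ts': 0.5, 'src': '10.0.0.5', 'proto': 'tcp', 'dport': 80, 'payload': b'GET /scripts/../CMD.EXE HTTP/1.0'},
    {'ts': 1.0, 'src': '10.0.0.7', 'proto': 'tcp', 'dport': 445, 'payload': b'\x00\x00\x00\x2f\xffSMB\x72'},
] + [{'ts': 2.0 + i * 0.01, 'src': '10.0.0.9', 'proto': 'tcp', 'dport': 80,
      'payload': b'GET / HTTP/1.0'} for i in range(60)]

def run(rules_text=SAMPLE_RULES, events=SAMPLE_EVENTS, limit=20, window=1.0):
    """Run both detectors; return ([(src, sid), ...], [rate-flagged sources])."""
    rules = parse_rules(rules_text)
    rate = RateDetector(limit, window)
    content_alerts, rate_alerts = [], set()
    for ev in events:
        for sid in match_content(rules, ev):
            content_alerts.append((ev['src'], sid))
        if rate.observe(ev['src'], ev['ts']):
            rate_alerts.add(ev['src'])
    return content_alerts, sorted(rate_alerts)

if __name__ == '__main__':
    content, rate = run()
    print('content alerts:', content)
    print('rate-flagged sources:', rate)
```

The burst from 10.0.0.9 never matches a content rule and the traversal request from 10.0.0.5 never trips the rate check, which is the point Andy makes: the two mechanisms catch different things, so a deployment wants both. The `nocase` handling also shows why a case-sensitive signature alone would miss `CMD.EXE`.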