Re: Any IDS Recommendations?

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 07/16/05

    Date: Sat, 16 Jul 2005 19:02:23 +1000


    G'day,

    For audit compliance, you must have:

    * IDS in place
    * Procedures to manage IDS rules (signatures and heuristics)
    * Procedures to manage alerts - that is, your Emergency Response
    * Reports done regularly
    * Testing of the IDS/Emergency response done
    * (depending on the auditors' paranoia level) - plan to cover all corporate
    network with IDS sensors

    I see you have managed to convince the auditors that DMZ isn't the best
    place to install the sensors because all traffic there is encrypted. However
    I might suggest that this creates an excellent opportunity to come up with a
    tight IDS rule set: everything that is not on the list of (encrypted)
    protocols is a potential security breach. And seriously consider the internal
    network: first of all, NIDS will generate a lot of interesting information -
    like curious grads that believe they're h@x0rz and stuff like that. Secondly,
    the next IT security audit will require that anyway.

    And please - call me Slavko, or Slav. Simon is too Die Hard-ish for me.

    -- 
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-
    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:eYhHkURiFHA.576@TK2MSFTNGP15.phx.gbl...
    > Some good posts indeed Simon.
    >
    > I agree with you in every point. I forgot to mention that the primary
    > reason I'm installing the IDS is for compliancy with the PCI Data Security
    > Standard (Visa/MasterCard).
    >
    > It's a simple scenario - if we don't have an IDS on our network generating
    > 'traffic' and 'trash' stats - then we fail the compliancy audit. I argued
    > with the auditors re. the 'best' location for the device, they were
    > recommending I put it in my 'secure area' (a DMZ area where traffic and
    > data is encrypted). And my argument was that this was useless - an IDS
    > sniffing encrypted packets? A complete waste of Dollars or Euros in my
    > case.......
    >
    > Steve.
    >
    >
    > "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
    > news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
    > > G'day,
    > >
    > > You've received some good replies so far.
    > >
    > > Rule #1: always challenge the vendors' recommendation. In my opinion,
    > > even behind the filtering router, NIDS is next to useless. It's hard
    > > enough to make sense of NIDS in DMZ and on corporate WAN.
    > >
    > > Secondly: regardless of your chosen products, it's the people who'll be
    > > monitoring and supporting the solution in production. If you don't have a
    > > dedicated team that knows the product and how to make changes and deploy
    > > new sensors quickly - you better don't invest. Without the right process,
    > > auditors won't approve your NIDS.
    > >
    > > And if you have the right people, they don't necessarily need a fancy GUI
    > > to get started with Snort. You'll have a solution at the right cost for
    > > NIDS - $0.00 per monitored IP address.
    > >
    > > One thing is really important: have your testing criteria defined, and
    > > do testing. Yes, you'll need traffic generators and all that, but some
    > > due diligence saves time, money and nerves to the project team.
    > >
    > > -- 
    > > Svyatoslav Pidgorny, MS MVP - Security, MCSE
    > > -= F1 is the key =-
    > >
    > >
    > >
    > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > > news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    > > > Thanks Simon for the advice.
    > > >
    > > > Vendors recommend that the first IDS be placed in front of the edge
    > > > router (I think I might have read that in a Cisco Safe white paper) -
    > > > I've taken this a step further in placing it between the packet
    > > > filtering router and the firewall. As I mentioned in my earlier post
    > > > that we are running a Cisco based firewall (PIX) - which as I'm sure
    > > > you are aware of, doesn't provide much in the way (bar the IDS rule and
    > > > a few common signatures) of IDS features. I do appreciate that a lot of
    > > > 'trash' will be reported, and most of that trash will be SSL/IPSec
    > > > traffic - but that's the hit I'm prepared to take.
    > > >
    > > > Snort - do you think it's easy to configure? I don't. From the
    > > > research that I've done to date Tipping Point seem to have the spot
    > > > light on them, and are selling it on the basis that it's easy to
    > > > install and configure, and doesn't involve constant monitoring.
    > > >
    > > > Steve.
    > > >
    > >
    > >
    >
    >
    

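One way to turn the "everything not on the list of encrypted protocols is a potential breach" idea from the post above into a sensor check, as an added example that is not code from the thread or from any product it names; the allowlist, the flow records and the TLS-record-header heuristic are all assumptions, and the sample flows are constructed:

```python
"""Default-deny check for a DMZ that should carry only encrypted traffic.

Two things are flagged: flows whose protocol/port is not on the allowlist
of expected encrypted services, and port-443 flows whose first payload
bytes are not a TLS record header (plaintext riding on the HTTPS port).
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist of encrypted services expected in the DMZ.
ALLOWED = {
    ("tcp", 443): "HTTPS",
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("esp", 0): "ESP",  # IP protocol 50 has no port; modelled as port 0
}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "esp"
    dport: int
    first_bytes: bytes = b""  # first payload bytes, if the sensor kept them

def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert message, or None when the flow is expected."""
    service = ALLOWED.get((flow.proto, flow.dport))
    if service is None:
        return f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport}: not on encrypted allowlist"
    if flow.dport == 443 and flow.first_bytes and not looks_like_tls(flow.first_bytes):
        return f"{flow.src}->{flow.dst}: port 443 but payload is not TLS"
    return None

# Constructed sample flows (documentation-range addresses, not real traffic).
SAMPLE = [
    Flow("203.0.113.5", "192.0.2.10", "tcp", 443, b"\x16\x03\x01\x00\xc8"),
    Flow("203.0.113.7", "192.0.2.10", "tcp", 443, b"GET / HTTP/1.1\r\n"),
    Flow("203.0.113.9", "192.0.2.11", "tcp", 23),
    Flow("203.0.113.9", "192.0.2.12", "esp", 0),
]

def alerts(flows=SAMPLE) -> List[str]:
    return [a for a in (check_flow(f) for f in flows) if a]

if __name__ == "__main__":
    for line in alerts():
        print(line)
```

Port-only allowlisting would have passed the second sample flow, which is why the payload check sits alongside it.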