Re: Any IDS Recommendations?

From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 07/13/05


Date: Wed, 13 Jul 2005 09:57:37 -0700

Honestly, NIDS is nothing more than a waste of time and money IMO.

Put HIDS on high value servers and workstations or other devices. Hackers
don't want to "0wn" the network; they use it like dial tone to get to where
they are really going, which is the host where data resides. The only
exception to this is DDoS attacks, which aren't going to be prevented by
NIDS in any event.

Focus effort on the points where attackers want to get to, and less on the
roads they use to get there with. If you operate from the worst assumption
(i.e., they are already inside the network) then they will be using
"trusted" paths to communicate with the intended targets. Most
organizations do not monitor internal traffic going to other internal
destination sets as they do the "perimeter" or remote access paths.

You can spend the rest of your life trying to figure out what "normal" is on
the network or especially the Internet; you darn sure ought to know what
normal is on hosts that you manage though, and that battle can actually be
won by the sysadmin. It's also higher-yield in that you have more
information to conduct forensic analysis, etc.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
> G/Day Forum,
>
> I'm currently in the process of evaluating a number of IDS solutions. This
> IDS system will sit between an edge router (configured with ingress/egress
> filtering) and a Cisco Firewall. Our throughput requirement is low, as
> we've only got a 2mb leased line to our ISP.
>
> What's important to us:
> - ease of configuration and ongoing management
> - cost effectiveness
> - suitability to Industry (Financial)
> - logging ability/high quality reports/audit trail
>
> The products I'm currently looking at are:
> - Tipping Point 50
> - Cisco IDS 4215
>
> Any ideas, opinions, guidance?
>
> Regards,
> Steve.
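The host-centric monitoring the reply argues for (know what "normal" looks like on the hosts you manage, and watch internal-to-internal paths, not just the perimeter), as an added example that is not part of the original thread. The log format, the internal address ranges and the sample connection records are all constructed for the illustration; a real deployment would feed it host firewall or flow logs.

```python
"""Learn each managed host's normal outbound (dst, port, proto) set from a
clean window, then flag internal-to-internal connections outside that set."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges for this example (RFC 1918 space).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse(line):
    # Constructed record format: "<src> <dst> <dport> <proto>"
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto

def build_baseline(lines):
    """Per-source-host set of destinations seen during the baseline window."""
    baseline = defaultdict(set)
    for line in lines:
        src, dst, dport, proto = parse(line)
        baseline[src].add((dst, dport, proto))
    return baseline

def find_anomalies(baseline, lines):
    """Return internal->internal connections a host has never made before."""
    hits = []
    for line in lines:
        src, dst, dport, proto = parse(line)
        if not (is_internal(src) and is_internal(dst)):
            continue  # perimeter traffic is out of scope for this sensor
        if (dst, dport, proto) not in baseline.get(src, set()):
            hits.append((src, dst, dport, proto))
    return hits

# Constructed sample data: a workstation (10.0.1.20), a file server
# (10.0.2.5) and a DNS server (10.0.2.9) during a window assumed clean.
BASELINE_LOG = [
    "10.0.1.20 10.0.2.5 445 tcp",
    "10.0.1.20 10.0.2.9 53 udp",
    "10.0.2.5 10.0.2.9 53 udp",
]
# Later traffic: one workstation-to-workstation SMB connection is new.
LIVE_LOG = [
    "10.0.1.20 10.0.2.5 445 tcp",
    "10.0.1.20 10.0.1.30 445 tcp",
    "10.0.1.20 203.0.113.7 443 tcp",
    "10.0.2.5 10.0.2.9 53 udp",
]

if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE_LOG), LIVE_LOG):
        print("new internal path:", hit)
```

The baseline is only as trustworthy as the window it was learned from; if the host was already compromised then, the attacker's paths become "normal", so the learning window should come from known-good build or change records rather than whatever traffic happened to be observed.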
