Re: Any IDS Recommendations?
From: S. Pidgorny
Date: 07/14/05
- Next message: Chris Hagon: "Users accessing C$"
- Previous message: Rustem: "Re: Subject: Security Event Log reading by Domain Users"
- In reply to: The Poster: "Re: Any IDS Recommendations?"
- Next in thread: The Poster: "Re: Any IDS Recommendations?"
- Reply: The Poster: "Re: Any IDS Recommendations?"
Date: Thu, 14 Jul 2005 23:13:00 +1000
G'day,
You've received some good replies so far.
Rule #1: always challenge the vendors' recommendation. In my opinion, even
behind the filtering router, NIDS is next to useless. It's hard enough to
make sense of NIDS in the DMZ and on the corporate WAN.
Secondly: regardless of your chosen products, it's the people who'll be
monitoring and supporting the solution in production. If you don't have a
dedicated team that knows the product and how to make changes and deploy new
sensors quickly - you'd better not invest. Without the right process,
auditors won't approve your NIDS.
And if you have the right people, they don't necessarily need a fancy GUI to get
started with Snort. You'll have a solution at the right cost for NIDS -
$0.00 per monitored IP address.
One thing is really important: have your testing criteria defined, and do
the testing. Yes, you'll need traffic generators and all that, but some due
diligence saves the project team time, money and nerves.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
> Thanks Simon for the advice.
>
> Vendors recommend that the first IDS be placed in front of the edge router
> (I think I might have read that in a Cisco Safe white paper) - I've taken
> this a step further in placing it between the packet filtering router and
> the firewall. As I mentioned in my earlier post, we are running a Cisco
> based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
> much in the way (bar the IDS rule and a few common signatures) of IDS
> features. I do appreciate that a lot of 'trash' will be reported, and most
> of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
> take.
>
> Snort - do you think it's easy to configure? I don't. From the research that
> I've done to date Tipping Point seem to have the spotlight on them, and are
> selling it on the basis that it's easy to install and configure, and doesn't
> involve constant monitoring.
>
> Steve.
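The post's advice to define testing criteria before trusting a NIDS, and the reply's concern about the volume of "trash" alerts, can be turned into a measurable check. The script below is an added example, not code from the thread or from the Snort project: it parses alerts in Snort's fast output format (layout assumed from Snort's documentation), compares them against a constructed test plan of generated flows and the local-rule SIDs each was expected to trigger, and reports detections, misses and the count of alerts nobody asked for. All addresses, SIDs and rule names are constructed.

```python
import re
from collections import Counter

# Snort alert_fast line layout (assumed from Snort's documented fast output):
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts; SIDs are in the local-rule range and rule names are made up.
SAMPLE_ALERTS = """\
07/14-23:13:00.000001  [**] [1:1000001:1] TEST scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80
07/14-23:13:01.000002  [**] [1:1000002:1] TEST bad user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
07/14-23:13:02.000003  [**] [1:1000099:1] TEST noisy SSL heuristic [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:51000 -> 198.51.100.5:443
07/14-23:13:03.000004  [**] [1:1000099:1] TEST noisy SSL heuristic [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:51001 -> 198.51.100.5:443
"""

# Constructed test plan: each generated flow and the SID it is expected to trigger.
TEST_PLAN = [
    ("192.0.2.10", "198.51.100.5", 1000001),
    ("192.0.2.10", "198.51.100.5", 1000002),
    ("192.0.2.11", "198.51.100.5", 1000003),  # flow the sensor should have caught but did not
]

def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            alerts.append(d)
    return alerts

def score_test_plan(alerts, plan):
    """Compare alerts against the plan: detections, misses and unplanned noise."""
    expected = set(plan)
    seen = {(a["src"], a["dst"], a["sid"]) for a in alerts}
    noise = Counter(a["msg"] for a in alerts
                    if (a["src"], a["dst"], a["sid"]) not in expected)
    detected = expected & seen
    return {
        "detected": len(detected),
        "missed": sorted(expected - seen),
        "detection_rate": len(detected) / len(expected) if expected else 0.0,
        "noise": noise,  # alerts per message that no test case asked for
    }
```

Running `score_test_plan(parse_fast_alerts(SAMPLE_ALERTS), TEST_PLAN)` on the constructed data reports two of three planned flows detected and two unplanned alerts from the noisy rule, which is the kind of number a test plan should set a pass threshold for.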