Re: Any IDS Recommendations?
From: Phil Agcaoili (nospam_at_spam.org)
Date: 07/14/05
- Next message: Miha Pihler [MVP]: "Re: File Security"
- Previous message: Paul Williams [MVP]: "Re: Password Management Issue"
- In reply to: The Poster: "Re: Any IDS Recommendations?"
- Next in thread: The Poster: "Re: Any IDS Recommendations?"
- Reply: The Poster: "Re: Any IDS Recommendations?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Jul 2005 12:59:15 -0400
Ease of use is relative, but in this category your first requirement is to
get an appliance-based IDS/IPS solution.

This rules out stuff like Snort. Snort is one of the best IDS solutions, by
the way, because it is highly configurable and very fast.

SourceFire is the commercial company that the founder of Snort started. It
is an appliance solution with a Web GUI that you manage. You do not have to
install Linux or compile anything to get it working; it comes out of the box
ready with an OS and Snort running, and you simply configure and manage it
with your browser.

Also, with any signature-based IDS, there is a learning curve, and then there
is another process which will require all admins to update and make specific
judgements on which signatures to use or create based on their environment.
You can simply install an IDS and not touch it. It will become out of date.
Consider IDS like antivirus: without the latest definition file, A/V is
useless.

If you want to get closer to a set-it-and-forget-it type of intrusion
detection solution, I would also consider an anomaly/behavior-based solution
such as Lancope, Tipping Point, and McAfee. I've seen implementations that
have been profiled and left alone for a while but are still detecting odd
network conditions and flagging that the links need to be monitored.

The IDS/IPS market is a commodity right now, so whatever you choose from the
vendors I pointed out above, you should be good to go. Just know that you
need to manage these systems or else they're useless.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
> Thanks Simon for the advice.
>
> Vendors recommend that the first IDS be placed in front of the edge router
> (I think I might have read that in a Cisco Safe white paper) - I've taken
> this a step further in placing it between the packet filtering router and
> the firewall. As I mentioned in my earlier post, we are running a Cisco
> based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
> much in the way (bar the IDS rule and a few common signatures) of IDS
> features. I do appreciate that a lot of 'trash' will be reported, and most
> of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared
> to take.
>
> Snort - do you think it's easy to configure? I don't. From the research
> that I've done to date, Tipping Point seem to have the spotlight on them,
> and are selling it on the basis that it's easy to install and configure,
> and doesn't involve constant monitoring.
>
> Steve.
>
>> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
>> news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
>> > G/Day Forum,
>> >
>> > I am currently in the process of evaluating a number of IDS solutions.
>> > This IDS system will sit between an edge router (configured with
>> > ingress/egress filtering) and a Cisco Firewall. Our throughput
>> > requirement is low, as we've only got a 2mb leased line to our ISP.
>> >
>> > What's important to us:
>> > - ease of configuration and ongoing management
>> > - cost effectiveness
>> > - suitability to Industry (Financial)
>> > - logging ability/high quality reports/audit trail
>> >
>> > The products I'm currently looking at are:
>> > - Tipping Point 50
>> > - Cisco IDS 4215
>> >
>> > Any ideas, opinions, guidance?
>> >
>> > Regards,
>> > Steve.