Re: Any IDS Recommendations?
From: The Poster (nospam_at_nospam_dontyoudare.net)
Date: 07/15/05
- Next message: Chris Hagon: "Re: Users accessing C$"
- Previous message: Ken Zhao [MSFT]: "RE: Query based security group"
- In reply to: S. Pidgorny
: "Re: Any IDS Recommendations?" - Next in thread: S. Pidgorny
: "Re: Any IDS Recommendations?" - Reply: S. Pidgorny
: "Re: Any IDS Recommendations?" - Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 15 Jul 2005 09:16:00 +0100
Some good posts indeed Simon.
I agree with you in every point. I forgot to mention that the primary reason
I'm installing the IDS is for compliancy with the PCI Data Security Standard
(Visa/MasterCard).
It's a simple scenario - if we don't have an IDS on our network generating
'traffic' and 'trash' stats - then we fail the compliancy audit. I argued
with the auditors re. the 'best' location for the device, they were
recommending I put it in my 'secure area' (a DMZ area where traffic and data
is encrypted). And my argument was that this was useless - an IDS sniffing
encrypted packets? A complete waste of Dollars or Euros in my case.......
Steve.
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
> G'day,
>
> You've received some good replies so far.
>
> Rule #1: always challenge the vendors' recommendation. In my opinion, even
> behind the filtering router, NIDS is next to useless. It's hard enough to
> make sense of NIDS in DMZ and on corporate WAN.
>
> Secondly: regardless of your chosen products, it's the people who'll be
> monitoring and supporting the solution in production. If you don't have a
> dedicated team that knows the product and how to make changes and deploy
> new sensors quickly - you'd better not invest. Without the right process,
> auditors won't approve your NIDS.
>
> And if you have the right people, they don't necessarily need a fancy GUI to
> get started with Snort. You'll have a solution at the right cost for NIDS -
> $0.00 per monitored IP address.
>
> One thing is really important: have your testing criteria defined, and do
> testing. Yes, you'll need traffic generators and all that, but some due
> diligence saves time, money and nerves for the project team.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
>
>
> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
> > Thanks Simon for the advice.
> >
> > Vendors recommend that the first IDS be placed in front of the edge
> > router (I think I might have read that in a Cisco Safe white paper) - I've
> > taken this a step further in placing it between the packet filtering
> > router and the firewall. As I mentioned in my earlier post, we are running
> > a Cisco based firewall (PIX) - which as I'm sure you are aware of, doesn't
> > provide much in the way (bar the IDS rule and a few common signatures) of
> > IDS features. I do appreciate that a lot of 'trash' will be reported, and
> > most of that trash will be SSL/IPSec traffic - but that's the hit I'm
> > prepared to take.
> >
> > Snort - do you think it's easy to configure? I don't. From the research
> > that I've done to date Tipping Point seem to have the spotlight on them,
> > and are selling it on the basis that it's easy to install and configure,
> > and doesn't involve constant monitoring.
> >
> > Steve.
> >
>
>