Re: Any IDS Recommendations?

From: The Poster (nospam_at_nospam_dontyoudare.net)
Date: 07/15/05


Date: Fri, 15 Jul 2005 09:27:04 +0100

Excellent advice Phil... I like the idea of Snort running on a 'plug and
play' device, which I'm going to investigate further.

3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
trial - a nice gesture. It proves that they've got confidence in their
product and are quite willing to lend it to me on a trial basis. Now all I
need is some traffic generating software... :-)

Out of interest - have you come across any of the devices you mentioned in
PCI (Visa/MasterCard Credit Card Security Standard) based environments?
Where, topology-wise, were they placed?

Steve.

I do agree with your point (and Simon's previous post) - that if you don't
maintain an IDS, then it's worthless/useless and a complete waste of money.
"Phil Agcaoili" <nospam@spam.org> wrote in message
news:%23v$l5WJiFHA.2904@tk2msftngp13.phx.gbl...
> Ease of use is relative, but in this category your first requirement is to
> get an appliance-based IDS/IPS solution.
>
> This rules stuff out like Snort. Snort is one of the best IDS solutions by
> the way because it is highly configurable and very fast.
>
> SourceFire is the commercial company that the founder of Snort started. It
> is an appliance solution with a Web GUI that you manage. You do not have to
> install Linux or compile anything to get it working; it comes out of the box
> ready with an OS and Snort running, and you simply configure and manage it
> with your browser.
>
> Also, with any signature-based IDS, there is a learning curve, and then
> there is another process which will require all admins to update and make
> specific judgements on which signatures to use or create based on their
> environment.
>
> You can simply install an IDS and not touch it. It will become out of date.
> Consider IDS like Antivirus: without the latest definition file, A/V is
> useless.
>
> If you want to get closer to a set-it-and-forget-it type of intrusion
> detection solution, I would also consider an anomaly/behavior-based solution
> such as Lancope, Tipping Point, and McAfee. I've seen implementations that
> have been profiled and left alone for a while, but still detecting odd
> network conditions and flagging that the links need to be monitored.
>
> The IDS/IPS market is commodity right now, so whatever you choose from the
> vendors I pointed out above you should be good to go. Just know that you
> need to manage these systems or else they're useless.
>
> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
> > Thanks Simon for the advice.
> >
> > Vendors recommend that the first IDS be placed in front of the edge router
> > (I think I might have read that in a Cisco SAFE white paper) - I've taken
> > this a step further in placing it between the packet filtering router and
> > the firewall. As I mentioned in my earlier post, we are running a Cisco
> > based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
> > much in the way (bar the IDS rule and a few common signatures) of IDS
> > features. I do appreciate that a lot of 'trash' will be reported, and most
> > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared
> > to take.
> >
> > Snort - do you think it's easy to configure? I don't. From the research
> > that I've done to date Tipping Point seem to have the spotlight on them,
> > and are selling it on the basis that it's easy to install and configure,
> > and doesn't involve constant monitoring.
> >
> > Steve.
> >
> >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> >> news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
> >> > G/Day Forum,
> >> >
> >> > I'm currently in the process of evaluating a number of IDS solutions.
> >> > This IDS system will sit between an edge router (configured with
> >> > ingress/egress filtering) and a Cisco Firewall. Our throughput
> >> > requirement is low, as we've only got a 2mb leased line to our ISP.
> >> >
> >> > What's important to us:
> >> > - ease of configuration and ongoing management
> >> > - cost effectiveness
> >> > - suitability to Industry (Financial)
> >> > - logging ability/high quality reports/audit trail
> >> >
> >> > The products I'm currently looking at are:
> >> > - Tipping Point 50
> >> > - Cisco IDS 4215
> >> >
> >> > Any ideas, opinions, guidance?
> >> >
> >> > Regards,
> >> > Steve.