Re: Any IDS Recommendations?

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 07/16/05


Date: Sat, 16 Jul 2005 19:02:23 +1000

G'day,

For audit compliance, you must have:

* IDS in place
* Procedures to manage IDS rules (signatures and heuristics)
* Procedures to manage alerts - that is, your Emergency Response
* Reports done regularly
* Testing of the IDS/Emergency response done
* (depending on the auditors' paranoia level) - plan to cover all corporate
network with IDS sensors

I see you have managed to convince the auditors that the DMZ isn't the best
place to install the sensors because all traffic there is encrypted. However,
I might suggest that this creates an excellent opportunity to come up with a
tight IDS rule set: everything that is not on the list of (encrypted)
protocols is a potential security breach. And seriously consider the internal
network: first of all, NIDS will generate a lot of interesting information -
like curious grads that believe they're h@x0rz and stuff like that. Secondly,
the next IT security audit will require that anyway.

And please - call me Slavko, or Slav. Simon is too Die Hard-ish for me.

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:eYhHkURiFHA.576@TK2MSFTNGP15.phx.gbl...
> Some good posts indeed Simon.
>
> I agree with you in every point. I forgot to mention that the primary
> reason I'm installing the IDS is for compliance with the PCI Data Security
> Standard (Visa/MasterCard).
>
> It's a simple scenario - if we don't have an IDS on our network generating
> 'traffic' and 'trash' stats - then we fail the compliance audit. I argued
> with the auditors re. the 'best' location for the device; they were
> recommending I put it in my 'secure area' (a DMZ area where traffic and
> data is encrypted). And my argument was that this was useless - an IDS
> sniffing encrypted packets? A complete waste of Dollars or Euros in my
> case.......
>
> Steve.
>
>
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
> > G'day,
> >
> > You've received some good replies so far.
> >
> > Rule #1: always challenge the vendors' recommendation. In my opinion,
> > even behind the filtering router, NIDS is next to useless. It's hard
> > enough to make sense of NIDS in the DMZ and on the corporate WAN.
> >
> > Secondly: regardless of your chosen products, it's the people who'll be
> > monitoring and supporting the solution in production. If you don't have a
> > dedicated team that knows the product and how to make changes and deploy
> > new sensors quickly - you'd better not invest. Without the right process,
> > auditors won't approve your NIDS.
> >
> > And if you have the right people, they don't necessarily need a fancy GUI
> > to get started with Snort. You'll have a solution at the right cost for
> > NIDS - $0.00 per monitored IP address.
> >
> > One thing is really important: have your testing criteria defined, and
> > do testing. Yes, you'll need traffic generators and all that, but some due
> > diligence saves the project team time, money and nerves.
> >
> > -- 
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
> >
> >
> >
> > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> > news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
> > > Thanks Simon for the advice.
> > >
> > > Vendors recommend that the first IDS be placed in front of the edge
> > > router (I think I might have read that in a Cisco SAFE white paper) -
> > > I've taken this a step further in placing it between the packet
> > > filtering router and the firewall. As I mentioned in my earlier post,
> > > we are running a Cisco based firewall (PIX) - which, as I'm sure you are
> > > aware, doesn't provide much in the way (bar the IDS rule and a few
> > > common signatures) of IDS features. I do appreciate that a lot of
> > > 'trash' will be reported, and most of that trash will be SSL/IPSec
> > > traffic - but that's the hit I'm prepared to take.
> > >
> > > Snort - do you think it's easy to configure? I don't. From the research
> > > that I've done to date, TippingPoint seem to have the spotlight on them,
> > > and are selling it on the basis that it's easy to install and configure,
> > > and doesn't involve constant monitoring.
> > >
> > > Steve.
> > >
> >
> >
>
>
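Worked example of the "everything not on the list of encrypted protocols is a potential breach" rule set that Slavko suggests for the DMZ. This is an added illustration, not code from the thread or from Snort; in production the same policy would be a pair of Snort pass/alert rules, but the logic below is the part worth checking. The allowlist entries, the flow-record shape and the sample flows are all assumptions constructed for the example. The one refinement beyond the post is the tcp/443 check: a port being "encrypted" on paper does not mean the payload is TLS, so the detector also alerts on cleartext arriving on the HTTPS port.

```python
# Added example (not from the newsgroup thread): a DMZ allowlist detector.
# Policy: in a DMZ where all legitimate traffic is encrypted, any flow whose
# protocol/port is not on the list of expected encrypted services is an alert,
# and plaintext on a port reserved for TLS is an alert too.
from dataclasses import dataclass
from typing import List, Optional

# (IP protocol, destination port). Port None means the protocol has no ports.
# These entries are an assumption about a typical DMZ, not the poster's list.
ENCRYPTED_ALLOWLIST = {
    ("tcp", 443),   # HTTPS
    ("tcp", 22),    # SSH
    ("udp", 500),   # IKE
    ("udp", 4500),  # IKE NAT traversal
    ("esp", None),  # IPsec ESP (IP protocol 50)
}


@dataclass
class Flow:
    """Minimal flow record, as a sensor or flow exporter might produce it."""
    src: str
    dst: str
    proto: str             # "tcp", "udp", "esp", "icmp", ...
    dport: Optional[int]   # None for protocols without ports
    first_bytes: bytes     # first payload bytes seen, b"" if unknown


def looks_like_tls(first_bytes: bytes) -> bool:
    """A TLS record begins with content type 0x16 (handshake) and a 0x03 major version."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert string if the flow violates the DMZ policy, else None."""
    key = (flow.proto, None if flow.proto == "esp" else flow.dport)
    if key not in ENCRYPTED_ALLOWLIST:
        return f"unexpected protocol {flow.proto}/{flow.dport} {flow.src}->{flow.dst}"
    # tcp/443 is allowed only for TLS; cleartext there is still an anomaly.
    if flow.proto == "tcp" and flow.dport == 443 and flow.first_bytes \
            and not looks_like_tls(flow.first_bytes):
        return f"non-TLS payload on tcp/443 {flow.src}->{flow.dst}"
    return None


def scan(flows: List[Flow]) -> List[str]:
    """Run the policy over a batch of flows and return the alerts in order."""
    return [alert for alert in map(check_flow, flows) if alert is not None]


# Constructed sample flows (RFC 5737 documentation addresses), not captured data.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", "tcp", 443, b"\x16\x03\x01\x00\xa5"),   # real TLS
    Flow("203.0.113.5", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.1\r\n"),      # cleartext HTTP
    Flow("203.0.113.7", "192.0.2.10", "tcp", 443, b"GET / HTTP/1.1\r\n"),     # HTTP on 443
    Flow("203.0.113.9", "192.0.2.11", "esp", None, b""),                      # IPsec ESP
    Flow("203.0.113.9", "192.0.2.11", "udp", 500, b""),                       # IKE
    Flow("198.51.100.3", "192.0.2.10", "tcp", 23, b""),                       # telnet probe
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

Running it against the constructed flows produces three alerts (cleartext HTTP, HTTP on the TLS port, and the telnet probe) and stays silent on the TLS, ESP and IKE flows. The allowlist is deliberately short: the point of a DMZ policy like this is that every entry is something the firewall team can justify, so the rule set is tight enough that an alert actually means something.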

