Re: Any IDS Recommendations?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/16/05

    Date: Sat, 16 Jul 2005 15:09:28 GMT
    
    

    On Fri, 15 Jul 2005 09:27:04 +0100, "The Poster"
    <nospam@nospam_dontyoudare.net> wrote:

    >Excellent advice, Phil... I like the idea of Snort running on a 'plug and
    >play' device, which I'm going to investigate further.
    >
    >3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
    >trial - a nice gesture. It proves that they've got confidence in their
    >product and are quite willing to lend it to me on a trial basis. Now all I
    >need is some traffic generating software... :-)

    First, you won't go wrong with a Tipping Point or Cisco solution. You
    may overpay, you may not get the best results, but you'll meet your
    compliance needs. I'll leave out that I think most of the compliance
    rules are for covering some collective butts and not real security.
    :)

    Also, I've found that most IDS vendors will lend you a box to try. So
    try them all. I happen to also prefer Snort, and a SourceFire box
    goes a long way toward making management feel better. You might also
    look at a managed IDS, though, and offload both the workload and the
    responsibility to someone else.

    Now, here's what I've found critical about choosing an IDS:

    Pretty much, they all work. Some have features that make them better
    for a specific set of requirements, but any decent one does fine if
    properly managed and maintained. So it comes down to which solution
    fits your organization and your comfort level as much as anything
    else. Pick the one that "feels" right and make sure you stay current
    with it.

    Jeff

    >
    >Out of interest - have you come across any of the devices you mentioned in
    >PCI (Visa/MasterCard Credit Card Security Standard) based environments?
    >Where topology wise were they placed?
    >
    >Steve.
    >
    >I do agree with your point (and Simon's previous post) that if you don't
    >maintain an IDS, then it's worthless/useless and a complete waste of money.
    >"Phil Agcaoili" <nospam@spam.org> wrote in message
    >news:%23v$l5WJiFHA.2904@tk2msftngp13.phx.gbl...
    >> Ease of use is relative, but in this category your first requirement is to
    >> get an appliance-based IDS/IPS solution.
    >>
    >> This rules out stuff like Snort. Snort is one of the best IDS solutions, by
    >> the way, because it is highly configurable and very fast.
    >>
    >> SourceFire is the commercial company that the founder of Snort started. It
    >> is an appliance solution with a Web GUI that you manage. You do not have to
    >> install Linux or compile anything to get it working; it comes out of the box
    >> ready with an OS and Snort running, and you simply configure and manage it
    >> with your browser.
    >>
    >> Also, with any signature-based IDS, there is a learning curve, and then there
    >> is another process which will require all admins to update and make specific
    >> judgements on which signatures to use or create based on their environment.
    >>
    >> You can simply install an IDS and not touch it. It will become out of date.
    >> Consider IDS like antivirus: without the latest definition file, A/V is
    >> useless.
    >>
    >> If you want to get closer to a set-it-and-forget-it type of intrusion
    >> detection solution, I would also consider an anomaly/behavior-based solution
    >> such as Lancope, Tipping Point, and McAfee. I've seen implementations that
    >> have been profiled and left alone for a while, but still detecting odd
    >> network conditions and flagging that the link needs to be monitored.
    >>
    >> The IDS/IPS market is a commodity right now, so whatever you choose from the
    >> vendors I pointed out above, you should be good to go. Just know that you
    >> need to manage these systems or else they're useless.
    >>
    >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >> news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    >> > Thanks Simon for the advice.
    >> >
    >> > Vendors recommend that the first IDS be placed in front of the edge router
    >> > (I think I might have read that in a Cisco SAFE white paper). I've taken
    >> > this a step further in placing it between the packet filtering router and
    >> > the firewall. As I mentioned in my earlier post, we are running a Cisco
    >> > based firewall (PIX), which, as I'm sure you are aware, doesn't provide
    >> > much in the way (bar the IDS rule and a few common signatures) of IDS
    >> > features. I do appreciate that a lot of 'trash' will be reported, and most
    >> > of that trash will be SSL/IPSec traffic, but that's the hit I'm prepared to
    >> > take.
    >> >
    >> > Snort - do you think it's easy to configure? I don't. From the research that
    >> > I've done to date, Tipping Point seem to have the spotlight on them, and are
    >> > selling it on the basis that it's easy to install and configure, and doesn't
    >> > involve constant monitoring.
    >> >
    >> > Steve.
    >> >
    >> >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >> >> news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    >> >> > G/Day Forum,
    >> >> >
    >> >> > I'm currently in the process of evaluating a number of IDS solutions. This
    >> >> > IDS system will sit between an edge router (configured with ingress/egress
    >> >> > filtering) and a Cisco firewall. Our throughput requirement is low, as we've
    >> >> > only got a 2 Mb leased line to our ISP.
    >> >> >
    >> >> > What's important to us:
    >> >> > - ease of configuration and ongoing management
    >> >> > - cost effectiveness
    >> >> > - suitability to Industry (Financial)
    >> >> > - logging ability/high quality reports/audit trail
    >> >> >
    >> >> > The products I'm currently looking at are:
    >> >> > - Tipping Point 50
    >> >> > - Cisco IDS 4215
    >> >> >
    >> >> > Any ideas, opinions, guidance?
    >> >> >
    >> >> > Regards,
    >> >> > Steve.
    >
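
    Editor's worked example (added to this archive page; it is not code from
    Jeff, Phil or Steve, and it is not Snort). The thread's recurring point is
    that a signature-based IDS is only as good as the rules it is currently
    running. The toy matcher below parses a few rules written in Snort's rule
    syntax (header, msg, content with |xx| hex, nocase, sid are the only
    options it understands), runs them over constructed HTTP and TLS packets,
    and shows that a stale rule set (RULESET_V1) misses traffic that an updated
    one (RULESET_V2) flags, while the TLS record on port 443 stays opaque to
    content matching either way. Rule text, sids and packet payloads are all
    constructed for the example.

```python
"""
Toy Snort-style signature matcher (added example; not Snort, not from the
thread). Understands: action proto src sport -> dst dport (msg; content;
nocase; sid). Everything else in the real rule language is unsupported.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dst_port: str      # "any" or a port number, exactly as written in the rule
    msg: str
    content: bytes     # pattern with |xx xx| hex segments already expanded
    nocase: bool
    sid: int


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


# action proto src_ip src_port -> dst_ip dst_port (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$')


def decode_content(text: str) -> bytes:
    """Expand Snort's |xx xx| hex notation inside a content string."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError on anything the regex rejects."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'unparseable rule: {line!r}')
    action, proto, dst_port, opts = m.groups()
    fields, nocase = {}, False
    for opt in opts.split(';'):
        opt = opt.strip()
        if not opt:
            continue
        if opt == 'nocase':
            nocase = True
            continue
        key, _, val = opt.partition(':')
        fields[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, dst_port, fields['msg'],
                decode_content(fields['content']), nocase, int(fields['sid']))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol and destination port must agree, then a plain substring search."""
    if rule.proto not in ('any', pkt.proto):
        return False
    if rule.dst_port != 'any' and int(rule.dst_port) != pkt.dst_port:
        return False
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def scan(rules, packets):
    """Return (sid, msg) for every rule that fires, packet by packet."""
    return [(r.sid, r.msg) for p in packets for r in rules if matches(r, p)]


# Constructed rule sets: v1 is the "installed and never touched" set, v2 adds
# two signatures written after v1 was deployed. Sids are made up.
RULESET_V1 = [parse_rule(
    'alert tcp any any -> any 80 (msg:"WEB traversal"; content:"../../"; sid:1000001;)')]
RULESET_V2 = RULESET_V1 + [
    parse_rule('alert tcp any any -> any 80 (msg:"WEB cmd.exe"; content:"cmd.exe"; nocase; sid:1000002;)'),
    parse_rule('alert tcp any any -> any 80 (msg:"WEB NUL in URI"; content:"|00|"; sid:1000003;)'),
]

# Constructed traffic: one benign request, three suspicious ones, and a TLS
# record on 443 whose inner HTTP a content rule cannot see.
TRAFFIC = [
    Packet('tcp', 80, b'GET /index.html HTTP/1.0\r\n\r\n'),
    Packet('tcp', 80, b'GET /../../etc/passwd HTTP/1.0\r\n\r\n'),
    Packet('tcp', 80, b'GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n'),
    Packet('tcp', 80, b'GET /a.php\x00.txt HTTP/1.0\r\n\r\n'),
    Packet('tcp', 443, b'\x16\x03\x01\x00\x2f' + bytes(range(0x2f))),
]

if __name__ == '__main__':
    for name, ruleset in (('v1', RULESET_V1), ('v2', RULESET_V2)):
        print(name, scan(ruleset, TRAFFIC))
```

    Running it prints one alert for the v1 rule set and three for v2 on the
    same five packets; the only difference is the rules, which is Phil's
    antivirus comparison in code. The port-443 packet never fires because the
    matcher sees ciphertext, which is the SSL/IPSec "trash" Steve expects from
    a sensor placed outside the firewall.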

