Re: Any IDS Recommendations?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/16/05


Date: Sat, 16 Jul 2005 15:15:12 GMT

On Fri, 15 Jul 2005 08:07:13 -0400, "Karl Levinson, mvp"
<levinson_k@despammed.com> wrote:

>It's true that as others have suggested, behind your firewall(s) is a
>popular location, as well as in DMZs and near valuable infrastructure
>targets are popular locations. This permits the IDS to detect and alert you
>when your defenses such as firewall have been breached. Internal Windows
>networks of workstations and servers are chatty and can cause a fair number
>of false alarms, but monitoring these can still be beneficial and the false
>alarms can be managed in a variety of ways. Your network architecture may
>define where you can and should place IDS, because if you only have one IDS,
>you probably want to place it in a location where it will be able to see the
>most network traffic. Naturally your IDS won't see traffic that doesn't
>traverse past its interfaces.
>
>Tipping point is also an IPS, which changes things like potential placement
>if you choose to use this functionality. Inline IPS in general is more like
>a firewall IMHO in that it can only monitor and protect one or a few network
>segments, whereas IDS can generally be used to span and monitor more
>networks. If you choose to use the device as an IPS, it might require the
>purchase of more devices to monitor the same percentage of your network.

But a counter to that is if this is for the compliance portion of
Visa/MC, this makes it a perfect choice. You don't want to monitor
the entire network, just the critical portions. That dramatically
cuts the background noise from your analysis. And I'd venture a guess
that the biggest problem with IDS, whether NIDS, IPS, NIPS or
whatever, is getting the critical information out of the total
overload most of these options generate.

But again, this does depend a lot on your network architecture. You
may even find it advantageous to change some of your architecture to
manage this even better.

Jeff

>"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
>news:O$UzUgRiFHA.2152@TK2MSFTNGP14.phx.gbl...
>> Hi Karl,
>>
>> Thanks for your reply.
>>
>> Funny you mention Tripwire, it's a product we intend rolling out in parallel
>> with our NIDS. So far I'm leaning towards the Tipping Point solution - and
>> 3Com have agreed to give me one on trial for a few weeks.
>>
>> Any thoughts re' best location for my NIDS?
>>
>> Regards,
>> Steve.
>>
>> "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
>> news:eHIBp9AiFHA.576@TK2MSFTNGP15.phx.gbl...
>> >
>> > "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
>> > news:uc6E7v8hFHA.1968@TK2MSFTNGP14.phx.gbl...
>> > > Honestly, NIDS is nothing more than a waste of time and money IMO.
>> >
>> > NIDS is a tool that gives you something you can't easily get otherwise.
>> > It's grep for the network. It's true that some organizations probably waste
>> > too much effort on IDS. But how much time you put into IDS is entirely up
>> > to you. You can automate a lot of it if you want.
>> >
>> > NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
>> > portion is the most useful part of them, but it's easier and more cost
>> > effective to do that same network monitoring with a NIDS. Detecting file
>> > changes is useful, but is only a part of some NIDS, and is arguably better
>> > done with a file change checker like www.gfi.com Languard SIM, Osiris, etc.
>> > There really aren't too many robust commercial file change checker solutions
>> > IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
>> > main other thing most HIDS do is monitor the windows event log, but 1) you
>> > can do that with any number of other non-IDS products, 2) most HIDS are
>> > configured by default to give you way too many false alarms in the windows
>> > event logs, and 3) few NIDS I'm aware of give you an easy way to configure
>> > these events, you have to go back into Windows to manage this stuff.
>> >
>> > To the OP: A lot of people are running away from ISS due to their
>> > historically high prices and bad support in the past. Their prices may have
>> > changed with their new line, I don't know. Their products in the past have
>> > not been so easy to configure if you have a lot of devices, but OK if you
>> > have just one or two. A problem for me is that their signatures are closed
>> > source, which would be useful information to know when trying to tell false
>> > alarms from real events.
>> >
>> > www.enterasys.com Dragon is a popular and inexpensive IDS solution that is
>> > somewhat similar to Snort, but is probably easier to configure.
>> >
>> > www.netscreen.com has some attractive inexpensive low end devices that I
>> > understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
>> > bunch of other features. Their low end devices have all the exact same
>> > features as their high end enterprise devices.
>> >
>> > The tipping point IDS / IPS and cisco devices you mention are other popular
>> > choices.
>> >
>> >
>> > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
>> > > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
>> > > > G/Day Forum,
>> > > >
>> > > > I'm currently in the process of evaluating a number of IDS solutions. This
>> > > > IDS system will sit between an edge router (configured with ingress/egress
>> > > > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
>> > > > only got a 2mb leased line to our ISP.
>> > > >
>> > > > What's important to us:
>> > > > - ease of configuration and ongoing management
>> > > > - cost effectiveness
>> > > > - suitability to Industry (Financial)
>> > > > - logging ability/high quality reports/audit trail
>> > > >
>> > > > The products I'm currently looking at are:
>> > > > - Tipping Point 50
>> > > > - Cisco IDS 4215
>> > > >
>> > > > Any ideas, opinions, guidance?
>> > > >
>> > > > Regards,
>> > > > Steve.
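The thread's two practical points, that an IDS scoped to the critical segments drowns out far less of the chatty internal noise Karl mentions, and that the real work is pulling the critical alerts out of the overload Jeff describes, can be shown in a small triage filter. This is an added example, not code from the thread or from any product named in it; it assumes a Snort-style one-line alert format, a constructed set of alerts, and a hypothetical 192.0.2.0/24 as the monitored cardholder segment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in a Snort-style one-line ("fast") format; the sids
# and messages are made up for this example, not real ruleset identifiers.
SAMPLE_ALERTS = """\
07/16-15:15:12.000001 [**] [1:9000001:1] NETBIOS name query broadcast [**] [Priority: 3] {UDP} 10.10.5.23:137 -> 10.10.5.255:137
07/16-15:15:13.000002 [**] [1:9000001:1] NETBIOS name query broadcast [**] [Priority: 3] {UDP} 10.10.5.24:137 -> 10.10.5.255:137
07/16-15:15:14.000003 [**] [1:9000002:1] SSH connection sweep [**] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.0.2.10:22
07/16-15:15:15.000004 [**] [1:9000002:1] SSH connection sweep [**] [Priority: 2] {TCP} 203.0.113.9:4445 -> 192.0.2.11:22
07/16-15:15:16.000005 [**] [1:9000003:1] SQL injection attempt in URI [**] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.20:443
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d+)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alerts(text):
    """One dict per alert line; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"sid": m["sid"], "msg": m["msg"], "priority": int(m["prio"]),
                           "src": ipaddress.ip_address(m["src"]),
                           "dst": ipaddress.ip_address(m["dst"])})
    return alerts


def in_scope(alert, nets):
    """True if either endpoint lies in a segment we have chosen to monitor."""
    return any(alert["src"] in n or alert["dst"] in n for n in nets)


def triage(text, critical_cidrs, max_priority=2):
    """Keep alerts that touch a critical segment and are at least max_priority
    severe (Snort priority 1 is the most severe), then collapse repeats of the
    same signature from the same source into one row with a hit count."""
    nets = [ipaddress.ip_network(c) for c in critical_cidrs]
    counts = Counter()
    for a in parse_alerts(text):
        if a["priority"] > max_priority or not in_scope(a, nets):
            continue  # low-priority chatter or out-of-scope segment: drop it
        counts[(a["priority"], a["sid"], a["msg"], str(a["src"]))] += 1
    rows = [{"priority": p, "sid": s, "msg": m, "src": src, "count": c}
            for (p, s, m, src), c in counts.items()]
    return sorted(rows, key=lambda r: (r["priority"], -r["count"]))
```

Calling `triage(SAMPLE_ALERTS, ["192.0.2.0/24"])` reduces the five raw alerts to two rows: the injection attempt first, then one row for the SSH sweep with a count of 2, while the NetBIOS broadcasts from the workstation segment never reach the analyst.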