Any IDS Recommendations?

July 13, 2005 2:01:55 PM

Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

G'Day Forum,

I am currently in the process of evaluating a number of IDS solutions. This IDS
system will sit between an edge router (configured with ingress/egress
filtering) and a Cisco firewall. Our throughput requirement is low, as we've
only got a 2mb leased line to our ISP.

What's important to us:
- ease of configuration and ongoing management
- cost effectiveness
- suitability to industry (financial)
- logging ability/high quality reports/audit trail

The products I'm currently looking at are:
- Tipping Point 50
- Cisco IDS 4215

Any ideas, opinions, guidance?

Regards,
Steve.

July 13, 2005 2:01:56 PM

From: "The Poster" <nospam@nospam_dontyoudare.net>

Fortress Technologies
http://www.fortresstech.com/news/press_details.asp?id=4...

Internet Security Systems
http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?typ...

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
July 13, 2005 2:01:56 PM

Honestly, NIDS is nothing more than a waste of time and money IMO.

Put HIDS on high value servers and workstations or other devices. Hackers
don't want to "0wn" the network; they use it like dial tone to get to where
they are really going, which is the host where data resides. The only
exception to this is DDoS attacks, which aren't going to be prevented by
NIDS in any event.

Focus effort on the points where attackers want to get to, and less on the
roads they use to get there with. If you operate from the worst assumption
(i.e., they are already inside the network) then they will be using
"trusted" paths to communicate with the intended targets. Most
organizations do not monitor internal traffic going to other internal
destination sets as they do the "perimeter" or remote access paths.

You can spend the rest of your life trying to figure out what "normal" is on
the network or especially the Internet; you darn sure ought to know what
normal is on hosts that you manage though, and that battle can actually be
won by the sysadmin. It's also higher-yield in that you have more
information to conduct forensic analysis, etc.




"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
July 14, 2005 12:50:55 AM

Hi there,

I recommend Snort. The open source solution is used in at least one of the
Australian Big 5 banks. Alternatively, you can use SourceFire - they add a
nice management interface, "supportability" and a price tag.

Implementing NIDS in front of the external firewall - bad idea. You will have
a lot of rubbish and chances are that you'll miss something important. DMZ
is a different matter - a port scan has to raise a legitimate alarm in there.
On the corporate network implement your NIDS too, you must.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
July 14, 2005 12:50:56 AM

Thanks Simon for the advice.

Vendors recommend that the first IDS be placed in front of the edge router
(I think I might have read that in a Cisco SAFE white paper) - I've taken
this a step further in placing it between the packet filtering router and
the firewall. As I mentioned in my earlier post, we are running a Cisco
based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
much in the way of IDS features (bar the IDS rule and a few common
signatures). I do appreciate that a lot of 'trash' will be reported, and most
of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
take.

Snort - do you think it's easy to configure? I don't. From the research that
I've done to date Tipping Point seem to have the spotlight on them, and are
selling it on the basis that it's easy to install and configure, and doesn't
involve constant monitoring.

Steve.

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:edzjAj5hFHA.3936@TK2MSFTNGP10.phx.gbl...
July 14, 2005 1:01:42 AM

"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:uc6E7v8hFHA.1968@TK2MSFTNGP14.phx.gbl...
> Honestly, NIDS is nothing more than a waste of time and money IMO.

NIDS is a tool that gives you something you can't easily get otherwise.
It's grep for the network. It's true that some organizations probably waste
too much effort on IDS. But how much time you put into IDS is entirely up
to you. You can automate a lot of it if you want.

NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
portion is the most useful part of them, but it's easier and more cost
effective to do that same network monitoring with a NIDS. Detecting file
changes is useful, but is only a part of some NIDS, and is arguably better
done with a file change checker like www.gfi.com Languard SIM, Osiris, etc.
There really aren't too many robust commercial file change checker solutions
IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
main other thing most HIDS do is monitor the Windows event log, but 1) you
can do that with any number of other non-IDS products, 2) most HIDS are
configured by default to give you way too many false alarms in the Windows
event logs, and 3) few NIDS I'm aware of give you an easy way to configure
these events; you have to go back into Windows to manage this stuff.

To the OP: A lot of people are running away from ISS due to their
historically high prices and bad support in the past. Their prices may have
changed with their new line, I don't know. Their products in the past have
not been so easy to configure if you have a lot of devices, but OK if you
have just one or two. A problem for me is that their signatures are closed
source, which would be useful information to know when trying to tell false
alarms from real events.

www.enterasys.com Dragon is a popular and inexpensive IDS solution that is
somewhat similar to Snort, but is probably easier to configure.

www.netscreen.com has some attractive inexpensive low end devices that I
understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
bunch of other features. Their low end devices have all the exact same
features as their high end enterprise devices.

The Tipping Point IDS/IPS and Cisco devices you mention are other popular
choices.


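Karl's "grep for the network" remark above, and Svyatoslav's earlier point that a port scan against the DMZ must still raise a legitimate alarm, both come down to post-processing the alert log. The following is an added example, not code from the thread or from the Snort project: a small Python triage pass over constructed Snort fast-format alert lines (the sids, messages and addresses are made up for illustration) that suppresses one known-noisy internal signature, counts what remains by signature, and escalates any source that probes several distinct ports on a single DMZ host.

```python
"""Triage Snort 'fast' alert output: drop known-benign internal chatter,
count the rest by signature, and escalate port-scan-like behaviour against
the DMZ. Sample alerts, sids and addresses below are constructed, not real."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of Snort fast-alert lines (not from the thread).
SAMPLE_ALERTS = """\
07/14-02:13:44.100000  [**] [1:100001:1] SAMPLE NETBIOS name query [**] [Priority: 3] {UDP} 10.0.0.21:137 -> 10.0.0.255:137
07/14-02:13:45.200000  [**] [1:100001:1] SAMPLE NETBIOS name query [**] [Priority: 3] {UDP} 10.0.0.22:137 -> 10.0.0.255:137
07/14-02:13:46.300000  [**] [1:100002:1] SAMPLE TCP SYN to closed port [**] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:21
07/14-02:13:46.400000  [**] [1:100002:1] SAMPLE TCP SYN to closed port [**] [Priority: 2] {TCP} 203.0.113.5:40002 -> 192.0.2.10:23
07/14-02:13:46.500000  [**] [1:100002:1] SAMPLE TCP SYN to closed port [**] [Priority: 2] {TCP} 203.0.113.5:40003 -> 192.0.2.10:25
07/14-02:13:46.600000  [**] [1:100002:1] SAMPLE TCP SYN to closed port [**] [Priority: 2] {TCP} 203.0.113.5:40004 -> 192.0.2.10:110
07/14-02:13:46.700000  [**] [1:100002:1] SAMPLE TCP SYN to closed port [**] [Priority: 2] {TCP} 203.0.113.5:40005 -> 192.0.2.10:143
07/14-02:13:50.000000  [**] [1:100003:2] SAMPLE WEB-MISC suspicious URI [**] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return a list of dicts, one per parseable alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # Snort also prints banners and stats; skip those
        a = m.groupdict()
        for key in ("sid", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts

# Suppression list of (sid, source network) pairs judged benign after tuning.
# Constructed for the example: NetBIOS broadcasts from the office LAN.
SUPPRESS = [(100001, ip_network("10.0.0.0/24"))]

def suppress(alerts, rules=SUPPRESS):
    """Drop alerts that match a (sid, src network) suppression rule."""
    kept = []
    for a in alerts:
        src = ip_address(a["src"])
        if any(a["sid"] == sid and src in net for sid, net in rules):
            continue
        kept.append(a)
    return kept

def count_by_signature(alerts):
    """Histogram by (sid, msg): the quick 'grep for the network' view."""
    return Counter((a["sid"], a["msg"]) for a in alerts)

def find_port_scanners(alerts, dmz=ip_network("192.0.2.0/24"), min_ports=5):
    """Sources that touched >= min_ports distinct ports on one DMZ host."""
    ports = defaultdict(set)
    for a in alerts:
        if ip_address(a["dst"]) in dmz:
            ports[(a["src"], a["dst"])].add(a["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def triage(text):
    """Parse, suppress, then summarise and escalate."""
    alerts = suppress(parse_alerts(text))
    return {
        "total": len(alerts),
        "by_signature": count_by_signature(alerts),
        "scanners": find_port_scanners(alerts),
    }

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print(result["total"], "alerts after suppression")
    for (sid, msg), n in result["by_signature"].most_common():
        print(f"  sid {sid}: {n:3d}  {msg}")
    for (src, dst), plist in result["scanners"].items():
        print(f"  port-scan candidate {src} -> {dst}: ports {plist}")
```

The suppression list is where the tuning effort the thread keeps coming back to actually lives; every entry should be a deliberate decision, not a way to make the log quiet.
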
July 14, 2005 4:12:00 AM

Please ignore this if your site is not a High Security site.

If you are using SSL, then where is the end point? I.e. where is the encrypted
traffic decrypted?

I would expect your auditors to have a hissy fit if the SSL traffic were
decrypted anywhere sniffable, snortable or IDS'able, as that could lead to
identity theft.

For a high security site, logging SSL traffic is pointless; logging source
IP, port and time is more useful. Logging decrypted SSL traffic is an outright
danger.

I am happy to be corrected if needs be.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
July 14, 2005 4:59:15 PM

Ease of use is relative, but in this category your first requirement is to
get an appliance-based IDS/IPS solution.

This rules out stuff like Snort. Snort is one of the best IDS solutions by
the way because it is highly configurable and very fast.

SourceFire is the commercial company that the founder of Snort started. It
is an appliance solution with a Web GUI that you manage. You do not have to
install Linux or compile anything to get it working, it comes out of the box
ready with an OS and Snort running, and you simply configure and manage it
with your browser.

Also, with any signature based IDS, there is a learning curve and then there
is another process which will require all admins to update and make specific
judgements on which signatures to use or create based on their environment.

You can simply install an IDS and not touch it. It will become out of date.
Consider IDS like Antivirus, without the latest definition file, A/V is
useless.

If you want to get closer to a set it and forget it type of intrusion
detection solution, I would also consider an anomaly/behavior-based solution
such as Lancope, Tipping Point, and McAfee. I've seen implementations that
have been profiled and left alone for a while, but still detecting odd
network conditions and flagging that the links need to be monitored.

The IDS/IPS market is commodity right now, so whatever you choose from the
vendors I pointed out above you should be good to go. Just know that you
need to manage these systems or else they're useless.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:o GG37w7hFHA.328@tk2msftngp13.phx.gbl...
July 15, 2005 3:13:00 AM

G'day,

You've received some good replies so far.

Rule #1: always challenge the vendors' recommendation. In my opinion, even
behind the filtering router, NIDS is next to useless. It's hard enough to
make sense of NIDS in the DMZ and on the corporate WAN.

Secondly: regardless of your chosen products, it's the people who'll be
monitoring and supporting the solution in production. If you don't have a
dedicated team that knows the product and how to make changes and deploy new
sensors quickly - you'd better not invest. Without the right process,
auditors won't approve your NIDS.

And if you have the right people, they don't necessarily need a fancy GUI to
get started with Snort. You'll have a solution at the right cost for NIDS -
$0.00 per monitored IP address.

One thing is really important: have your testing criteria defined, and do
testing. Yes, you'll need traffic generators and all that, but some due
diligence saves the project team time, money and nerves.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:o GG37w7hFHA.328@tk2msftngp13.phx.gbl...
July 15, 2005 1:16:00 PM

Some good posts indeed Simon.

I agree with you on every point. I forgot to mention that the primary reason
I'm installing the IDS is for compliance with the PCI Data Security Standard
(Visa/MasterCard).

It's a simple scenario - if we don't have an IDS on our network generating
'traffic' and 'trash' stats - then we fail the compliance audit. I argued
with the auditors re. the 'best' location for the device; they were
recommending I put it in my 'secure area' (a DMZ area where traffic and data
is encrypted). And my argument was that this was useless - an IDS sniffing
encrypted packets? A complete waste of Dollars, or Euros in my case...

Steve.


"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
July 15, 2005 1:27:04 PM

Excellent advice Phil... I like the idea of Snort running on a 'plug and
play' device - which I'm going to investigate further.

3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
trial - a nice gesture. It proves that they've got confidence in their
product and are quite willing to lend it to me on a trial basis. Now all I
need is some traffic generating software... :-)

Out of interest - have you come across any of the devices you mentioned in
PCI (Visa/MasterCard Credit Card Security Standard) based environments?
Where, topology wise, were they placed?

Steve.

I do agree with your point (and Simon's previous post) - that if you don't
maintain an IDS, then it's worthless/useless and a complete waste of money.

"Phil Agcaoili" <nospam@spam.org> wrote in message
news:%23v$l5WJiFHA.2904@tk2msftngp13.phx.gbl...
July 15, 2005 1:37:03 PM

Hi Karl,

Thanks for your reply.

Funny you mention Tripwire, it's a product we intend rolling out in parallel
with our NIDS. So far I'm leaning towards the Tipping Point solution - and
3Com have agreed to give me one on trial for a few weeks.

Any thoughts re: the best location for my NIDS?

Regards,
Steve.

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:eHIBp9AiFHA.576@TK2MSFTNGP15.phx.gbl...
July 15, 2005 1:37:04 PM

It's true that, as others have suggested, behind your firewall(s) is a
popular location, as are DMZs and positions near valuable infrastructure
targets. This permits the IDS to detect and alert you when your defenses,
such as the firewall, have been breached. Internal Windows networks of
workstations and servers are chatty and can cause a fair number of false
alarms, but monitoring these can still be beneficial and the false alarms
can be managed in a variety of ways. Your network architecture may define
where you can and should place IDS, because if you only have one IDS, you
probably want to place it in a location where it will be able to see the
most network traffic. Naturally your IDS won't see traffic that doesn't
traverse past its interfaces.

Tipping Point is also an IPS, which changes things like potential placement
if you choose to use this functionality. Inline IPS in general is more like
a firewall IMHO in that it can only monitor and protect one or a few network
segments, whereas IDS can generally be used to span and monitor more
networks. If you choose to use the device as an IPS, it might require the
purchase of more devices to monitor the same percentage of your network.


"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:o $UzUgRiFHA.2152@TK2MSFTNGP14.phx.gbl...
> Hi Karl,
>
> Thanks for your reply.
>
> Funny you mention Tripwire, it's a product we intend rolling out in parallel
> with our NIDS. So far I'm leaning towards the Tipping Point solution - and
> 3Com have agreed to give me one on trial for a few weeks.
>
> Any thoughts re' best location for my NIDS?
>
> Regards,
> Steve.
>
Anonymous
July 16, 2005 7:09:28 PM

On Fri, 15 Jul 2005 09:27:04 +0100, "The Poster"
<nospam@nospam_dontyoudare.net> wrote:

>Excellent advice Phil...... I like the idea of Snort running on a 'plug and
>play' device - which I'm going to investigate further.
>
>3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
>trial - a nice gesture. It proves that they've got confidence in their
>product and are quite willing to lend it to me on a trial basis. Now all I
>need is some traffic generating software... :-)

First, you won't go wrong with a Tipping Point or Cisco solution. You
may overpay, you may not get the best results, but you'll meet your
compliance needs. I'll leave out that I think most of the compliance
rules are for covering some collective butts and not real security.
:) 

Also, I've found that most IDS vendors will lend you a box to try. So
try them all. I happen to also prefer Snort, and a SourceFire box
goes a long way toward making management feel better. You might also
look at a managed IDS though, offload both the workload and the
responsibility to someone else.

Now, here's what I've found critical about choosing an IDS:

Pretty much, they all work. Some have features that make them better
for a specific set of requirements, but any decent one does fine if
properly managed and maintained. So it comes down to which solution
fits your organization and your comfort level as much as anything
else. Pick the one that "feels" right and make sure you stay current
with it.

Jeff


>
>Out of interest - have you come across any of the devices you mentioned in
>PCI (Visa/MasterCard Credit Card Security Standard) based environments?
>Where topology wise were they placed?
>
>Steve.
>
>I do agree with your point (and Simon's previous post) - that if you don't
>maintain an IDS, then it's worthless/useless and a complete waste of money.
>"Phil Agcaoili" <nospam@spam.org> wrote in message
>news:%23v$l5WJiFHA.2904@tk2msftngp13.phx.gbl...
>> Ease of use is relative, but in this category your first requirement is to
>> get an appliance-based IDS/IPS solution.
>>
>> This rules stuff out like Snort. Snort is one of the best IDS solutions by
>> the way because it is highly configurable and very fast.
>>
>> SourceFire is the commercial company that the founder of Snort started. It
>> is an appliance solution with a Web GUI that you manage. You do not have to
>> install Linux or compile anything to get it working, it comes out of the box
>> ready with an OS and Snort running, and you simply configure and manage it
>> with your Browser.
>>
>> Also, with any signature based IDS, there is a learning curve and then there
>> is another process which will require all admins to update and make specific
>> judgements on which signatures to use or create based on their environment.
>>
>> You can simply install an IDS and not touch it. It will become out of date.
>> Consider IDS like Antivirus, without the latest definition file, A/V is
>> useless.
>>
>> If you want to get closer to a set it and forget it type of intrusion
>> detection solution, I would also consider an anomaly/behavior-based solution
>> such as Lancope, Tipping Point, and McAfee. I've seen implementations that
>> have been profiled and left alone for a while, but still detecting odd
>> network conditions and flagging that the link needs to be monitored.
>>
>> The IDS/IPS market is commodity right now, so whatever you choose from the
>> vendors I pointed out above you should be good to go. Just know that you
>> need to manage these systems or else they're useless.
>>
>> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
>> news:o GG37w7hFHA.328@tk2msftngp13.phx.gbl...
>> > Thanks Simon for the advice.
>> >
>> > Vendors recommend that the first IDS be placed in front of the edge router
>> > (I think I might have read that in a Cisco Safe white paper) - I've taken
>> > this a step further in placing it between the packet filtering router and
>> > the firewall. As I mentioned in my earlier post, we are running a Cisco
>> > based firewall (PIX) - which as I'm sure you are aware of, doesn't
>> > provide much in the way (bar the IDS rule and a few common signatures) of
>> > IDS features. I do appreciate that a lot of 'trash' will be reported, and
>> > most of that trash will be SSL/IPSec traffic - but that's the hit I'm
>> > prepared to take.
>> >
>> > Snort - do you think it's easy to configure? I don't. From the research
>> > that I've done to date Tipping Point seem to have the spot light on them,
>> > and are selling it on the basis that it's easy to install and configure,
>> > and doesn't involve constant monitoring.
>> >
>> > Steve.
>> >
Anonymous
July 16, 2005 7:15:12 PM

On Fri, 15 Jul 2005 08:07:13 -0400, "Karl Levinson, mvp"
<levinson_k@despammed.com> wrote:

>It's true that as others have suggested, behind your firewall(s) is a
>popular location, as well as in DMZs and near valuable infrastructure
>targets are popular locations. This permits the IDS to detect and alert you
>when your defenses such as firewall have been breached. Internal Windows
>networks of workstations and servers are chatty and can cause a fair number
>of false alarms, but monitoring these can still be beneficial and the false
>alarms can be managed in a variety of ways. Your network architecture may
>define where you can and should place IDS, because if you only have one IDS,
>you probably want to place it in a location where it will be able to see the
>most network traffic. Naturally your IDS won't see traffic that doesn't
>traverse past its interfaces.
>
>Tipping point is also an IPS, which changes things like potential placement
>if you choose to use this functionality. Inline IPS in general is more like
>a firewall IMHO in that it can only monitor and protect one or a few network
>segments, whereas IDS can generally be used to span and monitor more
>networks. If you choose to use the device as an IPS, it might require the
>purchase of more devices to monitor the same percentage of your network.

But a counter to that is if this is for the compliance portion of
Visa/MC, this makes it a perfect choice. You don't want to monitor
the entire network, just the critical portions. That dramatically
cuts the background noise from your analysis. And I'd venture a guess
that the biggest problem with IDS, whether NIDS, IPS, NIPS or
whatever, is getting the critical information out of the total
overload most of these options generate.

But again, this does depend a lot on your network architecture. You
may even find it advantageous to change some of your architecture to
manage this even better.

Jeff



>"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
>news:o $UzUgRiFHA.2152@TK2MSFTNGP14.phx.gbl...
>> Hi Karl,
>>
>> Thanks for your reply.
>>
>> Funny you mention Tripwire, it's a product we intend rolling out in parallel
>> with our NIDS. So far I'm leaning towards the Tipping Point solution - and
>> 3Com have agreed to give me one on trial for a few weeks.
>>
>> Any thoughts re' best location for my NIDS?
>>
>> Regards,
>> Steve.
>>
Anonymous
July 16, 2005 7:31:10 PM

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:42e221e3.38690218@msnews.microsoft.com...

> goes a long way toward making management feel better. You might also
> look at a managed IDS though, offload both the workload and the
> responsibility to someone else.

I have been very very unsatisfied with outsourcing IDS to someone else.
Most of them seem to really skimp on getting skilled workers [and
admittedly, it seems like you're almost never going to be able to get
someone with solid IDS experience on the second and third shifts], and I
question how most firms configure and monitor the IDS or whether the
configuration is adequately customized to your individual network. But I
suppose if you don't have the time and skill to do IDS, you've got little
choice.
Anonymous
July 16, 2005 11:02:23 PM

G'day,

For audit compliance, you must have:

* IDS in place
* Procedures to manage IDS rules (signatures and heuristics)
* Procedures to manage alerts - that is, your Emergency Response
* Reports done regularly
* Testing of the IDS/Emergency response done
* (depending on the auditors' paranoia level) - a plan to cover the whole
corporate network with IDS sensors

I see you have managed to convince the auditors that the DMZ isn't the best
place to install the sensors because all traffic there is encrypted. However,
I might suggest that this creates an excellent opportunity to come up with a
tight IDS rule set: everything that is not on the list of (encrypted)
protocols is a potential security breach. And seriously consider the internal
network: first of all, NIDS will generate a lot of interesting information -
like curious grads that believe they're h@x0rz and stuff like that. Secondly,
the next IT security audit will require that anyway.

And please - call me Slavko, or Slav. Simon is too Die Hard-ish for me.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:eYhHkURiFHA.576@TK2MSFTNGP15.phx.gbl...
> Some good posts indeed Simon.
>
> I agree with you on every point. I forgot to mention that the primary reason
> I'm installing the IDS is for compliance with the PCI Data Security Standard
> (Visa/MasterCard).
>
> It's a simple scenario - if we don't have an IDS on our network generating
> 'traffic' and 'trash' stats - then we fail the compliance audit. I argued
> with the auditors re. the 'best' location for the device, they were
> recommending I put it in my 'secure area' (a DMZ area where traffic and data
> is encrypted). And my argument was that this was useless - an IDS sniffing
> encrypted packets? A complete waste of Dollars or Euros in my case.......
>
> Steve.
>
>
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
> > G'day,
> >
> > You've received some good replies so far.
> >
> > Rule #1: always challenge the vendors' recommendation. In my opinion, even
> > behind the filtering router, NIDS is next to useless. It's hard enough to
> > make sense of NIDS in DMZ and on corporate WAN.
> >
> > Secondly: regardless of your chosen products, it's the people who'll be
> > monitoring and supporting the solution in production. If you don't have a
> > dedicated team that knows the product and how to make changes and deploy
> > new sensors quickly - you'd better not invest. Without the right process,
> > auditors won't approve your NIDS.
> >
> > And if you have the right people, they don't necessarily need a fancy GUI
> > to get started with Snort. You'll have a solution at the right cost for
> > NIDS - $0.00 per monitored IP address.
> >
> > One thing is really important: have your testing criteria defined, and do
> > testing. Yes, you'll need traffic generators and all that, but some due
> > diligence saves the project team time, money and nerves
> >
> > --
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
> >
> >
> >
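As an added example (not code from anyone in this thread), here is the inverted rule set Slavko describes, in Python over constructed flow records: an allow-list of the encrypted protocols expected on the segment, everything else flagged, plus a first-bytes check so cleartext on tcp/443 cannot hide behind an allowed port. The allow-list, addresses and sample flows are assumptions made for the example.

```python
"""Allow-list detector for a DMZ segment that should carry only encrypted traffic.

Added example, not code from anyone in the thread. It implements the inverted
rule set suggested above: list the (encrypted) protocols expected on the
segment and treat every other flow as a potential breach. The allow-list,
addresses and flow records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow-list of (ip_proto, dst_port). A None port means "any port"
# for that IP protocol (ESP, protocol 50, has no ports at all).
ALLOWED = {
    (6, 443),    # TLS over TCP
    (17, 500),   # IKE
    (17, 4500),  # IKE / ESP NAT traversal
    (50, None),  # ESP
}

# Record content types 20-23 are ChangeCipherSpec, Alert, Handshake and
# Application Data; every SSL 3.0 / TLS record has major version byte 0x03.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls(payload: bytes) -> bool:
    """Cheap first-bytes check: does this look like the start of a TLS record?"""
    return len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 0x03


@dataclass
class Flow:
    src: str
    dst: str
    ip_proto: int
    dst_port: Optional[int]
    payload: bytes = b""  # first bytes of the first packet, if captured


def classify(flow: Flow) -> Optional[str]:
    """Return None for an expected flow, otherwise a short alert reason."""
    key = (flow.ip_proto, flow.dst_port)
    if key not in ALLOWED and (flow.ip_proto, None) not in ALLOWED:
        return f"unexpected protocol/port {flow.ip_proto}/{flow.dst_port}"
    # An allowed port proves nothing by itself: cleartext on tcp/443 must not
    # pass as "encrypted" traffic. ESP carries no such header to check.
    if key == (6, 443) and flow.payload and not looks_like_tls(flow.payload):
        return "cleartext on tcp/443"
    return None


def scan(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Run every flow through classify() and collect (src, dst, reason) alerts."""
    alerts = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            alerts.append((flow.src, flow.dst, reason))
    return alerts


# Constructed sample flows: three expected, three that should alert.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.1.2.5", 6, 443, bytes.fromhex("160301")),  # TLS handshake
    Flow("10.1.1.20", "10.1.2.5", 50, None),                          # ESP
    Flow("10.1.1.21", "10.1.2.5", 17, 500),                           # IKE
    Flow("10.1.1.30", "10.1.2.5", 6, 23),                             # telnet
    Flow("10.1.1.31", "10.1.2.5", 6, 443, b"GET / HTTP/1.1\r\n"),     # HTTP on 443
    Flow("10.1.1.32", "10.1.2.5", 1, None),                           # ICMP
]

if __name__ == "__main__":
    for src, dst, reason in scan(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {reason}")
```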
Anonymous
July 16, 2005 11:02:24 PM

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:uaJrYUeiFHA.2904@tk2msftngp13.phx.gbl...

> I see you have managed to convince the auditors that DMZ isn't the best
> place to install the sensors because all traffic there is encrypted. However
> I might suggest that this creates an excellent opportunity to come up with
> tight IDS rule set: everything that is not on the list of (encrypted)
> protocols is a potential security breach. And seriously consider internal
> network: first of all, NIDS will generate a lot of interesting information -
> like curious grads that believe they're h@x0rz and stuff like that. Secondly,
> the next IT security audit will require that anyway.

Note that internal networks can be as challenging to monitor and give as
many false alarms as putting sensors outside your firewall.

And encrypted traffic does not necessarily have to be impossible to monitor.
There are solutions that will let you unencrypt and monitor encrypted
traffic, if you feel it is in your best interest to do so.
Anonymous
July 18, 2005 1:19:33 PM

Checkpoint RLZ.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
> G/Day Forum,
>
> I'm currently in the process of evaluating a number of IDS solutions. This IDS
> system will sit between an edge router (configured with ingress/egress
> filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
> only got a 2mb leased line to our ISP..
>
> Whats important to us:
> - ease of configuration and ongoing management
> - cost effectiveness
> - suitability to Industry (Financial)
> - logging ability/high quality reports/audit trail
>
> The products I'm currently looking at are:
> - Tipping Point 50
> - Cisco IDS 4215
>
> Any ideas, opinions, guidance?
>
> Regards,
> Steve.
>
>
Anonymous
July 21, 2005 1:18:58 AM

Checkpoint what? :) 

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"André Fagundes" <andre.fagundes@constat.com.br> wrote in message
news:uPrLnJ5iFHA.3012@TK2MSFTNGP12.phx.gbl...
> Checkpoint RLZ.
>