Any IDS Recommendations?

Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

G/Day Forum,

I'm currently in the process of evaluating a number of IDS solutions. This IDS
system will sit between an edge router (configured with ingress/egress
filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
only got a 2mb leased line to our ISP.

What's important to us:
- ease of configuration and ongoing management
- cost effectiveness
- suitability to Industry (Financial)
- logging ability/high quality reports/audit trail

The products I'm currently looking at are:
- Tipping Point 50
- Cisco IDS 4215

Any ideas, opinions, guidance?

Regards,
Steve.
19 answers
  1.

    From: "The Poster" <nospam@nospam_dontyoudare.net>

    | G/Day Forum,
    |
    | I'm currently in the process of evaluating a number of IDS solutions. This IDS
    | system will sit between an edge router (configured with ingress/egress
    | filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    | only got a 2mb leased line to our ISP.
    |
    | What's important to us:
    | - ease of configuration and ongoing management
    | - cost effectiveness
    | - suitability to Industry (Financial)
    | - logging ability/high quality reports/audit trail
    |
    | The products I'm currently looking at are:
    | - Tipping Point 50
    | - Cisco IDS 4215
    |
    | Any ideas, opinions, guidance?
    |
    | Regards,
    | Steve.
    |

    Fortress Technologies
    http://www.fortresstech.com/news/press_details.asp?id=49

    Internet Security Systems
    http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=ISS&oid=14435

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  2.

    Honestly, NIDS is nothing more than a waste of time and money IMO.

    Put HIDS on high value servers and workstations or other devices. Hackers
    don't want to "0wn" the network; they use it like dial tone to get to where
    they are really going, which is the host where data resides. The only
    exception to this is DDoS attacks, which aren't going to be prevented by
    NIDS in any event.

    Focus effort on the points where attackers want to get to, and less on the
    roads they use to get there with. If you operate from the worst assumption
    (i.e., they are already inside the network) then they will be using
    "trusted" paths to communicate with the intended targets. Most
    organizations do not monitor internal traffic going to other internal
    destination sets as they do the "perimeter" or remote access paths.

    You can spend the rest of your life trying to figure out what "normal" is on
    the network or especially the Internet; you darn sure ought to know what
    normal is on hosts that you manage though, and that battle can actually be
    won by the sysadmin. It's also higher-yield in that you have more
    information to conduct forensic analysis, etc.


    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > G/Day Forum,
    >
    > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    > system will sit between an edge router (configured with ingress/egress
    > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    > only got a 2mb leased line to our ISP.
    >
    > What's important to us:
    > - ease of configuration and ongoing management
    > - cost effectiveness
    > - suitability to Industry (Financial)
    > - logging ability/high quality reports/audit trail
    >
    > The products I'm currently looking at are:
    > - Tipping Point 50
    > - Cisco IDS 4215
    >
    > Any ideas, opinions, guidance?
    >
    > Regards,
    > Steve.
    >
    >
  3.

    Hi there,

    I recommend Snort. The open source solution is used in at least one of the
    Australian Big 5 banks. Alternatively, you can use SourceFire - they add a
    nice management interface, "supportability" and price tag.

    Implementing NIDS in front of the external firewall - bad idea. You will have
    a lot of rubbish and chances are that you'll miss something important. DMZ
    is a different matter - port scan has to raise a legitimate alarm in there.
    On the corporate network implement your NIDS too, you must.

    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-

    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > G/Day Forum,
    >
    > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    > system will sit between an edge router (configured with ingress/egress
    > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    > only got a 2mb leased line to our ISP.
    >
    > What's important to us:
    > - ease of configuration and ongoing management
    > - cost effectiveness
    > - suitability to Industry (Financial)
    > - logging ability/high quality reports/audit trail
    >
    > The products I'm currently looking at are:
    > - Tipping Point 50
    > - Cisco IDS 4215
    >
    > Any ideas, opinions, guidance?
    >
    > Regards,
    > Steve.
    >
    >
  4.

    Thanks Simon for the advice.

    Vendors recommend that the first IDS be placed in front of the edge router
    (I think I might have read that in a Cisco Safe white paper) - I've taken
    this a step further in placing it between the packet filtering router and
    the firewall. As I mentioned in my earlier post, we are running a Cisco
    based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
    much in the way (bar the IDS rule and a few common signatures) of IDS
    features. I do appreciate that a lot of 'trash' will be reported, and most
    of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
    take.

    Snort - do you think it's easy to configure? I don't. From the research that
    I've done to date Tipping Point seem to have the spot light on them, and are
    selling it on the basis that it's easy to install and configure, and doesn't
    involve constant monitoring.

    Steve.

    "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
    news:edzjAj5hFHA.3936@TK2MSFTNGP10.phx.gbl...
    > Hi there,
    >
    > I recommend Snort. The open source solution is used in at least one of the
    > Australian Big 5 banks. Alternatively, you can use SourceFire - they add a
    > nice management interface, "supportability" and price tag.
    >
    > Implementing NIDS in front of the external firewall - bad idea. You will have
    > a lot of rubbish and chances are that you'll miss something important. DMZ
    > is a different matter - port scan has to raise a legitimate alarm in there.
    > On the corporate network implement your NIDS too, you must.
    >
    > --
    > Svyatoslav Pidgorny, MS MVP - Security, MCSE
    > -= F1 is the key =-
    >
    > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > > G/Day Forum,
    > >
    > > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    > > system will sit between an edge router (configured with ingress/egress
    > > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    > > only got a 2mb leased line to our ISP.
    > >
    > > What's important to us:
    > > - ease of configuration and ongoing management
    > > - cost effectiveness
    > > - suitability to Industry (Financial)
    > > - logging ability/high quality reports/audit trail
    > >
    > > The products I'm currently looking at are:
    > > - Tipping Point 50
    > > - Cisco IDS 4215
    > >
    > > Any ideas, opinions, guidance?
    > >
    > > Regards,
    > > Steve.
    > >
    > >
    >
    >
  5.

    "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    news:uc6E7v8hFHA.1968@TK2MSFTNGP14.phx.gbl...
    > Honestly, NIDS is nothing more than a waste of time and money IMO.

    NIDS is a tool that gives you something you can't easily get otherwise.
    It's grep for the network. It's true that some organizations probably waste
    too much effort on IDS. But how much time you put into IDS is entirely up
    to you. You can automate a lot of it if you want.

    NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
    portion is the most useful part of them, but it's easier and more cost
    effective to do that same network monitoring with a NIDS. Detecting file
    changes is useful, but is only a part of some NIDS, and is arguably better
    done with a file change checker like www.gfi.com Languard SIM, Osiris, etc.
    There really aren't too many robust commercial file change checker solutions
    IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
    main other thing most HIDS do is monitor the Windows event log, but 1) you
    can do that with any number of other non-IDS products, 2) most HIDS are
    configured by default to give you way too many false alarms in the Windows
    event logs, and 3) few NIDS I'm aware of give you an easy way to configure
    these events, you have to go back into Windows to manage this stuff.

    To the OP: A lot of people are running away from ISS due to their
    historically high prices and bad support in the past. Their prices may have
    changed with their new line, I don't know. Their products in the past have
    not been so easy to configure if you have a lot of devices, but OK if you
    have just one or two. A problem for me is that their signatures are closed
    source, which would be useful information to know when trying to tell false
    alarms from real events.

    www.enterasys.com Dragon is a popular and inexpensive IDS solution that is
    somewhat similar to Snort, but is probably easier to configure.

    www.netscreen.com has some attractive inexpensive low end devices that I
    understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
    bunch of other features. Their low end devices have all the exact same
    features as their high end enterprise devices.

    The Tipping Point IDS/IPS and Cisco devices you mention are other popular
    choices.


    > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > > G/Day Forum,
    > >
    > > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    > > system will sit between an edge router (configured with ingress/egress
    > > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    > > only got a 2mb leased line to our ISP.
    > >
    > > What's important to us:
    > > - ease of configuration and ongoing management
    > > - cost effectiveness
    > > - suitability to Industry (Financial)
    > > - logging ability/high quality reports/audit trail
    > >
    > > The products I'm currently looking at are:
    > > - Tipping Point 50
    > > - Cisco IDS 4215
    > >
    > > Any ideas, opinions, guidance?
    > >
    > > Regards,
    > > Steve.
    > >
    > >
    >
    >
  6.

    Please ignore this if your site is not a High Security site.

    If you are using SSL, then where is the end point, i.e. where is the encrypted
    traffic decrypted?

    I would expect your auditors to have a hissy fit if the SSL traffic were
    decrypted anywhere sniffable, snortable or IDS'able as that could lead to
    identity theft.

    For a high security site, logging SSL traffic is pointless, logging source
    ip, port, time is more useful. Logging decrypted SSL traffic is an outright
    danger.

    I am happy to be corrected if needs be.

    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > G/Day Forum,
    >
    > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    > system will sit between an edge router (configured with ingress/egress
    > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    > only got a 2mb leased line to our ISP.
    >
    > What's important to us:
    > - ease of configuration and ongoing management
    > - cost effectiveness
    > - suitability to Industry (Financial)
    > - logging ability/high quality reports/audit trail
    >
    > The products I'm currently looking at are:
    > - Tipping Point 50
    > - Cisco IDS 4215
    >
    > Any ideas, opinions, guidance?
    >
    > Regards,
    > Steve.
    >
    >
  7.

    Ease of use is relative, but in this category your first requirement is to
    get an appliance-based IDS/IPS solution.

    This rules out stuff like Snort. Snort is one of the best IDS solutions by
    the way because it is highly configurable and very fast.

    SourceFire is the commercial company that the founder of Snort started. It
    is an appliance solution with a Web GUI that you manage. You do not have to
    install Linux or compile anything to get it working, it comes out of the box
    ready with an OS and Snort running, and you simply configure and manage it
    with your Browser.

    Also, with any signature based IDS, there is a learning curve and then there
    is another process which will require all admins to update and make specific
    judgements on which signatures to use or create based on their environment.

    You can simply install an IDS and not touch it. It will become out of date.
    Consider IDS like Antivirus, without the latest definition file, A/V is
    useless.

    If you want to get closer to a set it and forget it type of intrusion
    detection solution, I would also consider an anomaly/behavior-based solution
    such as Lancope, Tipping Point, and McAfee. I've seen implementations that
    have been profiled and left alone for a while, but still detecting odd
    network conditions and flagging that the links need to be monitored.

    The IDS/IPS market is commodity right now, so whatever you choose from the
    vendors I pointed out above you should be good to go. Just know that you
    need to manage these systems or else they're useless.

    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    > Thanks Simon for the advice.
    >
    > Vendors recommend that the first IDS be placed in front of the edge router
    > (I think I might have read that in a Cisco Safe white paper) - I've taken
    > this a step further in placing it between the packet filtering router and
    > the firewall. As I mentioned in my earlier post, we are running a Cisco
    > based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
    > much in the way (bar the IDS rule and a few common signatures) of IDS
    > features. I do appreciate that a lot of 'trash' will be reported, and most
    > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
    > take.
    >
    > Snort - do you think it's easy to configure? I don't. From the research that
    > I've done to date Tipping Point seem to have the spot light on them, and are
    > selling it on the basis that it's easy to install and configure, and doesn't
    > involve constant monitoring.
    >
    > Steve.
    >
    >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >> news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    >> > G/Day Forum,
    >> >
    >> > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    >> > system will sit between an edge router (configured with ingress/egress
    >> > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    >> > only got a 2mb leased line to our ISP.
    >> >
    >> > What's important to us:
    >> > - ease of configuration and ongoing management
    >> > - cost effectiveness
    >> > - suitability to Industry (Financial)
    >> > - logging ability/high quality reports/audit trail
    >> >
    >> > The products I'm currently looking at are:
    >> > - Tipping Point 50
    >> > - Cisco IDS 4215
    >> >
    >> > Any ideas, opinions, guidance?
    >> >
    >> > Regards,
    >> > Steve.
    >> >
    >> >
    >>
    >>
    >
    >
  8.

    G'day,

    You've received some good replies so far.

    Rule #1: always challenge the vendors' recommendation. In my opinion, even
    behind the filtering router, NIDS is next to useless. It's hard enough to
    make sense of NIDS in DMZ and on corporate WAN.

    Secondly: regardless of your chosen products, it's the people who'll be
    monitoring and supporting the solution in production. If you don't have a
    dedicated team that knows the product and how to make changes and deploy new
    sensors quickly - you'd better not invest. Without the right process,
    auditors won't approve your NIDS.

    And if you have the right people, they don't necessarily need a fancy GUI to get
    started with Snort. You'll have a solution at the right cost for NIDS -
    $0.00 per monitored IP address.

    One thing is really important: have your testing criteria defined, and do
    testing. Yes, you'll need traffic generators and all that, but some due
    diligence saves time, money and nerves to the project team.

    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-


    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    > Thanks Simon for the advice.
    >
    > Vendors recommend that the first IDS be placed in front of the edge router
    > (I think I might have read that in a Cisco Safe white paper) - I've taken
    > this a step further in placing it between the packet filtering router and
    > the firewall. As I mentioned in my earlier post, we are running a Cisco
    > based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
    > much in the way (bar the IDS rule and a few common signatures) of IDS
    > features. I do appreciate that a lot of 'trash' will be reported, and most
    > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
    > take.
    >
    > Snort - do you think it's easy to configure? I don't. From the research that
    > I've done to date Tipping Point seem to have the spot light on them, and are
    > selling it on the basis that it's easy to install and configure, and doesn't
    > involve constant monitoring.
    >
    > Steve.
    >
  9.

    Some good posts indeed Simon.

    I agree with you in every point. I forgot to mention that the primary reason
    I'm installing the IDS is for compliancy with the PCI Data Security Standard
    (Visa/MasterCard).

    It's a simple scenario - if we don't have an IDS on our network generating
    'traffic' and 'trash' stats - then we fail the compliancy audit. I argued
    with the auditors re. the 'best' location for the device; they were
    recommending I put it in my 'secure area' (a DMZ area where traffic and data
    are encrypted). And my argument was that this was useless - an IDS sniffing
    encrypted packets? A complete waste of Dollars, or Euros in my case...

    Steve.


    "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
    news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
    > G'day,
    >
    > You've received some good replies so far.
    >
    > Rule #1: always challenge the vendors' recommendation. In my opinion, even
    > behind the filtering router, NIDS is next to useless. It's hard enough to
    > make sense of NIDS in DMZ and on corporate WAN.
    >
    > Secondly: regardless of your chosen products, it's the people who'll be
    > monitoring and supporting the solution in production. If you don't have a
    > dedicated team that knows the product and how to make changes and deploy new
    > sensors quickly - you'd better not invest. Without the right process,
    > auditors won't approve your NIDS.
    >
    > And if you have the right people, they don't necessarily need a fancy GUI to get
    > started with Snort. You'll have a solution at the right cost for NIDS -
    > $0.00 per monitored IP address.
    >
    > One thing is really important: have your testing criteria defined, and do
    > testing. Yes, you'll need traffic generators and all that, but some due
    > diligence saves time, money and nerves to the project team.
    >
    > --
    > Svyatoslav Pidgorny, MS MVP - Security, MCSE
    > -= F1 is the key =-
    >
    >
    >
    > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    > > Thanks Simon for the advice.
    > >
    > > Vendors recommend that the first IDS be placed in front of the edge router
    > > (I think I might have read that in a Cisco Safe white paper) - I've taken
    > > this a step further in placing it between the packet filtering router and
    > > the firewall. As I mentioned in my earlier post, we are running a Cisco
    > > based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
    > > much in the way (bar the IDS rule and a few common signatures) of IDS
    > > features. I do appreciate that a lot of 'trash' will be reported, and most
    > > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
    > > take.
    > >
    > > Snort - do you think it's easy to configure? I don't. From the research that
    > > I've done to date Tipping Point seem to have the spot light on them, and are
    > > selling it on the basis that it's easy to install and configure, and doesn't
    > > involve constant monitoring.
    > >
    > > Steve.
    > >
    >
    >
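The thread's two technical claims so far (Svyatoslav's point that a port scan in the DMZ must still raise an alarm, and the point made by the SSL reply and by Steve above that a sensor sniffing encrypted packets sees nothing useful) demonstrated as an added Python example that is not from any poster. The addresses, the Snort-style content patterns and the XOR "cipher" standing in for TLS are all constructed; the scan threshold and window are assumptions.

```python
"""Toy NIDS over constructed traffic: content signatures vs header-only detections."""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str        # source IP (constructed, RFC 5737 documentation ranges)
    dst: str        # destination IP
    dport: int      # destination TCP port
    payload: bytes  # application data exactly as the sensor sees it on the wire


# Constructed byte patterns in the spirit of Snort content rules (not real rule text).
SIGNATURES = {
    "web-attack: directory traversal": b"../../",
    "web-attack: sql injection probe": b"' OR '1'='1",
}


def signature_alerts(pkts):
    """Content inspection: alert when a known byte pattern appears in the payload.
    Blind to anything the sensor only ever sees in encrypted form."""
    alerts = []
    for p in pkts:
        for name, needle in SIGNATURES.items():
            if needle in p.payload:
                alerts.append((p.ts, p.src, p.dport, name))
    return alerts


def flow_log(pkts):
    """What can still be logged when the payload is opaque: time, source, destination, port."""
    return [(p.ts, p.src, p.dst, p.dport) for p in pkts]


def portscan_alerts(pkts, window=5.0, threshold=10):
    """Alert once per (src, dst) pair when one source touches `threshold` or more
    distinct ports on one host within `window` seconds. Headers only, so it works
    the same on cleartext and encrypted sessions."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport), oldest first
    alerted = set()
    alerts = []
    for p in sorted(pkts, key=lambda x: x.ts):
        key = (p.src, p.dst)
        q = recent[key]
        q.append((p.ts, p.dport))
        while q and p.ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {dport for _, dport in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((p.ts, p.src, p.dst, len(distinct)))
    return alerts


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS so the request becomes opaque on the wire: XOR with a
    SHA-256 keystream. Illustrative only, not real cryptography."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_traffic():
    """Constructed capture: one traversal probe in the clear and again 'inside TLS',
    one benign request, and a 15-port sweep against the DMZ host."""
    probe = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
    key = b"constructed-session-key"
    pkts = [
        Packet(1.0, "198.51.100.7", "192.0.2.10", 80, probe),
        Packet(1.5, "198.51.100.7", "192.0.2.10", 443, toy_encrypt(probe, key)),
        Packet(2.0, "203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ]
    for i, port in enumerate(range(20, 35)):          # 15 ports over 2.8 seconds
        pkts.append(Packet(10.0 + i * 0.2, "198.51.100.9", "192.0.2.10", port, b""))
    return pkts


if __name__ == "__main__":
    traffic = build_traffic()
    print("signature alerts:", signature_alerts(traffic))   # only the port-80 copy fires
    print("port-scan alerts:", portscan_alerts(traffic))    # 198.51.100.9 after its 10th port
    print("flows logged:", len(flow_log(traffic)))          # 18, the encrypted one included
```

The port-443 copy of the probe produces no signature alert but is still present in the flow log, which is the "source IP, port, time" record the SSL reply says is the useful part.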
  10.

    Excellent advice Phil... I like the idea of Snort running on a 'plug and
    play' device - which I'm going to investigate further.

    3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
    trial - a nice gesture. It proves that they've got confidence in their
    product and are quite willing to lend it to me on a trial basis. Now all I
    need is some traffic generating software... :-)

    Out of interest - have you come across any of the devices you mentioned in
    PCI (Visa/MasterCard Credit Card Security Standard) based environments?
    Where, topology-wise, were they placed?

    Steve.

    I do agree with your point (and Simon's previous post) - that if you don't
    maintain an IDS, then it's worthless/useless and a complete waste of money.

    "Phil Agcaoili" <nospam@spam.org> wrote in message
    news:%23v$l5WJiFHA.2904@tk2msftngp13.phx.gbl...
    > Ease of use is relative, but in this category your first requirement is to
    > get an appliance-based IDS/IPS solution.
    >
    > This rules out stuff like Snort. Snort is one of the best IDS solutions by
    > the way because it is highly configurable and very fast.
    >
    > SourceFire is the commercial company that the founder of Snort started. It
    > is an appliance solution with a Web GUI that you manage. You do not have to
    > install Linux or compile anything to get it working, it comes out of the box
    > ready with an OS and Snort running, and you simply configure and manage it
    > with your Browser.
    >
    > Also, with any signature based IDS, there is a learning curve and then there
    > is another process which will require all admins to update and make specific
    > judgements on which signatures to use or create based on their environment.
    >
    > You can simply install an IDS and not touch it. It will become out of date.
    > Consider IDS like Antivirus, without the latest definition file, A/V is
    > useless.
    >
    > If you want to get closer to a set it and forget it type of intrusion
    > detection solution, I would also consider an anomaly/behavior-based solution
    > such as Lancope, Tipping Point, and McAfee. I've seen implementations that
    > have been profiled and left alone for a while, but still detecting odd
    > network conditions and flagging that the links need to be monitored.
    >
    > The IDS/IPS market is commodity right now, so whatever you choose from the
    > vendors I pointed out above you should be good to go. Just know that you
    > need to manage these systems or else they're useless.
    >
    > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    > > Thanks Simon for the advice.
    > >
    > > Vendors recommend that the first IDS be placed in front of the edge router
    > > (I think I might have read that in a Cisco Safe white paper) - I've taken
    > > this a step further in placing it between the packet filtering router and
    > > the firewall. As I mentioned in my earlier post, we are running a Cisco
    > > based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
    > > much in the way (bar the IDS rule and a few common signatures) of IDS
    > > features. I do appreciate that a lot of 'trash' will be reported, and most
    > > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
    > > take.
    > >
    > > Snort - do you think it's easy to configure? I don't. From the research that
    > > I've done to date Tipping Point seem to have the spot light on them, and are
    > > selling it on the basis that it's easy to install and configure, and doesn't
    > > involve constant monitoring.
    > >
    > > Steve.
    > >
    > >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > >> news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > >> > G/Day Forum,
    > >> >
    > >> > I'm currently in the process of evaluating a number of IDS solutions. This IDS
    > >> > system will sit between an edge router (configured with ingress/egress
    > >> > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    > >> > only got a 2mb leased line to our ISP.
    > >> >
    > >> > What's important to us:
    > >> > - ease of configuration and ongoing management
    > >> > - cost effectiveness
    > >> > - suitability to Industry (Financial)
    > >> > - logging ability/high quality reports/audit trail
    > >> >
    > >> > The products I'm currently looking at are:
    > >> > - Tipping Point 50
    > >> > - Cisco IDS 4215
    > >> >
    > >> > Any ideas, opinions, guidance?
    > >> >
    > >> > Regards,
    > >> > Steve.
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
  11.

    Hi Karl,

    Thanks for your reply.

    Funny you mention Tripwire, it's a product we intend rolling out in parallel
    with our NIDS. So far I'm leaning towards the Tipping Point solution - and
    3Com have agreed to give me one on trial for a few weeks.

    Any thoughts re' best location for my NIDS?

    Regards,
    Steve.

    "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    news:eHIBp9AiFHA.576@TK2MSFTNGP15.phx.gbl...
    >
    > "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    > news:uc6E7v8hFHA.1968@TK2MSFTNGP14.phx.gbl...
    > > Honestly, NIDS is nothing more than a waste of time and money IMO.
    >
    > NIDS is a tool that gives you something you can't easily get otherwise.
    > It's grep for the network. It's true that some organizations probably waste
    > too much effort on IDS. But how much time you put into IDS is entirely up
    > to you. You can automate a lot of it if you want.
    >
    > NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
    > portion is the most useful part of them, but it's easier and more cost
    > effective to do that same network monitoring with a NIDS. Detecting file
    > changes is useful, but is only a part of some NIDS, and is arguably better
    > done with a file change checker like www.gfi.com Languard SIM, Osiris, etc.
    > There really aren't too many robust commercial file change checker solutions
    > IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
    > main other thing most HIDS do is monitor the Windows event log, but 1) you
    > can do that with any number of other non-IDS products, 2) most HIDS are
    > configured by default to give you way too many false alarms in the Windows
    > event logs, and 3) few NIDS I'm aware of give you an easy way to configure
    > these events, you have to go back into Windows to manage this stuff.
    >
    > To the OP: A lot of people are running away from ISS due to their
    > historically high prices and bad support in the past. Their prices may have
    > changed with their new line, I don't know. Their products in the past have
    > not been so easy to configure if you have a lot of devices, but OK if you
    > have just one or two. A problem for me is that their signatures are closed
    > source, which would be useful information to know when trying to tell false
    > alarms from real events.
    >
    > www.enterasys.com Dragon is a popular and inexpensive IDS solution that is
    > somewhat similar to Snort, but is probably easier to configure.
    >
    > www.netscreen.com has some attractive inexpensive low end devices that I
    > understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
    > bunch of other features. Their low end devices have all the exact same
    > features as their high end enterprise devices.
    >
    > The Tipping Point IDS/IPS and Cisco devices you mention are other popular
    > choices.
    >
    >
    > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > > > G/Day Forum,
    > > >
    > > > I currently in the process of evaluating a number of IDS solutions.
    This
    > > > IDS
    > > > system will sit between an edge router (configured with ingress/egress
    > > > filtering) and a Cisco Firewall. Our throughput requirement is low, as
    > > > we've
    > > > only got a 2mb leased line to our ISP..
    > > >
    > > > Whats important to us:
    > > > - ease of configuration and ongoing management
    > > > - cost effectiveness
    > > > - suitability to Industry (Financial)
    > > > - logging ability/high quality reports/audit trail
    > > >
    > > > The products I'm currently looking at are:
    > > > - Tipping Point 50
    > > > - Cisco IDS 4215
    > > >
    > > > Any ideas, opinions, guidance?
    > > >
    > > > Regards,
    > > > Steve.
    > > >
    > > >
    > >
    > >
    >
    >
  12. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    It's true that, as others have suggested, behind your firewall(s) is a
    popular location, as are DMZs and spots near valuable infrastructure
    targets. This permits the IDS to detect and alert you
    when your defenses such as the firewall have been breached. Internal Windows
    networks of workstations and servers are chatty and can cause a fair number
    of false alarms, but monitoring these can still be beneficial and the false
    alarms can be managed in a variety of ways. Your network architecture may
    define where you can and should place IDS, because if you only have one IDS,
    you probably want to place it in a location where it will be able to see the
    most network traffic. Naturally your IDS won't see traffic that doesn't
    traverse past its interfaces.

    Tipping point is also an IPS, which changes things like potential placement
    if you choose to use this functionality. Inline IPS in general is more like
    a firewall IMHO in that it can only monitor and protect one or a few network
    segments, whereas IDS can generally be used to span and monitor more
    networks. If you choose to use the device as an IPS, it might require the
    purchase of more devices to monitor the same percentage of your network.


    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:O$UzUgRiFHA.2152@TK2MSFTNGP14.phx.gbl...
    > Hi Karl,
    >
    > Thanks for your reply.
    >
    > Funny you mention Tripwire, it's a product we intend rolling out in
    parallel
    > with our NIDS. So far I'm leaning towards the Tipping Point solution - and
    > 3Com have agreed to give me one on trial for a few weeks.
    >
    > Any thoughts re' best location for my NIDS?
    >
    > Regards,
    > Steve.
    >
    > "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    > news:eHIBp9AiFHA.576@TK2MSFTNGP15.phx.gbl...
    > >
    > > "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    > > news:uc6E7v8hFHA.1968@TK2MSFTNGP14.phx.gbl...
    > > > Honestly, NIDS is nothing more than a waste of time and money IMO.
    > >
    > > NIDS is a tool that gives you something you can't easily get otherwise.
    > > It's grep for the network. It's true that some organizations probably
    > waste
    > > too much effort on IDS. But how much time you put into IDS is entirely
    up
    > > to you. You can automate a lot of it if you want.
    > >
    > > NIDS [that aren't NIPS] are just as much a waste of time IMHO. The
    > network
    > > portion is the most useful part of them, but it's easier and more cost
    > > effective to do that same network monitoring with a NIDS. Detecting
    file
    > > changes is useful, but is only a part of some NIDS, and is arguably
    better
    > > done with a file change checker like www.gfi.com Languard SIM, Osiris,
    > etc.
    > > There really aren't too many robust commercial file change checker
    > solutions
    > > IMHO, except maybe Tripwire for Windows, which I understand is pricey.
    > The
    > > main other thing most HIDS do is monitor the windows event log, but 1)
    you
    > > can do that with any number of other non-IDS products, 2) most HIDS are
    > > configured by default to give you way too many false alarms in the
    windows
    > > event logs, and 3) few NIDS I'm aware of give you an easy way to
    configure
    > > these events, you have to go back into Windows to manage this stuff.
    > >
    > > To the OP: A lot of people are running away from ISS due to their
    > > historically high prices and bad support in the past. Their prices may
    > have
    > > changed with their new line, I don't know. Their products in the past
    > have
    > > not been so easy to configure if you have a lot of devices, but OK if
    you
    > > have just one or two. A problem for me is that their signatures are
    > closed
    > > source, which would be useful information to know when trying to tell
    > false
    > > alarms from real events.
    > >
    > > www.enterasys.com Dragon is a popular and inexpensive IDS solution that
    is
    > > somewhat similar to Snort, but is probably easier to configure.
    > >
    > > www.netscreen.com has some attractive inexpensive low end devices that I
    > > understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
    > > bunch of other features. Their low end devices have all the exact same
    > > features as their high end enterprise devices.
    > >
    > > The tipping point IDS / IPS and cisco devices you mention are other
    > popular
    > > choices.
    > >
    > >
    > > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > > > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > > > > G/Day Forum,
    > > > >
    > > > > I currently in the process of evaluating a number of IDS solutions.
    > This
    > > > > IDS
    > > > > system will sit between an edge router (configured with
    ingress/egress
    > > > > filtering) and a Cisco Firewall. Our throughput requirement is low,
    as
    > > > > we've
    > > > > only got a 2mb leased line to our ISP..
    > > > >
    > > > > Whats important to us:
    > > > > - ease of configuration and ongoing management
    > > > > - cost effectiveness
    > > > > - suitability to Industry (Financial)
    > > > > - logging ability/high quality reports/audit trail
    > > > >
    > > > > The products I'm currently looking at are:
    > > > > - Tipping Point 50
    > > > > - Cisco IDS 4215
    > > > >
    > > > > Any ideas, opinions, guidance?
    > > > >
    > > > > Regards,
    > > > > Steve.
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
  13. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    On Fri, 15 Jul 2005 09:27:04 +0100, "The Poster"
    <nospam@nospam_dontyoudare.net> wrote:

    >Excellent advice Phil...... I like the idea of Snort running on a 'plug and
    >play' device - which I'm going to investigate further.
    >
    >3Com have agreed to lend me a Tipping Point 50 system for a few weeks
    >trial - a nice gesture. It proves that they've got confidence in their
    >product and are quite willing to lend it to me on a trial basis. Now all I
    >need is some traffic generating software... :-)

    First, you won't go wrong with a Tipping Point or Cisco solution. You
    may overpay, you may not get the best results, but you'll meet your
    compliance needs. I'll leave out that I think most of the compliance
    rules are for covering some collective butts and not real security.
    :)

    Also, I've found that most IDS vendors will lend you a box to try. So
    try them all. I happen to also prefer Snort, and a SourceFire box
    goes a long way toward making management feel better. You might also
    look at a managed IDS though, offload both the workload and the
    responsibility to someone else.

    Now, here's what I've found critical about choosing an IDS:

    Pretty much, they all work. Some have features that make them better
    for a specific set of requirements, but any decent one does fine if
    properly managed and maintained. So it comes down to which solution
    fits your organization and your comfort level as much as anything
    else. Pick the one that "feels" right and make sure you stay current
    with it.

    Jeff


    >
    >Out of interest - have you come across any of the devices you mentioned in
    >PCI (Visa/MasterCard Credit Card Security Standard) based environments?
    >Where topology wise were they placed?
    >
    >Steve.
    >
    >I do agree with your point (and Simon's previous post) - that if you don't
    >maintain an IDS, then its worthless/useless and a complete waste of money.
    >"Phil Agcaoili" <nospam@spam.org> wrote in message
    >news:%23v$l5WJiFHA.2904@tk2msftngp13.phx.gbl...
    >> Ease of use is relative, but in this category your first requirement is to
    >> get an appliance-based IDS/IPS solution.
    >>
    >> This rules stuff out like Snort. Snort is one of the best IDS solutions by
    >> the way because it is highly configurable and very fast.
    >>
    >> SourceFire is the commercial company that the founder of Snort started. It
    >> is an appliance solution with a Web GUI that you manage. You do not have
    >to
    >> install Linux or compile anything to get it working, it comes out of the
    >box
    >> ready with an OS and Snort running, and you simply configure and manage it
    >> with your Browser.
    >>
    >> Also, with any signature based IDS, there is a learning curve and then
    >there
    >> is another process which will require all admins to update and make
    >specific
    >> judgements on which signatures to use or create based on their
    >environment.
    >>
    >> You can simply install an IDS and not touch it. It will become out of
    >date.
    >> Consider IDS like Antivirus, without the latest definition file, A/V is
    >> useless.
    >>
    >> If you want to get closer to a set it and forget it type of intrusion
    >> detection solution, I would also consider an anomaly/behavior-based
    >solution
    >> such as Lancope, Tipping Point, and McAfee. I've seen implementations
    >that
    >> have been profiled and left alone for a while, but still detecting odd
    >> network conditions and flagging that the links needs to be monitored.
    >>
    >> The IDS/IPS market is commodity right now, so what ever you choose from
    >the
    >> vendors I pointed out above you should be good to go. Just know that you
    >> need to manage these systems or else they're useless.
    >>
    >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >> news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    >> > Thanks Simon for the advice.
    >> >
    >> > Vendors recommend that the first IDS be placed in front of the edge
    >router
    >> > (I think I might have read that in a Cisco Safe white paper) - I've
    >taken
    >> > this a step further in placing it between the packet filtering router
    >and
    >> > the firewall. As I mentioned in my earlier post that we are running a
    >> > Cisco
    >> > based firewall (PIX) - which as I'm sure you are aware of, doesn't
    >provide
    >> > much in the way (bar the IDS rule and a few common signatures) of IDS
    >> > features. I do appreciate that a lot of 'trash' will be reported, and
    >most
    >> > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared
    >> > to
    >> > take.
    >> >
    >> > Snort - do you think it's easy to configure? I don't. From the research
    >> > that
    >> > I've done to date Tipping Point seem to have the spotlight on them, and
    >> > are
    >> > selling it on the basis that it's easy to install and configure, and
    >> > doesn't
    >> > involve constant monitoring.
    >> >
    >> > Steve.
    >> >
    >> >> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >> >> news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    >> >> > G/Day Forum,
    >> >> >
    >> >> > I currently in the process of evaluating a number of IDS solutions.
    >> >> > This
    >> >> IDS
    >> >> > system will sit between an edge router (configured with
    >ingress/egress
    >> >> > filtering) and a Cisco Firewall. Our throughput requirement is low,
    >as
    >> >> we've
    >> >> > only got a 2mb leased line to our ISP..
    >> >> >
    >> >> > Whats important to us:
    >> >> > - ease of configuration and ongoing management
    >> >> > - cost effectiveness
    >> >> > - suitability to Industry (Financial)
    >> >> > - logging ability/high quality reports/audit trail
    >> >> >
    >> >> > The products I'm currently looking at are:
    >> >> > - Tipping Point 50
    >> >> > - Cisco IDS 4215
    >> >> >
    >> >> > Any ideas, opinions, guidance?
    >> >> >
    >> >> > Regards,
    >> >> > Steve.
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
  14. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    On Fri, 15 Jul 2005 08:07:13 -0400, "Karl Levinson, mvp"
    <levinson_k@despammed.com> wrote:

    >It's true that as others have suggested, behind your firewall(s) is a
    >popular location, as well as in DMZs and near valuable infrastructure
    >targets are popular locations. This permits the IDS to detect and alert you
    >when your defenses such as firewall have been breached. Internal Windows
    >networks of workstations and servers are chatty and can cause a fair number
    >of false alarms, but monitoring these can still be beneficial and the false
    >alarms can be managed in a variety of ways. Your network architecture may
    >define where you can and should place IDS, because if you only have one IDS,
    >you probably want to place it in a location where it will be able to see the
    >most network traffic. Naturally your IDS won't see traffic that doesn't
    >traverse past its interfaces.
    >
    >Tipping point is also an IPS, which changes things like potential placement
    >if you choose to use this functionality. Inline IPS in general is more like
    >a firewall IMHO in that it can only monitor and protect one or a few network
    >segments, whereas IDS can generally be used to span and monitor more
    >networks. If you choose to use the device as an IPS, it might require the
    >purchase of more devices to monitor the same percentage of your network.

    But a counter to that is if this is for the compliance portion of
    Visa/MC, this makes it a perfect choice. You don't want to monitor
    the entire network, just the critical portions. That dramatically
    cuts the background noise from your analysis. And I'd venture a guess
    that the biggest problem with IDS, whether NIDS, IPS, NIPS or
    whatever, is getting the critical information out of the total
    overload most of these options generate.

    But again, this does depend a lot on your network architecture. You
    may even find it advantageous to change some of your architecture to
    manage this even better.

    Jeff


    >"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >news:O$UzUgRiFHA.2152@TK2MSFTNGP14.phx.gbl...
    >> Hi Karl,
    >>
    >> Thanks for your reply.
    >>
    >> Funny you mention Tripwire, it's a product we intend rolling out in
    >parallel
    >> with our NIDS. So far I'm leaning towards the Tipping Point solution - and
    >> 3Com have agreed to give me one on trial for a few weeks.
    >>
    >> Any thoughts re' best location for my NIDS?
    >>
    >> Regards,
    >> Steve.
    >>
    >> "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    >> news:eHIBp9AiFHA.576@TK2MSFTNGP15.phx.gbl...
    >> >
    >> > "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    >> > news:uc6E7v8hFHA.1968@TK2MSFTNGP14.phx.gbl...
    >> > > Honestly, NIDS is nothing more than a waste of time and money IMO.
    >> >
    >> > NIDS is a tool that gives you something you can't easily get otherwise.
    >> > It's grep for the network. It's true that some organizations probably
    >> waste
    >> > too much effort on IDS. But how much time you put into IDS is entirely
    >up
    >> > to you. You can automate a lot of it if you want.
    >> >
    >> > NIDS [that aren't NIPS] are just as much a waste of time IMHO. The
    >> network
    >> > portion is the most useful part of them, but it's easier and more cost
    >> > effective to do that same network monitoring with a NIDS. Detecting
    >file
    >> > changes is useful, but is only a part of some NIDS, and is arguably
    >better
    >> > done with a file change checker like www.gfi.com Languard SIM, Osiris,
    >> etc.
    >> > There really aren't too many robust commercial file change checker
    >> solutions
    >> > IMHO, except maybe Tripwire for Windows, which I understand is pricey.
    >> The
    >> > main other thing most HIDS do is monitor the windows event log, but 1)
    >you
    >> > can do that with any number of other non-IDS products, 2) most HIDS are
    >> > configured by default to give you way too many false alarms in the
    >windows
    >> > event logs, and 3) few NIDS I'm aware of give you an easy way to
    >configure
    >> > these events, you have to go back into Windows to manage this stuff.
    >> >
    >> > To the OP: A lot of people are running away from ISS due to their
    >> > historically high prices and bad support in the past. Their prices may
    >> have
    >> > changed with their new line, I don't know. Their products in the past
    >> have
    >> > not been so easy to configure if you have a lot of devices, but OK if
    >you
    >> > have just one or two. A problem for me is that their signatures are
    >> closed
    >> > source, which would be useful information to know when trying to tell
    >> false
    >> > alarms from real events.
    >> >
    >> > www.enterasys.com Dragon is a popular and inexpensive IDS solution that
    >is
    >> > somewhat similar to Snort, but is probably easier to configure.
    >> >
    >> > www.netscreen.com has some attractive inexpensive low end devices that I
    >> > understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
    >> > bunch of other features. Their low end devices have all the exact same
    >> > features as their high end enterprise devices.
    >> >
    >> > The tipping point IDS / IPS and cisco devices you mention are other
    >> popular
    >> > choices.
    >> >
    >> >
    >> > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    >> > > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    >> > > > G/Day Forum,
    >> > > >
    >> > > > I currently in the process of evaluating a number of IDS solutions.
    >> This
    >> > > > IDS
    >> > > > system will sit between an edge router (configured with
    >ingress/egress
    >> > > > filtering) and a Cisco Firewall. Our throughput requirement is low,
    >as
    >> > > > we've
    >> > > > only got a 2mb leased line to our ISP..
    >> > > >
    >> > > > Whats important to us:
    >> > > > - ease of configuration and ongoing management
    >> > > > - cost effectiveness
    >> > > > - suitability to Industry (Financial)
    >> > > > - logging ability/high quality reports/audit trail
    >> > > >
    >> > > > The products I'm currently looking at are:
    >> > > > - Tipping Point 50
    >> > > > - Cisco IDS 4215
    >> > > >
    >> > > > Any ideas, opinions, guidance?
    >> > > >
    >> > > > Regards,
    >> > > > Steve.
    >> > > >
    >> > > >
    >> > >
    >> > >
    >> >
    >> >
    >>
    >>
    >
  15. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
    news:42e221e3.38690218@msnews.microsoft.com...

    > goes a long way toward making management feel better. You might also
    > look at a managed IDS though, offload both the workload and the
    > responsibility to someone else.

    I have been very very unsatisfied with outsourcing IDS to someone else.
    Most of them seem to really skimp on getting skilled workers [and
    admittedly, it seems like you're almost never going to be able to get
    someone with solid IDS experience on the second and third shifts], and I
    question how most firms configure and monitor the IDS or whether the
    configuration is adequately customized to your individual network. But I
    suppose if you don't have the time and skill to do IDS, you've got little
    choice.
  16. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    G'day,

    For audit compliance, you must have:

    * IDS in place
    * Procedures to manage IDS rules (signatures and heuristics)
    * Procedures to manage alerts - that is, your Emergency Response
    * Reports done regularly
    * Testing of the IDS/Emergency response done
    * (depending on the auditors' paranoia level) - plan to cover all corporate
    network with IDS sensors

    I see you have managed to convince the auditors that the DMZ isn't the best
    place to install the sensors because all traffic there is encrypted. However
    I might suggest that this creates an excellent opportunity to come up with a
    tight IDS rule set: everything that is not on the list of (encrypted)
    protocols is a potential security breach. And seriously consider the internal
    network: first of all, NIDS will generate a lot of interesting information -
    like curious grads that believe they're h@x0rz and stuff like that. Secondly,
    the next IT security audit will require that anyway.

    And please - call me Slavko, or Slav. Simon is too Die Hard-ish for me.

    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-

    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:eYhHkURiFHA.576@TK2MSFTNGP15.phx.gbl...
    > Some good posts indeed Simon.
    >
    > I agree with you in every point. I forgot to mention that the primary
    reason
    > I'm installing the IDS is for compliance with the PCI Data Security
    Standard
    > (Visa/MasterCard).
    >
    > It's a simple scenario - if we don't have an IDS on our network generating
    > 'traffic' and 'trash' stats - then we fail the compliance audit. I argued
    > with the auditors re. the 'best' location for the device, they were
    > recommending I put it in my 'secure area' (a DMZ area where traffic and
    data
    > is encrypted). And my argument was that this was useless - an IDS sniffing
    > encrypted packets? A complete waste of Dollars or Euros in my case.......
    >
    > Steve.
    >
    >
    > "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
    > news:%23ayLGXHiFHA.3012@TK2MSFTNGP12.phx.gbl...
    > > G'day,
    > >
    > > You've received some good replies so far.
    > >
    > > Rule #1: always challenge the vendors' recommendation. In my opinion,
    even
    > > behind the filtering router, NIDS is next to useless. It's hard enough to
    > > make sense of NIDS in DMZ and on corporate WAN.
    > >
    > > Secondly: regardless of your chosen products, it's the people who'll be
    > > monitoring and supporting the solution in production. If you don't have
    > > dedicated team that knows the product and how to make changes and deploy
    > new
    > > sensors quickly - you'd better not invest. Without the right process,
    > > auditors won't approve your NIDS.
    > >
    > > And if you have the right people, they don't necessarily need fancy GUI to
    > get
    > > started with Snort. You'll have a solution at the right cost for NIDS -
    > > $0.00 per monitored IP address.
    > >
    > > One thing is really important: have your testing criteria defined, and
    do
    > > testing. Yes, you'll need traffic generators and all that, but some due
    > > diligence saves time, money and nerves to the project team
    > >
    > > --
    > > Svyatoslav Pidgorny, MS MVP - Security, MCSE
    > > -= F1 is the key =-
    > >
    > >
    > >
    > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > > news:OGG37w7hFHA.328@tk2msftngp13.phx.gbl...
    > > > Thanks Simon for the advice.
    > > >
    > > > Vendors recommend that the first IDS be placed in front of the edge
    > router
    > > > (I think I might have read that in a Cisco Safe white paper) - I've
    > taken
    > > > this a step further in placing it between the packet filtering router
    > and
    > > > the firewall. As I mentioned in my earlier post that we are running a
    > > Cisco
    > > > based firewall (PIX) - which as I'm sure you are aware of, doesn't
    > provide
    > > > much in the way (bar the IDS rule and a few common signatures) of IDS
    > > > features. I do appreciate that a lot of 'trash' will be reported, and
    > most
    > > > of that trash will be SSL/IPSec traffic - but that's the hit I'm
    prepared
    > > to
    > > > take.
    > > >
    > > > Snort - do you think it's easy to configure? I don't. From the research
    > > that
    > > > I've done to date Tipping Point seem to have the spotlight on them,
    and
    > > are
    > > > selling it on the basis that it's easy to install and configure, and
    > > doesn't
    > > > involve constant monitoring.
    > > >
    > > > Steve.
    > > >
    > >
    > >
    >
    >
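    An illustration of Slavko's "everything not on the encrypted-protocol list is a potential breach" rule, combined with Jeff's point about pulling the critical hits out of the alert overload. This is an added example written for this thread, not code from any poster or any vendor's product. The allowlist, the flow-record layout (src, dst, protocol, destination port) and the sample flows are all constructed assumptions for the demo; a real deployment would feed it records from whatever sensor or flow exporter is in use.

```python
"""Allowlist-style IDS rule for an encrypted-only DMZ (added example).

Idea: if every legitimate flow in the DMZ is supposed to be encrypted, the
rule set can be tiny. Instead of matching thousands of attack signatures,
alert on anything that is NOT one of the expected encrypted protocols.
The allowlist, record format and sample flows below are constructed
assumptions for this example, not any vendor's log format.
"""
from collections import Counter

# Assumed allowlist for an "all traffic encrypted" DMZ: (ip_proto, dst_port).
# A port of None means "any port" (ESP and AH carry no port numbers).
DMZ_ALLOWLIST = {
    ("tcp", 443),   # HTTPS
    ("tcp", 22),    # SSH / SFTP
    ("udp", 500),   # IKE (IPsec key exchange)
    ("udp", 4500),  # IKE / NAT-T
    ("esp", None),  # IPsec ESP, IP protocol 50
    ("ah", None),   # IPsec AH, IP protocol 51
}

# Constructed sample flow records: "src dst proto dport" ("-" = no port).
SAMPLE_FLOWS = """\
203.0.113.10 192.0.2.20 tcp 443
203.0.113.11 192.0.2.20 tcp 443
203.0.113.12 192.0.2.21 udp 500
203.0.113.12 192.0.2.21 esp -
203.0.113.13 192.0.2.20 tcp 80
203.0.113.13 192.0.2.20 tcp 80
203.0.113.13 192.0.2.20 tcp 80
203.0.113.14 192.0.2.22 tcp 23
203.0.113.15 192.0.2.22 udp 53
"""


def parse_flow(line):
    """Parse one constructed flow line into (src, dst, proto, dport)."""
    src, dst, proto, dport = line.split()
    port = None if dport == "-" else int(dport)
    return src, dst, proto.lower(), port


def is_allowed(proto, dport, allowlist=DMZ_ALLOWLIST):
    """True if (proto, port) is on the list, or the protocol is listed with
    port None (portless protocols such as ESP and AH)."""
    return (proto, dport) in allowlist or (proto, None) in allowlist


def find_violations(flow_text, allowlist=DMZ_ALLOWLIST):
    """Return every flow that is not on the encrypted-protocol allowlist."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        if not is_allowed(proto, dport, allowlist):
            violations.append((src, dst, proto, dport))
    return violations


def summarize(violations):
    """Collapse repeated hits into one entry per (src, dst, proto, port)
    with a count, so a chatty host shows up once instead of N times."""
    counts = Counter(violations)
    return sorted(
        (src, dst, proto, dport, n)
        for (src, dst, proto, dport), n in counts.items()
    )


if __name__ == "__main__":
    for src, dst, proto, dport, n in summarize(find_violations(SAMPLE_FLOWS)):
        print(f"ALERT unexpected cleartext {proto}/{dport} {src} -> {dst} x{n}")
```

    Run against the constructed sample, the nine flows collapse to three alerts (cleartext HTTP, telnet and DNS into the DMZ), which is the kind of short, reviewable output an auditor and an on-call admin can both act on. The allowlist is where the judgement lives: it has to match what the DMZ is actually supposed to carry, and it needs the same review-and-update procedure Slavko lists for signatures.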
  17. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
    news:uaJrYUeiFHA.2904@tk2msftngp13.phx.gbl...

    > I see you have managed to convince the auditors that DMZ isn't the best
    > place to install the sensors because all traffic there is encrypted.
    However
    > I might suggest that this creates an excellent opportunity to come up
    with
    > tight IDS rule set: everything that is not on the list of (encrypted)
    > protocols is potential security breach. And seriously consider internal
    > network: first of all, NIDS will generate a lot of interesting
    information -
    > like curious grads that believe they're h@x0rz and stuff like that.
    Secondly,
    > the next IT security audit will require that anyway.

    Note that internal networks can be as challenging to monitor and give as
    many false alarms as putting sensors outside your firewall.

    And encrypted traffic does not necessarily have to be impossible to monitor.
    There are solutions that will let you decrypt and monitor encrypted
    traffic, if you feel it is in your best interest to do so.
  18. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    Checkpoint RLZ.

    "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > G/Day Forum,
    >
    > I currently in the process of evaluating a number of IDS solutions. This
    IDS
    > system will sit between an edge router (configured with ingress/egress
    > filtering) and a Cisco Firewall. Our throughput requirement is low, as
    we've
    > only got a 2mb leased line to our ISP..
    >
    > Whats important to us:
    > - ease of configuration and ongoing management
    > - cost effectiveness
    > - suitability to Industry (Financial)
    > - logging ability/high quality reports/audit trail
    >
    > The products I'm currently looking at are:
    > - Tipping Point 50
    > - Cisco IDS 4215
    >
    > Any ideas, opinions, guidance?
    >
    > Regards,
    > Steve.
    >
    >
  19. Archived from groups: microsoft.public.isa,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.networking (More info?)

    Checkpoint what? :)

    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-

    "André Fagundes" <andre.fagundes@constat.com.br> wrote in message
    news:uPrLnJ5iFHA.3012@TK2MSFTNGP12.phx.gbl...
    > Checkpoint RLZ.
    >
    > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
    > news:uTuR$k4hFHA.2644@TK2MSFTNGP09.phx.gbl...
    > > G/Day Forum,
    > >
    > > I currently in the process of evaluating a number of IDS solutions. This
    > IDS
    > > system will sit between an edge router (configured with ingress/egress
    > > filtering) and a Cisco Firewall. Our throughput requirement is low, as
    > we've
    > > only got a 2mb leased line to our ISP..
    > >
    > > Whats important to us:
    > > - ease of configuration and ongoing management
    > > - cost effectiveness
    > > - suitability to Industry (Financial)
    > > - logging ability/high quality reports/audit trail
    > >
    > > The products I'm currently looking at are:
    > > - Tipping Point 50
    > > - Cisco IDS 4215
    > >
    > > Any ideas, opinions, guidance?
    > >
    > > Regards,
    > > Steve.
    > >
    > >
    >
    >