Message-ID: <008301c43a54$c7c07800$0100a8c0@cparena1consol>
From: cheekypeople at sec33.com (Lee)
Subject: Re: IDS/IPS Info

Debbie,

Maybe my viewpoint is different from what you're looking for, but hey, here's my 2 cents.

I am not an advocate of IDS/IPS. Personally, and maybe I am stirring things up here, I am not a fan of them; I view the products in the range as add-ons, never something I would class as a primary piece of kit.
My thoughts behind this really come from my own background.  I used to be a Checkpoint firewall admin for some banks and pharma companies, and I found any IDS/IPS we had from, say, Cisco etc. did the job of other systems I already had.  I always looked at them to say "can this product do anything my systems cannot do now?"  That would force me to have a simplistic view of my systems.  For example, an IDS/IPS uses rules and signatures to spot code; it does this by analysing particular data and then acts as a radar at given perimeter or internal points.  It would then alert a team to what it finds based on the signatures and rules.

As part of my job I always try to make the very best use of my current systems, not because as a team we couldn't afford a dedicated IDS/IPS; it's just that by testing the boundaries and knowing what we had we achieved the same results, and in an existing window of an existing system (no "one more thing to monitor").

We used primarily, at first, Checkpoint Firewall logs and INSPECT code.  INSPECT code allows you to set up and catch, with a log, particular traffic and then gain alerts; it does this by using its own derived signatures with bytes etc., which can be gained from information on a virus etc.  Seeing any pattern here?
This then allowed us to isolate and amend direct rules live to combat the system.

Now don't get me wrong, this took some time, and we had to implement a HOWTO, but we implemented one based upon a current system which is familiar to the people using it, thus saving a lot on external costings, while educating the current staff to use a product better.

Now don't get me wrong, my view is my own, and one taken in a particular environment, and hopefully others will give you their views on what they did. I expect it will be different, but that was the purpose of my reply: not to say ours is better, just giving a different channel.

Snort I know is excellent, and I expect the Cisco kit will be good (in a Cisco DC hehehe).

But anyways food for thought, and have a pleasant weekend.

Regards


Knowledge is Power - Nam et ipsa scientia potestas est 
 - Francis Bacon (1561-1626) 

Lee @ STS 
http://www.seethrusec.co.uk
Building Knowledge and Security..
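The reply above describes the mechanism an IDS/IPS (or a firewall log rule) relies on: a set of signatures, each a byte pattern optionally tied to a port, run over observed traffic to raise alerts. The following Python is an added illustration of that mechanism and is not code from the original post, from Checkpoint, or from any IDS product; the signatures, packets and rule format are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    """One detection rule: a byte pattern, optionally restricted to a destination port.
    Constructed for this example; not a real product's rule format."""
    name: str
    pattern: bytes
    dst_port: Optional[int] = None   # None means "any port", like an IDS rule header with 'any'

@dataclass(frozen=True)
class Packet:
    """Minimal view of one observed packet: where it is going and what it carries."""
    src: str
    dst_port: int
    payload: bytes

# Constructed sample rule set. The byte patterns are illustrative only.
SIGNATURES = [
    Signature("http-path-traversal", b"../../", dst_port=80),
    Signature("smtp-suspicious-attach", b"Content-Type: application/x-msdownload", dst_port=25),
    Signature("generic-shell-marker", b"/bin/sh", dst_port=None),
]

def match_packet(pkt: Packet, signatures) -> list:
    """Return the names of every signature whose port constraint and byte pattern match pkt.
    A signature with dst_port=None applies to every port; others only to their own port."""
    hits = []
    for sig in signatures:
        if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
            continue
        if sig.pattern in pkt.payload:
            hits.append(sig.name)
    return hits

def scan(packets, signatures) -> list:
    """Run the rule set over a stream of packets and return alert tuples
    (packet index, source address, destination port, signature name)."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for name in match_packet(pkt, signatures):
            alerts.append((idx, pkt.src, pkt.dst_port, name))
    return alerts

# Constructed sample traffic; addresses and payloads are made up for the example.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.11", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.12", 25, b"Content-Type: application/x-msdownload\r\n\r\nMZ..."),
    Packet("192.0.2.13", 8080, b"GET /../../x HTTP/1.0\r\n\r\n"),   # port 8080: traversal rule does not apply
    Packet("192.0.2.14", 4444, b"echo hi | /bin/sh"),              # 'any port' rule still fires
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS, SIGNATURES):
        print("ALERT packet=%d src=%s dport=%d sig=%s" % alert)
```

The fourth sample packet shows the trade-off Lee alludes to: a signature bound to port 80 says nothing about the same bytes on port 8080, so the coverage you get is exactly the coverage your rule set encodes, whichever box is doing the matching.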
  ----- Original Message ----- 
  From: Debbie 
  To: full-disclosure@...ts.netsys.com 
  Sent: Friday, May 14, 2004 8:27 PM
  Subject: [Full-Disclosure] Re: IDS/IPS Info


    Hi all,
    I'm a student doing a research paper on the IDS/IPS industry, from the perspective of analyzing products - what works and what doesn't, and also analyzing vendors - who will succeed.  Anyone had good/bad experiences with these vendors?  (Your response will be kept strictly confidential.)

    Thanks all for your help!

    Network Associates
    Sana Security
    GreenBorder Tech
    Argus Systems
    Cisco
    Intrusion Inc.
    Tippingpoint Tech
    Internet Security (ISSX)
    Symantec

    -Deborah

    mangomartini2005@...oo.com

