Message-ID: <433A9983.8020507@csuohio.edu>
Date: Wed Sep 28 14:25:57 2005
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Suggestion for IDS

> Our company plans to install an IDS to protect our resources. I've already 
> read about snort as a NIDS, but that's software based. I'm interested 
> in something hardware based that will work transparently with our Cisco PIX, with no 
> need to make changes in our firewall. What's your suggestion?

My first piece of advice on this is to ignore any company that says they 
deliver a "turnkey" solution. Such a thing doesn't exist.

Any IDS will work with any firewall .. unless, of course, you want to 
connect the two together (eg: dynamically ACL the PIX based on what the 
IDS sees). That, IMHO, is an invitation to DoS yourself (think .. I 
spoof a packet that --looks like an attack-- from your upstream router, 
or smtp server, etc). There are dozens of ways to do this, including free 
with snort.

You can also examine snort's "inline" mode, in which you set up bridging 
between two interfaces and let snort "decide" which packets to forward. 
In order to make such a thing redundant, be prepared to do some fancy 
H/A stuff with a pair of servers.

And don't forget .. an IDS is certainly not "fix and forget" .. it 
requires daily tinkering (new sigs come out daily .. and they're almost 
always noisy and require tuning). In most any decent-sized network, 
having a dedicated admin to chase the IDS alerts and keep an eye on 
things is almost a given.

And as for having an IDS "protect" your network .. well .. forget that. 
An IDS is great for statistical research and forensics .. but with 
botnets and whatnot going SSL, your time/resources are much better 
spent finding your vulnerabilities and patching your hosts.

My $0.02.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
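The self-DoS scenario in the reply above, as an added illustration that is not part of the original post: a naive "block whatever the IDS flagged" decision next to one that refuses to act on protected infrastructure, on TCP flows the sensor never saw complete a handshake, and on trivially spoofable protocols. The addresses, the Alert fields and the function names are all assumed; this is not Snort or PIX code.

```python
"""Guard logic for an IDS-driven firewall blocker (hypothetical helper).

If the IDS can push ACLs to the firewall, a spoofed packet "from" the
upstream router or mail server gets that address blocked.  The guarded
decision below shows the checks a defender adds before automating that.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed allowlist of hosts that must never be auto-blocked (assumed values).
PROTECTED = [
    ip_network("203.0.113.1/32"),    # upstream router (example address)
    ip_network("198.51.100.0/24"),   # mail / DNS servers (example range)
]


@dataclass
class Alert:
    src: str            # source address the IDS reported
    proto: str          # "tcp", "udp" or "icmp"
    established: bool   # True if the sensor saw the full TCP handshake


def naive_decision(alert: Alert) -> bool:
    """Block whatever the IDS flagged: the behaviour the post warns about."""
    return True


def guarded_decision(alert: Alert) -> bool:
    """Only block sources that are neither protected nor plausibly spoofed."""
    src = ip_address(alert.src)
    if any(src in net for net in PROTECTED):
        return False    # never let a forged alert cut off critical hosts
    if alert.proto == "tcp" and not alert.established:
        return False    # a lone SYN/RST with a forged source proves nothing
    if alert.proto in ("udp", "icmp"):
        return False    # connectionless, trivially spoofable: log, don't act
    return True


# Constructed alerts: a spoofed "attack" from the upstream router, then a real one.
SAMPLE = [Alert("203.0.113.1", "tcp", False), Alert("192.0.2.77", "tcp", True)]
```

Run the guarded version over your own alert feed in log-only mode first; every `False` it returns for a source you would otherwise have blocked is a case where the naive setup could have been turned against you.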
