Home page logo
/

basics logo Security Basics mailing list archives

RE: Recommending an IDS system
From: "Nero, Nick" <Nick.Nero () disney com>
Date: Wed, 10 Mar 2004 16:17:05 -0500

Holy cow stay away from ISS, man.  It is a horrible product.  Were I to do
it all over again, I would push for Snort over their solution.  We recently
had 20 tech support people from ISS onsite telling us that they still don't
know why it is crashing Win2k and Solaris boxes (core dumps!) after 1 year
of chasing bugs down on version 6.5.  And of course they are saying if we
upgrade to version 7.0 everything will be fine.  But they just had a
security hole in the agent for 7.0, so it doesn't look like they made that
much progress.  Seriously, we have it disabled on over half of our servers
because it was either crashing them outright (tclproc.exe likes to eat 100%
of the CPU), or it blocks traffic even when configured not to do so.

Stay away.  I hear Cisco's Okena/CSA is pretty awesome.

Nick Nero
CISSP, MCSE (2k3/2k/NT), CCNA
The Walt Disney Company
 
 

-----Original Message-----
From: D B [mailto:be281 () bfn org] 
Sent: Wednesday, March 10, 2004 7:54 AM
To: security-basics () securityfocus com
Subject: Re: Recommending an IDS system

In-Reply-To: <3BAFCFDABE11C64DA68B005B0682BB84BF1B18 () cnbmail cnb-waco com>

Last week I sent a bunch of people some of my information on Cisco and ISS
systems. Could someone post it here again or email me it. I have been
getting more requests for it and I dont want to write it up all over again.
I know, I should have saved it in the "sent mail" folder but it got deleted.
Thanks in advance.



David Buyer





Received: (qmail 15436 invoked from network); 9 Mar 2004 01:15:27 -0000

Received: from outgoing3.securityfocus.com (205.206.231.27)

 by mail.securityfocus.com with SMTP; 9 Mar 2004 01:15:27 -0000

Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])

      by outgoing3.securityfocus.com (Postfix) with QMQP

      id 8B749A3751; Mon,  8 Mar 2004 17:28:09 -0700 (MST)

Mailing-List: contact security-basics-help () securityfocus com; run by 
ezmlm

Precedence: bulk

List-Id: <security-basics.list-id.securityfocus.com>

List-Post: <mailto:security-basics () securityfocus com>

List-Help: <mailto:security-basics-help () securityfocus com>

List-Unsubscribe: 
<mailto:security-basics-unsubscribe () securityfocus com>

List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>

Delivered-To: mailing list security-basics () securityfocus com

Delivered-To: moderator for security-basics () securityfocus com

Received: (qmail 20107 invoked from network); 8 Mar 2004 16:37:04 -0000

content-class: urn:content-classes:message

MIME-Version: 1.0

Content-Type: text/plain;

      charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Subject: RE: Recommending an IDS system

X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1

Date: Mon, 8 Mar 2004 14:17:55 -0600

Message-ID: 
<3BAFCFDABE11C64DA68B005B0682BB84BF1B18 () cnbmail cnb-waco com>

X-MS-Has-Attach: 

X-MS-TNEF-Correlator: 

Thread-Topic: Recommending an IDS system

Thread-Index: AcQFShDFzrn8axlQRSKMnBaG6NqgzQAABqwA

From: "Josh Mills" <JMills () cnbwaco com>

To: "Buyer Jr, David" <DBuyer () KaleidaHealth Org>,

      <security-basics () securityfocus com>



I setup a dragon solution about a year ago and it seemed like it was =

very difficult to configure when compared to all the rest of the 
systems =

partially because of the way you had to go online and get a license for 
=

each service then download a key and try to load the key and make it 
all =

work together. This may have all changed by now but at the time i had a 
=

ton of trouble getting it installed.=20



-----Original Message-----

From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]

Sent: Monday, March 08, 2004 6:59 AM

To: security-basics () securityfocus com

Subject: RE: Recommending an IDS system=20





Havent used that one but Enterasys is a pretty good company.



David Buyer







-----Original Message-----

From: eeefm [mailto:eeefm () singnet com sg]

Sent: Sunday, March 07, 2004 2:13 AM

To: 'Buyer Jr, David'; security-basics () securityfocus com

Subject: RE: Recommending an IDS system=20





What you think of Dragon ? Thank you.



-----Original Message-----

From: Buyer Jr, David [mailto:DBuyer () KaleidaHealth Org]=20

Sent: Wednesday, March 03, 2004 1:29 AM

To: 'security-basics () securityfocus com'

Subject: RE: Recommending an IDS system=20





We have been using Cisco IDS systems for a number of years and recently

switched over to the new ISS Proventia Series appliances. I have worked

with both extensively and I have to say that the ISS solution is MUCH

better than the Cisco solution. Some of the big differences are that 
the

ISS people get out a sig about 2 weeks before Cisco even touches it.

Also, the Cisco sensors don't have a way of automatically downloading

and installing the new sigs. Its all a manual process that is a pain in

the A** Reporting is much much better and faster on the ISS as well.

There are many more advantages of going with ISS so if you need anymore

info email me. I still have all my data sheets that I did when we were

testing all the solutions.



PS - go with the inline stuff (IPS). Snort also has an inline patch

available.



David Buyer







-----Original Message-----

From: Josh Mills [mailto:JMills () cnbwaco com]

Sent: Monday, March 01, 2004 6:19 PM

To: Reza Kordi; Andy Cuff; security-basics () securityfocus com

Subject: RE: Recommending an IDS system=20





I have implemented a new cisco ids solution and i am very pleased with

it! the signatures are highly tunable for a commercial package and it

seems to be pretty stable. the sensor itself runs on redhat so maybe it

isnt that much different than snort.



-----Original Message-----

From: Reza Kordi [mailto:rk () 4unet net]

Sent: Monday, March 01, 2004 2:03 PM

To: 'Andy Cuff'; security-basics () securityfocus com

Subject: RE: Recommending an IDS system=20





Hi Andy



How good can vendor independant IDS solutions (Specially Opensource)

work in an Enterprise Cisco Based network?



What do you think about Cisco IDS solutions?





Best Regards

Mit freundlichen Gr=FCssen

Meilleures Salutations

med vennlig hilsen

=20

Reza Kordi





-----Original Message-----

From: Andy Cuff [mailto:lists () securitywizardry com]=20

Sent: Samstag, 28. Februar 2004 11:21

To: Matthew MacAulay; security-basics () securityfocus com

Subject: Re: Recommending an IDS system=20

Importance: Low



Hi Mat,

I was faced with the same dilemma some years back, my site below 
details

the various technologies you can bring to bear.  I also wrote an 
article

for SecurityFocus regarding deploying IDS from a vendor neutral

standpoint http://wwwsecurityfocus.com/infocus/1754



I'd suggest starting simply and building up but always keep the defence

in depth end goal in sight.  Also, don't forget that in addition to

detecting attacks you have to react to them also.  If you need further

advice offlist don't hesitate to ask.



Finally, if you go down the Network IPS route there are 2 main

varieties; rate based and content based, I refer to the former as 
Attack

Mitigation Systems  they fill an important role but IMHO are not IPS.

Ideally you

should have both varieties.   There are some products that claim to do

both,

but .....



take care

-andy

Talisker Security Tools Directory http://www.securitywizardry.com

----- Original Message -----

From: "Matthew MacAulay" <matthew.macaulay () cobweb couk>

To: <security-basics () securityfocus com>

Sent: Thursday, February 26, 2004 12:36 PM

Subject: Recommending an IDS system







Hello,



I have been tasked with looking at and recommending an IDS system 
for=20

my company.



I have been looking at open source products (Snort) which seems to 
be=20

a very good system with a lot of community support. My problem is 
we=20

are an ASP We want connections to be able to reach our systems for=20

the services we provide. I want to be able to monitor over 100=20

internet facing servers (behind Firewalls and load balancers) and=20

alert / and possibly block non normal traffic / detected attack=20

signatures.



After doing some reading into different methods IDS v IPS, Host v=20

Network, I favour a combination, we have at anyone time up to 
50,000=20

concurrent connections to our systems so I have a problem of 
scale.=20

One Snort box is just not going to cut it!



Looking at how I can "tap" into the network traffic has been 
partially



solved by using IDSVLANS which is supported by our Switch 
hardware.=20

(Nortel 8600) So an IDSVLAN could be setup for each of our 
existing=20

VLANS and a couple of load balanced IDS boxes per IDSVLAN to alert 
to=20

a central server to produce reports / alert / wake people up....=20

Sounds great.



Though I have not looked at it in as much detail as network based 
IDS,



I expect I can get a hosts based IDS to also alert (SNMP or what 
ever)



to a central server to again produce reports / alerts / wake 
people=20

up.



I am interested to here what systems you use to do IDS / IPS. Do 
you=20

have in place IDS systems for platforms of a larger or similar 
scale?=20

I would like to here from people have who have faced similar=20

challenges

-----------------------------------------------------------------------
-

---

Free 30-day trial: firewall with virus/spam protection, URL filtering,

VPN, wireless security



Protect your network against hackers, viruses, spam and other risks 
with

Astaro Security Linux, the comprehensive security solution that 
combines

six applications in one software solution for ease of use and lower

total cost of ownership.



Download your free trial at

http://www.securityfocus.com/sponsor/Astaro_security-basics_040301

-----------------------------------------------------------------------
-

----



CONFIDENTIALITY NOTICE:=20

This email transmission and any documents, files,=20

or previous e-mail messages attached to it are=20

confidential and intended solely for the use of the=20

individual or entity to whom they are addressed.=20

If you are not the intended recipient, or a person=20

responsible for delivering it to the intended recipient,=20

you are hereby notified that any further review,=20

disclosure, copying, dissemination, distribution, or=20

use of any of the information contained in or attached=20

to this e-mail transmission is strictly prohibited.=20

If you have received this message in error, please=20

notify the sender immediately by e-mail, discard=20

any paper copies, and delete all electronic files=20

of the message. If you are unable to contact the=20

sender or you are not sure as to whether you=20

are the intended recipient, please e-mail=20

ISTSEC () KaleidaHealth org or call (716) 859-7777.=20







-----------------------------------------------------------------------
--=

--

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 
=

off=20

any course! All of our class sizes are guaranteed to be 10 students or 
=

less=20

to facilitate one-on-one interaction with one of our expert 
instructors. =



Attend a course taught by an expert instructor with years of =

in-the-field=20

pen testing experience in our state of the art hacking lab. Master the 
=

skills=20

of an Ethical Hacker to better assess the security of your 
organization. =



Visit us at:=20

http://www.infosecinstitute.com/courses/ethical_hacking_training.html

-----------------------------------------------------------------------
--=

---





-----------------------------------------------------------------------
----

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 
off

any course! All of our class sizes are guaranteed to be 10 students or 
less

to facilitate


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Attachment: smime.p7s
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault