mailing list archives
RE: Recommending an IDS system
From: "Buyer Jr, David" <DBuyer () KaleidaHealth Org>
Date: Tue, 2 Mar 2004 12:29:01 -0500
We have been using Cisco IDS systems for a number of years and recently
switched over to the new ISS Proventia Series appliances. I have worked with
both extensively and I have to say that the ISS solution is MUCH better than
the Cisco solution. Some of the big differences are that the ISS people get
out a sig about 2 weeks before Cisco even touches it. Also, the Cisco
sensors don't have a way of automatically downloading and installing the new
sigs. Its all a manual process that is a pain in the A** Reporting is much
much better and faster on the ISS as well. There are many more advantages of
going with ISS so if you need anymore info email me. I still have all my
data sheets that I did when we were testing all the solutions.
PS - go with the inline stuff (IPS). Snort also has an inline patch
From: Josh Mills [mailto:JMills () cnbwaco com]
Sent: Monday, March 01, 2004 6:19 PM
To: Reza Kordi; Andy Cuff; security-basics () securityfocus com
Subject: RE: Recommending an IDS system
I have implemented a new cisco ids solution and i am very pleased with it!
the signatures are highly tunable for a commercial package and it seems to
be pretty stable. the sensor itself runs on redhat so maybe it isnt that
much different than snort.
From: Reza Kordi [mailto:rk () 4unet net]
Sent: Monday, March 01, 2004 2:03 PM
To: 'Andy Cuff'; security-basics () securityfocus com
Subject: RE: Recommending an IDS system
How good can vendor independant IDS solutions (Specially Opensource) work in
an Enterprise Cisco Based network?
What do you think about Cisco IDS solutions?
Mit freundlichen Grüssen
med vennlig hilsen
From: Andy Cuff [mailto:lists () securitywizardry com]
Sent: Samstag, 28. Februar 2004 11:21
To: Matthew MacAulay; security-basics () securityfocus com
Subject: Re: Recommending an IDS system
I was faced with the same dilemma some years back, my site below details the
various technologies you can bring to bear. I also wrote an article for
SecurityFocus regarding deploying IDS from a vendor neutral standpoint
I'd suggest starting simply and building up but always keep the defence in
depth end goal in sight. Also, don't forget that in addition to detecting
attacks you have to react to them also. If you need further advice offlist
don't hesitate to ask.
Finally, if you go down the Network IPS route there are 2 main varieties;
rate based and content based, I refer to the former as Attack Mitigation
Systems they fill an important role but IMHO are not IPS. Ideally you
should have both varieties. There are some products that claim to do both,
Talisker Security Tools Directory
----- Original Message -----
From: "Matthew MacAulay" <matthew.macaulay () cobweb couk>
To: <security-basics () securityfocus com>
Sent: Thursday, February 26, 2004 12:36 PM
Subject: Recommending an IDS system
I have been tasked with looking at and recommending an IDS system for my
I have been looking at open source products (Snort) which seems to be a
very good system with a lot of community support. My problem is we are
an ASP. We want connections to be able to reach our systems for the
services we provide. I want to be able to monitor over 100 internet
facing servers (behind Firewalls and load balancers) and alert / and
possibly block non normal traffic / detected attack signatures.
After doing some reading into different methods IDS v IPS, Host v
Network, I favour a combination, we have at anyone time up to 50,000
concurrent connections to our systems so I have a problem of scale. One
Snort box is just not going to cut it!
Looking at how I can "tap" into the network traffic has been partially
solved by using IDSVLANS which is supported by our Switch hardware.
(Nortel 8600) So an IDSVLAN could be setup for each of our existing
VLANS and a couple of load balanced IDS boxes per IDSVLAN to alert to a
central server to produce reports / alert / wake people up.... Sounds
Though I have not looked at it in as much detail as network based IDS, I
expect I can get a hosts based IDS to also alert (SNMP or what ever) to
a central server to again produce reports / alerts / wake people up.
I am interested to here what systems you use to do IDS / IPS. Do you
have in place IDS systems for platforms of a larger or similar scale? I
would like to here from people have who have faced similar challenges
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
Download your free trial at