Security Basics mailing list archives

Re: Is snort an overkill for desktop only environment ?


From: mojorising <moj0rising () aim com>
Date: Mon, 26 Oct 2009 11:47:54 -0700

Hi, Martin,

The answer to your question probably depends on what level of security
you need. If there isn't much in need of protection on those desktops,
then maybe you don't need an IDS so much at that office. Then again,
if that office is connected to the main office via VPN, maybe it is a
good idea to watch that net with Snort or similar since it could be a
way in to the good stuff at the other locations if it is a weak area
in your network's security.

One way to save money and management overhead with Snort might be to
install it on the firewall/router (if that gear happens to be running
some form of Unix and has enough muscle, bandwidth, and storage
capacity). Some small offices and homes handle this by installing
Snort on an OpenWRT router, perhaps another consideration for you.
Another option is to install it on a small, low-power machine since
you'd be deploying the system to a presumably relatively low-traffic
network -- maybe even an old laptop will do since this is a
non-essential service and it won't be a problem if the system fails.
You could even just go ahead and do this now (be sure to enable port
spanning/mirroring on the switch) for testing and evaluation so you
can see what Snort is like in action on this little branch network.

As for the rules, I think there is value in having a system without
the commercial rule subscription. Sure, it won't be able to catch
attacks only detectable by those newer-than-30-days-old subscriptions
but there are tons of attacks and anomalies (obviously many more)
covered by all the other rules out there that are over 30 days old.
Plus, as you mentioned, this is only a small branch net with no
servers. Perhaps if your experience with Snort on this net is
positive, you'll deploy it to the main office and be able to justify
the $500 for the rule subscription for that particular sensor. Then
you will be able to use those new rules where you need them most.

Hopefully that gives you something to chew on as you consider Snort. Have fun!


Mike


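Mike's suggestion to run Snort on the branch net for evaluation produces an alert log to read through. The following is an added example (not from this thread or from the Snort project) that parses Snort's fast-alert lines, counts hits per signature, and flags alerts aimed at the head-office range reached over the VPN, which is the exposure Mike describes. The subnets, sids, messages and alert lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Snort 2.x "alert_fast" line layout; this regex is my own, not Snort's.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (sids in the local 1000000+ range, made-up messages).
# Assumed layout: branch desktops on 192.168.50.0/24, head office behind the VPN on 10.10.0.0/16.
SAMPLE_ALERTS = [
    "10/26-11:47:54.123456  [**] [1:1000001:1] LOCAL SMB from branch desktop to head office [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.50.23:49152 -> 10.10.0.5:445",
    "10/26-11:48:10.000001  [**] [1:1000002:2] LOCAL WEB suspicious user-agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.50.31:51000 -> 203.0.113.7:80",
    "10/26-11:48:12.000002  [**] [1:1000002:2] LOCAL WEB suspicious user-agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.50.31:51002 -> 203.0.113.7:80",
    "10/26-11:49:00.000003  [**] [1:1000003:1] LOCAL ICMP sweep toward head office [**] [Priority: 2] {ICMP} 192.168.50.40 -> 10.10.0.1",
    "this line is not an alert and must be skipped",
]

def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    return fields

def summarize(lines, head_office_net):
    """Count alerts per signature; also collect alerts whose destination lies in head_office_net."""
    net = ipaddress.ip_network(head_office_net)
    per_signature = Counter()
    toward_head_office = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # non-alert noise in the file (banners, blank lines)
        per_signature[(alert["sid"], alert["msg"])] += 1
        if ipaddress.ip_address(alert["dst"]) in net:
            toward_head_office.append(alert)
    return per_signature, toward_head_office

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_ALERTS, "10.10.0.0/16")
    print("alerts per signature:", counts.most_common())
    print("toward head office:", [(a["src"], a["dst"], a["msg"]) for a in flagged])
```

Point it at a real alert file with `summarize(open(path), "<head-office range>")` to see which of the older rules actually fire on the branch net.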

On 24/10/2009, martin <martiniscool () gmail com> wrote:
anybody have any thoughts at all ?


---------- Forwarded message ----------
From: martin <martiniscool () gmail com>
Date: 2009/10/22
Subject: Is snort an overkill for desktop only environment ?
To: security-basics () securityfocus com


Hi all

I've been reading up on IDP recently, and particularly started looking
at snort.  I'm considering suggesting to my boss that we install it at
a small branch office I'm based at.  However, all that we have at the
branch office are a few desktop PCs, a firewall, switch, and a
printer.  Our DC, file server etc, is at head office and accessed
using a VPN.

Is it worth installing IDP in a simplified environment such as this?
Or is it designed for more "complex" environments which have more
resources such as file servers, web servers etc.?

Also, currently we wouldn't have anything in the budget to pay for the
$500 rule subscription for one sensor - so all the rules we would be
getting would be 30 days old.  Is it worth having an IDP with rules
that are this old ?  Are they still of any value ?  I'm thinking back
to the Conficker threat last year - I know there was a Snort rule for
it, but without the subscription, we wouldn't have gotten it for 30
days.  So it would have been pretty much too late in that case.

I know that we can write our own rules, but I don't think anybody
would have time to do that.  So we'd be relying on what rules get
downloaded.

Any feedback would be greatly appreciated

thanks in advance
M

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

