Any IDS Recommendations?

 
 
The Poster
      07-13-2005, 09:01 AM
G/Day Forum,

I am currently in the process of evaluating a number of IDS solutions. This IDS
system will sit between an edge router (configured with ingress/egress
filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
only got a 2mb leased line to our ISP.

What's important to us:
- ease of configuration and ongoing management
- cost effectiveness
- suitability to Industry (Financial)
- logging ability/high quality reports/audit trail

The products I'm currently looking at are:
- Tipping Point 50
- Cisco IDS 4215

Any ideas, opinions, guidance?

Regards,
Steve.


 

S. Pidgorny
      07-13-2005, 10:50 AM
Hi there,

I recommend Snort. The open source solution is used in at least one of the
Australian Big 5 banks. Alternatively, you can use SourceFire - they add a
nice management interface, "supportability" and a price tag.

Implementing NIDS in front of the external firewall - bad idea. You will have
a lot of rubbish and chances are that you'll miss something important. DMZ
is a different matter - a port scan has to raise a legitimate alarm in there.
On the corporate network implement your NIDS too, you must.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$(E-Mail Removed)...
> G/Day Forum,
>
> I am currently in the process of evaluating a number of IDS solutions. This IDS
> system will sit between an edge router (configured with ingress/egress
> filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
> only got a 2mb leased line to our ISP.
>
> What's important to us:
> - ease of configuration and ongoing management
> - cost effectiveness
> - suitability to Industry (Financial)
> - logging ability/high quality reports/audit trail
>
> The products I'm currently looking at are:
> - Tipping Point 50
> - Cisco IDS 4215
>
> Any ideas, opinions, guidance?
>
> Regards,
> Steve.
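The placement argument made above (a sensor in front of the firewall drowns in scan "rubbish", while the same port-scan detector in the DMZ raises one alarm that matters) as a small threshold-based detector. This is an added illustration, not code from any poster or product; the flow records, addresses, window and threshold are constructed for the example.

```python
"""Minimal NIDS-style port-scan detector run over two constructed flow traces:
one captured between the edge router and the firewall, one in the DMZ."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# A flow record: (unix_time, src_ip, dst_ip, dst_port). Constructed format.
Flow = Tuple[int, str, str, int]


def detect_port_scans(flows: List[Flow], window: int = 60,
                      threshold: int = 10) -> List[Tuple[str, int]]:
    """Return (src_ip, alert_time) for every source that touches at least
    `threshold` distinct destination ports within any `window`-second span.
    One alert per source, raised on the flow that crosses the threshold."""
    recent: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
    alerted: Dict[str, int] = {}
    for t, src, _dst, dport in sorted(flows):
        q = recent[src]
        q.append((t, dport))
        while q and q[0][0] < t - window:      # drop records outside the window
            q.popleft()
        if src not in alerted and len({p for _, p in q}) >= threshold:
            alerted[src] = t
    return sorted(alerted.items(), key=lambda kv: kv[1])


def build_scan(src: str, dst: str, start: int, ports: range) -> List[Flow]:
    """One connection attempt per second to each port in `ports` (constructed)."""
    return [(start + i, src, dst, p) for i, p in enumerate(ports)]


# Constructed trace 1: sensor between the edge router and the firewall.
# Four unrelated Internet hosts sweep the public address; the firewall drops
# all of it anyway, so every alert here is the "rubbish" described above.
INTERNET_SIDE: List[Flow] = []
for i, bot in enumerate(["198.51.100.7", "203.0.113.9",
                         "198.51.100.40", "203.0.113.77"]):
    INTERNET_SIDE += build_scan(bot, "192.0.2.10", 1000 + i * 300, range(20, 40))

# Constructed trace 2: sensor in the DMZ. Ordinary HTTPS traffic from a few
# clients, plus one DMZ host probing the internal mail server. That single
# alert is the legitimate alarm.
DMZ_SIDE: List[Flow] = [(2000 + i, "10.0.0.%d" % (i % 3 + 5), "172.16.1.20", 443)
                        for i in range(30)]
DMZ_SIDE += build_scan("172.16.1.30", "10.1.1.5", 2100, range(1, 16))

if __name__ == "__main__":
    for name, trace in (("internet side", INTERNET_SIDE), ("DMZ", DMZ_SIDE)):
        print(name, detect_port_scans(trace))
```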



 

Mercury
      07-13-2005, 12:12 PM
Please ignore this if your site is not a High Security site.

If you are using SSL, then where is the end point? I.e. where is the encrypted
traffic decrypted?

I would expect your auditors to have a hissy fit if the SSL traffic were
decrypted anywhere sniffable, snortable or IDS'able, as that could lead to
identity theft.

For a high security site, logging SSL traffic is pointless; logging source
IP, port and time is more useful. Logging decrypted SSL traffic is an outright
danger.

I am happy to be corrected if needs be.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$(E-Mail Removed)...
> G/Day Forum,
>
> I am currently in the process of evaluating a number of IDS solutions. This
> IDS
> system will sit between an edge router (configured with ingress/egress
> filtering) and a Cisco Firewall. Our throughput requirement is low, as
> we've
> only got a 2mb leased line to our ISP..
>
> What's important to us:
> - ease of configuration and ongoing management
> - cost effectiveness
> - suitability to Industry (Financial)
> - logging ability/high quality reports/audit trail
>
> The products I'm currently looking at are:
> - Tipping Point 50
> - Cisco IDS 4215
>
> Any ideas, opinions, guidance?
>
> Regards,
> Steve.
>
>



 

David H. Lipman
      07-13-2005, 01:23 PM
From: "The Poster" <nospam@nospam_dontyoudare.net>

| G/Day Forum,
|
| I am currently in the process of evaluating a number of IDS solutions. This IDS
| system will sit between an edge router (configured with ingress/egress
| filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
| only got a 2mb leased line to our ISP..
|
| What's important to us:
| - ease of configuration and ongoing management
| - cost effectiveness
| - suitability to Industry (Financial)
| - logging ability/high quality reports/audit trail
|
| The products I'm currently looking at are:
| - Tipping Point 50
| - Cisco IDS 4215
|
| Any ideas, opinions, guidance?
|
| Regards,
| Steve.
|

Fortress Technologies
http://www.fortresstech.com/news/pre...ails.asp?id=49

Internet Security Systems
http://bvlive01.iss.net/issEn/delive...=ISS&oid=14435

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 

The Poster
      07-13-2005, 03:06 PM
Thanks Simon for the advice.

Vendors recommend that the first IDS be placed in front of the edge router
(I think I might have read that in a Cisco SAFE white paper) - I've taken
this a step further in placing it between the packet filtering router and
the firewall. As I mentioned in my earlier post, we are running a Cisco
based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
much in the way (bar the IDS rule and a few common signatures) of IDS
features. I do appreciate that a lot of 'trash' will be reported, and most
of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
take.

Snort - do you think it's easy to configure? I don't. From the research that
I've done to date Tipping Point seem to have the spotlight on them, and are
selling it on the basis that it's easy to install and configure, and doesn't
involve constant monitoring.

Steve.

"S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi there,
>
> I recommend Snort. The open source solution is used in at least one of the
> Australian Big 5 banks. Alternatively, you can use SourceFire - they add a
> nice management interface, "supportability" and a price tag.
>
> Implementing NIDS in front of the external firewall - bad idea. You will have
> a lot of rubbish and chances are that you'll miss something important. DMZ
> is a different matter - a port scan has to raise a legitimate alarm in there.
> On the corporate network implement your NIDS too, you must.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> news:uTuR$(E-Mail Removed)...
> > G/Day Forum,
> >
> > I am currently in the process of evaluating a number of IDS solutions. This IDS
> > system will sit between an edge router (configured with ingress/egress
> > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
> > only got a 2mb leased line to our ISP.
> >
> > What's important to us:
> > - ease of configuration and ongoing management
> > - cost effectiveness
> > - suitability to Industry (Financial)
> > - logging ability/high quality reports/audit trail
> >
> > The products I'm currently looking at are:
> > - Tipping Point 50
> > - Cisco IDS 4215
> >
> > Any ideas, opinions, guidance?
> >
> > Regards,
> > Steve.



 

Steve Clark [MSFT]
      07-13-2005, 04:57 PM
Honestly, NIDS is nothing more than a waste of time and money IMO.

Put HIDS on high value servers and workstations or other devices. Hackers
don't want to "0wn" the network; they use it like dial tone to get to where
they are really going, which is the host where data resides. The only
exception to this is DDoS attacks, which aren't going to be prevented by
NIDS in any event.

Focus effort on the points where attackers want to get to, and less on the
roads they use to get there with. If you operate from the worst assumption
(i.e., they are already inside the network) then they will be using
"trusted" paths to communicate with the intended targets. Most
organizations do not monitor internal traffic going to other internal
destination sets as they do the "perimeter" or remote access paths.

You can spend the rest of your life trying to figure out what "normal" is on
the network or especially the Internet; you darn sure ought to know what
normal is on hosts that you manage though, and that battle can actually be
won by the sysadmin. It's also higher-yield in that you have more
information to conduct forensic analysis, etc.




"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:uTuR$(E-Mail Removed)...
> G/Day Forum,
>
> I am currently in the process of evaluating a number of IDS solutions. This
> IDS
> system will sit between an edge router (configured with ingress/egress
> filtering) and a Cisco Firewall. Our throughput requirement is low, as
> we've
> only got a 2mb leased line to our ISP..
>
> What's important to us:
> - ease of configuration and ongoing management
> - cost effectiveness
> - suitability to Industry (Financial)
> - logging ability/high quality reports/audit trail
>
> The products I'm currently looking at are:
> - Tipping Point 50
> - Cisco IDS 4215
>
> Any ideas, opinions, guidance?
>
> Regards,
> Steve.
>
>



 

Karl Levinson, mvp
      07-14-2005, 01:01 AM

"Steve Clark [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Honestly, NIDS is nothing more than a waste of time and money IMO.


NIDS is a tool that gives you something you can't easily get otherwise.
It's grep for the network. It's true that some organizations probably waste
too much effort on IDS. But how much time you put into IDS is entirely up
to you. You can automate a lot of it if you want.

NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
portion is the most useful part of them, but it's easier and more cost
effective to do that same network monitoring with a NIDS. Detecting file
changes is useful, but is only a part of some NIDS, and is arguably better
done with a file change checker like www.gfi.com Languard SIM, Osiris, etc.
There really aren't too many robust commercial file change checker solutions
IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
main other thing most HIDS do is monitor the Windows event log, but 1) you
can do that with any number of other non-IDS products, 2) most HIDS are
configured by default to give you way too many false alarms in the Windows
event logs, and 3) few NIDS I'm aware of give you an easy way to configure
these events; you have to go back into Windows to manage this stuff.

To the OP: A lot of people are running away from ISS due to their
historically high prices and bad support in the past. Their prices may have
changed with their new line, I don't know. Their products in the past have
not been so easy to configure if you have a lot of devices, but OK if you
have just one or two. A problem for me is that their signatures are closed
source, which would be useful information to know when trying to tell false
alarms from real events.

www.enterasys.com Dragon is a popular and inexpensive IDS solution that is
somewhat similar to Snort, but is probably easier to configure.

www.netscreen.com has some attractive inexpensive low end devices that I
understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
bunch of other features. Their low end devices have all the exact same
features as their high end enterprise devices.

The Tipping Point IDS/IPS and Cisco devices you mention are other popular
choices.


> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> news:uTuR$(E-Mail Removed)...
> > G/Day Forum,
> >
> > I am currently in the process of evaluating a number of IDS solutions. This
> > IDS
> > system will sit between an edge router (configured with ingress/egress
> > filtering) and a Cisco Firewall. Our throughput requirement is low, as
> > we've
> > only got a 2mb leased line to our ISP..
> >
> > What's important to us:
> > - ease of configuration and ongoing management
> > - cost effectiveness
> > - suitability to Industry (Financial)
> > - logging ability/high quality reports/audit trail
> >
> > The products I'm currently looking at are:
> > - Tipping Point 50
> > - Cisco IDS 4215
> >
> > Any ideas, opinions, guidance?
> >
> > Regards,
> > Steve.
> >
> >




 

S. Pidgorny
      07-14-2005, 01:13 PM
G'day,

You've received some good replies so far.

Rule #1: always challenge the vendors' recommendation. In my opinion, even
behind the filtering router, NIDS is next to useless. It's hard enough to
make sense of NIDS in the DMZ and on the corporate WAN.

Secondly: regardless of your chosen products, it's the people who'll be
monitoring and supporting the solution in production. If you don't have a
dedicated team that knows the product and how to make changes and deploy new
sensors quickly - you'd better not invest. Without the right process,
auditors won't approve your NIDS.

And if you have the right people, they don't necessarily need a fancy GUI to get
started with Snort. You'll have a solution at the right cost for NIDS -
$0.00 per monitored IP address.

One thing is really important: have your testing criteria defined, and do
testing. Yes, you'll need traffic generators and all that, but some due
diligence saves time, money and nerves for the project team.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:(E-Mail Removed)...
> Thanks Simon for the advice.
>
> Vendors recommend that the first IDS be placed in front of the edge router
> (I think I might have read that in a Cisco SAFE white paper) - I've taken
> this a step further in placing it between the packet filtering router and
> the firewall. As I mentioned in my earlier post, we are running a Cisco
> based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
> much in the way (bar the IDS rule and a few common signatures) of IDS
> features. I do appreciate that a lot of 'trash' will be reported, and most
> of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
> take.
>
> Snort - do you think it's easy to configure? I don't. From the research that
> I've done to date Tipping Point seem to have the spotlight on them, and are
> selling it on the basis that it's easy to install and configure, and doesn't
> involve constant monitoring.
>
> Steve.



 

Phil Agcaoili
      07-14-2005, 04:59 PM
Ease of use is relative, but in this category your first requirement is to
get an appliance-based IDS/IPS solution.

This rules out stuff like Snort. Snort is one of the best IDS solutions, by
the way, because it is highly configurable and very fast.

SourceFire is the commercial company that the founder of Snort started. It
is an appliance solution with a Web GUI that you manage. You do not have to
install Linux or compile anything to get it working, it comes out of the box
ready with an OS and Snort running, and you simply configure and manage it
with your Browser.

Also, with any signature based IDS, there is a learning curve and then there
is another process which will require all admins to update and make specific
judgements on which signatures to use or create based on their environment.

You can simply install an IDS and not touch it. It will become out of date.
Consider IDS like Antivirus, without the latest definition file, A/V is
useless.

If you want to get closer to a set-it-and-forget-it type of intrusion
detection solution, I would also consider an anomaly/behavior-based solution
such as Lancope, Tipping Point, and McAfee. I've seen implementations that
have been profiled and left alone for a while, but still detecting odd
network conditions and flagging that the link needs to be monitored.

The IDS/IPS market is a commodity right now, so whatever you choose from the
vendors I pointed out above you should be good to go. Just know that you
need to manage these systems or else they're useless.

"The Poster" <nospam@nospam_dontyoudare.net> wrote in message
news:(E-Mail Removed)...
> Thanks Simon for the advice.
>
> Vendors recommend that the first IDS be placed in front of the edge router
> (I think I might have read that in a Cisco SAFE white paper) - I've taken
> this a step further in placing it between the packet filtering router and
> the firewall. As I mentioned in my earlier post, we are running a Cisco
> based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
> much in the way (bar the IDS rule and a few common signatures) of IDS
> features. I do appreciate that a lot of 'trash' will be reported, and most
> of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
> take.
>
> Snort - do you think it's easy to configure? I don't. From the research that
> I've done to date Tipping Point seem to have the spotlight on them, and are
> selling it on the basis that it's easy to install and configure, and doesn't
> involve constant monitoring.
>
> Steve.
>
>> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
>> news:uTuR$(E-Mail Removed)...
>> > G/Day Forum,
>> >
>> > I am currently in the process of evaluating a number of IDS solutions. This IDS
>> > system will sit between an edge router (configured with ingress/egress
>> > filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
>> > only got a 2mb leased line to our ISP.
>> >
>> > What's important to us:
>> > - ease of configuration and ongoing management
>> > - cost effectiveness
>> > - suitability to Industry (Financial)
>> > - logging ability/high quality reports/audit trail
>> >
>> > The products I'm currently looking at are:
>> > - Tipping Point 50
>> > - Cisco IDS 4215
>> >
>> > Any ideas, opinions, guidance?
>> >
>> > Regards,
>> > Steve.



 

The Poster
      07-15-2005, 08:16 AM
Some good posts indeed Simon.

I agree with you on every point. I forgot to mention that the primary reason
I'm installing the IDS is for compliance with the PCI Data Security Standard
(Visa/MasterCard).

It's a simple scenario - if we don't have an IDS on our network generating
'traffic' and 'trash' stats - then we fail the compliance audit. I argued
with the auditors re. the 'best' location for the device; they were
recommending I put it in my 'secure area' (a DMZ area where traffic and data
is encrypted). And my argument was that this was useless - an IDS sniffing
encrypted packets? A complete waste of Dollars or Euros in my case.......

Steve.


"S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> G'day,
>
> You've received some good replies so far.
>
> Rule #1: always challenge the vendors' recommendation. In my opinion, even
> behind the filtering router, NIDS is next to useless. It's hard enough to
> make sense of NIDS in the DMZ and on the corporate WAN.
>
> Secondly: regardless of your chosen products, it's the people who'll be
> monitoring and supporting the solution in production. If you don't have a
> dedicated team that knows the product and how to make changes and deploy new
> sensors quickly - you'd better not invest. Without the right process,
> auditors won't approve your NIDS.
>
> And if you have the right people, they don't necessarily need a fancy GUI to get
> started with Snort. You'll have a solution at the right cost for NIDS -
> $0.00 per monitored IP address.
>
> One thing is really important: have your testing criteria defined, and do
> testing. Yes, you'll need traffic generators and all that, but some due
> diligence saves time, money and nerves for the project team.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "The Poster" <nospam@nospam_dontyoudare.net> wrote in message
> news:(E-Mail Removed)...
> > Thanks Simon for the advice.
> >
> > Vendors recommend that the first IDS be placed in front of the edge router
> > (I think I might have read that in a Cisco SAFE white paper) - I've taken
> > this a step further in placing it between the packet filtering router and
> > the firewall. As I mentioned in my earlier post, we are running a Cisco
> > based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
> > much in the way (bar the IDS rule and a few common signatures) of IDS
> > features. I do appreciate that a lot of 'trash' will be reported, and most
> > of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
> > take.
> >
> > Snort - do you think it's easy to configure? I don't. From the research that
> > I've done to date Tipping Point seem to have the spotlight on them, and are
> > selling it on the basis that it's easy to install and configure, and doesn't
> > involve constant monitoring.
> >
> > Steve.



 