Security Basics mailing list archives
Re: Recommending an IDS system
From: "Andy Cuff" <lists () securitywizardry com>
Date: Sat, 28 Feb 2004 10:20:37 -0000
Hi Mat,

I was faced with the same dilemma some years back; my site below details the various technologies you can bring to bear. I also wrote an article for SecurityFocus regarding deploying IDS from a vendor-neutral standpoint: http://www.securityfocus.com/infocus/1754

I'd suggest starting simply and building up, but always keep the defence in depth end goal in sight. Also, don't forget that in addition to detecting attacks you have to react to them also. If you need further advice offlist, don't hesitate to ask.

Finally, if you go down the Network IPS route there are 2 main varieties: rate based and content based. I refer to the former as Attack Mitigation Systems; they fill an important role but IMHO are not IPS. Ideally you should have both varieties. There are some products that claim to do both, but .....

take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com

----- Original Message -----
From: "Matthew MacAulay" <matthew.macaulay () cobweb co uk>
To: <security-basics () securityfocus com>
Sent: Thursday, February 26, 2004 12:36 PM
Subject: Recommending an IDS system
Hello,

I have been tasked with looking at and recommending an IDS system for my company. I have been looking at open source products (Snort), which seems to be a very good system with a lot of community support.

My problem is we are an ASP. We want connections to be able to reach our systems for the services we provide. I want to be able to monitor over 100 internet-facing servers (behind firewalls and load balancers) and alert / and possibly block non-normal traffic / detected attack signatures.

After doing some reading into different methods (IDS v IPS, Host v Network), I favour a combination. We have at any one time up to 50,000 concurrent connections to our systems, so I have a problem of scale. One Snort box is just not going to cut it!

Looking at how I can "tap" into the network traffic has been partially solved by using IDSVLANs, which is supported by our switch hardware (Nortel 8600). So an IDSVLAN could be set up for each of our existing VLANs, and a couple of load balanced IDS boxes per IDSVLAN to alert to a central server to produce reports / alert / wake people up.... Sounds great.

Though I have not looked at it in as much detail as network based IDS, I expect I can get a host based IDS to also alert (SNMP or whatever) to a central server to again produce reports / alerts / wake people up.

I am interested to hear what systems you use to do IDS / IPS. Do you have in place IDS systems for platforms of a larger or similar scale? I would like to hear from people who have faced similar challenges.

Questions I keep asking myself:
- Am I trying to do too much, should I just concentrate on host based IDS?
- Is network based IDS the right way to go? Or am I right in trying to do both?
- Should I be using an open source product to do ID?
- Are there commercial products which can do what I want?

Your thoughts, recommendations and pointers to further reading are welcome.

Regards,
Mat.
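As an added example (not code from the thread or from either poster), here is a small central-collector skeleton in Python for the "central server to produce reports / alert / wake people up" part of the design Mat sketches above: it reads alert lines forwarded by several per-IDSVLAN sensors, groups them by signature and source across all sensors, and applies a simple escalation policy. The sensor-tag prefix, the escalation thresholds, the signature IDs (taken from the local-rule range), the addresses and the sample lines are all constructed for this example; the line layout after the tag follows Snort's alert_fast output format.

```python
import re
from collections import defaultdict

# Constructed sample input: what the central collector might receive from the
# per-IDSVLAN sensors. The leading sensor tag is an assumed convention of this
# example; the remainder of each line follows the layout of Snort's alert_fast
# output. SIDs in the 1000000+ range are the local-rule range, used here as
# placeholders; addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
idsvlan10-sensor1 02/26-12:36:01.000001 [**] [1:1000001:1] LOCAL web probe (constructed) [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:40001 -> 10.10.0.7:80
idsvlan10-sensor2 02/26-12:36:02.000001 [**] [1:1000001:1] LOCAL web probe (constructed) [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:40002 -> 10.10.0.8:80
idsvlan20-sensor1 02/26-12:36:03.000001 [**] [1:1000001:1] LOCAL web probe (constructed) [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:40003 -> 10.20.0.4:80
idsvlan20-sensor1 02/26-12:36:04.000001 [**] [1:1000002:1] LOCAL buffer overflow attempt (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:5000 -> 10.20.0.4:21
idsvlan30-sensor1 02/26-12:36:05.000001 [**] [1:1000003:1] LOCAL ICMP info (constructed) [**] [Priority: 3] {ICMP} 192.0.2.77 -> 10.30.0.2
idsvlan30-sensor1 this line is garbage from a broken sensor
"""

# Sensor tag, then the fields of a Snort fast alert. Classification and ports
# are optional because ICMP alerts and rules without a classtype omit them.
FAST_ALERT = re.compile(
    r"^(?P<sensor>\S+)\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one tagged fast-alert line; return a dict, or None if it does not match."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    return d


def correlate(lines, page_targets=3):
    """Group alerts by (signature, source) across all sensors and decide an action.

    Returns {"incidents": {(sid, src): {...}}, "unparsed": n}. Each incident
    carries the hit count, the sensors and targets involved, and an action:
    "page" (wake someone up), "alert" or "report". Unparseable lines are counted
    rather than dropped, so a sensor emitting junk is visible in the summary.
    """
    groups = defaultdict(lambda: {"count": 0, "sensors": set(), "targets": set(),
                                  "msg": "", "prio": 9})
    bad = 0
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            bad += 1
            continue
        g = groups[(a["sid"], a["src"])]
        g["count"] += 1
        g["sensors"].add(a["sensor"])
        g["targets"].add(a["dst"])
        g["msg"] = a["msg"]
        g["prio"] = min(g["prio"], a["prio"])
    for g in groups.values():
        # Escalation policy (assumed for this example): priority-1 signatures
        # page on-call at once; one source hitting several servers, possibly on
        # different IDSVLANs, pages too because no single sensor sees that
        # pattern; priority-2 events raise an alert; the rest go to the report.
        if g["prio"] == 1 or len(g["targets"]) >= page_targets:
            g["action"] = "page"
        elif g["prio"] == 2:
            g["action"] = "alert"
        else:
            g["action"] = "report"
    return {"incidents": dict(groups), "unparsed": bad}


def summarize(lines):
    """Return (sorted rows of (action, msg, src, n_targets), unparsed line count)."""
    result = correlate(lines)
    rows = [(g["action"], g["msg"], src, len(g["targets"]))
            for (sid, src), g in result["incidents"].items()]
    return sorted(rows), result["unparsed"]


if __name__ == "__main__":
    rows, unparsed = summarize(SAMPLE_ALERTS.splitlines())
    for action, msg, src, n in rows:
        print(f"{action:6} {src:15} targets={n}  {msg}")
    print(f"unparsed lines: {unparsed}")
```

Two design points worth noting for a deployment of Mat's shape. First, the cross-sensor grouping is where a central collector earns its keep: a single probe per VLAN looks harmless to each sensor, and only the aggregate shows one source walking the server estate. Second, the unparsed-line counter is there because a sensor that silently stops producing well-formed alerts is indistinguishable from a quiet network unless something counts its failures. The transport from sensor to collector (syslog, a database, or the SNMP traps mentioned for host-based IDS) is outside this example.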
Current thread:
- Re: Recommending an IDS system Andy Cuff (Mar 01)
- RE: Recommending an IDS system Reza Kordi (Mar 01)
- <Possible follow-ups>
- RE: Recommending an IDS system Josh Mills (Mar 02)
- RE: Recommending an IDS system Daniel Cid (Mar 03)
- RE: Recommending an IDS system AJ Butcher, Information Systems and Computing (Mar 04)
- RE: Recommending an IDS system AJ Butcher, Information Systems and Computing (Mar 03)
- RE: Recommending an IDS system Daniel Cid (Mar 03)
- RE: Recommending an IDS system Dave Gonsalves (Mar 02)
- RE: Recommending an IDS system Buyer Jr, David (Mar 02)
- RE: Recommending an IDS system Josh Mills (Mar 03)
- RE: Recommending an IDS system Hoang, Binh P,,DMDCWEST (Mar 03)
- RE: Recommending an IDS system Buyer Jr, David (Mar 03)
(Thread continues...)