RE: The devil's in the details

[Kyle Starkey <KSTARKEY () altera com>]

Hi Folks,
I am currently looking at a solution that I think is currently the best
thing on the Market for those of us using switched netowrks.  My coporate
network is COMPLETELY Switched so you get very little info off the wire.
What I found was ODS Networks Secure Detector and CMDS systems.  Basically
what this is, is a combination of Host Based (servers only) and Network
Based (Tap the important lines and sniff their) solution.  I am in the
process of getting a quote form the Vendor in hopes that it will be cheaper
than implementing a Cisco Solution over the whole campus.  My Unix Ops group
wanted me to use Trip Wire, my Net Ops group wanted me to use the Cisco
solution, and the NT Ops group didn't want to do anything.  I have found
that CMDS has agents for Solaris, NT and many other platforms.  The Vendor
has said it can monitor my NT servers, my Solaris servers and also gather
information from the Central Cisco Syslog Server.  I am hoping ot get a
trial version for testing in the next few weeks so I will try ot keep people
updated as to how it ACTUALLY works.  I am a optimisitc at this point, but
mostly because I have not seen anything else out their that will monitor and
report on all three platforms.

--Kyle Starkey
Information Security Group
Altera Corporation

-----Original Message-----
From: David Lang [mailto:dlang () diginsite com]
Sent: Tuesday, July 13, 1999 9:20 AM
To: Matt Dunn
Cc: firewall-wizards () nfr net
Subject: Re: The devil's in the details


-----BEGIN PGP SIGNED MESSAGE-----

I am in a similar situation and decided that the only way to do IDS was to
bite the bullet and put host-based IDS on each of my internal servers.
this will not protect one desktop from being hacked by another, but will
protect my servers (and yes it can get VERY expensive)

David Lang

On Tue, 13 Jul 1999, Matt Dunn wrote:

> Hi all, 
>
> I'm doing some preliminary planning for a security configuration, and I
> have what may be a silly question about setting up an IDS. I looked around
> a bit, and even asked a couple people (who laughed, but it didn't sound
> like it was because the question was silly, more of a 'good luck' kind of
> laugh..)
>
> My problem is that a couple of my networks involve switches, which, as
part
> of the new and improved security policy, will involve VLANs.
>
> I could throw the IDS on a hub with the firewall and connect that to the
> switch, but that doesn't do anything for internal threats (which are what
> is necessitating the VLANs.)
>
> Has anyone figured out a good way to set something like this up? Ideally,
> some switch manufacturer would have thought of this ahead of time, and
made
> a port on the switch that dumped all the packets, but then you're dealing
> with packet loss unless that one port is significantly faster than the
rest
> of the switch. I could try to figure out some policy based configuration,
> but I don't want to go buy a gigabit plane for each of my switches, and it
> doesn't sit right with me to depend on the switch management elements for
> the completeness of my security data.
>
> Any responses would be appreciated.
>
> -Matt

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
- -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA
'97)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN4tnGT7msCGEppcbAQG+FAgAoq/iczreRMMY29ozFKi4jqliDAG+K//r
UgzYwq6kofSYeKiIESqwI+5FjnO0OyuA5pdEkCKw05Nk5ZabvpUyLzFtdz8Gg4bW
w4E1x9lQ76axPxiLZ+r98AhvF2KA4GEpov8croTaNW8OqwkOAf8T4Gvbe+8YQPlI
WnXXYa0aW8A9jjb/J+mUP0mbQfO+H1umSWNMacHD617mzkdXJEnGBLMODTTqkjgI
xK0F5ys+pDI9kBH1xVDtAxRLNxnTaokQpmZwCwDfYKezOfHTpepoxk1X9EnypWZY
LaB3s2Pn2jq5siCxQHNhDn9MHsxg6O+h1x+1IOMp7E2KMTd+lWjB2Q==
=HNV4
-----END PGP SIGNATURE-----