Iintrusion Detection Solution

[merchantnetwork]

Hello!

I'm looking for a corporate wide intrusion detection solution. Not sure if I want it on the network device side (already have a firewall) or server/client side. Any suggestions. We have a mix of Novell and Windows servers. All network devices are Cisco (except the SPAM blocker which is Barracuda). I've been looking at Tripwire. I took a look at Snort, but didn't understand it. = (

Thanks!

 

[MichealC4]

Tripwire and Snort are for two different purposes. Tripwire is for monitoring file changes on a host (useful if a virus comes in, a user modifies system files, etc.). Snort on the other hand is for HIDS/NIDS. Host-based Intrusion Detection System/Network Intrusion Detection System. It monitors packets and throws an alert when a packet matches a particular filter. Useful for things such as Slammer, Windows lockouts, etc. Also, where you put it (for the NIDS device) depends on what you are looking to monitor. Are you looking to monitor user actions (ie, virus within your network), or are you looking to monitor incoming/outgoing traffic (ie, an attacker from the outside trying to come in)? In my opinion, you can't beat Snort, especially if it is on a *nix system as the recent versions of Snort include Snort-Inline, which is a *very* basic Intrusion Prevention System. However, Cisco also has some products as well.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt

 

[merchantnetwork]

So which is "better". We have a ThreatBox (NIDS), but no one knows anything about it... including me. I sent for the documentation CD so I can see what it can and can't do. Do we need something like Tripwire AND something like Snort/ThreatBox as well as a firewall and Proxy??? Do we need something on every server/PC? This is making my head spin!

Thanks again! = )

 

[MichealC4]

In my opinion, unless you have some reason require monitoring files on each pc (ie, problem users), I wouldn't worry about Tripwire on pc's. I would suggest Tripwire on servers however, as servers should be "setup and forget" as far as system changes go. So if changes are being made to system files and nobody is authorized (ie, one of your techs are making changes), that should be something you need to worry about. If you have ThreatBox (never heard of them to be honest), then you shouldn't need Snort. You might want to consider putting a HIDS on each machine, but that has to be weighed with user privacy (check company policies), load on the machine, and eventually load on the network if you want a central monitoring station, and finally the data you want. Generally speaking a NIDS is enough, unless you have a specific reason for a HIDS. Again, this is from my experience. You might want a second opinion.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt

 

[JoeBloggssss]

I think ISS RealSecure is the daddy, you can implement on Nokia IPSO, and integrate with Check Point as it is OPSEC certified.

 

[firestormsp1]

Second that Chris,

We use Nokia and Realsecure and keep passing pen-tests with flying colours.

 

[merchantnetwork]

Thanks!! I've been looking at Realsecure and it sounds like what the auditors are talking about. How many do I need though? Just one on the DMZ??? We are a smaller company and don't want to spend a fortune. Is it better to use the Nokia and not the Windows version? How hard is it to install and manage?

 

[JoeBloggssss]

If you are on a budget, then one is better than none, although redundency is a issue worth investing in, considering that most security solutions are first to be attacked.

Yes nokia provides the industry most secure operating system out of the box (FreeBSD, it can be managed via web browser so you don't have a real learning curve. And if you are implementing it behind a cisco router, you can go for a cheaper model and offload the routing etc. Windows is not a good choice of platform, and linux could create further administrative overhead for you.

It is not hard to install and manage, you set it up, then deply sensors to varous points in your network. It is a corporate solution aimed at big business, unlike Snort (which is a bitch to work with) it is tryng position itself as a solution which reduces business costs in training and deployment. The boys who designed the interface obvious learned a thing or two from checkpoint as it is very clean and easy to use while still maintaining full functionality.

One of the best feature is you can integrate it with checkpoint, netscreen etc. And have the IDS signatures detected alter the firewall ruleset to block possible attacks, this could be put to management as we did that it moves your company from a reactive model to a proactive taking steps to mitigate future unknown attacks perhaps might help you get the cash up.

Who knows might even get you a training course from ISS