Hi Troy,

I'm interested in how you are doing monitoring on the security side of
things. I'm aware of netForensics, which can correlate FW/router/IDS logs in
real time to tell you about attacks. My personal opinion of the product is
that it's a beefed-up syslog server with an Oracle database in the backend
to pump out reports. It's a good solution if you can afford it; otherwise
you would have to develop your own scripts to pick out the syslog messages
that are relevant.

I think the ideal way of responding to security alerts is through 24x7
cover, with someone making changes on firewalls where necessary. I'm not
too sure about the IDS modifying the FW's ACL in real time; it sounds like it
could potentially be used by someone to DoS. What are people's experiences
with this? I would be interested to know.

Yes, you're right that most of the security systems are used to stop script
kiddies, since exploits that get released have already been known to the
more 'elite' hacking/cracking community for weeks/months before they were
released. So the best you can do is to do your best to stop the mass herd of
script kiddies, and the rest is a numbers game.

Regards,

Albert
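Albert's two points above, rolling your own scripts to pick relevant messages out of syslog and the worry that an IDS driving firewall ACLs could be turned into a DoS, in one added example that is not code from this thread or from any product mentioned in it. It assumes a constructed FW/IDS syslog line format, an allowlist of addresses that must never be auto-blocked, and a per-run block budget; correlated sources are handed to an operator rather than pushed to a firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample syslog lines (not from the thread or any product): FW denies and IDS alerts.
SAMPLE_LOGS = [
    "Feb 22 01:40:12 fw1 FW: deny proto=tcp src=198.51.100.7 dst=10.0.1.5 dport=1434",
    "Feb 22 01:40:15 ids1 IDS: alert sig=sql-worm src=198.51.100.7 dst=10.0.1.5",
    "Feb 22 01:40:20 fw1 FW: deny proto=udp src=198.51.100.7 dst=10.0.1.6 dport=1434",
    "Feb 22 01:41:02 ids1 IDS: alert sig=icmp-sweep src=203.0.113.9 dst=10.0.1.1",
    "Feb 22 01:41:05 fw1 FW: deny proto=udp src=192.0.2.53 dst=10.0.1.5 dport=53",
    "Feb 22 01:41:06 ids1 IDS: alert sig=dns-probe src=192.0.2.53 dst=10.0.1.5",
    "Feb 22 01:41:07 fw1 FW: deny proto=udp src=192.0.2.53 dst=10.0.1.6 dport=53",
]
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (FW|IDS): .*?src=(\S+) dst=(\S+)")
# Assumed allowlist (e.g. upstream DNS or a partner): never auto-blocked, because an
# attacker spoofing such an address would otherwise turn the auto-block into a DoS.
NEVER_BLOCK = {"192.0.2.53"}
def parse(line):
    """Turn one syslog line into an event dict, or None if it is not an FW/IDS line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog carries no year
    return {"ts": ts, "host": m.group(2), "kind": m.group(3), "src": m.group(4), "dst": m.group(5)}
def correlate(lines, window=timedelta(seconds=60), min_denies=2):
    """Sources with an IDS alert plus >= min_denies firewall denies within `window` of it."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        denies = [e for e in evs if e["kind"] == "FW"]
        for a in (e for e in evs if e["kind"] == "IDS"):
            near = [d for d in denies if abs(d["ts"] - a["ts"]) <= window]
            if len(near) >= min_denies:
                hits[src] = len(near)  # an IDS alert alone (203.0.113.9) is not enough
                break
    return hits
def recommend_blocks(hits, max_blocks=5):
    """Split hits into block candidates for an operator and held-back ones (allowlisted or over budget)."""
    block, held = [], []
    for src in sorted(hits, key=hits.get, reverse=True):
        if src in NEVER_BLOCK:
            held.append((src, "allowlisted"))
        elif len(block) >= max_blocks:
            held.append((src, "budget exceeded"))
        else:
            block.append(src)
    return block, held
```

The budget caps how many addresses one run can ever propose, so a flood of spoofed sources cannot translate into a flood of ACL changes.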



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 22, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


Hi Albert,

We have 24x7 cover so that response time is pretty quick (and a very well
defined escalation procedure).

However, at the end of the day you are right. I believe that no systems are
secure; what we do is try to stick up as many deterrents as possible to make
it not worthwhile, and for the cracker to try and find a more easily
exploited system. Furthermore, the majority of cracking alerts are as a
result of script kiddies, and if 10 other systems show up as exploitable
before ours, then that is half the war won.


Albert Lu wrote:
>
> Hi Troy,
>
> Must be some secure site. The reason I was interested is that I had a
> discussion with someone else before in regard to multi-vendor IDS
> solutions and how effective they might be.
>
> So if you mostly rely on manual action, and an attack came in after hours,
> how quickly can you respond to your alerts? Since for some attacks, a half
> hour response time could cause your site to be down (e.g. the Slammer
> virus). If that was the case, even if you had all the vendors' IDS, it
> would be useless.
>
> Albert
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 21, 2003 10:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
>
>
> As with most things, you need to weigh up costs against your requirements.
> In our case, security is absolutely essential, so having a multi-vendor
> security solution (and indeed a fully redundant one) is costly, but we see
> it as justified.
>
> With regards to action during attacks etc., we mostly rely on manual
> actions as we don't want to inadvertently block legitimate traffic (for
> example if an attack came from a spoofed IP). For automatic action, you can
> make use of Cisco Policy Manager, which has the ability to dynamically
> rewrite ACLs on PIXs, routers, and indeed Cats, according to data from the
> IDS. So for example, if you were really paranoid (like we are), you could
> have PIXs as the first firewall, with IDS on the inside / DMZ etc. (using
> IDSM or standalone IDS), tie these together with Policy Manager, then,
> taking a further step into your network, a set of Nokia FW-1 NG, along
> with further Nokia IDS solutions on the inside, and tied together using
> the Enterprise software!
>
>
>
> Albert Lu wrote:
> >
> > Hi,
> >
> > I'm just curious about your multi-vendor solution. It must cost quite a
> > lot in order to have 3 IDS running. What about redundancy? If you are
> > using dual switch/router/fw/ids, you would have a total of 6 IDS.
> >
> > Being able to detect attacks with multiple IDS is one thing. What action
> > can it take once the IDS detects an attack? Logging it into the syslog
> > server is not enough.
> >
> > Albert
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Friday, February 21, 2003 7:53 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
> >
> >
> > Hi Sean,
> >
> > I currently use Cisco IDSM (IDS module for the Cat6500), Nokia IDS, and
> > Snort on the servers themselves. You can never be paranoid enough about
> > these sorts of things. Each vendor has different exploits etc., so by
> > implementing a multi-vendor path to your critical servers, you protect
> > yourself from any single vendor-specific exploit!
> >
> >
> >
> >
> > Sean Kim wrote:
> > >
> > > Hello all,
> > >
> > > My company is thinking about installing an IDS (dedicated appliance
> > > type) for our network. As far as I know, Real Secure and the Cisco IDS
> > > are the two biggest names out there. So I checked out the documents and
> > > white papers provided by each company, but I couldn't really come up
> > > with what the differences are between them, and which one is better
> > > suited for our network.
> > >
> > > Can anyone voice their opinion about these two IDS?
> > >
> > > Thanks,
> > >
> > > Sean Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63542&t=63461
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html