Hi Albert, Very good point. Which brings me to this question - how can one measure the security of a network? It almost always is an after-the-fact response whichever vendor you choose. As you pointed out in your example regarding the slammer virus, have you heard any vendor claiming immunity from this? Is "detecting" synonymous with "preventing"? I'm also interested in this topic due to the fact that the pricing structure from almost ALL the major players in the IDS/Firewall market is astronomical.
Elmer -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Lu Sent: Friday, February 21, 2003 9:19 AM To: [EMAIL PROTECTED] Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461] Hi Troy, Must be some secure site, reason I was interested is that I had a discussion with someone else before in regards to multi-vendor IDS solutions and how effective they might be. So if you mostly rely on manual action, and an attack came in after hours, how quickly can you respond to your alerts? Since for some attacks, a half hour response time could cause your site to be down (eg. slammer virus). If that was the case, even if you had all the vendor's IDS, it will be useless. Albert -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, February 21, 2003 10:57 PM To: [EMAIL PROTECTED] Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461] As with most things, you need to way up costs againts your requirements. IN our case, security is absolutely essential, so having a multivendor security solutions (and indeed fully redundant) is costly, but we see it as justified. With regards to action during attacks etc. We mostly rely on manual actions as we dont want to inadvertently block legitimate traffic (for example if an attack came from a spoofed IP). For automatic action, you can make use of Ciso Policy manage, which has the ability to dynamically rewrite ACL's, on Pix's, Routers, and indeed Cat's. according to data from IDS. So for example, if you where really paraniod (like we are),. you could have pix's as the first firewall, with IDS on the inside / dmz etc (using IDSM or standalone IDS), tie these together with Policy manager .. then taking a further step into your network, a set of Nokia Fw1 NG, along with further Nokia IDS solutions on the inside, and tied together using the enterprisef software! Albert Lu wrote: > > Hi, > > I'm just curious about your multi-vendor solution. It must cost > quite alot > in order to have 3 IDS running. What about redundancy, if you > are using dual > switch/router/fw/ids, you would have a total of 6 IDS. > > Being able to detect attacks with multiple IDS is one thing. > What action can > it take once the IDS detects an attack? Logging it into the > syslog server is > not enough. > > Albert > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Friday, February 21, 2003 7:53 PM > To: [EMAIL PROTECTED] > Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461] > > > Hi Sean, > > I currently use Cisco IDSM (IDS module for the Cat6500), Nokia > IDS, and > Snort on the server themselves. You can never be paranoid > enough about > these sort of things. Each vendor has different exploits etc, > so by > implementing a multi vendor path to your critical servers, you > protect > yourself from any signle vendor specific exploit! > > > > > Sean Kim wrote: > > > > Hello all, > > > > My company is thinking about installing an IDS (dedicated > > appliance type) for our network. > > As far as I know, the Real Secure and the Cisco IDS are two > > biggest names out there. So I checked out the documents and > > white papers provided by the each company, but I couldn't > > really come up with what the differences are between them, and > > which one is better suited for our network. > > > > Can anyone voice their opinion about these two IDS? > > > > Thanks, > > > > Sean Kim Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63544&t=63461 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
