Hmmm.... the Yugo or the Mercedes....

I'll tell you, I don't know about the "false positive" thing wherever you heard that.. 
I would be willing to bet there will be a hell of a lot more false positives on a 
10,000 node network than on a 35 node network.   You got a lot more stuff going on.

I am not a Black Ice authority, but it might do fine in a small environment... I would 
probably be more inclined to look at NFR though (or Dragon if you have any *nix 
expertise).  Now I will probably be stepping all over toes and other appendages with 
what I am about to say, but I feel ISS is better suited for the large enterprise.  It 
is definitely one of the best IDSs out there from a "number-of-signatures" 
perspective, and has (IMHO) the best monitoring interface of any out there.  It is 
easy to deploy, and works like a champ.. however... it is expensive, and one of its 
REAL strengths is its integration with their suite of products (SafeSuite).  NFR is 
nice in that it is also easy to deploy (put in the CD, turn on the PC, answer a few 
questions, and it's running) and with the package from L0pht, they are getting to 
where they look for about the same number of signatures as the other big systems.  The 
main areas of strength that I can see for NFR are: high volume network traffic (like 
70% saturation on a 100Mb link), and ability to customize and build your own 
signatures (but you have to learn the scripting language).  Another product you may 
want to eval is Axent's Net Prowler.  I do believe it is also cheaper than ISS and has 
some features the others do not (i.e. monitor web content for changes in case your web 
site gets hacked.. it will replace the hacked pages with originals).

As far as putting it behind the firewall.. do you mean on the private or public side?? 
It sounds like you are talking about public by the way you talked about ISS... being a 
small company, I am sure you may be more $$$ conscious than someone like IBM or MS.... 
so, let your firewall protect you from the internet.  It is nice to have an IDS out 
there watching what hits your firewall and alerting you to attacks, but in your 
situation I would just worry about the inside for 3 reasons:  expense, roughly 80% of 
attacks come from the inside, and it will catch what made it past your firewall.

I guess in sum, look at your network security policy (you have one of those, right?) 
and pick the IDS that has the features to satisfy your security policy.  If you are an 
internet business, that Axent feature might really float your boat.  If you don't have 
a web site, or it's not critical, you probably don't care about that ability, see what 
I mean?


Carric Dooley
Network Security Consultant

"A little inaccuracy sometimes saves a ton of explanation. " 
- H. H. Munro (Saki) (1870-1916) 
----- Original Message ----- 
From: Ron Morita <[EMAIL PROTECTED]>
To: Firewalls List Serve <[EMAIL PROTECTED]>
Sent: Thursday, March 02, 2000 10:30 PM
Subject: Intrusion detection- fact or fiction


> Can anybody point me to information about business solutions and real
> life experience with Intrusion Detection systems?   We have about 35
> desktops, 4 servers.  I've heard that false positives can make deploying
> this type of a solution impractical for a small sized business.  Is that
> true?
> 
> I'm considering the desktop and server based solution that I've read
> about from Network ICE.  Their Black ICE agent seems to be popular for
> home use.  They've got a console called ICECap which can give me
> visibility across all the desktops from my web browser, making it good
> for business.  Alternatively there's a solution from ISS which is
> network based that sits promiscuously on the net behind the firewall.
> I'm not sure the threat is only from the Internet though.
> 
> Any leads?
> Thanks
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

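The web-content monitoring feature attributed to Axent's product above (watch the pages for changes and put the originals back) is easy to sketch with a hash baseline plus a pristine copy kept outside the webroot. What follows is an added example, not code from the original post or from any vendor product; the directory layout, file names and the simulated defacement are constructed for the demo.

```python
"""Hash-baseline web content monitor with restore (added example).

Assumption: the pristine copies, the baseline and the quarantine live
OUTSIDE the webroot, on storage the web server account cannot write to.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large pages are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot, pristine_dir):
    """Record the hash of every file under webroot and keep a pristine copy."""
    webroot, pristine_dir = Path(webroot), Path(pristine_dir)
    baseline = {}
    for path in webroot.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        baseline[rel] = sha256_file(path)
        dest = pristine_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
    return baseline


def check_webroot(webroot, baseline):
    """Diff the live tree against the baseline: modified, deleted and added files."""
    webroot = Path(webroot)
    current = {p.relative_to(webroot).as_posix(): sha256_file(p)
               for p in webroot.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "deleted": sorted(r for r in baseline if r not in current),
        "added": sorted(r for r in current if r not in baseline),
    }


def restore(webroot, pristine_dir, quarantine_dir, findings):
    """Put the originals back. Tampered and planted files are moved to quarantine,
    not destroyed, so the incident can still be investigated. Returns action count."""
    webroot, pristine_dir, quarantine_dir = map(Path, (webroot, pristine_dir, quarantine_dir))
    actions = 0
    for rel in findings["modified"] + findings["added"]:
        q = quarantine_dir / rel
        q.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(webroot / rel), str(q))
        actions += 1
    for rel in findings["modified"] + findings["deleted"]:
        dest = webroot / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(pristine_dir / rel, dest)
        actions += 1
    return actions


def demo():
    """Constructed scenario: baseline a tiny site, deface it, detect, restore."""
    root = Path(tempfile.mkdtemp())
    www, pristine, quarantine = root / "www", root / "pristine", root / "quarantine"
    (www / "img").mkdir(parents=True)
    (www / "index.html").write_text("<h1>Welcome</h1>\n")
    (www / "about.html").write_text("<p>About us</p>\n")
    (www / "img" / "logo.txt").write_text("logo placeholder\n")
    baseline = build_baseline(www, pristine)

    # Simulated defacement: one page overwritten, one file planted, one page deleted.
    (www / "index.html").write_text("<h1>defaced</h1>\n")
    (www / "shell.php").write_text("<!-- planted file -->\n")
    (www / "about.html").unlink()

    before = check_webroot(www, baseline)
    restore(www, pristine, quarantine, before)
    after = check_webroot(www, baseline)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    found, clean = demo()
    print("findings:", found)
    print("after restore:", clean)
```

Two caveats a practitioner would add. First, the baseline and pristine copies are only worth anything if the account that serves the site cannot write to them; otherwise whoever defaced the pages can also "fix" the baseline. Second, automatic restore puts the page back but does not close whatever hole was used to change it, so a hit from a check like this should be treated as an incident (hence the quarantine copy for forensics), not just tidied up and ignored.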