Re: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-20 Thread Jose Canillas
One fact to take into account: Cisco's IDS can interact with a router or a PIX
(assuming the said router/PIX is between the IDS and the public network) and
modify the ACL for incoming traffic to deny IP traffic from the intruder's IP
address; you can set up how long the intruder's IP will be blocked.

Regards,


""Sean Kim""  escribis en el mensaje
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hello all,
>
> My company is thinking about installing an IDS (dedicated appliance type)
> for our network.
> As far as I know, the Real Secure and the Cisco IDS are two biggest names
> out there.  So I checked out the documents and white papers provided by
> each company, but I couldn't really come up with what the differences are
> between them, and which one is better suited for our network.
>
> Can anyone voice their opinion about these two IDS?
>
> Thanks,
>
> Sean Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63467&t=63461
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-20 Thread Scott Nelson
I use ISS, NFR and Checkpoint for IDS stuff but am looking into doing Cisco
IDS on CAT 6500 stuff.

I would get all of 'em if you can afford it. Each has missed stuff and has
faults in one way or another.
I tried the Cisco stuff 2 years ago and thought it was at the bottom of the
heap then. Am going to eval it next month for a month to see what it's like
now. My IDS approach has been to stage NFR on the outside of the firewall,
Checkpoint Firewall-1's IDS runs on the firewall, and have ISS after the
firewall to whack anything else that gets through. Since ISS can tie into
the firewall that works for some weird cases but, as a rule, I am very
careful on how I use that feature as you can DoS yourself if you are not
careful and the intruders can use it against you as well.
I am thinking of using Cisco IDS on the CAT6500 ( core of network ) with
little or no signatures at first and only put signatures on them when a
situation occurs such as Code Red, SQL Snake, etc., until the network is clean
and then remove it again, or something in that line of thinking anyway.

Anyway, that's my line of thought...

YMMV ( Your Mileage May Vary ) and just my .02 worth, etc., etc.  ;-)

Scotty



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63474&t=63461



Re: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread nrf
""Sean Kim""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hello all,
>
> My company is thinking about installing an IDS (dedicated appliance type)
> for our network.
> As far as I know, the Real Secure and the Cisco IDS are two biggest names
> out there.

Actually, the biggest name of all when it comes to IDS is Snort, which is a
freeware open-source product.



> So I checked out the documents and white papers provided by
> each company, but I couldn't really come up with what the differences are
> between them, and which one is better suited for our network.
>
> Can anyone voice their opinion about these two IDS?
>
> Thanks,
>
> Sean Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63484&t=63461



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Troy Leliard
Hi Sean, 

I currently use Cisco IDSM (IDS module for the Cat6500), Nokia IDS, and
Snort on the servers themselves.  You can never be paranoid enough about
these sorts of things.  Each vendor has different exploits etc., so by
implementing a multi-vendor path to your critical servers, you protect
yourself from any single vendor-specific exploit!






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63492&t=63461



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Albert Lu
Hi,

I'm just curious about your multi-vendor solution. It must cost quite a lot
in order to have 3 IDS running. What about redundancy? If you are using dual
switch/router/fw/ids, you would have a total of 6 IDS.

Being able to detect attacks with multiple IDS is one thing. What action can
it take once the IDS detects an attack? Logging it into the syslog server is
not enough.

Albert





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63500&t=63461



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Troy Leliard
As with most things, you need to weigh up costs against your requirements.  In
our case, security is absolutely essential, so having multi-vendor security
solutions (and indeed fully redundant) is costly, but we see it as justified.

With regards to action during attacks etc.: we mostly rely on manual actions
as we don't want to inadvertently block legitimate traffic (for example if an
attack came from a spoofed IP). For automatic action, you can make use of
Cisco Policy Manager, which has the ability to dynamically rewrite ACLs on
PIXes, routers, and indeed Cats, according to data from the IDS.  So for
example, if you were really paranoid (like we are), you could have PIXes
as the first firewall, with IDS on the inside / DMZ etc. (using IDSM or
standalone IDS), tie these together with Policy Manager, then, taking a
further step into your network, a set of Nokia FW-1 NG, along with further
Nokia IDS solutions on the inside, and tied together using the enterprise
software!





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63501&t=63461



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Scott Nelson
You can span/mirror 2 ports into one so we only have one set at each ISP
connection.

Most of the action is manual with the exception of some fairly proven
exploits that we use ISS "kills" to handle, such as Napster traffic ( not a
big deal now that it's gone ), Gnutella, Code Red, DNS I-queries, etc.

If I turn all of the automatic stuff on, when a known signature match is
made, whoever that was is no longer able to gain access, as via OPSEC
connections ( http://www.opsec.com/solutions/sec_intrusion_detection.html )
that block that connection and future connections for that IP for a
pre-determined time. Cisco have the same type of deal for controlling Cisco
devices via the Cisco IDS, but I don't like IDS doing too much automatically.
It's all kinda like virus protection though: you have to have a signature
match to detect it, which means you have to have a signature written before
that attack can be recognized. It's all a "belt-and-suspenders" approach
really. With a combination of ACLs on the ISP connection router and
firewall rules and then ACLs on the router after the firewall, we get most
of the stuff.

Snort requires a hardware investment and a lot of tuning. It's not for the
novice but it is on my list of yet another IDS at some point. Probably after
we do the Cisco blades on the 6500's.

Scotty



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63506&t=63461
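Three posts in this thread describe the same mechanism from different angles: Jose's note that the Cisco IDS can push a timed deny into a router or PIX ACL, Troy's point that a spoofed source can turn that into blocking legitimate traffic, and Scotty's rule of keeping the automatic path to a few well-proven signatures. The block below is an added example, not code from any of the posters or from Cisco, ISS or Check Point: a vendor-neutral auto-block controller that carries those safeguards (time-limited blocks, a never-block list, a cap on concurrent blocks, and manual review for everything else). The alert dictionary shape, the signature names and the deny-line syntax are assumptions made for the example.

```python
"""Added example: a time-limited auto-block ("shun") controller of the kind the
thread describes an IDS pushing to a router or PIX, with the safeguards the
posters ask for.  Constructed, vendor-neutral code; the alert format, the
signature names and the deny-line format are assumptions, not a vendor's API."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ShunPolicy:
    block_seconds: int = 900                  # how long an intruder IP stays blocked
    max_active_blocks: int = 100              # cap so a flood of spoofed sources cannot fill the ACL
    never_block: list = field(default_factory=list)         # CIDRs you cannot afford to lose (DNS, partners, own nets)
    auto_block_signatures: set = field(default_factory=set)  # only well-proven signatures act automatically


class ShunController:
    def __init__(self, policy: ShunPolicy):
        self.policy = policy
        self._never = [ipaddress.ip_network(n) for n in policy.never_block]
        self.active = {}            # source IP -> expiry time (seconds)
        self.pending_review = []    # (reason, alert) pairs left for a human

    def _protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._never)

    def expire(self, now: float) -> list:
        """Drop blocks whose time is up; return the IPs released."""
        released = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in released:
            del self.active[ip]
        return released

    def on_alert(self, alert: dict, now: float) -> str:
        """alert = {"sig": signature name, "src": source IP}. Returns the action taken."""
        self.expire(now)
        src = alert["src"]
        if alert["sig"] not in self.policy.auto_block_signatures:
            self.pending_review.append(("manual", alert))
            return "review"
        if self._protected(src):        # spoofed or real, never block what you depend on
            self.pending_review.append(("protected-source", alert))
            return "review-protected"
        if src in self.active:          # already blocked: restart the clock, no new entry
            self.active[src] = now + self.policy.block_seconds
            return "extended"
        if len(self.active) >= self.policy.max_active_blocks:
            self.pending_review.append(("block-cap", alert))
            return "review-cap"
        self.active[src] = now + self.policy.block_seconds
        return "blocked"

    def acl_lines(self) -> list:
        """Render active blocks as deny lines (illustrative syntax, not a real device config)."""
        return [f"deny ip host {ip} any" for ip in sorted(self.active)]


def demo() -> dict:
    """Walk constructed alerts through the policy and return what happened."""
    policy = ShunPolicy(block_seconds=600, max_active_blocks=2,
                        never_block=["10.0.0.0/8", "192.0.2.1/32"],
                        auto_block_signatures={"CodeRed", "SQL-Slammer-UDP1434"})
    ctl = ShunController(policy)
    actions = [
        ctl.on_alert({"sig": "CodeRed", "src": "198.51.100.7"}, now=1000),
        ctl.on_alert({"sig": "PortScan", "src": "198.51.100.8"}, now=1001),   # not auto-block eligible
        ctl.on_alert({"sig": "CodeRed", "src": "192.0.2.1"}, now=1002),      # source spoofed as our DNS resolver
        ctl.on_alert({"sig": "CodeRed", "src": "198.51.100.7"}, now=1003),   # repeat: extend, not duplicate
        ctl.on_alert({"sig": "SQL-Slammer-UDP1434", "src": "203.0.113.9"}, now=1004),
        ctl.on_alert({"sig": "CodeRed", "src": "203.0.113.10"}, now=1005),   # cap reached
    ]
    acl_while_active = ctl.acl_lines()
    released = ctl.expire(now=1700)  # both blocks (expiry 1603 and 1604) have lapsed
    return {"actions": actions, "acl_while_active": acl_while_active,
            "released": released, "acl_after": ctl.acl_lines(),
            "for_review": len(ctl.pending_review)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The never-block list is the part that answers the spoofing concern: an attacker who forges the address of your resolver or your upstream partner gets a review ticket, not an outage, and the cap keeps a burst of forged sources from flushing the ACL with entries.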



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Albert Lu
Hi Troy,

Must be some secure site. The reason I was interested is that I had a discussion
with someone else before in regards to multi-vendor IDS solutions and how
effective they might be.

So if you mostly rely on manual action, and an attack came in after hours,
how quickly can you respond to your alerts? Since for some attacks, a half
hour response time could cause your site to be down (e.g. the Slammer virus). If
that was the case, even if you had all the vendors' IDS, it will be useless.

Albert





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63508&t=63461



Re: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Paulo Roque
There are some papers comparing IDS solutions (Cisco, ISS, Snort, etc.) on
NSS.
They did a good job.

http://www.nss.co.uk/

Paulo Roque




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63510&t=63461



RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Troy Leliard
Hi Albert, 

We have 24x7 cover so that response time is pretty quick (and a very well
defined escalation procedure).

However, at the end of the day you are right. I believe that no systems are
secure; what we do is try to stick up as many deterrents as possible to make
it not worthwhile, and for the cracker to try and find a more easily
exploited system.   Furthermore, the majority of cracking alerts are as a
result of script kiddies, and if 10 other systems show up as exploitable
before ours, then that is half the war won.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63511&t=63461



Re: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Darrell Newcomb
""Albert Lu"" wrote in message news:[EMAIL PROTECTED]
> how quickly can you respond to your alerts? Since for some attacks, a half
> hour response time could cause your site to be down (eg. slammer virus).
If
> that was the case, even if you had all the vendor's IDS, it will be
useless.

Just to soapbox a bit on the current flair so many networking and security
folks have for IDSs:

Using anything that only did detection would have let SQL Slammer in.  It is
a single-packet attack; by the time you saw one (and had vulnerable systems)
it would have been too late for that host.  Let's think about if you had
super-double-secret AI to build a rule based on the change in traffic behaviour
of the (now infected) server and push this rule toward the "outside" or
policy enforcement locations.  You would still have an infected server, and
any other vulnerable SQL server inside the nearest policy enforcement
location would quickly also be infected.

So now, weeks later, if you have vulnerable systems an IDS, with perfectly
valid signatures, STILL does you no good.  You would have already needed to
deploy proper filtering, which was the case on day0, day10, and on
day(-365).  IDSs are nice tools, but like firewalls they don't do much for
any network JUST because they were purchased and installed.

Darrell




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63540&t=63461


RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Albert Lu
Hi Troy,

I'm interested in how you are doing monitoring on the security side of
things. I'm aware of netForensics, which can correlate FW/Router/IDS logs in
real time to tell you about attacks. My personal opinion of the product is
that it's a beefed-up syslog server with an Oracle database in the backend
to pump out reports. It's a good solution if you can afford it; otherwise
you would have to develop your own scripts to pick out the syslog messages
that are relevant.

I think the ideal way of responding to security alerts is through 24x7
cover, and have someone make changes on firewalls where necessary. I'm not
too sure about the IDS modifying the FW's ACL in real time; it sounds like it
could potentially be used by someone to DoS. What is people's experience with
this? I would be interested to know.

Yes, you're right that most of the security systems are used to stop script
kiddies, since exploits that get released have already been known by the
more 'elite' hacking/cracking community for weeks/months before they were
released. So the best you can do is to do your best to stop the mass herd of
script kiddies, and the rest is a numbers game.

Regards,

Albert
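Albert's suggestion of writing your own scripts to pick relevant syslog messages out of firewall, router and IDS logs is the kind of thing worth showing in working code. The block below is an added example, not code from Albert, netForensics or any vendor on this thread: it parses a simplified, constructed syslog-like format (not a real vendor message format), groups events by source address, and raises an incident only when an IDS alert is accompanied by several firewall or router denies from the same source inside a short time window. It also escalates severity when the alert came from an inside sensor, which is the "multi-vendor path to the servers" idea from earlier in the thread expressed as a correlation rule. The sensor-to-zone mapping and the sample lines are assumptions made for the example.

```python
"""Added example: a small correlation script of the kind Albert describes
writing yourself when a commercial correlator is out of budget.  The log
format below is a simplified, constructed syslog-like form, not a vendor's
real message format, and the sample lines are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: firewall denies, router ACL denies and IDS alerts on one
# time base.  198.51.100.7 hits the firewall repeatedly and trips both sensors;
# 203.0.113.4 produces an alert with only one deny anywhere near it in time.
SAMPLE_LOG = """\
2003-02-21T22:01:05 fw1 FW DENY proto=udp src=198.51.100.7 dst=10.1.1.5 dport=1434
2003-02-21T22:01:06 fw1 FW DENY proto=udp src=198.51.100.7 dst=10.1.1.6 dport=1434
2003-02-21T22:01:07 ids-outside IDS ALERT sig=SQL-Slammer-UDP1434 src=198.51.100.7 dst=10.1.1.7
2003-02-21T22:01:08 fw1 FW DENY proto=udp src=198.51.100.7 dst=10.1.1.8 dport=1434
2003-02-21T22:01:09 ids-inside IDS ALERT sig=SQL-Slammer-UDP1434 src=198.51.100.7 dst=10.1.1.9
2003-02-21T22:05:00 fw1 FW DENY proto=tcp src=203.0.113.4 dst=10.1.1.5 dport=23
2003-02-21T22:40:00 ids-outside IDS ALERT sig=PortScan src=203.0.113.4 dst=10.1.1.5
2003-02-21T22:41:00 rtr1 RTR ACL-DENY proto=tcp src=203.0.113.4 dst=10.1.1.5 dport=22
"""

# Assumed sensor naming: which side of the firewall each IDS sits on.
SENSOR_ZONE = {"ids-outside": "outside", "ids-inside": "inside"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>FW|RTR|IDS) (?P<action>\S+) (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one line into a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    for pair in ev.pop("kv").split():          # key=value fields after the action
        key, _, value = pair.partition("=")
        ev[key] = value
    return ev


def correlate(lines, window=timedelta(minutes=5), min_denies=2):
    """Raise one incident per source that triggered an IDS alert and at least
    min_denies firewall/router denies within `window` of that alert.  An alert
    from an inside sensor means traffic got past the outer layer: severity high."""
    events = [e for e in map(parse_line, lines) if e]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    incidents = {}
    for src, evs in by_src.items():
        denies = [e for e in evs if e["kind"] in ("FW", "RTR")]
        for alert in (e for e in evs if e["kind"] == "IDS"):
            near = [d for d in denies if abs(d["ts"] - alert["ts"]) <= window]
            if len(near) < min_denies:
                continue   # a lone deny next to an alert is noise, not an incident
            inc = incidents.setdefault(
                src, {"src": src, "sigs": set(), "sensors": set(), "denies": 0})
            inc["sigs"].add(alert["sig"])
            inc["sensors"].add(alert["host"])
            inc["denies"] = max(inc["denies"], len(near))
    for inc in incidents.values():
        zones = {SENSOR_ZONE.get(h, "unknown") for h in inc["sensors"]}
        inc["severity"] = "high" if "inside" in zones else "medium"
    return list(incidents.values())


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG.splitlines()):
        print(inc)
```

With the sample input the script raises a single high-severity incident for 198.51.100.7 (three denies around the alerts, seen by both sensors) and nothing for 203.0.113.4, whose earlier deny falls outside the five-minute window; lowering min_denies to 1 surfaces the second source at medium severity, which is the knob you tune against your own false-positive rate.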




RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread cebuano
Hi Albert,
Very good point. Which brings me to this question - how can one measure
the security of a network? It almost always is an after-the-fact
response whichever vendor you choose. As you pointed out in your example
regarding the slammer virus, have you heard any vendor claiming immunity
from this?
Is "detecting" synonymous with "preventing"?
I'm also interested in this topic due to the fact that the pricing
structure from almost ALL the major players in the IDS/Firewall market
is astronomical.

Elmer




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63544&t=63461


RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Jim Brown
Come on now, the Slammer worm? If you are security conscious this
shouldn't have had any effect on you. Microsoft released a patch last
summer.  Security is a best-effort solution. It is about layers and
maintenance. You cannot eliminate risk, you can only reduce risk.

An IDS's responsibility is to pick up attacks on the wire, not prevent
them. I personally don't believe in allowing my IDS to respond to an
attack.

-Original Message-
From: cebuano [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 21, 2003 8:22 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


Hi Albert,
Very good point. Which brings me to this question - how can one measure
the security of a network? It almost always is an after-the-fact
response whichever vendor you choose. As you pointed out in your example
regarding the slammer virus, have you heard any vendor claiming immunity
from this?
Is "detecting" synonymous with "preventing"?
I'm also interested in this topic due to the fact that the pricing
structure from almost ALL the major players in the IDS/Firewall market
is astronomical.

Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Albert Lu
Sent: Friday, February 21, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Troy,

Must be some secure site, reason I was interested is that I had a
discussion
with someone else before in regards to multi-vendor IDS solutions and
how
effective they might be.

So if you mostly rely on manual action, and an attack came in after
hours,
how quickly can you respond to your alerts? Since for some attacks, a
half
hour response time could cause your site to be down (eg. slammer virus).
If
that was the case, even if you had all the vendor's IDS, it will be
useless.

Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


As with most things, you need to weigh up costs against your requirements.
In our case, security is absolutely essential, so having a multivendor
security solution (and indeed fully redundant) is costly, but we see it as
justified.

With regards to action during attacks etc., we mostly rely on manual
actions as we don't want to inadvertently block legitimate traffic (for
example if an attack came from a spoofed IP). For automatic action, you
can make use of Cisco Policy Manager, which has the ability to dynamically
rewrite ACLs on PIXs, routers, and indeed Cats according to data from the
IDS. So for example, if you were really paranoid (like we are), you could
have PIXs as the first firewall, with IDS on the inside / DMZ etc. (using
IDSM or standalone IDS), tie these together with Policy Manager, then,
taking a further step into your network, a set of Nokia FW1 NG, along
with further Nokia IDS solutions on the inside, tied together using the
enterprise software!



Albert Lu wrote:
>
> Hi,
>
> I'm just curious about your multi-vendor solution. It must cost
> quite a lot in order to have 3 IDS running. What about redundancy?
> If you are using dual switch/router/fw/ids, you would have a total
> of 6 IDS.
>
> Being able to detect attacks with multiple IDS is one thing. What
> action can it take once the IDS detects an attack? Logging it into
> the syslog server is not enough.
>
> Albert
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 21, 2003 7:53 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
>
>
> Hi Sean,
>
> I currently use Cisco IDSM (IDS module for the Cat6500), Nokia IDS,
> and Snort on the servers themselves. You can never be paranoid
> enough about these sorts of things. Each vendor has different
> exploits etc., so by implementing a multi-vendor path to your
> critical servers, you protect yourself from any single
> vendor-specific exploit!
>
>
>
>
> Sean Kim wrote:
> >
> > Hello all,
> >
> > My company is thinking about installing an IDS (dedicated
> > appliance type) for our network.
> > As far as I know, the Real Secure and the Cisco IDS are two
> > biggest names out there.  So I checked out the documents and
> > white papers provided by the each company, but I couldn't
> > really come up with what the differences are between them, and
> > which one is better suited for our network.
> >
> > Can anyone voice their opinion about these two IDS?
> >
> > Thanks,
> >
> > Sean Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63548&t=63461


Re: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-21 Thread Scott Nelson
You are correct. That's why security should be a "belt and suspenders"
approach.

For the Code red stuff, SQL slammer, etc, we just used NBAR on Cisco to drop
the packets.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#1

ISS gets some stuff, Checkpoint is good at getting some other stuff, etc.

I also don't allow much UDP in. It's blocked by an inbound ACL, as it's not
statefully inspected. UDP 53 (DNS) and some host-to-host special allows,
and that's it. Everything else is TCP.

Scotty


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63551&t=63461


RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-23 Thread Sean Kim
Thank you very much everybody.

I think I have received some valuable info/background to get myself
started.

Sean  


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63608&t=63461


RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-24 Thread Evans, TJ (BearingPoint)
A good, relevant quote from one of the SANS instructors:  (Eric Cole, IIRC)
"Prevention is ideal, but detection is a must"

I.e. - stopping the attack altogether is the best possible outcome, but
failing that you must be able to know that something -has- happened or -is-
happening.  

Otherwise, you have nothing ... 
(quite literally)


Thanks!
TJ
[EMAIL PROTECTED]


-Original Message-
From: Jim Brown [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 21, 2003 11:27 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Come on now, the slammer worm? If you are security conscious this
shouldn't have had any effect on you. Microsoft released a patch last
summer.  Security is a best effort solution. It is about layers and
maintenance. You cannot eliminate risk, you can only reduce risk.

An IDS's responsibility is to pick up attacks on the wire, not prevent
them. I personally don't believe in allowing my IDS to respond to an
attack.


RE: ISS Real Secure Vs Cisco IDS [7:63461]-Automat [7:63560]

2003-02-22 Thread Jim Brown
This is my point exactly. I don't allow my IDS to respond to attacks for
the very reason you stated. It could easily force a DoS. I think a lot
of people don't take this into consideration. The vendors push automatic
response as a sexy feature when it really could be a major nuisance. Let
each piece of the puzzle do what it was designed for, no crossover. The
"D" in IDS stands for detection; I didn't install an IDRS. *The "R" is
for response, if anyone missed that.

I try to use the most cost effective measures in a layered approach to
security. Anyone who throws up a firewall and thinks they are secure is
usually in for a big surprise. The most cost effective and easy approach
to security is just to keep your systems patched! This is simple and
would probably fight off 98% of all problems. The SQL Slammer worm is a
perfect example. The patch was available months ago! Security is a VERY
dynamic process.

I use an IDS to help identify problem IPs, what types of attacks I need
to make sure I'm protected against, and auditing. The problem with an
IDS is it can only identify attacks in progress on the wire. An IDS does
NOT acknowledge whether attacks were successful. This is where the layered
approach comes in, and the most important piece of the whole puzzle is so
basic: a clearly defined corporate security policy with teeth. How
many individuals realize 80% of all attacks and problems are not from
external threats but from employees?

I take security very seriously. I worked for a company once that was
about to throw up an E-commerce site that generated $1.5M the first year
behind a Microsoft Proxy Server. I had to scream, complain, and scare
the hell out of the executives before they coughed up the bucks for an
adequate security implementation.

An IDS is a tool, a mere piece of the security pie. NEVER put all of
your security eggs into one basket or they're sure to get cracked. That's
pretty catchy. I need to remember that one.

-Original Message-
From: Carroll Kong [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 22, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]-Automated IDS
[7:63557]


I cut out some of the other messages to concentrate on one issue,
automated IDS responses. If your automated IDS responses result in an
"automated" packet filter of any sort, I think you are doing yourself
a disservice. You might stop some kiddies, but you are just leaving
yourself wide open to professionals who can DoS you very easily.

I suppose if everyone just started filtering at the edge to help
prevent spoofing, but alas, that is not the reality of today's
networks.

It should be trivial for the attacker to DoS your systems beyond
compare. For example, what if he spoofs a trusted host? Now your
trusted host cannot have access anymore. OK, so what if you have
exceptions for the trusted host? Now he has a host worth spoofing
for: DoS the trusted host, assume the trusted host's identity. Easier
said than done, and you can mitigate the risk with stuff like MAC
address port locking and anti-spoofing ACLs, but just to give you some
ideas that automated IDS responses can be particularly dangerous.

Not even factoring in the possibility that you can lose accessibility to
many systems, most firewall products have some pitiful limitations
(one can easily blow out any stateful firewall), and you can be
assured your ACLs will grow to be so big your firewall just might
keel over. I hope you've got default-closed systems. ;) But I suppose
it won't matter at that point: your network will be down, or your IDS
might be filled with so much "garbage" that you might not see the
real attack come through for your "forensics" team to discover which
hosts have been compromised.


RE: ISS Real Secure Vs Cisco IDS [7:63461]-Automated IDS [7:63557]

2003-02-22 Thread Carroll Kong
I cut out some of the other messages to concentrate on one issue,
automated IDS responses. If your automated IDS responses result in an
"automated" packet filter of any sort, I think you are doing yourself
a disservice. You might stop some kiddies, but you are just leaving
yourself wide open to professionals who can DoS you very easily.

I suppose if everyone just started filtering at the edge to help
prevent spoofing, but alas, that is not the reality of today's
networks.

It should be trivial for the attacker to DoS your systems beyond
compare. For example, what if he spoofs a trusted host? Now your
trusted host cannot have access anymore. OK, so what if you have
exceptions for the trusted host? Now he has a host worth spoofing
for: DoS the trusted host, assume the trusted host's identity. Easier
said than done, and you can mitigate the risk with stuff like MAC
address port locking and anti-spoofing ACLs, but just to give you some
ideas that automated IDS responses can be particularly dangerous.

Not even factoring in the possibility that you can lose accessibility to
many systems, most firewall products have some pitiful limitations
(one can easily blow out any stateful firewall), and you can be
assured your ACLs will grow to be so big your firewall just might
keel over. I hope you've got default-closed systems. ;) But I suppose
it won't matter at that point: your network will be down, or your IDS
might be filled with so much "garbage" that you might not see the
real attack come through for your "forensics" team to discover which
hosts have been compromised.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63557&t=63557
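The failure modes Jim Brown and Carroll Kong describe above (an automated response that lets a forged source address turn the IDS into a denial-of-service tool, and shun ACLs that outgrow what the firewall can carry) are easiest to see in a small model of a responder with guard rails. The following Python is an added example, not code from this thread or from any of the products named in it; the Alert record, the ShunPolicy fields, the signature labels and every address are assumptions constructed for illustration.

```python
"""Guard-railed automated IDS response (added illustration, not thread code).
Assumed, not from the thread: a sensor hands Alert records to the responder;
the shun list models the ACL entries a responder would push to a firewall."""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Alert:
    src: str           # source address as seen on the wire
    proto: str         # "tcp" or "udp"
    established: bool  # True only if the sensor saw a completed TCP handshake
    signature: str     # constructed signature label


@dataclass
class ShunPolicy:
    never_block: list                 # CIDRs of trusted hosts and infrastructure
    max_entries: int = 100            # ACL size the firewall is allowed to reach
    ttl_seconds: float = 900.0        # every shun expires; nothing is permanent
    require_established: bool = True  # act only on evidence a spoofer cannot fake


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Responder:
    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.shunned = {}  # src address -> expiry time
        self.log = []      # every decision, for the person on call

    def _expire(self):
        now = self.clock()
        for ip in [ip for ip, exp in self.shunned.items() if exp <= now]:
            del self.shunned[ip]

    def _decide(self, alert, outcome):
        self.log.append((alert.src, alert.signature, outcome))
        return outcome

    def handle(self, alert):
        self._expire()
        ip = ipaddress.ip_address(alert.src)
        # Guard 1: an alert, forged or not, never locks out a trusted host.
        if any(ip in ipaddress.ip_network(n) for n in self.policy.never_block):
            return self._decide(alert, "ignored: source is on the never-block list")
        # Guard 2: a lone UDP datagram or SYN carries a forgeable source address,
        # so it is logged for a person and never acted on automatically.
        if self.policy.require_established and not (
            alert.proto == "tcp" and alert.established
        ):
            return self._decide(alert, "logged only: source address is spoofable")
        # Guard 3: refuse to grow the ACL past what the firewall can carry.
        if alert.src not in self.shunned and len(self.shunned) >= self.policy.max_entries:
            return self._decide(alert, "logged only: shun list at capacity")
        self.shunned[alert.src] = self.clock() + self.policy.ttl_seconds
        return self._decide(alert, "shunned")

    def active_shuns(self):
        self._expire()
        return sorted(self.shunned)


def run_demo():
    """Run constructed alerts through the responder; returns (outcomes, active)."""
    clock = FakeClock()
    policy = ShunPolicy(never_block=["10.0.0.0/8", "192.0.2.53/32"],
                        max_entries=2, ttl_seconds=600)
    r = Responder(policy, clock)
    alerts = [
        # forged UDP "from" the DNS server: must not cut off name resolution
        Alert("192.0.2.53", "udp", False, "udp-flood"),
        # UDP worm traffic from an unknown source: forgeable, so log only
        Alert("203.0.113.7", "udp", False, "udp-1434-worm"),
        # completed TCP sessions: the source really is that host, so shun it
        Alert("203.0.113.7", "tcp", True, "http-cmd-exe-probe"),
        Alert("198.51.100.9", "tcp", True, "http-root-exe-probe"),
        # a third distinct attacker: ACL is full, the person on call gets a log line
        Alert("198.51.100.10", "tcp", True, "http-root-exe-probe"),
    ]
    outcomes = [r.handle(a) for a in alerts]
    clock.advance(601)  # past the TTL: the earlier shuns fall off the ACL
    outcomes.append(r.handle(alerts[-1]))
    return outcomes, r.active_shuns()
```

The three guards map onto the thread's objections: the never-block list keeps a spoofed alert from cutting off a trusted host, the completed-handshake requirement means single-packet UDP traffic (the Slammer case) is left to static filters of the kind Scott Nelson describes rather than to the responder, and the entry cap plus TTL keep the pushed ACL from growing without bound. Every decision, including the ones not acted on, lands in the log so that a person can still see the attack the automation declined to answer.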