
Thread: What is best for intrusion detection?

  1. #11 KorpDeath (Priapistic Monk), joined Dec 2001, 2,628 posts
    Well adore, if you don't use software firewalls then why recommend something that you don't know works?

    And as for you silentstalker, since when did you become the doer of good deeds, the righter of wrongs? Please.....

    I've supported my claims in tests with software firewalls that I've conducted. If you don't like my opinion then that's fine, but I'm not going to stop recommending what I feel is the best for people who want it. If you want to debate my security then I'm all for it, but as far as I can see you haven't a leg to stand on, so I digress.

    We've been over this here at AO far too many times for me to recap all that has been learned. If you don't believe me, set up a lab and then get someone who knows how to hack. It's that simple. I have a few scripts that crash Norton wide open, so too I have scripts for ZA. The mutex engine is not all it's cracked up to be.

    Anything else?
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  2. #12 Senior Member, joined Jun 2002, 352 posts
    Can't we all just get along
    Thanks for all the good advice ALL of you have given me.
    "When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a communist." -- Dom Helder Camara

  3. #13 Senior Member, joined Nov 2001, 4,785 posts
    Snort combined with Berkeley DB provides an IDS reporting system surpassed by none, and although it's free, it's far beyond the abilities of the average Win user to set up and configure, just like any Cisco product is. Even updating the PIX OS is far more complicated than most can handle. (Like, WTF is tftp?)

    ---------------------
    it's hard to secure a box if u often install new software/games that needs access to the Net
    ---------------------

    Tiny would make your life a lot easier. Like ZA, it pops up a warning that a program is trying to access the internet, but unlike ZA, on the pop-up is an option to configure a rule 'now'. When I say a rule, I'm talking what ports on what IP address etc., full complete rules, not just allow or deny. It's a little more complicated than Norton but a lot more configurable.

    I haven't tried the newest ZA. I hear it's more configurable, but as adore hinted at, it reports back every chance it gets. I have the impression, although I could be mistaken, that they're related somehow to ZDnet (Ziff and Davis), who should be shot for their privacy infringements.

    Tiny supports port mapping and IP masquerading (in Windows, mind you).

    Haven't tried Agnitum Outpost, but you make it sound pretty good Scorp666.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #14 Senior Member, joined Jul 2001, 461 posts
    well, Mahakaal,

    it really depends on what you are, and what you are looking for.

    If you are simply a user who is concerned about their systems at home (one or plural) and are not particularly interested in technical details, then a program like Norton Internet Security, or several of the other personal firewall type applications, are for you. Some are better than others, but the best firewall for someone who doesn't want to spend a lot of time thinking about it is a firewall that you will use, and that has passed some reasonable tests.

    If an 3\/IL |-|4><0r with L33t sk1lls (and I don't mean script kiddies) targets you, there isn't really any way in the world that will absolutely, without a doubt, keep them out of your systems, except for switching off the power.

    Script kiddie types are much easier to keep out though, so almost any firewall will do for most personal uses.

    IF you want to start talking about tracking folks down, or protecting critical corporate networks, then, intrusion detection, and absolutely top notch firewalls are key.

    If I were to recommend a personal firewall, I would recommend Tiny Personal Firewall, because it is the best (for Windows OS's) personal software firewall with which I have worked. I would add to it a hardware device which does NAT so that external traffic doesn't even reach your computer unless you have specifically allowed it.

    Intrusion detection is not really worth anything if you are not interested enough to read the logs, and technically savvy enough to sort the wheat from the chaff. There are some which automatically message the ISP about "SUSPICIOUS" traffic which is not really suspicious at all.

    If you are genuinely interested, then look at www.snort.org for intrusion detection.

    If all you are interested in is a personal firewall for a Windows machine, most of them will do the job for you, if you are at least reasonably careful.
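    The NAT point made in this post (and the port mapping / masquerading that the previous post credits Tiny with) is easiest to see with a small model. The block below is an added example written for this page, not code from either poster or from any product; it models a stateful NAT gateway with a private LAN behind it. Addresses are taken from the RFC 5737 documentation ranges, the translated-port numbering and the "only the original peer may use a mapping" rule are the example's own assumptions (real boxes differ in how strict they are), and the whole thing runs offline.

```python
"""Model of a stateful NAT gateway in front of a LAN (constructed example).

Shows why a NAT box in front of a PC keeps unsolicited inbound traffic from
ever reaching the host: an inbound packet is delivered only if it answers a
connection a LAN host opened, or if it hits a port the administrator
explicitly forwarded ("port mapping").  Assumption for the example: a
translated port may only be used by the peer the LAN host talked to.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatGateway:
    wan_ip: str
    next_port: int = 40000  # first translated source port (assumed range)
    # Dynamic state created by outbound traffic:
    #   (wan_port, proto) -> (lan_ip, lan_port, remote_ip, remote_port)
    state: Dict[Tuple[int, str], Tuple[str, int, str, int]] = field(default_factory=dict)
    # Static port forwards configured by the admin:
    #   (wan_port, proto) -> (lan_ip, lan_port)
    forwards: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)

    def forward_port(self, wan_port: int, lan_ip: str, lan_port: int, proto: str = "tcp") -> None:
        """Explicitly expose one LAN service to the outside."""
        self.forwards[(wan_port, proto)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: masquerade the source as the WAN address, creating state."""
        for (wan_port, proto), (lip, lport, rip, rport) in self.state.items():
            if (lip, lport, rip, rport, proto) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto):
                return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        wan_port = self.next_port
        self.next_port += 1
        self.state[(wan_port, pkt.proto)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> WAN address.  Returns the packet as delivered to a LAN host,
        or None when the gateway drops it (no matching state, no forward)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.dst_port, pkt.proto)
        entry = self.state.get(key)
        if entry is not None:
            lip, lport, rip, rport = entry
            # Only the peer the LAN host contacted may use this mapping.
            if (pkt.src_ip, pkt.src_port) == (rip, rport):
                return Packet(pkt.src_ip, pkt.src_port, lip, lport, pkt.proto)
            return None
        fwd = self.forwards.get(key)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None


def demo() -> Dict[str, bool]:
    """Walk through the four cases a home NAT box sees; returns what happened."""
    gw = NatGateway(wan_ip="203.0.113.7")
    # 1. LAN host browses to a web server: state is created, source is masqueraded.
    out = gw.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    # 2. The web server's reply matches that state and is delivered to the host.
    reply = gw.inbound(Packet("198.51.100.20", 80, gw.wan_ip, out.src_port))
    # 3. A third party probing the same translated port is not the peer: dropped.
    hijack = gw.inbound(Packet("192.0.2.99", 12345, gw.wan_ip, out.src_port))
    # 4. An unsolicited probe of a port with no state and no forward: dropped.
    probe = gw.inbound(Packet("192.0.2.99", 12345, gw.wan_ip, 135))
    # 5. Only after the admin forwards a port does outside traffic reach a LAN host.
    gw.forward_port(22, "192.168.1.5", 22)
    ssh = gw.inbound(Packet("192.0.2.99", 12345, gw.wan_ip, 22))
    return {
        "masqueraded": out == Packet("203.0.113.7", 40000, "198.51.100.20", 80),
        "reply_delivered": reply == Packet("198.51.100.20", 80, "192.168.1.10", 51000),
        "hijack_dropped": hijack is None,
        "probe_dropped": probe is None,
        "forward_delivered": ssh == Packet("192.0.2.99", 12345, "192.168.1.5", 22),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'ok' if ok else 'FAIL'}")
```

    Case 4 is the one the post is about: with nothing forwarded, the probe of port 135 never reaches the Windows box, whatever software firewall it runs. Case 5 is the flip side: every port you map is a hole you have deliberately punched, so the service behind it has to stand on its own.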

  5. #15 Senior Member, joined Apr 2002, 711 posts
    One of the things that I don't understand about this thread... the question was about intrusion detection but someone started spouting off about Cisco PIX Firewalls. In a purist's sense, they're not really the same thing at all... perhaps Mahakaal didn't quite phrase the question correctly.

    But, for IDS, I like Snort (for the OpenSource Crowd) or, for an all-out awesome commercial implementation, NFR. Personally I'd stay away from ISS - you can drive caravans of trucks through it (guess that's where the host-based IDS comes in - but, the way I think, if your host-based IDS and/or honeypots trip before you N-IDS alarms, it's already too late).
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?"

  6. #16 Senior Member, joined Jun 2002, 352 posts
    I'll get Tiny and definitely look up Snort/Berkeley DB that you mentioned Tedob1, thanks.
    And I'm a personal home user, always interested in learning more about different OSes and flaws, hence my joining AO. So no, I'm not "technically savvy" enough yet IchNiSan, but I take good advice from people who know better like yourselves. Thanks.
    "When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a communist." -- Dom Helder Camara

  7. #17 Junior Member, joined Jun 2002, 5 posts
    Or... take that 486 that's now a doorstop or about ready for a Planter Conversion, throw BSD or SmoothWall on it and configure it to be a firewall/gateway.

    SmoothWall is soon releasing SmoothWall Lite, no longer under GPL, but still cool.

    http://www.smoothwall.org/community/...020424.01.html

    N2N

  8. #18 Senior Member, joined Jul 2001, 461 posts
    Mahakaal,

    I don't think you took my meaning wrong, but I will clarify just the same.

    Not being technically savvy is not a bad thing. If you are here, you are interested in securing your machine, and that benefits all of us by having one less machine on the internet which is at risk to code red, or klez, or whatever the next one is.

    Wanting to keep your computer secure is a good thing, and there are lots of applications out there to do it.

    Intrusion detection is another matter entirely. Most personal firewalls do a decent enough job. Are there ways to exploit them? Sure, there probably are for most of them. Intrusion detection is very serious business, and not easy. There are several intrusion detection systems available from "big players" and most of them are just OK, or worse than OK. Intrusion detection is similar to virus detection, in that there are thousands of different patterns which can indicate attempted intrusions, just like there are thousands of different signatures to detect virii. Because virus detection has been a big deal for a lot longer than intrusion detection has been (from the standpoint of folks selling the product or service), virus detection is far more advanced in terms of signatures than intrusion detection is.

    For most users, intrusion detection is a waste of time. You could spend hours every day sending emails to abuse@randomISP.com for zero gain, and still never see the truly dangerous intrusion attempts because the development of signatures to detect them is so far behind what one would typically expect for say a company selling virus detection.

    I hope I didn't come across as putting you or anyone else like you down, but the impression I got from your post (mentioning that you used Symantec Internet Security kinda tipped me off) was that you were a home user concerned with protecting your own computer. I applaud that, but don't try to get too hard core with whatever solution you use. Intrusion detection is hardcore. There are people who do nothing but analyze data from intrusion detection systems. If you are using Symantec Internet Security, or Zone Alarm, or some other personal firewall solution which gives you alerts of possible malicious activity, that is fine, but true work with intrusion detection involves in-depth knowledge of network protocols, and is not for the faint of heart.

    Snort (open source intrusion detection system), available from www.snort.org, is a great system, but the number of false alarms is staggering, unless you are capable of (like I said above) sorting the wheat from the chaff. Of figuring out that this alert is harmless because of that reason, and this alert is serious because of some other reason.

    I was in no way trying to put someone down, just trying to point out that intrusion detection requires a lot of knowledge and effort, and that THE BEST SECURITY SYSTEM IS A SYSTEM THAT YOU WILL USE.

    Good Luck.

    IchNiSan
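    Both of IchNiSan's posts (#14 and #18) come down to the same thing: Snort alerts are only useful if someone sorts the wheat from the chaff. The block below is an added example written for this page, not code from the poster or from the Snort project; it is the first pass an analyst automates. It parses lines in Snort's one-line "fast" alert layout, drops alerts matching a local suppression list, groups what is left by source and signature, and ranks it. The alert lines, SIDs (in the local 1000000+ range), rule messages and addresses are constructed for the example; the suppression rule and the "many distinct ports from one source looks like a scan" heuristic are the example's own assumptions.

```python
"""Triage of Snort 'fast' alert lines (constructed example, not Snort code).

Parse -> suppress known noise -> group by (source, signature) -> rank.
Every log line, SID and address below is made up for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Layout of a Snort 2 alert_fast line (one alert per line):
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# ICMP alerts carry no ports, so the port groups are optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    prio: int          # Snort priority: 1 is most severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_line(line: str) -> Optional[Alert]:
    """Return an Alert, or None for a line that is not a fast-format alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], sid=int(m["sid"]), msg=m["msg"], prio=int(m["prio"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


@dataclass(frozen=True)
class Suppression:
    """Local knowledge: this SID from this source (or, with src=None, from anywhere) is noise."""
    sid: int
    src: Optional[str] = None


def suppressed(a: Alert, rules: Iterable[Suppression]) -> bool:
    return any(r.sid == a.sid and (r.src is None or r.src == a.src) for r in rules)


@dataclass
class Finding:
    src: str
    sid: int
    msg: str
    prio: int
    count: int
    distinct_dports: int
    scan: bool


def triage(lines: Iterable[str], rules: Iterable[Suppression], scan_threshold: int = 5) -> List[Finding]:
    """Group surviving alerts by (source, SID); most severe first, then by volume."""
    rules = list(rules)
    groups: Dict[Tuple[str, int], List[Alert]] = defaultdict(list)
    for line in lines:
        a = parse_fast_line(line)
        if a is None or suppressed(a, rules):
            continue
        groups[(a.src, a.sid)].append(a)
    findings = []
    for (src, sid), alerts in groups.items():
        dports = {a.dport for a in alerts if a.dport is not None}
        findings.append(Finding(src, sid, alerts[0].msg, min(a.prio for a in alerts),
                                len(alerts), len(dports), len(dports) >= scan_threshold))
    findings.sort(key=lambda f: (f.prio, -f.count))
    return findings


# Constructed sample: one scanner, two pings from our own gateway, one real web attack.
SAMPLE_ALERTS = [
    f"06/02-10:15:0{i}.000001 [**] [1:1000001:1] LOCAL SCAN nmap XMAS [**] "
    f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} 192.0.2.99:41234 -> 203.0.113.7:{p}"
    for i, p in enumerate((21, 22, 23, 25, 80, 443))
] + [
    "06/02-10:15:03.000001 [**] [1:1000002:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.1 -> 203.0.113.7",
    "06/02-10:16:03.000001 [**] [1:1000002:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.1 -> 203.0.113.7",
    "06/02-10:17:40.000001 [**] [1:1000002:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.99 -> 203.0.113.7",
    "06/02-10:18:12.500000 [**] [1:1000003:1] LOCAL WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.5:33001 -> 203.0.113.7:80",
]
# Assumption: 203.0.113.1 is our own gateway, whose monitoring pings are known noise.
SUPPRESSIONS = [Suppression(sid=1000002, src="203.0.113.1")]


def demo() -> List[Finding]:
    return triage(SAMPLE_ALERTS, SUPPRESSIONS)


if __name__ == "__main__":
    for f in demo():
        print(f"P{f.prio} x{f.count:<3} {f.src:15s} sid {f.sid} {f.msg}" + ("  [scan]" if f.scan else ""))
```

    Ten raw alerts become three lines to read, in the order a human should read them: the single priority-1 IIS alert first, the six-port nmap sweep second (flagged as a scan because one source touched many ports), and a lone ping last. The two pings from the gateway never appear, which is the whole point of a suppression list: it encodes the "this alert is harmless because of that reason" knowledge the post talks about, so it is applied every time instead of re-derived by hand.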

  9. #19 Senior Member, joined Jun 2002, 352 posts
    IchNiSan, I was being absolutely honest when I said ", but I take good advice from people who know better like yourselves." No offense was intended by me, and none was taken by me, by your ideas.
    My humble apologies for any misunderstanding.
    "When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a communist." -- Dom Helder Camara

  10. #20 Senior Member, joined Sep 2001, 1,027 posts
    Originally posted here by draziw
    Personally I'd stay away from ISS - you can drive caravans of trucks through it
    Doesn't AO use RealSecure (ISS)?

    Ammo
