
Thread: What is best for intrusion detection?

  1. #21
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Originally posted here by ammo
    Doesn't AO use RealSecure (ISS)?
    I think that is one of the things they use, yes.
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  2. #22
    Junior Member
    Join Date
    May 2002
    Posts
    6
    As a user of ZA, I was just wondering: could someone be more specific about the issues with that application that Adore was on about?
    If people are good only because they fear punishment, and hope for reward, then we are a sorry lot indeed.
    - Albert Einstein

  3. #23
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    I urge you to get Agnitum Outpost instead of TPF; in my opinion it is far better, AND it has nice plugins for ActiveX control, attachment screening and a few other interesting things.

    http://www.agnitum.com/products/outpost/
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

  4. #24
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    SilentStalker> You wanted links for zone alarm and Norton.....

    Norton -> http://lists.insecure.org/firewall-w.../Apr/0077.html

    ZA ------> http://www.ultraviolet.org/mail-arch...2000/0402.html
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  5. #25
    Junior Member
    Join Date
    Jun 2002
    Posts
    3
    Hey Korp, do you know of a good tutorial on iptables/ipchains, and what is the difference between the two?

  6. #26
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    quiz boy??????

    question 1: Ipchains - http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html
    iptables: http://www.linuxguruz.org/iptables/h...les-HOWTO.html

    question 2: As far as the difference, iptables replaces ipchains in the 2.4 Linux kernel. It's set up better and it has many more features.

    If you want to know more, ask www.google.com

    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #27
    Senior Member
    Join Date
    Aug 2001
    Posts
    233
    hmmm, I wonder why I haven't seen anyone mention TripWire when talking about IDS. I know it's a bit off subject, but I'm still curious.

    Anyone here, other than me of course, have experience with TripWire's products?

    El Diablo

  8. #28
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    TripWire isn't really an IDS - at least in my mind, it's in the wrong space to be considered such. Tripwire gives mechanisms by which you can detect changes in "known" parts of the filesystem and, in most people's hands, is really too complicated to be useful (and the sample configurations they give are enough to give management (and ignorant admins) the warm and fuzzies). All in all, managing and updating the thing is a pain in the butt (and even their commercial version, last I saw, doesn't really completely fix that - admittedly, it's been a while since I've let one of their sales people take me to lunch or something).

    Basically the only thing tripwire does well for me is to let me know when I need to break someone's fingers - but there are really too many opportunities for misconfiguration of the thing and, thusly, its usefulness is rather limited in my opinion. (though, on the flip side, I think it's a good idea and a worthwhile thing (as I think I've said in previous threads, actually) - that is, as long as you are ready to invest the time into it).
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

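Added example (not part of the post above and not Tripwire's own code): a minimal hash-baseline check in Python showing the point made in post #28, that a file-integrity tool only reports changes inside the paths its policy covers. The file names, the `watched` policy and all helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def snapshot(root, watched):
    """Map every file under the watched directories to its SHA-256 digest."""
    digests = {}
    for rel in watched:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    key = os.path.relpath(path, root).replace(os.sep, "/")
                    digests[key] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return (added, removed, modified) path lists between two snapshots."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed tree: the policy watches 'etc' but forgot 'opt'."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "opt/tool", b"v1\n")
        watched = ["etc"]  # assumed policy, deliberately incomplete
        baseline = snapshot(root, watched)
        write(root, "etc/passwd", b"root:x:0:0\nextra:x:0:0\n")  # modified, watched
        write(root, "etc/cron", b"* * * * * job\n")              # added, watched
        write(root, "opt/tool", b"v2\n")                         # modified, NOT watched
        return compare(baseline, snapshot(root, watched))


if __name__ == "__main__":
    print(demo())
```

The change to `opt/tool` never appears in the report because the policy does not cover it; the unchanged `etc/hosts` is correctly left out.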
  9. #29
    Junior Member
    Join Date
    Oct 2002
    Posts
    1

    Re: What is best for intrusion detection?

    Originally posted here by Mahakaal
    Could I get something better? And also is there any benefit in using multiple firewalls at the same time?
    I have a little Smoothwall (www.smoothwall.org) box serving as a gateway (LAN to ADSL). Smoothwall features Snort for intrusion detection and acts as a firewall. There are a few boxes behind my Smoothie and one of them is a (burb) WinXP box. Since that is my main workhorse, I have Norton Internet Security 2003 (since a couple of days). So I use a double firewall and the Norton firewall has not much to do, but I like to have control over software accessing the internet, as well as the anti-virus stuff. Call me paranoid, but I like it this way.
    For my situation, the double firewall is beneficial but in all honesty...the second firewall doesn't do anything 'cause Smoothie does a good job keeping the bad guys out. It also seems that my Alcatel ADSL modem does something firewall-ish. Not sure though...

    Maybe my setup is a little over the top, but I still need NIS to keep banners away, privacy control and anti-virus, so it's not entirely useless. And I'm not a security expert so I follow the 'better safe than sorry' policy...
    Regards,
    Mike Philippens
