IDS/IPS Solutions

Thread: IDS/IPS Solutions

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    IDS/IPS Solutions

    If you have some time and care to share your opinions I would appreciate it. I am writing an article and looking for some input regarding IDS/IPS. Do you think that IDS is a necessity for companies or is it just marketing hype that is driving it? If you agree that companies should implement IDS or IPS on their networks what sort of justifications would you provide to get approval for the purchase?

    What do you feel are key issues for companies to consider when choosing an IDS/IPS solution and things they need to keep in mind in setting it up?

    Many devices seem to be Swiss-army knife solutions these days which incorporate firewalls, IDS, content filtering, IDS and more. Do all-in-one solutions make sense for companies with little to no budget? What sort of pitfalls or caveats do you think exist when looking at these solutions?

    Lastly- what about outsourcing it? Do you feel that outsourcing IDS is a viable option for small to medium companies rather than investing the resources to deploy and manage their own solution?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony:

    Some form of IDS is absolutely necessary. They are the admin's eyes and ears if they are properly set up and managed/updated.

    Key Issues:

    1. Proper placement of the sensors
    2. Select a system that can centralize all the logs
    3. Sufficient disk space available to be able to properly log events
    4. An understanding of how the chosen IDS works and its limitations.
    5. A system that allows the construction of custom rules by staff members.
    6. An understanding of the output and its implications.
    7. A separate system that confirms connections alerted on by the IDS.

    Swiss army knives are average at a lot of things but they aren't good at anything. Thus go such devices.

    Budget is practically irrelevant. If you don't have the staff with a level of competence to be able to set up snort boxes, manage them and understand the output then the high priced fancy boxes will do nothing for the company except provide a false sense of security.

    Outsourcing: See above.... and you are trusting someone else with your security.... Hope they don't disgruntle their employees 'cos it might be your butt going on the line.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Tiger Shark

    Budget is practically irrelevant. If you don't have the staff with a level of competence to be able to set up snort boxes, manage them and understand the output then the high priced fancy boxes will do nothing for the company except provide a false sense of security.

    Outsourcing: See above.... and you are trusting someone else with your security.... Hope they don't disgruntle their employees 'cos it might be your butt going on the line.....

    Budget is 100% relevant. Every entity shopping for a security solution will not all have the same
    needs with respect to which configuration is correct. It is not an all or nothing proposition.
    IS/IT risk management does not dictate this approach and I feel it is a UTOPIAN notion at best.

    A small business can have properly configured systems and networking on a limited budget.
    Nothing is ever 100% secure but you can limit risk and exposure.
    I like to use the term "managed" instead of "outsourced".
    Managed firewalls and IDS implementations are a fine choice for a small business and an
    affordable/trustworthy management team can be found.

    The risk of using a bonded security management company is not much different than trusting the heart of a company to a disgruntled internal IT team member.

  4. #4
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Security is important now more than ever. Take for instance, Bagle.Ai is now pounding away at my ISP. While one cannot rely on IDS to fix their problems, it is a valuable tool that provides admins with a plethora of information which in turn can help make security tighter and intrusion harder for the average script kiddie. The only problem I have had with IDS is the illusion that it is simple to set up and maintain. There is a lot of work that goes into verifying false positives as well as examining which is a real attack, and what can be trusted. Definitely an asset worthy of the sysadmin's book of tricks, but not as easy as marketing lets you believe they are to operate effectively.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  5. #5
    Member
    Join Date
    Mar 2004
    Posts
    94
    With the open source options available, it doesn't take much of a budget to set up an effective solution. I believe the key is how much time your company will allow IT to spend dealing with Intrusion Detection. It's one of those things that unless you have an intrusion, the executives may not understand the need. The way I went about it was to explain to them what *could* happen. I used the FBI's annual report to show them what the cost of such an intrusion is likely to be. Fear is a mighty motivator. Especially fear of downtime, losing money/competitive advantage/etc.

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I stand where tigershark does.

    IDS is a wonderful thing to have, but in order for it to be effective, you must have it configured properly.


    While some people may enjoy the thought of outsourcing to people that get paid $2 an hour, I would rather have all my information/security in one place where all the other equipment is.

    I do agree that outsourcing could be cheaper than having to invest the money required to set up your system, but I still wouldn't trust my data/security in someone else's hands half way across the globe.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SS2: I respectfully disagree on the following points:

    1.

    Budget is 100% relevant. Every entity shopping for a security solution will not all have the same needs with respect to which configuration is correct.
    We are talking about IDSs, not firewalls etc. IDSs _must_ be entirely configurable by the end user or they are useless. The end user must be able to write their own rules, send the resultant alerts to an appropriate place and be able to have a system to parse them. If it isn't utterly flexible then it is utterly useless in the real world because every network is different and requires different allow/deny's in policy and practice. If the admin isn't capable of creating his own IDS system from open source software then he isn't going to be able to properly interpret the results. That being the case the only budget item the beancounters need to worry about is the cost of the admin since the cost of the hardware is minimal.

    It is not an all or nothing proposition. IS/IT risk management does not dictate this approach and I feel it is a UTOPIAN notion at best.
    Security is an "all or nothing proposition". You are either secure or you aren't.... period.

    Having said that, you accurately point out later that nothing is secure.... and you are quite right. But there's a fine line between being insecure and knowing when something has occurred that "wasn't right". That's what your IDS is for. Unless you are dealing with a complete zero day that subsequently communicates with the compromised machine in such a way that it won't alert any IDS then you will get some warning. The IDS is there to provide you with the information.... Your subsequent interpretation and investigation will determine your level of "security".

    I like to use the term "managed" instead of "outsourced". Managed firewalls and IDS implementations are a fine choice for a small business and an affordable/trustworthy management team can be found.
    Managed or outsourced..... Political correctness...... Yawn.... They mean the same thing.... It means you trust someone with your "Crown Jewels". That's fine if all you want is to not become a zombie in a virtual zombie army..... It's worthless if the disclosure of your "secrets" will bring the company down, (regardless of size). Take a deep look into the small print of that "managed" contract..... You'll find that they guarantee _nothing_.... Because they are as smart as you.... they realize that nothing can be truly secure...... Oooops.... They lose the contract..... Oh dear, they made all that nice money right up to the point you went out of business..... They, of course, have other customers still paying them and are still in business when you are looking for a new job..... Works for me.....

    The risk of using a bonded security management company is not much different than trusting the heart of a company to a disgruntled internal IT team member
    Oh, but it is different..... You know them intimately..... You know where they live and you know that they don't have a contract that exonerates them in case of a breach. If they are the bad boy then you know you can prosecute them... and they know it too.

    Bottom line.... manage your own security if you have anything worth protecting.... Trust someone else and you can wave goodbye to security. If your risk assessment says you have risk then you need to appreciate that it costs..... So go out and "buy" an admin who can set you up a perfectly good IDS and general defense strategy that fits with the risk assessment. The money the hardware and software costs is irrelevant at that point..... You _will_ be paying more than $15/hour......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Tiger Shark:

    You respectfully disagree yet you yawn. Interesting.
    -
    IDS and Firewalls can and often do interact with each other.
    -
    Making blanket statements without acknowledging that many small businesses need an Internet setup at the office that has the maximum degree of protection that they can afford borders on pontification.

    What would you have them do? Unplug for good?

    Perhaps our perspectives are different but I don't think all or nothing is a reality.
    At least not in my world. We work very hard to create a balance of risk and functionality for
    small businesses. IDS is often part of that solution. Managed or Outsourced or whatever.
    -
    Knowing someone intimately? Where they live?
    If someone wants to stick their dick in your rear, they will in an instant.
    If you sign a crappy contract then you deserve what you get. There are honest contractors
    out there and many are worthy of their fees.
    -

    I appreciate your points but I think there are many degrees of circumstance to consider.
    While working toward a security ideal, I am confident there is a middle ground to live in.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    IDS are only valuable if you have the staff resources to look after them.

    I don't believe that any IDS, no matter how advanced (bear in mind I have no real exposure to commercial solutions), can be entirely maintenance-free.

    An IDS is a high-maintenance system. Someone needs to read the alerts and make policy decisions based on them. That person (/ people) need to be sufficiently experienced, knowledgeable and/or resourceful to be able to find out more about alerts and act accordingly.

    An incorrectly configured IDS will just swamp any useful intruder info in a sea of false alarms.

    There is practically no value in detecting every intrusion attempt, when even a smallish installation sees many thousands of attacks per day, ALMOST ALL of which are a result of win32 worms running on compromised systems. There is no point in attempting to contact the owners of these compromised systems - even if you succeed, it will have minimal impact on the attacks and just waste everybody's time.

    If you haven't the resources to keep tabs on them, even if it's only 1/2 day per month, don't bother. No matter what any sleazy salesman will tell you, I don't think there is a maintenance free IDS.

    Mark
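
An added example, not from the thread: a small Python triage over constructed Snort-style "fast" alert lines, showing the kind of handling Tiger Shark's key-issues list (#2) and Mark's false-alarm point above call for. It sets the high-volume scan signature aside, counts how many distinct hosts it came from, and tags each remaining alert with whether an alert in the opposite direction corroborates it; the signature IDs, addresses and log lines are all made up for the example.

```python
import re
from collections import Counter

# Constructed Snort-style "fast" alert lines: sample data, not captured traffic.
# SIDs are illustrative local-rule numbers; 1000001 plays the worm-scan noise.
SAMPLE_ALERTS = [
    "03/11-08:00:01.000000 [**] [1:1000001:1] NETBIOS SMB scan [**] [Priority: 3] {TCP} 203.0.113.5:4321 -> 192.0.2.10:445",
    "03/11-08:00:02.000000 [**] [1:1000001:1] NETBIOS SMB scan [**] [Priority: 3] {TCP} 203.0.113.9:1088 -> 192.0.2.11:445",
    "03/11-08:00:03.000000 [**] [1:1000001:1] NETBIOS SMB scan [**] [Priority: 3] {TCP} 198.51.100.2:3377 -> 192.0.2.12:445",
    "03/11-08:00:04.000000 [**] [1:1000001:1] NETBIOS SMB scan [**] [Priority: 3] {TCP} 198.51.100.7:2201 -> 192.0.2.13:445",
    "03/11-08:00:05.000000 [**] [1:1000002:2] WEB-MISC directory traversal attempt [**] [Priority: 2] {TCP} 203.0.113.40:51000 -> 192.0.2.20:80",
    "03/11-08:00:06.000000 [**] [1:1000001:1] NETBIOS SMB scan [**] [Priority: 3] {TCP} 203.0.113.5:4322 -> 192.0.2.14:445",
    "03/11-08:00:07.000000 [**] [1:1000003:1] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 192.0.2.20:80 -> 203.0.113.40:51000",
    "03/11-08:00:08.000000 [**] [1:1000002:2] WEB-MISC directory traversal attempt [**] [Priority: 2] {TCP} 198.51.100.99:40000 -> 192.0.2.21:80",
    "03/11-08:00:09.000000 sensor heartbeat, not an alert",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def triage(lines, noise_sids, max_prio=2):
    """Count alerts per SID, set known scan noise aside, and keep alerts at or
    above max_prio (Snort priority 1 is most severe), tagged as corroborated."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    per_sid = Counter(a["sid"] for a in alerts)
    noise_sources = {a["src"] for a in alerts if a["sid"] in noise_sids}
    flows = {(a["src"], a["dst"]) for a in alerts}
    actionable = []
    for a in alerts:
        if a["sid"] in noise_sids or a["prio"] > max_prio:
            continue
        # An alert seen in the opposite direction (e.g. the server's reply)
        # is the kind of second-source confirmation item 7 in post #2 asks for.
        a["corroborated"] = (a["dst"], a["src"]) in flows
        actionable.append(a)
    return {"per_sid": dict(per_sid), "noise_sources": len(noise_sources),
            "actionable": actionable}
```

Run as `triage(SAMPLE_ALERTS, {"1000001"})`: five of the eight alerts are scan noise from four different hosts, and only the traversal attempt that was answered by the id-check response shows up as corroborated.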

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SS2:

    You respectfully disagree yet you yawn. Interesting.
    Sorry, the "yawn" was directed at political correctness in general, not at you personally. I'm just getting a bit fed up of political correctness.... A spade is still a spade no matter what you call it.

    IDS and Firewalls can and often do interact with each other.
    Undoubtedly, but screw it up and you will DoS yourself.... Been there....

    Making blanket statements without acknowledging that many small businesses need an Internet setup at the office that has a maximum degree protection that they can afford borders on pontification.
    Er.. The risk assessment should dictate the level of protection needed by a company and therefore its cost. If we are talking about Joe's Bait Supply that has no "secrets" on the network, 4 workstations and no public services then an IDS is not warranted - A simple firewall blocking all external access is all that is really required along with automatic updating of patches immediately they become available and functional AV.

    You seem to be treating IDS as an essential item, which it is not. However, if it is warranted then the vast majority of the cost goes towards an admin capable of implementing, managing and interpreting the system. Fail to have that admin and the IDS becomes a nice anchor.

    Knowing someone intimately? Where they live?
    If someone wants to stick their dick in your rear, they will in an instant
    That's a given. But our supervisors see our employees daily. They inform me if they have concerns about any given employee and they go on the "Watch List". I can't see your employees managing my IDS. I have no idea whether they are happy or not and I sure as hell can't monitor their activity..... Even though they have all the information they need to compromise my network. Sorry, but that contravenes the most basic rule of any kind of security - limit access and knowledge to _only_ those who require it. If you have secrets worth keeping then, from a security standpoint, you are better off hiring in a specialist than outsourcing and giving them the "keys".

    If you sign a crappy contract then you deserve what you get. There are honest contractors out there and many are worthy of their fees.
    Even sending a technical contract to your lawyer does not guarantee that when they say "sign it" that they fully understood some of the technical implications held within it. Frankly, most people that outsource technical stuff do it on the basis of references rather than full comprehension of the contract they sign - and many simply do it on the word of the salesman. Most wouldn't think to have an independent risk assessment done and then act on the recommendations of that contractor. In fact most wouldn't know or understand a risk assessment if it jumped up and slapped them in the face.

    Yes, there are honest contractors out there and it sounds like you are one of them. But let's not confuse honest contractors with security. You are in the business to make money. I'm sure if you scrutinized all the contracts you hold and the implementations you have in place you would admit that there are a good proportion of customers who have been "over-sold" your products.... Because you could....

    In the final analysis you either have something worth protecting or you don't. If you do then a risk assessment must be carried out. The result of the risk assessment dictates the level of protection required and therefore the cost. If your secrets are of sufficient value to require the use of an IDS then you are better off, in the long run, employing an administrator that can implement, manage and interpret it for themselves.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
