
Thread: IDS Design

  1. #1
    Junior Member
    Join Date
    Feb 2005
    Posts
    26

    IDS Design

    Dear all,

    I've been a member and viewer of Antionline for some time now but until this point have not been inclined to participate (other than the obligatory 'Hi everyone I'm a new member' post) because 1 - I didn't really work in IT Security and 2 - Whenever someone asks a question they receive top drawer ‘articles’ (!) masquerading as fixes, advice and security mantras from the plethora of expert forum members. I just read the replies with my jaw wide open.

    Didn’t know whether to put this in the newbie or IDS forum but as I’m not entirely a newbie to security thought I would go for this one.

    The main reason I use the site & forum is to try and educate myself a little, an instructor on a Cisco PIX course pointed me to the site last year. Since then I've started the CCSP certification track and have passed the PIX and Secur exams.

    Anyway, my situation has recently changed a little and I am due to start a new position in my company's security practice which I am absolutely thrilled about. Well pleased anyway….

    I start in March and my only brief to this point is that I will be involved in IDS Design and Firewall Design. I was wondering if any of you guys or ladies could give me some advice on any preparation work I could do so I have a chance of hitting the ground running or at the very least limping. I don't have any IDS experience to date but during the last month (since I knew I had secured the role) I've gone through some of the Cisco IDS CCSP training guides to familiarise myself with that product. I've also got a couple of books on Snort and plan to install this myself on a lab at home to mess around with it and get used to this offering.

    I'm also aware that some of the networks that are currently supported by the organisation use the ISS RealSecure product so any advice on where I could learn about this would be appreciated.

    I’ve also gone through some Ethical Hacking computer based training which was absolutely fascinating and I would recommend to anyone working in security because looking at it from the other side of the firewall really opens your eyes and, to be quite honest, is kind of ….sexy….. Sort of makes me feel like I’m a law abiding cop trying to keep out the underworld full of Russian hacking teams and International terrorists!

    I have more experience with Firewalls although I would still greatly appreciate any advice on the design aspect of these in a security solution. Until now I've been more of a support type person so now I'm getting the opportunity to move into design I want to cover all angles so any advice from the esteemed members of this forum would be gratefully received!

    So in short… Can anyone give me some advice on IDS Design and on Firewall design? Please?

    Thanks in advance, Goz.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Silly question....

    Unless your company is involved in the development of IDSs for sale, why would you go about reinventing a wheel that is pretty much round already?

    Read the Snort source code.... It's out there for all to see.... That will give you some great insight into the design of an IDS.

    Reading the IPTables/Chains source code would do similar for firewalls.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    TS,

    Maybe I didn't explain myself well enough (see something I can improve on already!).

    We aren't involved in 'developing' IDS for sale, we are just a solution provider so would use an IDS product already on the market.

    So when I say IDS Design I mean designing a solution not the program. I guess in the same way that were I asked for a firewall solution design I would produce network diagrams etc…

    Until recently we have been implementing ISS RealSecure as part of the overall security solution but I have been asked to look at the marketplace and assess other products.

    So... I'm just asking for some general tips/help/advice on how to 'up' my knowledge levels in a short space of time and how one might go about 'designing' an IDS security solution.

    Cheers, James.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok... I think I see it now.... You are looking at it from an infrastructure POV rather than designing the IDS itself, right?

    I would take a womble through http://rr.sans.org in the IDS section. IIRC there are some nice papers on IDS infrastructure there. You might also look at http://www.snort.org since I believe they have some papers there on this too.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    Nice one, thanks.

  6. #6
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    ... advice from the esteemed members ...
    Uhm, I don't really think I fit in there, but ...

    As far as firewalls go, my suggestion would be to find out what is in use now and what services are needed, then deny all as default and only allow what is necessary. That sounds easy, but the latter is not so. It could be near impossible depending on what is in use now and how it is implemented.

    ( I think it prudent to mention here that I think of firewalls as a second, third, or even fourth line of defense, and I am a proponent of firewalls. I know you've heard this before, but shutting down unnecessary services on each box, proper ACLs, proper AUPs, appropriate patching in a timely fashion, etc. are priorities. )

    As far as the rest, have you read The Tao of Network Security Monitoring: Beyond Intrusion Detection or any of the author's other books?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  7. #7
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    Funnily enough I came very close to ordering that book just last week before opting for 'Snort for Dummies' and 'Intrusion Detection with Snort (Jack Koziol)' because I found them very cheap on ebay!

    I'll definitely bear it in mind if you are recommending it....

  8. #8
    Member
    Join Date
    Sep 2005
    Posts
    77
    If I can suggest a book that will serve as both a great tutorial and reference, try:
    Network Intrusion Detection (3rd Edition) by Stephen Northcutt, Judy Novak
    *Have it sitting on my desk- very handy*

    Becoming familiar with Snort will definitely help you understand why the various alerts trigger.

    As for Cisco IDS, Snort won't entirely help you out there... as their signatures I believe are proprietary.... spanning back from when they originally were NetRanger. But seeing as how the majority of the other IDSs on the market are based off Snort... it will certainly help you.

    I prefer the Cisco IDS sensors. I realize this may not be economically feasible for your clients, especially if they are going with the newer versions of firmware (5.x) and are using IPS functionality. Licensing costs get ridiculous. Not to mention, the sensors themselves aren't cheap. Regardless, they are easy to manage, and provide a lot of information regarding the alerts...even packet captures.
    The following guide provides you with virtually everything you need to know for setting up Cisco IDS sensors (4.x) and how to configure them:
    Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1

    Position of the IDS sensor is important. When monitoring IDS systems, it can be slightly overwhelming if the sensor is positioned on an external/public interface... you get to see all the nasty stuff floating about the internet banging on your door. Putting the IDS on the inside right behind the firewall will cut out a lot of the bogus alerts reported and will hopefully display more relevant results happening on the LAN.

    Tiger Shark made a GREAT recommendation and that was for the SANS Reading Room... lots of good info there.

    The info I have written above is probably a bit vague... Feel free to PM me if you want some more info (resources, good/bad experiences, techniques, or anything else that may help you). I don't want to bore everyone in the forum with some of that stuff.
    %42%75%75%75%75%72%70%21%00
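    An added example (not from any post in this thread) tying together post #6's default-deny firewall advice and post #8's points about why Snort alerts trigger and where to place the sensor. It implements a deliberately minimal Snort-style rule matcher (header fields plus the msg and content options only; real Snort has far more) and runs two constructed rules over three constructed packets, once as a sensor on the public interface and once as a sensor behind a default-deny firewall that only permits the listed ports; HOME_NET, the rules and the packets are all made up for the illustration.

```python
import re
from collections import namedtuple

HOME_NET = "10.0.0."  # constructed: the monitored LAN prefix
Packet = namedtuple("Packet", "proto src sport dst dport payload")

def parse_rule(rule):
    """Parse 'action proto src sport -> dst dport (msg:"..."; content:"...";)'."""
    m = re.match(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)", rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    action, proto, src, sport, dst, dport, opts = m.groups()
    # Only quoted options are honoured here; real Snort has many more option types.
    options = dict(re.findall(r'(\w+):\s*"([^"]*)"\s*;', opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **options}

def _addr_ok(pattern, addr):
    if pattern == "any":
        return True
    if pattern in ("$HOME_NET", "$EXTERNAL_NET"):
        return addr.startswith(HOME_NET) == (pattern == "$HOME_NET")
    return pattern == addr

def matches(rule, pkt):
    # An alert fires only when every header field and the content string match.
    return (rule["proto"] == pkt.proto
            and _addr_ok(rule["src"], pkt.src) and rule["sport"] in ("any", str(pkt.sport))
            and _addr_ok(rule["dst"], pkt.dst) and rule["dport"] in ("any", str(pkt.dport))
            and rule.get("content", "").encode() in pkt.payload)

def alerts(rules, packets):
    return [r["msg"] for p in packets for r in rules if matches(r, p)]

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe attempt"; content:"cmd.exe";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe from outside"; content:"SMB";)',
)]
PACKETS = [  # constructed traffic arriving at the public interface, not a real capture
    Packet("tcp", "203.0.113.5", 40000, "10.0.0.7", 80, b"GET /cgi-bin/cmd.exe HTTP/1.0"),
    Packet("tcp", "203.0.113.9", 40001, "10.0.0.7", 445, b"\x00SMB probe"),
    Packet("tcp", "203.0.113.9", 40002, "10.0.0.7", 80, b"GET /index.html HTTP/1.0"),
]

def outside_alerts():
    """Sensor on the public interface: sees every probe, even ones the firewall drops."""
    return alerts(RULES, PACKETS)

def inside_alerts(allowed_ports=(80,)):
    """Sensor behind a default-deny firewall: only permitted services ever reach it."""
    return alerts(RULES, [p for p in PACKETS if p.dport in allowed_ports])
```

    The inside sensor never reports the SMB probe because the firewall's default-deny policy drops it before the sensor sees it, which is exactly the noise reduction post #8 describes; widen `allowed_ports` and the alert reappears.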

  9. #9
    Member
    Join Date
    Sep 2005
    Posts
    77
    Intrusion detection and prevention learning guide

    A plethora of links for IDS/IPS:

    http://searchsecurity.techtarget.com...128383,00.html
    heheh...
    "Jefe, would you say I have a plethora of piñatas?"
    %42%75%75%75%75%72%70%21%00

  10. #10
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    Excellent, thanks Eyecre. You're right about the SANS link, very useful; I've already printed off and read a couple of documents about the design and evaluation of IDS products.

    Looks like I have my reading cut out for me for the next 5 years now!
