[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Re: IDS/IPS Info
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Re: IDS/IPS Info
- From: "Lee" <cheekypeople@xxxxxxxxx>
- Date: Sat, 15 May 2004 09:14:56 +0100
Debbie,
Maybe my viewpoint is different to what your looking for, but hey here's my 2
cents.
I am not an advocate of IDS/IPS, Personally and maybe I am stirring things up
here, but I am not a fan of them, I view the products in the range as addons
never something I would class as an primary piece of kit.
My thoughts behind this really come from my own background. I used to be a
checkpoint firewall admin for some banks and pharma companies, I found any
IDS/IPS we have from say cisco etc did the job of other systems I already had.
I always looked at them to say "can this product do anything my systems cannot
do now". That would force me to ahve an implistic view of my systems. For
example, an IDS/IPS uses rules and signatures to spot code, it does this by
analysing particular data and then acts as a radar at given perimeter or
internal points. It would then alert a team to what it finds based on the
signatres and rules.
As part of my job I always try to make the very best use of my current systems,
not becuase as a team we couldnt afford a dedicated IDS/IPS, its just that by
testing the boundaries and knowing what we had we achieved the same results,
and in a existing window of an existing system (no "one more thing to monitor").
We used primary at first Checkpoint Firewall logs and inspect code. inspect
code allows you to setup and catch with a log , particular traffic and then
gain alerts, it does this by using its own derived signatures with bytes etc,
which can be gained from ifnormation on a virus etc. Seeing any pattern here?
This then allowed us to isolate and amend direct rules live to combat the
system.
Now dont get me wrong, this took some time, and we had to implement a HOWTO,
but we implemented one based upon a current system which is familiar to the
people using it, thus saving alot on external costings, while educated the
current staff to use a product better.
Now dont get me wrong, my view is my own, and one taken in a particular
environment, and hopefully others will give you their views on what they did, I
expect it will be different , but that was the purpose my reply, not to say
ours is better, just giving a different channel.
Snort I know is excellent, and I expect the cisco kit will be good (in a cicso
DC hehehe)
But anyways food for thought, and have a pleasant weekend.
Regards
Knowledge is Power - Nam et ipsa scientia potestas est
- Francis Bacon (1561-1626)
Lee @ STS
http://www.seethrusec.co.uk
Building Knowledge and Security..
----- Original Message -----
From: Debbie
To: full-disclosure@xxxxxxxxxxxxxxxx
Sent: Friday, May 14, 2004 8:27 PM
Subject: [Full-Disclosure] Re: IDS/IPS Info
Hi all,
I'm a student doing a research paper on the IDS/IPS industry, from the
perspective of analyzing products - what works and what doesn't, and also
analyzing vendors - who will succeed. Anyone had good/bad experiences with
these vendors? (Your response will be kept strictly confidential.)
Thanks all for your help!
Network Associates
Sana Security
GreenBorder Tech
Argus Systems
Cisco
Intrusion Inc.
Tippingpoint Tech
Internet Security (ISSX)
Symantec
-Deborah
mangomartini2005@xxxxxxxxx
------------------------------------------------------------------------------
Do you Yahoo!?
SBC Yahoo! - Internet access at a great low price.