Any IDS Recommendations?

The Poster

G/Day Forum,

I'm currently in the process of evaluating a number of IDS solutions. This IDS
system will sit between an edge router (configured with ingress/egress
filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
only got a 2mb leased line to our ISP.

What's important to us:
- ease of configuration and ongoing management
- cost effectiveness
- suitability to Industry (Financial)
- logging ability/high quality reports/audit trail

The products I'm currently looking at are:
- Tipping Point 50
- Cisco IDS 4215

Any ideas, opinions, guidance?

Regards,
Steve.
 
S. Pidgorny

Hi there,

I recommend Snort. The open source solution is used in at least one of
Australian Big 5 banks. Alternatively, you can use SourceFire - they add
nice management interface, "supportability" and price tag.

Implementing NIDS in front of the external firewall - bad idea. You will have
a lot of rubbish and chances are that you'll miss something important. DMZ
is a different matter - port scan has to raise a legitimate alarm in there.
On the corporate network implement your NIDS too, you must.
 
Mercury

Please ignore this if your site is not a High Security site.

If you are using SSL, then where is the End Point? I.e. where is the encrypted
traffic decrypted?

I would expect your auditors to have a hissy fit if the SSL traffic were
decrypted anywhere sniffable, snortable or IDS'able as that could lead to
identity theft.

For a high security site, logging SSL traffic is pointless, logging source
ip, port, time is more useful. Logging decrypted SSL traffic is an outright
danger.

I am happy to be corrected if needs be.
 
David H. Lipman

From: "The Poster" <nospam@nospam_dontyoudare.net>

| G/Day Forum,
|
| I'm currently in the process of evaluating a number of IDS solutions. This IDS
| system will sit between an edge router (configured with ingress/egress
| filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
| only got a 2mb leased line to our ISP.
|
| What's important to us:
| - ease of configuration and ongoing management
| - cost effectiveness
| - suitability to Industry (Financial)
| - logging ability/high quality reports/audit trail
|
| The products I'm currently looking at are:
| - Tipping Point 50
| - Cisco IDS 4215
|
| Any ideas, opinions, guidance?
|
| Regards,
| Steve.
|

Fortress Technologies
http://www.fortresstech.com/news/press_details.asp?id=49

Internet Security Systems
http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=ISS&oid=14435
 
The Poster

Thanks Simon for the advice.

Vendors recommend that the first IDS be placed in front of the edge router
(I think I might have read that in a Cisco Safe white paper) - I've taken
this a step further in placing it between the packet filtering router and
the firewall. As I mentioned in my earlier post, we are running a Cisco
based firewall (PIX) - which, as I'm sure you are aware, doesn't provide
much in the way (bar the IDS rule and a few common signatures) of IDS
features. I do appreciate that a lot of 'trash' will be reported, and most
of that trash will be SSL/IPSec traffic - but that's the hit I'm prepared to
take.

Snort - do you think it's easy to configure? I don't. From the research that
I've done to date Tipping Point seem to have the spotlight on them, and are
selling it on the basis that it's easy to install and configure, and doesn't
involve constant monitoring.

Steve.
 
Steve Clark [MSFT]

Honestly, NIDS is nothing more than a waste of time and money IMO.

Put HIDS on high value servers and workstations or other devices. Hackers
don't want to "0wn" the network; they use it like dial tone to get to where
they are really going, which is the host where data resides. The only
exception to this is DDoS attacks, which aren't going to be prevented by
NIDS in any event.

Focus effort on the points where attackers want to get to, and less on the
roads they use to get there with. If you operate from the worst assumption
(i.e., they are already inside the network) then they will be using
"trusted" paths to communicate with the intended targets. Most
organizations do not monitor internal traffic going to other internal
destination sets as they do the "perimeter" or remote access paths.

You can spend the rest of your life trying to figure out what "normal" is on
the network or especially the Internet; you darn sure ought to know what
normal is on hosts that you manage though, and that battle can actually be
won by the sysadmin. It's also higher-yield in that you have more
information to conduct forensic analysis, etc.
 
Karl Levinson, mvp

Steve Clark said:
Honestly, NIDS is nothing more than a waste of time and money IMO.

NIDS is a tool that gives you something you can't easily get otherwise.
It's grep for the network. It's true that some organizations probably waste
too much effort on IDS. But how much time you put into IDS is entirely up
to you. You can automate a lot of it if you want.

NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
portion is the most useful part of them, but it's easier and more cost
effective to do that same network monitoring with a NIDS. Detecting file
changes is useful, but is only a part of some NIDS, and is arguably better
done with a file change checker like www.gfi.com Languard SIM, Osiris, etc.
There really aren't too many robust commercial file change checker solutions
IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
main other thing most HIDS do is monitor the Windows event log, but 1) you
can do that with any number of other non-IDS products, 2) most HIDS are
configured by default to give you way too many false alarms in the Windows
event logs, and 3) few NIDS I'm aware of give you an easy way to configure
these events; you have to go back into Windows to manage this stuff.

To the OP: A lot of people are running away from ISS due to their
historically high prices and bad support in the past. Their prices may have
changed with their new line, I don't know. Their products in the past have
not been so easy to configure if you have a lot of devices, but OK if you
have just one or two. A problem for me is that their signatures are closed
source, which would be useful information to know when trying to tell false
alarms from real events.

www.enterasys.com Dragon is a popular and inexpensive IDS solution that is
somewhat similar to Snort, but is probably easier to configure.

www.netscreen.com has some attractive inexpensive low end devices that I
understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
bunch of other features. Their low end devices have all the exact same
features as their high end enterprise devices.

The tipping point IDS / IPS and cisco devices you mention are other popular
choices.
 
S. Pidgorny

G'day,

You've received some good replies so far.

Rule #1: always challenge the vendors' recommendation. In my opinion, even
behind the filtering router, NIDS is next to useless. It's hard enough to
make sense of NIDS in DMZ and on corporate WAN.

Secondly: regardless of your chosen products, it's the people who'll be
monitoring and supporting the solution in production. If you don't have a
dedicated team that knows the product and how to make changes and deploy new
sensors quickly - you'd better not invest. Without the right process,
auditors won't approve your NIDS.

And if you have the right people, they don't necessarily need a fancy GUI to get
started with Snort. You'll have a solution at the right cost for NIDS -
$0.00 per monitored IP address.

One thing is really important: have your testing criteria defined, and do
testing. Yes, you'll need traffic generators and all that, but some due
diligence saves time, money and nerves for the project team.
 
Phil Agcaoili

Ease of use is relative, but in this category your first requirement is to
get an appliance-based IDS/IPS solution.

This rules out stuff like Snort. Snort is one of the best IDS solutions by
the way because it is highly configurable and very fast.

SourceFire is the commercial company that the founder of Snort started. It
is an appliance solution with a Web GUI that you manage. You do not have to
install Linux or compile anything to get it working, it comes out of the box
ready with an OS and Snort running, and you simply configure and manage it
with your Browser.

Also, with any signature based IDS, there is a learning curve and then there
is another process which will require all admins to update and make specific
judgements on which signatures to use or create based on their environment.

You can simply install an IDS and not touch it. It will become out of date.
Consider IDS like Antivirus, without the latest definition file, A/V is
useless.

If you want to get closer to a set it and forget it type of intrusion
detection solution, I would also consider an anomaly/behavior-based solution
such as Lancope, Tipping Point, and McAfee. I've seen implementations that
have been profiled and left alone for a while, but still detecting odd
network conditions and flagging that the link needs to be monitored.

The IDS/IPS market is commodity right now, so whatever you choose from the
vendors I pointed out above you should be good to go. Just know that you
need to manage these systems or else they're useless.
 
The Poster

Some good posts indeed Simon.

I agree with you on every point. I forgot to mention that the primary reason
I'm installing the IDS is for compliance with the PCI Data Security Standard
(Visa/MasterCard).

It's a simple scenario - if we don't have an IDS on our network generating
'traffic' and 'trash' stats - then we fail the compliance audit. I argued
with the auditors re. the 'best' location for the device, they were
recommending I put it in my 'secure area' (a DMZ area where traffic and data
is encrypted). And my argument was that this was useless - an IDS sniffing
encrypted packets? A complete waste of Dollars or Euros in my case.......

Steve.
 
The Poster

Excellent advice Phil...... I like the idea of Snort running on a 'plug and
play' device - which I'm going to investigate further.

3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
trial - a nice gesture. It proves that they've got confidence in their
product and are quite willing to lend it to me on a trial basis. Now all I
need is some traffic generating software... :)

Out of interest - have you come across any of the devices you mentioned in
PCI (Visa/MasterCard Credit Card Security Standard) based environments?
Where topology wise were they placed?

Steve.

I do agree with your point (and Simon's previous post) - that if you don't
maintain an IDS, then it's worthless/useless and a complete waste of money.
 
The Poster

Hi Karl,

Thanks for your reply.

Funny you mention Tripwire, it's a product we intend rolling out in parallel
with our NIDS. So far I'm leaning towards the Tipping Point solution - and
3Com have agreed to give me one on trial for a few weeks.

Any thoughts re the best location for my NIDS?

Regards,
Steve.

Karl Levinson, mvp

It's true that, as others have suggested, behind your firewall(s) is a
popular location; DMZs and spots near valuable infrastructure targets are
popular locations as well. This permits the IDS to detect and alert you
when your defenses such as the firewall have been breached. Internal Windows
networks of workstations and servers are chatty and can cause a fair number
of false alarms, but monitoring these can still be beneficial and the false
alarms can be managed in a variety of ways. Your network architecture may
define where you can and should place IDS, because if you only have one IDS,
you probably want to place it in a location where it will be able to see the
most network traffic. Naturally your IDS won't see traffic that doesn't
traverse past its interfaces.

Tipping point is also an IPS, which changes things like potential placement
if you choose to use this functionality. Inline IPS in general is more like
a firewall IMHO in that it can only monitor and protect one or a few network
segments, whereas IDS can generally be used to span and monitor more
networks. If you choose to use the device as an IPS, it might require the
purchase of more devices to monitor the same percentage of your network.


S. Pidgorny

G'day,

For audit compliance, you must have:

* IDS in place
* Procedures to manage IDS rules (signatures and heuristics)
* Procedures to manage alerts - that is, your Emergency Response
* Reports done regularly
* Testing of the IDS/Emergency response done
* (depending on the auditors' paranoia level) - plan to cover all corporate
network with IDS sensors

I see you have managed to convince the auditors that DMZ isn't the best
place to install the sensors because all traffic there is encrypted. However
I might suggest that this creates an excellent opportunity to come up with a
tight IDS rule set: everything that is not on the list of (encrypted)
protocols is a potential security breach. And seriously consider the internal
network: first of all, NIDS will generate a lot of interesting information -
like curious grads that believe they're h@x0rz and stuff like that. Secondly,
the next IT security audit will require that anyway.

And please - call me Slavko, or Slav. Simon is too Die Hard-ish for me.
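The allowlist idea above (everything not on the list of expected encrypted protocols is a potential breach), together with Mercury's earlier point that source IP, port and time are the fields worth logging rather than decrypted payload, as an added example. This is illustration code written for this thread, not Snort, SourceFire, Tipping Point or any other vendor's code; the flow-record format, the 192.0.2.0/24 DMZ range, the allowed-service table and the sample records are all constructed for the example. It also adds a port-scan check (one source hitting several unexpected ports), which the DMZ discussion in this thread treats as something that has to raise an alarm.

```python
"""Allowlist-style check for an encrypted-only DMZ (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed DMZ range (RFC 5737 documentation addresses, not from the thread).
DMZ = ip_network("192.0.2.0/24")

# Allowlist of the encrypted services expected in the DMZ, keyed on
# (transport, destination port); protocols without ports use port 0.
# These entries are assumptions for the example, not a vendor's default set.
ALLOWED: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "https",
    ("udp", 500): "isakmp (IKE)",
    ("udp", 4500): "ipsec-nat-t",
    ("esp", 0): "esp",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<time> <src> -> <dst> <proto>[/<dport>]'."""
    ts, src, arrow, dst, svc = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow record: {line!r}")
    proto, _, dport = svc.partition("/")
    return Flow(ts, src, dst, proto.lower(), int(dport) if dport else 0)


def check_flow(flow: Flow) -> Tuple[str, str]:
    """Classify a flow: 'ignore' (not DMZ-bound), 'allow' (on the list) or 'alert'."""
    if ip_address(flow.dst) not in DMZ:
        return "ignore", "destination outside DMZ"
    label = ALLOWED.get((flow.proto, flow.dport))
    if label is not None:
        return "allow", label
    return "alert", f"unexpected {flow.proto}/{flow.dport} into DMZ"


def audit(lines: List[str]) -> List[dict]:
    """Run the allowlist over flow records; alerts keep only source, port and time."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        verdict, detail = check_flow(flow)
        if verdict == "alert":
            # Deliberately no payload: the metadata is what the audit trail needs.
            alerts.append({"time": flow.ts, "src": flow.src, "dst": flow.dst,
                           "proto": flow.proto, "dport": flow.dport, "reason": detail})
    return alerts


def scan_sources(alerts: List[dict], threshold: int = 3) -> List[str]:
    """Sources that hit at least `threshold` distinct unexpected ports: a likely port scan."""
    ports = defaultdict(set)
    for a in alerts:
        ports[a["src"]].add((a["proto"], a["dport"]))
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    "2004-03-01T09:15:02Z 198.51.100.7 -> 192.0.2.10 tcp/443",
    "2004-03-01T09:15:05Z 198.51.100.7 -> 192.0.2.10 tcp/21",
    "2004-03-01T09:15:06Z 198.51.100.7 -> 192.0.2.10 tcp/22",
    "2004-03-01T09:15:07Z 198.51.100.7 -> 192.0.2.10 tcp/23",
    "2004-03-01T09:16:11Z 203.0.113.4 -> 192.0.2.11 udp/500",
    "2004-03-01T09:16:12Z 203.0.113.4 -> 192.0.2.11 esp",
    "2004-03-01T09:17:40Z 198.51.100.9 -> 192.0.2.12 tcp/80",
    "2004-03-01T09:18:00Z 198.51.100.9 -> 10.0.0.5 tcp/445",
]

if __name__ == "__main__":
    found = audit(SAMPLE_FLOWS)
    for a in found:
        print(f"{a['time']} ALERT {a['src']} -> {a['dst']} {a['reason']}")
    print("possible scan sources:", scan_sources(found))
```

Running it prints one line per alert (the three unexpected ports from 198.51.100.7 and the cleartext HTTP attempt from 198.51.100.9) and names 198.51.100.7 as a likely scan source; the alert records carry only metadata, so they can be kept for the audit trail without exposing anything that was inside the encrypted sessions. The flow to 10.0.0.5 is ignored because it is not DMZ-bound, which is the same visibility limit Karl raises: the sensor only judges what traverses its interfaces.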
 
Jeff Cochran

The Poster said:
Excellent advice Phil...... I like the idea of Snort running on a 'plug and
play' device - which I'm going to investigate further.

3Com have agreed to lend me a Tipping Point 50 system for a few weeks'
trial - a nice gesture. It proves that they've got confidence in their
product and are quite willing to lend it to me on a trial basis. Now all I
need is some traffic generating software... :)

First, you won't go wrong with a Tipping Point or Cisco solution. You
may overpay, you may not get the best results, but you'll meet your
compliance needs. I'll leave out that I think most of the compliance
rules are for covering some collective butts and not real security.
:)

Also, I've found that most IDS vendors will lend you a box to try. So
try them all. I happen to also prefer Snort, and a SourceFire box
goes a long way toward making management feel better. You might also
look at a managed IDS though, offload both the workload and the
responsibility to someone else.

Now, here's what I've found critical about choosing an IDS:

Pretty much, they all work. Some have features that make them better
for a specific set of requirements, but any decent one does fine if
properly managed and maintained. So it comes down to which solution
fits your organization and your comfort level as much as anything
else. Pick the one that "feels" right and make sure you stay current
with it.

Jeff
 
Jeff Cochran

Karl Levinson said:
It's true that, as others have suggested, behind your firewall(s) is a
popular location; DMZs and spots near valuable infrastructure targets are
popular locations as well. This permits the IDS to detect and alert you
when your defenses such as the firewall have been breached. Internal Windows
networks of workstations and servers are chatty and can cause a fair number
of false alarms, but monitoring these can still be beneficial and the false
alarms can be managed in a variety of ways. Your network architecture may
define where you can and should place IDS, because if you only have one IDS,
you probably want to place it in a location where it will be able to see the
most network traffic. Naturally your IDS won't see traffic that doesn't
traverse past its interfaces.

Tipping point is also an IPS, which changes things like potential placement
if you choose to use this functionality. Inline IPS in general is more like
a firewall IMHO in that it can only monitor and protect one or a few network
segments, whereas IDS can generally be used to span and monitor more
networks. If you choose to use the device as an IPS, it might require the
purchase of more devices to monitor the same percentage of your network.

But a counter to that is if this is for the compliance portion of
Visa/MC, this makes it a perfect choice. You don't want to monitor
the entire network, just the critical portions. That dramatically
cuts the background noise from your analysis. And I'd venture a guess
that the biggest problem with IDS, whether NIDS, IPS, NIPS or
whatever, is getting the critical information out of the total
overload most of these options generate.

But again, this does depend a lot on your network architecture. You
may even find it advantageous to change some of your architecture to
manage this even better.

Jeff


Karl Levinson, mvp

Jeff Cochran said:
goes a long way toward making management feel better. You might also
look at a managed IDS though, offload both the workload and the
responsibility to someone else.

I have been very very unsatisfied with outsourcing IDS to someone else.
Most of them seem to really skimp on getting skilled workers [and
admittedly, it seems like you're almost never going to be able to get
someone with solid IDS experience on the second and third shifts], and I
question how most firms configure and monitor the IDS or whether the
configuration is adequately customized to your individual network. But I
suppose if you don't have the time and skill to do IDS, you've got little
choice.
 
Karl Levinson, mvp

S. Pidgorny said:
I see you have managed to convince the auditors that DMZ isn't the best
place to install the sensors because all traffic there is encrypted. However
I might suggest that this creates an excellent opportunity to come up with a
tight IDS rule set: everything that is not on the list of (encrypted)
protocols is a potential security breach. And seriously consider the internal
network: first of all, NIDS will generate a lot of interesting information -
like curious grads that believe they're h@x0rz and stuff like that. Secondly,
the next IT security audit will require that anyway.

Note that internal networks can be as challenging to monitor and give as
many false alarms as putting sensors outside your firewall.

And encrypted traffic does not necessarily have to be impossible to monitor.
There are solutions that will let you unencrypt and monitor encrypted
traffic, if you feel it is in your best interest to do so.
 
