Re: [FW-1] Best IDS??
Set up one sensor outside the firewall, set it to log verbosely but not to page you. This will provide forensic evidence that might prove useful. Set up another sensor inside your DMZ OR on the inside leg of your firewall. Carefully set up rules for filtering of alerts on valid flows, and set everything else to a variety of actions such as:

- FW-1 OPSEC (block intruder; might be a good idea on certain types of activity like ftp, however OPSEC blocking can BITE you if the attacker manages to spoof addresses for sites on the Inet you don't want blocked... basically, you could DoS yourself from accessing even the root name servers!)
- SNMP Traps can work with a product like NAI Distributed Sniffer, which can be configured to capture packets based on event. (nice to have the decodes, trust me!)
- Paging services, light up some alarms on network operations staff monitoring pages??? etc etc.

This can all be accomplished with scripting. With Snort, you can do a lot... especially if you are able to develop your own perl scripts.

I think ISS RealSecure 6.0 is a much nicer product however, and it IS extensible, although there are some real braindead limitations in ISS for filtering of events. (I have a laundry list of comments...) FOR INSTANCE, ISS lets you filter by tcp, udp, icmp, with given src/dest addresses etc etc... but you CAN'T define filters for specific PROTOCOLS like ESP, GRE etc. When I talk to ISS support staff, they say use TCP and set port to 50!!! NO NO NO!, this is not PORT 50, it's "PROTOCOL" 50. (silence is deafening) This was a problem for me because I wanted to see whenever someone was attempting connections with the firewall from unauthorized subnets. When you enable the policy event to log ESP/GRE connections you can't filter the ones that you know are trivial/uninteresting. Instead your logs get spammed.

Regardless, after having used both products I would make my recommendation this way: If this is for home, go with Snort. If this is for work, go with ISS.
Regardless of which product you use, you can't just install the software and then walk away. NIDS has to be constantly tuned and monitored just like a firewall.

Carl E. Mankinen
Southeast Regional Data Center - Systems/Network Engineer, CCSA CCSE
AT&T Broadband Advanced Services

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Tim Anderson
> Sent: Thursday, November 29, 2001 12:16 PM
> To: [email protected]
> Subject: [FW-1] Best IDS??
>
> We have budget to purchase an IDS and would like to get suggestions from you
> fine folks. We are looking at SNORT since it is free (except for the
> equipment costs) and ISS Real Secure. We are open to other suggestions as
> well. Also where do you guys have your sensors? We were thinking that
> having one on the DMZ is probably enough but we want some input from others
> before we decide. Thanks!
>
> Tim Anderson
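As an added illustration of the protocol-versus-port point in the reply above (example code written for this page, not from the post or from either product): an alert filter that matches ESP/GRE on the IP protocol field, so that TCP to port 50 never counts as protocol 50, and that suppresses the known-good VPN peers the author wanted to ignore. The firewall address and authorized subnets are made-up TEST-NET values.

```python
"""Alert filter for ESP/GRE reaching a firewall from unauthorized subnets.

Constructed example: the addresses and policy below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IANA IP protocol numbers. These live in the IP header's protocol field,
# not in any TCP/UDP port; "port 50" and "protocol 50" are unrelated.
GRE, ESP, TCP, UDP = 47, 50, 6, 17

# Hypothetical policy: only these subnets may bring up tunnels to the firewall.
FIREWALL_IP = ip_address("203.0.113.1")
AUTHORIZED_VPN_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol number
    dport: Optional[int] = None  # transport port, only meaningful for TCP/UDP


def is_unauthorized_tunnel_attempt(pkt: Packet) -> bool:
    """True for ESP/GRE sent to the firewall from outside the authorized subnets.

    The decision is made on pkt.proto alone; pkt.dport is deliberately ignored,
    so a TCP segment to port 50 does not trigger an ESP alert."""
    if pkt.proto not in (ESP, GRE):
        return False
    if ip_address(pkt.dst) != FIREWALL_IP:
        return False
    return not any(ip_address(pkt.src) in net for net in AUTHORIZED_VPN_NETS)


def filter_alerts(packets: List[Packet]) -> List[Packet]:
    """Keep only the packets worth paging someone about."""
    return [p for p in packets if is_unauthorized_tunnel_attempt(p)]


# Constructed sample traffic, with the expected verdict per line.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.1", ESP),        # authorized peer: suppressed
    Packet("203.0.113.77", "203.0.113.1", ESP),      # unknown subnet: alert
    Packet("203.0.113.77", "203.0.113.1", TCP, 50),  # TCP port 50, not protocol 50: no alert
    Packet("198.51.100.5", "203.0.113.1", GRE),      # authorized peer: suppressed
    Packet("192.0.2.10", "203.0.113.9", GRE),        # not aimed at the firewall: ignored
    Packet("10.9.8.7", "203.0.113.1", GRE),          # unauthorized GRE: alert
]

if __name__ == "__main__":
    for p in filter_alerts(SAMPLE):
        print(f"ALERT proto={p.proto} {p.src} -> {p.dst}")
```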