Ron Morita wrote:
>Can anybody point me to information about business solutions and real
>life experience with Intrusion Detection systems?
Probably the best way to get some real life experiences with them
is to try one yourself. It's not particularly difficult (or shouldn't
be!) and any credible vendor will let you "try before you buy."
There are a few decent articles in the trade press about some of
the products out there - one thing to be aware of when you read
them is that IDS products are still at the rapid stage of evolution
and what's said about any given product 6 months ago probably no
longer applies.
> We have about 35
>desktops, 4 servers. I've heard that false positives can make deploying
>this type of a solution impractical for a small sized business. Is that
>true?
It depends.
With a small installation like yours, you won't run into scalability
pain particularly badly. Obviously, installing something per-desktop is
more painful when you have 6,000 desktops than when you have 35! :)
A good litmus test for this is whether or not you've installed virus
protection on your desktops - if that's proven challenging, then desktop
IDS may not be best for you simply for administrative reasons.
With respect to false positives, the rate of false positives you get
should depend very much on the location of your IDS. First off, I will
assume you have a firewall. If you don't have a firewall, please forget
about intrusion detection and run, do not walk, to install a firewall. ;)
If you put your IDS outside the firewall, it will generate a lot of
reports - typically these will not be false positives - they will be
actual attacks that your firewall (hopefully!) has deflected. If you put
your IDS inside the firewall, on your protected network, the number of
false positives should be very low. There are some false positives, but
the current crop of products have gotten much better than they used to be.
Within a small network such as yours, behind a firewall, I wouldn't expect
very many. Larger organizations will also see "false positives" at their
IDS even behind their firewalls. My experience from such and their
subsequent investigations is that often "false positives" behind the
firewalls are, in fact, employees engaging in abusive behaviour!! I know
a site that complained their IDS was broken because it was claiming
there was a machine inside their network doing attacks against the Internet -
it turns out they had an intern who thought he was a bigtime cyberninja...
Many security products' effectiveness is very much influenced by your
network and how it is set up. Unfortunately. So an IDS will produce
different results for you than it would someone else. My suggestion is
always "try before you buy."
(Disclaimer: I am a vendor in the IDS area. However, I don't believe
there is anything in my posting above that is even arguably biased
towards my company's products or our competition.)
mjr.
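The placement argument above (an outside sensor mostly reports real probes the firewall deflects; an inside sensor that alerts on an internal source hitting the Internet is usually an insider, not a false positive) can be turned into a small triage step. The following is an added example, not code from the original post or from mjr's products; the alert line format ("sensor|src|dst|signature"), the internal address range and the sample alerts are all constructed assumptions for illustration.

```python
"""Triage IDS alerts by sensor placement and traffic direction.

Added example, not from the original post. The alert format, the
internal range and the sample alert lines are hypothetical/constructed.
"""
import ipaddress
from collections import Counter

# Assumption: the site's protected (inside-the-firewall) address range.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample alerts in a hypothetical "sensor|src|dst|signature" format.
# "outside" = sensor in front of the firewall, "inside" = sensor on the LAN.
SAMPLE_ALERTS = """\
outside|203.0.113.7|192.168.10.2|WEB-IIS cmd.exe access
outside|198.51.100.9|192.168.10.2|SCAN nmap TCP
outside|203.0.113.7|192.168.10.3|SMTP EXPN overflow attempt
inside|192.168.10.44|203.0.113.88|SCAN nmap TCP
inside|192.168.10.44|198.51.100.20|SCAN nmap TCP
inside|192.168.10.2|192.168.10.5|SMB logon failure
"""


def classify(sensor, src, dst):
    """Return a triage bucket for a single alert based on where it was seen
    and which way the traffic was going."""
    src_in = ipaddress.ip_address(src) in INTERNAL
    dst_in = ipaddress.ip_address(dst) in INTERNAL
    if sensor == "outside":
        # Seen before the firewall: a real probe that the firewall
        # (hopefully) dropped. Noisy, but not a false positive.
        return "external-attack-at-perimeter"
    if src_in and not dst_in:
        # Inside sensor, internal source, external target: the "intern
        # cyberninja" case. Treat as possible insider abuse, not IDS error.
        return "internal-host-attacking-outside"
    if src_in and dst_in:
        return "internal-to-internal"
    # External source seen on the protected LAN: it got through the
    # firewall, so this one deserves a look.
    return "external-reached-inside"


def triage(text):
    """Bucket every alert line and collect internal hosts attacking outward."""
    counts = Counter()
    suspects = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, src, dst, _signature = line.split("|", 3)
        bucket = classify(sensor, src, dst)
        counts[bucket] += 1
        if bucket == "internal-host-attacking-outside":
            suspects.add(src)
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_ALERTS)
    for bucket, n in counts.most_common():
        print(f"{n:3d}  {bucket}")
    print("internal hosts to talk to:", ", ".join(sorted(suspects)))
```

Note that the same signature ("SCAN nmap TCP") lands in different buckets depending only on sensor position and direction, which is the point: the alert volume you see, and what it means, is mostly a function of where you put the box.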