Dirk,
With IDSs you have 2 choices: freeware (and no support other than users),
and commercial (supposedly with support). Some of the top commercial
products are NFR's Network Flight Recorder, ISS's RealSecure, and Cisco's
NetRanger. I, for one, am using Cisco's NetRanger, because I like the idea
of using my Cisco routers as intrusion sensors, all reporting to a
centralized management decision engine. If you do not worry about support
too much, you could use Snort (http://www.clark.net/~roesch/security.html)
and/or Shadow (the Naval Surface Warfare Center freeware IDS), which you
could get at http://www.nswc.navy.mil/ISSEC/CID. You should know, however,
that Shadow is not a "real-time" intrusion-detection system, since it polls
data from the sensors at pre-set intervals (like 30 mins or so). However,
used in conjunction with Snort, it becomes not only a real-time IDS capable
of sending RST packets to offending traffic, but is also able to use Shadow's
advanced traffic analysis engine to see patterns in attacks, and to
provide you with indications and warnings as to what types of attacks/probes
are directed against you (it is capable of doing this in a much better
fashion than NetRanger). Some people at the NSWC (Naval Surface Warfare
Center) recommend, for best results, using Snort/Shadow in conjunction with
Cisco's NetRanger, since this would give the best mix of content/pattern
analysis.
So, to answer your question (I did get a little off topic), you almost have
to run Axent's NetProwler/NetRecon on NT, and the same goes for ISS's
RealSecure. Cisco's NetRanger Director requires HP OpenView Network Node
Manager to use as a director, and either a Cisco router or a $15,000
black-box solution to use as a sensor. Snort and Shadow will run on just
about any sort of Unix variant that can compile libpcap and tcpdump (Linux,
BSD, Solaris, HP-UX, etc.), and are free, and in some ways better at detects
than some of the commercial products, since it takes about an hour or so
after a new signature is found for somebody to put out a Snort signature
line. If you have the budget and time, running something like NetRanger and
Snort/Shadow in conjunction should provide you with an excellent IDS. This
is what I plan on doing. However, if you are on a tight string, the Snort/Shadow
combination should be more than sufficient to provide your site with a
credible IDS.
Hope this helps. If you have any further questions, e-mail me, and I'll try
to help any way I can.
-Igor Gashinsky
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dirk.Nerling
Sent: Wednesday, March 22, 2000 11:13 AM
To: Firewall (M-list)
Subject: NT IDS to monitor unix firewall ?
Hello,
does anybody know an IDS system which could stand beside a firewall - or is
this a really bad idea? We do use a free Unix as our firewall, but
unfortunately the IDS products I'd like to use (Axent or RealSecure,
because of the updateable database) don't support our firewall OS. What
do you mean?
- should I install an NT box beside the Unix firewall (is this possible)?
- which IDS products (comparable to my favorites) will run on a free Unix?
thanks in advance for all hints and
best regards, Dirk Nerling
--
Dirk Nerling, PDV-Systeme Erfurt, Haarbergstr. 73, 99099 Erfurt, phone:
++49-361-4407144
PGP Fingerprint: C559 FF0E BAD0 9E09 F720 20F3 683E 357F 69B5
CC83
http://www.pdv.de
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]