Again,

NFR, ISS Real Secure, and Network ICE Agent/Sentry/ICECap are network-based 
IDSs with hooks to allow for host-based monitoring.

Each one of the products has its +'s and -'s, so this is more about how each 
vendor has architected their product to account for medium to large sized 
enterprises.  Some may require a load balancing solution, or a 
reconfiguration of the high-end network switch in order to enable SPAN port 
mirroring, etc.

But back to the point, it appears that you might be interested in some 
sort of combination host-based/integrity checking product like 
TripWire/Centrax or something like that.

Most network-based IDSs have options to notify the administrator through 
various methods (email, paging, out of band, etc).


/m

At 09:06 AM 9/6/00 -0700, Aaron Schultz wrote:
>Sorry Kyle, this is in response to your mail, but not "directed" at you :)
>
>On Wed, 6 Sep 2000, Haugsness, Kyle wrote:
>
> > So if you need to watch some big pipes, start taking a look at other
> > products such as Network Flight Recorder (hi Marcus), Network Security
> > Wizards' Dragon, or even snort.
>
>Currently NFR's solution is also based on the load balancer.  NFR admits
>that their product cannot accurately watch for things like portscans
>across multiple hosts in a load balanced setup:
>
>NFR's response to me:
># Just following up to make sure you got my last email (about 2 weeks ago)
># saying that you were correct in that our load balancing solution would
># not work in the situation you described.
><snip>
># However,  this still works fairly well because generally portscans
># involve a large number of ports.
><snip>
>
>I'm not sure which Internet that NFR's connected to, but it must be
>something other than the one I'm on.  Programs like wu-scan exist for the
>sole purpose of doing single port scanning across entire network segments
>looking for hosts with a specific exploit.  This is not the first program
>like this, nor will it be the last.
>
>Network-based IDS seems to still be aimed at the small network, although
>every commercial host-based IDS I've found doesn't include port-level
>watching on the host.  I'd really like one of the commercial IDS people
>to make a host IDS with port-level detection built in, but I've yet to find
>one... unless you run the FREEWARE portsentry (unix-only) with it,
>then most commercial IDS can watch logs and report.. but at that point,
>why bother since portsentry can already run custom commands on its
>own (like e-mailing the NOC that scans are in progress).
>
>- Aaron Schultz
>- [EMAIL PROTECTED]
>------
>   /"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
>   \ /   ASCII Ribbon Campaign
>    X   - NO HTML/RTF in e-mail
>   / \  - NO Word docs in e-mail
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

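The detection gap Aaron describes above (a single-port sweep across a segment that a "lots of ports per host" detector never sees, and that sensors behind a load balancer cannot correlate) is easy to reproduce in a few lines. The following is an added example written for this thread; it is not code from the thread or from NFR, ISS Real Secure or Network ICE. The balancer policy (each destination host pinned to one sensor by address modulo sensor count) is a hypothetical stand-in for whatever a real balancer does, and the connection records are constructed.

```python
"""Why a single-port sweep slips past per-host and per-sensor scan detection.

Added example for this thread, not code from the thread or from any of the
products named in it.  The balancer policy (destination host pinned to one
sensor by address modulo sensor count) is hypothetical, and the connection
records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address

N_SENSORS = 8
THRESHOLD = 10  # distinct ports (vertical) or distinct hosts (horizontal)

# Constructed connection attempts as (src_ip, dst_ip, dst_port).
# One source probes port 21 on 32 consecutive hosts, the single-port
# "looking for one exploitable service" pattern the thread describes,
# plus a little benign traffic for noise.
SCAN_SRC = "203.0.113.7"
RECORDS = [(SCAN_SRC, f"192.0.2.{h}", 21) for h in range(1, 33)]
RECORDS += [
    ("198.51.100.5", "192.0.2.10", 80),
    ("198.51.100.5", "192.0.2.10", 443),
    ("198.51.100.9", "192.0.2.25", 25),
]


def vertical_scans(records, threshold=THRESHOLD):
    """Detector keyed on (src, dst) counting distinct ports, i.e. the
    "portscans involve a large number of ports" assumption.  A sweep that
    touches one port per host scores 1 for every pair and never fires."""
    ports = defaultdict(set)
    for src, dst, dport in records:
        ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}


def horizontal_scans(records, threshold=THRESHOLD):
    """Detector keyed on (src, dport) counting distinct target hosts; this
    is what catches the sweep, but only if it sees all the targets."""
    hosts = defaultdict(set)
    for src, dst, dport in records:
        hosts[(src, dport)].add(dst)
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


def sensor_for(dst_ip):
    """Hypothetical balancer: pin each destination host to one sensor."""
    return int(ip_address(dst_ip)) % N_SENSORS


def per_sensor_view(records):
    """Run the horizontal detector on each sensor's slice in isolation.
    Every sensor sees only 32 / N_SENSORS = 4 of the swept hosts, so none
    of them reaches the threshold and the sweep goes unreported."""
    slices = defaultdict(list)
    for rec in records:
        slices[sensor_for(rec[1])].append(rec)
    return {s: horizontal_scans(recs) for s, recs in sorted(slices.items())}


def aggregated_view(records):
    """Correlate all sensors (or watch a single span port) and the same
    detector reports the full 32-host sweep from one source."""
    return horizontal_scans(records)


if __name__ == "__main__":
    print("vertical   :", vertical_scans(RECORDS))     # {}
    print("per-sensor :", per_sensor_view(RECORDS))    # every sensor {}
    print("aggregated :", aggregated_view(RECORDS))    # {('203.0.113.7', 21): 32}
```

Run it and the vertical detector and every isolated sensor stay silent while the aggregated run flags the sweep. The fix is the one implied in the thread: either the balancer must send all of one source's traffic to the same sensor (which defeats balancing for a fast scanner) or the sensors must share per-source state, and a host-side watcher like portsentry on each target sees only its own single probe, which is why it needs a central correlator too.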