On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> wrote: > > Guys, I was talking to my boss this morning about how we need an IDS > appliance to help catch malware as it comes in from the web or as it tries to > “phone home.” Now up until yesterday I though an IDS was just good for > catching hackers trying to get through our firewall or something like that. > I’m not that knowledgeable about this sort of thing. How exactly does an IDS > appliance work? > >
It depends on the appliance. However, the general theory is that it watches the bit stream, and sends alerts when it sees suspicious traffic. Often they also trend traffic and do other spiffy things. Before committing to a commercial product, I'd try the free OSS stuff. In particular, OSSIM is a very interesting package, though it's more than just an IDS. It's got an installer that puts Linux on a box and installs snort, ntop, nagios and a bunch of other software, and wraps it all up in a pretty web interface. I'm trying to find the time (and a spare PC) to dive into it. You can install it on one machine (with several NICs), or use it to install a set of sensors at various points in your network that talk to a central server that aggregates it. The critical things are 1) to get enough box to handle the load, 2) to place the sensor(s) at points in your network where you're most likely to see attacks, 3) dial down the alerts so that they fit your environment. They tend to be really noisy - lots of alerts - until you get them tuned to only look for things that are relevant to your environment. For instance, you don't want to see alerts on traffic that looks like an attack on an Oracle server if you don't have Oracle in your org. And, an IPS is basically an IDS that can operate your firewall on the fly. They can be as dangerous as combining tequila and handguns, if you're not extra careful. Kurt ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
