+1 Get the OSS stuff in there first, and get a handle on what your needs actually are, then when you find you need something with more features, you'll be able to articulate and evaluate that more effectively.
Consider starting with: http://www.untangle.com/ *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker> *Providing Competitive Advantage through Effective IT Leadership* On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]> wrote: > On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> > wrote: > > > > Guys, I was talking to my boss this morning about how we need an IDS > appliance to help catch malware as it comes in from the web or as it tries > to “phone home.” Now up until yesterday I though an IDS was just good for > catching hackers trying to get through our firewall or something like that. > I’m not that knowledgeable about this sort of thing. How exactly does an IDS > appliance work? > > > > > > It depends on the appliance. However, the general theory is that it > watches the bit stream, and sends alerts when it sees suspicious > traffic. Often they also trend traffic and do other spiffy things. > > Before committing to a commercial product, I'd try the free OSS stuff. > > In particular, OSSIM is a very interesting package, though it's more > than just an IDS. It's got an installer that puts Linux on a box and > installs snort, ntop, nagios and a bunch of other software, and wraps > it all up in a pretty web interface. > > I'm trying to find the time (and a spare PC) to dive into it. > > You can install it on one machine (with several NICs), or use it to > install a set of sensors at various points in your network that talk > to a central server that aggregates it. > > The critical things are 1) to get enough box to handle the load, 2) to > place the sensor(s) at points in your network where you're most likely > to see attacks, 3) dial down the alerts so that they fit your > environment. They tend to be really noisy - lots of alerts - until you > get them tuned to only look for things that are relevant to your > environment. For instance, you don't want to see alerts on traffic > that looks like an attack on an Oracle server if you don't have Oracle > in your org. > > And, an IPS is basically an IDS that can operate your firewall on the > fly. They can be as dangerous as combining tequila and handguns, if > you're not extra careful. > > Kurt > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
