Thanks, guys. I just might do that. 'Course I have to find a machine first..
'specially one that can handle the load. I thought I might put it in between
our firewall and the network.. or maybe I'll find a small hub and put it in
there that way..


John Aldrich
Tile-Tools


From: Andrew S. Baker [mailto:[email protected]] 
Sent: Friday, December 04, 2009 3:37 PM
To: NT System Admin Issues
Subject: Re: IDS appliance


+1

Get the OSS stuff in there first, and get a handle on what your needs
actually are, then when you find you need something with more features,
you'll be able to articulate and evaluate that more effectively.

Consider starting with: http://www.untangle.com/ 

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker> 
Providing Competitive Advantage through Effective IT Leadership


On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]> wrote:

On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> wrote:
>
> Guys, I was talking to my boss this morning about how we need an IDS
> appliance to help catch malware as it comes in from the web or as it tries
> to "phone home." Now up until yesterday I thought an IDS was just good for
> catching hackers trying to get through our firewall or something like that.
> I'm not that knowledgeable about this sort of thing. How exactly does an IDS
> appliance work?
>

It depends on the appliance. However, the general theory is that it
watches the bit stream, and sends alerts when it sees suspicious
traffic. Often they also trend traffic and do other spiffy things.

Before committing to a commercial product, I'd try the free OSS stuff.

In particular, OSSIM is a very interesting package, though it's more
than just an IDS. It's got an installer that puts Linux on a box and
installs snort, ntop, nagios and a bunch of other software, and wraps
it all up in a pretty web interface.

I'm trying to find the time (and a spare PC) to dive into it.

You can install it on one machine (with several NICs), or use it to
install a set of sensors at various points in your network that talk
to a central server that aggregates it.

The critical things are 1) to get enough box to handle the load, 2) to
place the sensor(s) at points in your network where you're most likely
to see attacks, 3) to dial down the alerts so that they fit your
environment. They tend to be really noisy - lots of alerts - until you
get them tuned to only look for things that are relevant to your
environment. For instance, you don't want to see alerts on traffic
that looks like an attack on an Oracle server if you don't have Oracle
in your org.

And, an IPS is basically an IDS that can operate your firewall on the
fly. They can be as dangerous as combining tequila and handguns, if
you're not extra careful.

Kurt
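Kurt's third point, tuning the sensor so it only alerts on what is relevant to your environment (and John's interest in "phone home" traffic), as an added worked example. This is not part of the thread and is not code from OSSIM or Snort. It assumes a hypothetical asset inventory (internal range 192.0.2.0/24, only HTTP and SMB deployed), the convention that a rule message begins with the name of the targeted service, and a handful of constructed alert lines in Snort's "fast" alert layout. A real deployment would drive the inventory from its own records and use the sensor's built-in suppression and threshold settings rather than a post-filter, but the logic is the same: drop inbound alerts for services you do not run, collapse repeats, and tag direction so outbound beacons stand out.

```python
"""Environment-aware tuning of Snort-style "fast" alerts (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical inventory: what this org actually has on its network.
INTERNAL_NETS = [ip_network("192.0.2.0/24")]
DEPLOYED_SERVICES = {"HTTP", "SMB"}   # no Oracle, no MSSQL in this org
MAX_ALERTS_PER_SID = 2                # keep this many per rule, drop the rest

# Constructed sample alerts (not real traffic), in Snort "fast" alert layout.
SAMPLE_ALERTS = [
    "12/04-07:32:00.000001  [**] [1:100001:1] ORACLE TNS listener probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.9:40001 -> 192.0.2.10:1521",
    "12/04-07:32:01.000002  [**] [1:100002:1] HTTP suspicious user-agent [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} "
    "192.0.2.20:51000 -> 198.51.100.5:80",
    "12/04-07:32:02.000003  [**] [1:100002:1] HTTP suspicious user-agent [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} "
    "192.0.2.21:51001 -> 198.51.100.5:80",
    "12/04-07:32:03.000004  [**] [1:100002:1] HTTP suspicious user-agent [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} "
    "192.0.2.22:51002 -> 198.51.100.5:80",
    "12/04-07:32:04.000005  [**] [1:100003:1] MALWARE known beacon [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "192.0.2.30:49152 -> 203.0.113.77:443",
    "12/04-07:32:05.000006  [**] [1:100004:1] MSSQL version probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.9:40002 -> 192.0.2.11:1433",
    "this line is not an alert and should be counted as unparsed",
]

# Layout: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(alert):
    """Classify flow direction relative to the inventory's internal ranges."""
    src_in, dst_in = is_internal(alert["src"]), is_internal(alert["dst"])
    if src_in and not dst_in:
        return "outbound"      # candidate "phone home" traffic
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def target_service(alert):
    # Assumed convention: the rule message starts with the targeted service name.
    return alert["msg"].split()[0].upper()


def tune_alerts(lines):
    """Apply environment-based suppression; return (kept alerts, suppression counts)."""
    kept, suppressed, seen_per_sid = [], Counter(), Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            suppressed["unparsed"] += 1
            continue
        alert["direction"] = direction(alert)
        service = target_service(alert)
        # Inbound attacks against a service we do not run are noise, not risk.
        if alert["direction"] == "inbound" and service not in DEPLOYED_SERVICES:
            suppressed[f"no-{service.lower()}-here"] += 1
            continue
        # Collapse floods of the same rule firing repeatedly.
        seen_per_sid[alert["sid"]] += 1
        if seen_per_sid[alert["sid"]] > MAX_ALERTS_PER_SID:
            suppressed["repeat-sid"] += 1
            continue
        kept.append(alert)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = tune_alerts(SAMPLE_ALERTS)
    for a in kept:
        print(f"{a['direction']:8} sid={a['sid']} prio={a['prio']} {a['msg']}")
    print("suppressed:", dict(suppressed))
```

Run on the constructed sample, the Oracle and MSSQL probes are dropped because the inventory has neither service, the third identical HTTP alert is collapsed, and what remains is the outbound traffic a person would actually want to look at.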
