Well, we already *have* a firewall.. a nice Cisco ASA 5510. :-) I don't need another firewall, just an IPS/IDS.
-----Original Message----- From: Kurt Buff [mailto:[email protected]] Sent: Friday, December 04, 2009 3:54 PM To: NT System Admin Issues Subject: Re: IDS appliance Untangle doesn't look much like an IDS, based on the marketing on the front page of the web site. It looks more like a web/spam filter. Another possibility, if you want to set it up as a gateway, is pfsense - http://pfsense.org - it can add snort and other things as packages to its firewalling duties. But, that covers only one spot in the network, though you could certainly argue that it's the most critical spot. Kurt On Fri, Dec 4, 2009 at 12:36, Andrew S. Baker <[email protected]> wrote: > +1 > > Get the OSS stuff in there first, and get a handle on what your needs > actually are, then when you find you need something with more features, > you'll be able to articulate and evaluate that more effectively. > > Consider starting with: http://www.untangle.com/ > > ASB (My XeeSM Profile) > Providing Competitive Advantage through Effective IT Leadership > > On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]> wrote: >> >> On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> >> wrote: >> > >> > Guys, I was talking to my boss this morning about how we need an IDS >> > appliance to help catch malware as it comes in from the web or as it tries >> > to phone home. Now up until yesterday I though an IDS was just good for >> > catching hackers trying to get through our firewall or something like that. >> > Im not that knowledgeable about this sort of thing. How exactly does an IDS >> > appliance work? >> > >> > >> >> It depends on the appliance. However, the general theory is that it >> watches the bit stream, and sends alerts when it sees suspicious >> traffic. Often they also trend traffic and do other spiffy things. >> >> Before committing to a commercial product, I'd try the free OSS stuff. >> >> In particular, OSSIM is a very interesting package, though it's more >> than just an IDS. It's got an installer that puts Linux on a box and >> installs snort, ntop, nagios and a bunch of other software, and wraps >> it all up in a pretty web interface. >> >> I'm trying to find the time (and a spare PC) to dive into it. >> >> You can install it on one machine (with several NICs), or use it to >> install a set of sensors at various points in your network that talk >> to a central server that aggregates it. >> >> The critical things are 1) to get enough box to handle the load, 2) to >> place the sensor(s) at points in your network where you're most likely >> to see attacks, 3) dial down the alerts so that they fit your >> environment. They tend to be really noisy - lots of alerts - until you >> get them tuned to only look for things that are relevant to your >> environment. For instance, you don't want to see alerts on traffic >> that looks like an attack on an Oracle server if you don't have Oracle >> in your org. >> >> And, an IPS is basically an IDS that can operate your firewall on the >> fly. They can be as dangerous as combining tequila and handguns, if >> you're not extra careful. >> >> Kurt >> >> > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.426 / Virus Database: 270.14.93/2544 - Release Date: 12/04/09 07:32:00 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
