Any idea if this will run in a VM? Might be worth looking into. John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4
From: Andrew S. Baker [mailto:[email protected]] Sent: Friday, December 04, 2009 3:37 PM To: NT System Admin Issues Subject: Re: IDS appliance +1 Get the OSS stuff in there first, and get a handle on what your needs actually are, then when you find you need something with more features, you'll be able to articulate and evaluate that more effectively. Consider starting with: http://www.untangle.com/ ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker> Providing Competitive Advantage through Effective IT Leadership On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]<mailto:[email protected]>> wrote: On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]<mailto:[email protected]>> wrote: > > Guys, I was talking to my boss this morning about how we need an IDS > appliance to help catch malware as it comes in from the web or as it tries to > "phone home." Now up until yesterday I though an IDS was just good for > catching hackers trying to get through our firewall or something like that. > I'm not that knowledgeable about this sort of thing. How exactly does an IDS > appliance work? > > It depends on the appliance. However, the general theory is that it watches the bit stream, and sends alerts when it sees suspicious traffic. Often they also trend traffic and do other spiffy things. Before committing to a commercial product, I'd try the free OSS stuff. In particular, OSSIM is a very interesting package, though it's more than just an IDS. It's got an installer that puts Linux on a box and installs snort, ntop, nagios and a bunch of other software, and wraps it all up in a pretty web interface. I'm trying to find the time (and a spare PC) to dive into it. You can install it on one machine (with several NICs), or use it to install a set of sensors at various points in your network that talk to a central server that aggregates it. The critical things are 1) to get enough box to handle the load, 2) to place the sensor(s) at points in your network where you're most likely to see attacks, 3) dial down the alerts so that they fit your environment. They tend to be really noisy - lots of alerts - until you get them tuned to only look for things that are relevant to your environment. For instance, you don't want to see alerts on traffic that looks like an attack on an Oracle server if you don't have Oracle in your org. And, an IPS is basically an IDS that can operate your firewall on the fly. They can be as dangerous as combining tequila and handguns, if you're not extra careful. Kurt ________________________________ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
