If you the switch that your firewall plugs into (on the trusted side) can span/mirror the firewall port, that will be just what you want.
Kurt On Fri, Dec 4, 2009 at 13:19, John Aldrich <[email protected]> wrote: > > Thanks, guys… I just might do that. ‘Course I have to find a machine first…. > ‘specially one that can handle the load. I thought I might put it in between > our firewall and the network…… or maybe I’ll find a small hub and put it in > there that way…. > > > > > > From: Andrew S. Baker [mailto:[email protected]] > Sent: Friday, December 04, 2009 3:37 PM > To: NT System Admin Issues > Subject: Re: IDS appliance > > > > +1 > > Get the OSS stuff in there first, and get a handle on what your needs > actually are, then when you find you need something with more features, > you'll be able to articulate and evaluate that more effectively. > > Consider starting with: http://www.untangle.com/ > > ASB (My XeeSM Profile) > Providing Competitive Advantage through Effective IT Leadership > > > > On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]> wrote: > > On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> > wrote: > > > > Guys, I was talking to my boss this morning about how we need an IDS > > appliance to help catch malware as it comes in from the web or as it tries > > to “phone home.” Now up until yesterday I though an IDS was just good for > > catching hackers trying to get through our firewall or something like that. > > I’m not that knowledgeable about this sort of thing. How exactly does an > > IDS appliance work? > > > > > > It depends on the appliance. However, the general theory is that it > watches the bit stream, and sends alerts when it sees suspicious > traffic. Often they also trend traffic and do other spiffy things. > > Before committing to a commercial product, I'd try the free OSS stuff. > > In particular, OSSIM is a very interesting package, though it's more > than just an IDS. It's got an installer that puts Linux on a box and > installs snort, ntop, nagios and a bunch of other software, and wraps > it all up in a pretty web interface. > > I'm trying to find the time (and a spare PC) to dive into it. > > You can install it on one machine (with several NICs), or use it to > install a set of sensors at various points in your network that talk > to a central server that aggregates it. > > The critical things are 1) to get enough box to handle the load, 2) to > place the sensor(s) at points in your network where you're most likely > to see attacks, 3) dial down the alerts so that they fit your > environment. They tend to be really noisy - lots of alerts - until you > get them tuned to only look for things that are relevant to your > environment. For instance, you don't want to see alerts on traffic > that looks like an attack on an Oracle server if you don't have Oracle > in your org. > > And, an IPS is basically an IDS that can operate your firewall on the > fly. They can be as dangerous as combining tequila and handguns, if > you're not extra careful. > > Kurt > > > > > > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 8.5.426 / Virus Database: 270.14.93/2544 - Release Date: 12/04/09 > 07:32:00 > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
