RE: Re: Intrusion Detection recommendations
These are all excellent tools for a dedicated knowledgeable network security person to use. The most important element being the dedicated knowledgeable network security person.

--p

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jimmy Hess
Sent: Saturday, February 14, 2015 12:57 PM
To: Randy Bush
Cc: North American Network Operators' Group
Subject: [EXTERNAL]Re: Intrusion Detection recommendations

On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush ra...@psg.com wrote:

Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.

By itself, a single install of Snort/Bro is not necessarily a complete IDS, as it cannot inspect the contents of outgoing SSL sessions, so there can still be Javascript/attacks against the browser, or SQL injection attempts encapsulated in the encrypted tunnels; I am not aware of an open source tool to help you with SSH/SSL interception/SSL decryption for implementation of network-based IDS.

You also need a hand-crafted rule for each threat that you want Snort to identify... Most likely this entails making decisions about what commercial ruleset(s) you want to use and then buying the appropriate subscriptions.

> if you were comfortable enough with freebsd to use it as a firewall, you
> can run your traffic through, or mirror it to, a freebsd box running
> https://www.bro.org/ or https://www.snort.org/ two quite reasonable and
> powerful open source systems
>
> randy

--
-JH
RE: Re: Intrusion Detection recommendations
I believe the ASA was first developed as the PIX on Plan 9. The OS that came out of that was originally called Finesse OS, but was later renamed as PIX OS. After Cisco purchased the PIX and renamed it to the ASA, they began using a Linux kernel around PIX OS V8.

--p

-----Original Message-----
From: NANOG [mailto:nanog-bounces+patrick.darden=p66@nanog.org] On Behalf Of Justin M. Streiner
Sent: Saturday, February 14, 2015 3:28 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations

On Fri, 13 Feb 2015, Rich Kulawiec wrote:

> On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
>> I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
>> use a fairly well tested security appliance like Cisco's ASA.
>
> Closed-source software is faith-based security.

The ASA, like so many network/security appliances anymore, runs Linux (or *BSD) under the hood; however, I don't know how old or horribly mangled it is.

jms
RE: Re: Intrusion Detection recommendations
+10

The original SANS DDOS task force, and many others since, have emphasized this. Filter your Outbound! Bogons for obvious reasons, BGP3 to keep routing multipliers, non-internals to keep from being used as an amplifier network, the list goes on. Be a good network neighbor.

--p

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Saturday, February 14, 2015 4:29 PM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations

. . .

This reminds me to bring up a point that can't be stressed enough: it's just as important to block *outbound* traffic as inbound. Ask Anthem. Or Target. Or the ghosts of the Trojans. ;)

. . . .
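The egress policy Patrick and Rich describe (drop outbound traffic whose source is not one of your own prefixes, so you cannot be used as a spoofing amplifier, and drop traffic headed for bogon space), as an added example that is not part of the thread: a small Python checker that evaluates constructed outbound flow records against such a policy before the equivalent rules go into a border filter. The internal prefixes, the bogon table and the flow records are all assumed sample values.

```python
import ipaddress

# Constructed policy (not from the thread): the prefixes this site legitimately
# originates, and a short bogon table for the destination check. A real
# deployment would load a maintained bogon list and its own announced prefixes.
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    """True if addr falls inside any network in nets (version-aware)."""
    return any(addr in n for n in nets)


def check_egress(src, dst, internal=INTERNAL_PREFIXES, bogons=BOGONS):
    """Classify one outbound packet/flow leaving the edge.

    ("drop", "spoofed-source"): source is not ours, so forwarding it would
        make us the origin or relay of spoofed traffic (the amplifier case).
    ("drop", "bogon-destination"): destination can never be legitimately
        reached, so the packet is junk or misconfiguration.
    ("pass", "ok"): permitted by this egress policy.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not _in_any(s, internal):
        return "drop", "spoofed-source"
    if _in_any(d, bogons):
        return "drop", "bogon-destination"
    return "pass", "ok"


# Constructed (src, dst) records, as a border router's flow export might show.
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.20"),   # normal outbound from our prefix
    ("10.3.4.5", "198.51.100.20"),      # RFC 1918 source leaking out
    ("192.0.2.5", "198.51.100.20"),     # source outside our prefixes
    ("203.0.113.9", "192.168.1.1"),     # bogon destination
]


def audit(flows=SAMPLE_FLOWS):
    """Count would-be drops by reason, to size the impact before deploying."""
    counts = {}
    for src, dst in flows:
        verdict, reason = check_egress(src, dst)
        if verdict == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts
```

Running `audit()` over a real flow export before enabling the filter shows how much traffic each rule would drop and which internal hosts are emitting non-internal sources.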