I now have a few moments to discuss Security Onion, and why it works well
for many small and mid-sized organizations.
Security Onion is a Linux distro for IDS, NSM, and log management. The
whole thing can be run on a single system or on separate systems, based on the
needs, network and security
, February 14, 2015 12:57 PM
To: Randy Bush
Cc: North American Network Operators' Group
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush ra...@psg.com wrote:
Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
By itself, a single
-
From: NANOG [mailto:nanog-bounces+patrick.darden=p66@nanog.org] On Behalf
Of Justin M. Streiner
Sent: Saturday, February 14, 2015 3:28 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Rich Kulawiec wrote:
On Fri, Feb 13, 2015 at 02:45
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Saturday, February 14, 2015 4:29 PM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
.
.
.
This reminds me to bring up a point that can't be stressed enough:
it's just
a Linux kernel around PIX OS V8.
--p
-Original Message-
From: NANOG [mailto:nanog-bounces+patrick.darden=p66@nanog.org] On Behalf
Of Justin M. Streiner
Sent: Saturday, February 14, 2015 3:28 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
I'm not sure if it's been mentioned, but for a business of your size...check
out SecurityOnion. It's everything you need in one easy package and it's free.
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Andy Ringsmuth
Sent: Friday, February 13, 2015 12:40 PM
: Intrusion Detection recommendations
On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be Javascript/attacks against the browser
On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.
I know this
On Fri, 13 Feb 2015, Rich Kulawiec wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
Thanks for the awesome response, you have valid points. This could be me
trying to simplify things by suggesting something like Cisco ASA, but the
FreeBSD solution will need much more than just a well written ipfw or pf
set of rules. In his scenario, I would also most likely need to setup VPN,
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush ra...@psg.com wrote:
Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be
On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai raf...@gav.ufsc.br wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA.
Or maybe Juniper, Cisco's Ironport, IPSO?
They are all FreeBSD based, big and
On Sat, Feb 14, 2015 at 10:19 AM, Rich Kulawiec r...@gsp.org wrote:
On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD
guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless
Checkout security onion. Its got a pretty nice suite of tools and can run a (or
many) dedicated sensor system and communicate back to a central system.
As for SSL MITM, see the recent nanog thread for a full layer 2 to layer 8
ramifications of that activity.
For ssh mitm, I don't know of any
On Fri, Feb 13, 2015 at 12:43 PM, J. Oquendo joque...@e-fensive.net wrote:
[...]
For the most part
though, this practice of half-baked security will continue,
vendors will make bucketloads of money, consumers of IPS/IDS
devices will still complain how much the product sucks, and
I as a
On Sat, Feb 14, 2015 at 12:04 PM, BPNoC Group bpnoc.li...@gmail.com wrote:
The thing to note about ipfw is that it only provides you with essentially
5-tuple based access lists based on source and destination, as it
functions strictly by looking at packet headers. There's no
ipfw rule you
On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be Javascript/attacks against the browser, or SQL
injection attempts
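The two points made above, that an ipfw-style access list decides purely on packet headers and that a Snort/Bro content signature cannot see into an encrypted SSL/TLS session, can be shown side by side on constructed packets. The following is an added example written for this thread; it is not code from ipfw, Snort, Bro or Security Onion, and `AclRule` and `ContentRule` are simplified Python stand-ins for those tools' rule languages, not their real syntax. The packets, addresses and the opaque bytes standing in for TLS ciphertext are all constructed.

```python
"""Header-only filtering versus payload inspection, on constructed packets.

Added example for this thread, not code from any of the tools named in it.
AclRule stands in for an ipfw-style 5-tuple rule; ContentRule stands in for
a Snort-style content signature. Both are simplified models, not the real
rule languages.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_to_bytes
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # application data exactly as it appears on the wire


@dataclass(frozen=True)
class AclRule:
    """ipfw-style rule: the verdict depends only on the packet headers."""
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def acl_decide(rules: list[AclRule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw; the payload is never consulted."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


@dataclass(frozen=True)
class ContentRule:
    """Snort-style signature: header constraint plus a pattern over the payload."""
    msg: str
    dport: Optional[int]
    pattern: re.Pattern  # compiled bytes regex

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and self.dport != p.dport:
            return False
        # Crude stand-in for HTTP normalisation: percent-decode before matching,
        # so "UNION%20SELECT" and "UNION SELECT" are seen the same way.
        return self.pattern.search(unquote_to_bytes(p.payload)) is not None


def content_alerts(rules: list[ContentRule], p: Packet) -> list[str]:
    return [r.msg for r in rules if r.matches(p)]


# Constructed policy: workstations on 10/8 may reach any HTTP/HTTPS server,
# everything else is dropped.
ACL = [
    AclRule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 80),
    AclRule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    AclRule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

SIGS = [
    ContentRule("SQL injection attempt (UNION SELECT) in request",
                None, re.compile(rb"union\s+select", re.IGNORECASE)),
]

SQLI_REQUEST = (b"GET /items?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\n"
                b"Host: shop.example\r\n\r\n")

# Constructed packets. The TLS one carries a TLS 1.2 application_data record
# header (0x17 0x03 0x03, length 0x0040) followed by 64 opaque bytes that stand
# in for the encrypted request; the sensor cannot see the plaintext.
PACKETS = {
    "http_sqli": Packet("tcp", "10.1.2.3", 50123, "203.0.113.10", 80, SQLI_REQUEST),
    "https_sqli": Packet("tcp", "10.1.2.3", 50124, "203.0.113.10", 443,
                         b"\x17\x03\x03\x00\x40" + bytes(range(0x80, 0xc0))),
    "http_benign": Packet("tcp", "10.1.2.3", 50125, "203.0.113.10", 80,
                          b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "telnet_inbound": Packet("tcp", "198.51.100.7", 4000, "10.1.2.3", 23, b"root\r\n"),
}


def inspect(packets: dict[str, Packet]) -> dict[str, tuple[str, list[str]]]:
    """Return, per packet, the ACL verdict and the content alerts raised."""
    return {name: (acl_decide(ACL, p), content_alerts(SIGS, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (verdict, alerts) in inspect(PACKETS).items():
        print(f"{name:15} acl={verdict:5} alerts={alerts}")
```

Running it shows the split the thread describes: the ACL gives `http_sqli` and `https_sqli` the identical verdict because it never looks past the 5-tuple, and the content signature fires on the plaintext HTTP request but sees nothing in the TLS record, so the same attack over port 443 passes both checks unless something (a TLS-terminating proxy, or the endpoint itself) exposes the plaintext.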
I've been tasked by our company president to learn about, investigate and
recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based.
Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
world. We are
On Fri, 13 Feb 2015, Andy Ringsmuth wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and
recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs,
iPhones, some Mac Mini
On 13/02/15 17:45 +, Mel Beckman wrote:
Unless you need regulatory-grade IDS, your best bet is a Unified Threat
Management (UTM) appliance, essentially any modern enterprise grade firewall
such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS
options for a fee.
On Fri, 13 Feb 2015, Mel Beckman wrote:
Unless you need regulatory-grade IDS, your best bet is a Unified Threat
Management (UTM) appliance, essentially any modern enterprise grade firewall
such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in
IDS/IPS options for a fee.
JO,
IDS to meet PCI or HIPAA requirements is regulatory grade. It meets specific
notification and logging requirements. SNORT-based systems fall into this
category.
-mel beckman
On Feb 13, 2015, at 10:00 AM, J. Oquendo joque...@e-fensive.net wrote:
On Fri, 13 Feb 2015, Mel Beckman
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA. Depending on
the traffic you have on your fiber uplink, you can get a redundant pair of
ASAs running for less than $2,000 in the US. I just find it less
On Fri, 13 Feb 2015, Mel Beckman wrote:
JO,
IDS to meet PCI or HIPAA requirements is regulatory grade. It meets
specific notification and logging requirements. SNORT-based systems fall into
this category.
rambletl;dr (even I don't read what I write)
You failed to see the snark in
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.
On Fri, Feb 13, 2015 at 3:27 PM, Rich Kulawiec r...@gsp.org wrote:
On Fri, Feb
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
---rsk
On Fri, 13 Feb 2015 15:45:30 -0600, Rafael Possamai said:
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.
By the time you
On Fri, 13 Feb 2015, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.
The alternative is to
tl;dr
dc
-mel
On Feb 13, 2015, at 1:13 PM, J. Oquendo joque...@e-fensive.net wrote:
On Fri, 13 Feb 2015, Mel Beckman wrote:
JO,
IDS to meet PCI or HIPAA requirements is regulatory grade. It meets
specific notification and logging requirements. SNORT-based systems fall
into this
Hello Andy,
I believe you are set up very well the way you are in technology. I see you are
surrounded by BSD systems everywhere, on servers, mobile and desktop. And I
suggest you keep running FreeBSD for this new security requirement you have.
We run FreeBSD as an IDS/IPS system on several sites,
Of course it is. You say that like faith is a bad thing.
The illogic of claiming to have no faith in anything is this: it's impractical
to assume the role of quality assurance for everything in your life.
The question is: is your faith reasonable? Ever use an elevator? Faith. Drive a
car? Faith.
On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth a...@newslink.com wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and
recommend an intrusion detection system for our company.
An important thing to realize is that an Intrusion Detection System is
not a
German Shepherd Dogs are wonderful intrusion detection devices. In a lot of
cases they also serve as excellent intrusion prevention devices.
(Must be Friday night)
:-)
---
Theory is when you know everything but nothing works. Practice is when
everything works but no one knows why.