Hello,

I appreciate the information, as I myself am also looking into an IDS solution of some sort. I was thinking along the lines of the following:

1. The NIDS would sit between the firewall internal line and our office backbone using a tap that would fail open. I figure this way, if anything breaks the firewall or an attack comes from inside and tries to make an outbound connection, I would know.

I completely agree with you about the attack from inside vs. an attacker from outside. I also completely agree with the HIDS.

I have also thought about an internal machine (not sure of the technical name for it) to act as a live bait box. I believe the theory is that you leave an internal box a little open or un-patched with bogus data on it; this is used to attract the attacker and trigger other bells and whistles.

Michael.

On Mon, 19 Apr 2004 11:27:54 -0400 "John A. Sullivan III" <john.sullivan@xxxxxxxxxxxxx> wrote:
> On Sun, 2004-04-18 at 13:29, IT Clown wrote:
> > Hi
> >
> > What intrusion detection software would you guys
> > recommend? Is psad or portsentry any good?
> <snip>
> I wonder if I might permutate this question slightly. I have spent a
> fair amount of time recently looking at Intrusion Detection Systems and
> came away with a conclusion I did not expect. I would like to share
> that conclusion not to start a flame war but to hold it up to scrutiny
> to see if I am truly out of my mind or whether it makes sense.
>
> I concluded that NIDS can be effective but that they required so much
> upkeep, maintenance and ongoing expertise that I would rather invest my
> time and money in other security measures. There were two primary
> reasons for this conclusion.
>
> 1) Those attempting to perpetrate an intentional, focused attack (as
> opposed to the random "door-knob jiggling" antics of script-kiddies) are
> as likely to attack from the inside as from the outside. In other
> words, if the front door firewall is secure, I would not waste my time
> trying to break through it. I would send forged e-mails that direct
> internal users to a phished site where I would plant a malicious trojan
> or I would find a vulnerable remote user, e.g., one with an insecure
> home wireless access method and do a man-in-the-middle attack. In our
> brave new networked world, I would find a way to attack from the inside
> rather than the outside.
> That makes the placement of NIDS quite a challenge. How many and where
> do I place them? Do I use port mirroring or taps? What are the impacts
> on network capacity and traffic patterns? Do I fail safe or open?
> By the time I build a NIDS environment to protect against external and
> internal attacks, I can have a very complex and very expensive
> architecture - one that may have inflicted more impact on the business
> bottom line than the attacks it may prevent.
>
> 2) As I studied the mechanisms used to evade NIDS and the
> counter-measures used to defeat the evasion attempts, it seemed like a
> constant "cat and mouse" game -- one that required constant vigilance
> and maintenance. I felt like my NIDS would be secure only until the
> next major publication of a new evasion technique.
>
> This does not mean that NIDS cannot work -- just that it takes a lot of
> effort and expertise to make it work well. I felt I would rather make
> the following investment in time and money:
>
> 1) Create a multi-layered security environment with inter and intra
> office access control and encryption and move away from the "hard and
> crunchy outside - soft and chewy inside" perimeter security model. Of
> course, I am quite biased here as making this method affordable is one
> of the driving factors behind the ISCS project I am working on
> (http://iscs.sourceforge.net). If an attacker breaches my outer
> defenses or is attacking from the inside, I want to do my best to
> contain them to a limited area.
>
> 2) Combine regular vulnerability assessments using something like the
> automated features of the fabulous Nessus product
> (http://www.nessus.org) with an automated software management tool to
> close known vulnerabilities as quickly as possible. If an attacker
> manages to break through all my defenses, I want to render them impotent
> and unable to use known exploits against my systems.
>
> 3) Implement even a simple HIDS or integrity checker like tripwire or
> the fully open source Osiris (http://osiris.shmoo.com). If an attacker
> has penetrated all my defenses and succeeded in using some exploit, I
> want to know about it.
>
> This threefold solution is also not simple. But given the return on
> investment of my time and money maintaining NIDS in an ever changing
> security world where an attack is as likely to come from the inside as
> the outside versus maintaining these three combined strategies, I think
> I get more from my investment in the latter.
>
> However, as always, I am suspicious of putting too much faith in my own
> conclusion without significant corroboration. I would be interested in
> others' thoughts, insights and insults -- well, maybe not too many
> insults. Thanks, all - John
> --
> Open Source Development Corporation
> Financially Sustainable open source development
> http://www.opensourcedevelopmentcorp.com

--
Michael Gale
Network Administrator
Utilitran Corporation