Any IDS Recommendations?

Discussion in 'Server Networking' started by The Poster, Jul 13, 2005.

  1. The Poster

    The Poster Guest

    G/Day Forum,

    I currently in the process of evaluating a number of IDS solutions. This IDS
    system will sit between an edge router (configured with ingress/egress
    filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    only got a 2mb leased line to our ISP..

    Whats important to us:
    - ease of configuration and ongoing management
    - cost effectiveness
    - suitability to Industry (Financial)
    - logging ability/high quality reports/audit trail

    The products I'm currently looking at are:
    - Tipping Point 50
    - Cisco IDS 4215

    Any ideas, opinions, guidance?

    The Poster, Jul 13, 2005
    1. Advertisements

  2. The Poster

    S. Pidgorny Guest

    Hi there,

    I recommend Snort. The open source solution is used in at least one of
    Australian Big 5 banks. Alternatively, you can use SourceFire - they add
    nice management interface, "supportability" and price tag.

    Implementing NIDS in front of the external firewal - bad idea. You will have
    a lot of rubbish and chances are that you'll miss something important. DMZ
    is a different matter - port scan has to raise a legitimate alarm in there.
    On the corporate network implement your NIDS too, you must.
    S. Pidgorny, Jul 13, 2005
    1. Advertisements

  3. The Poster

    Mercury Guest

    Please ignore this if your site is not a High Security site.

    If you are using SSL, then where is the End Point? IE where is the encrypted
    traffic decrypted?

    I would expect your auditors to have a hissy fit if the SSL traffic were
    dencrypted anywhere sniffable, snortable or IDS'able as that could lead to
    identity theft.

    For a high security site, logging SSL traffic is pointless, logging source
    ip, port, time is more useful. Logging decrypted SSL traffic is an outright

    I am happy to be corrected if needs be.
    Mercury, Jul 13, 2005
  4. From: "The Poster" <[email protected]>

    | G/Day Forum,
    | I currently in the process of evaluating a number of IDS solutions. This IDS
    | system will sit between an edge router (configured with ingress/egress
    | filtering) and a Cisco Firewall. Our throughput requirement is low, as we've
    | only got a 2mb leased line to our ISP..
    | Whats important to us:
    | - ease of configuration and ongoing management
    | - cost effectiveness
    | - suitability to Industry (Financial)
    | - logging ability/high quality reports/audit trail
    | The products I'm currently looking at are:
    | - Tipping Point 50
    | - Cisco IDS 4215
    | Any ideas, opinions, guidance?
    | Regards,
    | Steve.

    Fortress Tecnolgies

    Internet Security Systems
    David H. Lipman, Jul 13, 2005
  5. The Poster

    The Poster Guest

    Thanks Simon for the advice.

    Vendors recommend that the first IDS be placed in front of the edge router
    (I think I might have read that in a Cisco Safe white paper) - I've taken
    this a step further in placing it between the packet filtering router and
    the firewall. As I mentioned in my earlier post that we are running a Cisco
    based firewall (PIX) - which as I'm sure you are aware of, doesn't provide
    much in the way (bar the IDS rule and a few common signatures) of IDS
    features. I do appreciate that alot of 'trash' will be reported, and most
    of that trash will be SSL/IPSec traffic - but thats the hit I'm prepared to

    Snort - do you think its easy to configure? I don't. From the research that
    I've done to date Tipping Point seem to have the spot light on them, and are
    selling it on the basis that its easy to install and configure, and doesn't
    involve constant monitoring.

    The Poster, Jul 13, 2005
  6. Honestly, NIDS is nothing more than a waste of time and money IMO.

    Put HIDS on high value servers and workstations or other devices. Hackers
    don't want to "0wn" the network; they use it like dial tone to get to where
    they are really going, which is the host where data resides. The only
    exception to this is DDoS attacks, which aren't going to be prevented by
    NIDS in any event.

    Focus effort on the points where attackers want to get to, and less on the
    roads they use to get there with. If you operate from the worst assumption
    (i.e., they are already inside the network) then they will be using
    "trusted" paths to communicate with the intended targets. Most
    organizations do not monitor internal traffic going to other internal
    destination sets as they do the "perimeter" or remote access paths.

    You can spend the rest of your life trying to figure out what "normal" is on
    the network or especially the Internet; you darn sure ought to know what
    normal is on hosts that you manage though, and that battle can actually be
    won by the sysadmin. It's also higher-yield in that you have more
    information to conduct forensic analysis, etc.
    Steve Clark [MSFT], Jul 13, 2005
  7. NIDS is a tool that gives you something you can't easily get otherwise.
    It's grep for the network. It's true that some organizations probably waste
    too much effort on IDS. But how much time you put into IDS is entirely up
    to you. You can automate a lot of it if you want.

    NIDS [that aren't NIPS] are just as much a waste of time IMHO. The network
    portion is the most useful part of them, but it's easier and more cost
    effective to do that same network monitoring with a NIDS. Detecting file
    changes is useful, but is only a part of some NIDS, and is arguably better
    done with a file change checker like Languard SIM, Osiris, etc.
    There really aren't too many robust commercial file change checker solutions
    IMHO, except maybe Tripwire for Windows, which I understand is pricey. The
    main other thing most HIDS do is monitor the windows event log, but 1) you
    can do that with any number of other non-IDS products, 2) most HIDS are
    configured by default to give you way too many false alarms in the windows
    event logs, and 3) few NIDS I'm aware of give you an easy way to configure
    these events, you have to go back into Windows to manage this stuff.

    To the OP: A lot of people are running away from ISS due to their
    historically high prices and bad support in the past. Their prices may have
    changed with their new line, I don't know. Their products in the past have
    not been so easy to configure if you have a lot of devices, but OK if you
    have just one or two. A problem for me is that their signatures are closed
    source, which would be useful information to know when trying to tell false
    alarms from real events. Dragon is a popular and inexpensive IDS solution that is
    somewhat similar to Snort, but is probably easier to configure. has some attractive inexpensive low end devices that I
    understand have IDS, IPS, bandwidth shaping and monitoring, and a whole
    bunch of other features. Their low end devices have all the exact same
    features as their high end enterprise devices.

    The tipping point IDS / IPS and cisco devices you mention are other popular
    Karl Levinson, mvp, Jul 14, 2005
  8. The Poster

    S. Pidgorny Guest


    You've received some good replies so far.

    Rule #1: always challenge the vendors' recommendation. In my opinion, even
    behind the filtering router, NIDS i next to useless. It's hard enough to
    make sense of NIDS in DMZ and on corporate WAN.

    Secondly: regarless of your chosen products, it's the people who'll be
    monitoring and supporting the solution in production. If you don't have
    dedicated team that knows the product and how to make changes and deploy new
    sensors quickly - you better don't invest. Without the right process,
    auditors won't approve your NIDS.

    And you have the right people, they don't necessarily need fancy GUI to get
    started with Snort. You'll have a solution at the right cost for NIDS -
    $0.00 per monitored IP address.

    One thing is really important: have your testing criteria defined, and do
    testing. Yes, you'll need traffic generators and all that, but some due
    diligence saves time, money and nerves to the project team
    S. Pidgorny, Jul 14, 2005
  9. Ease of use is relative, but in this category your first requirement is to
    get an appliance-based IDS/IPS solution.

    This rules stuff out like Snort. Snort is one of the best IDS solutions by
    the way because it is highly configurable and very fast.

    SourceFire is the commercial company that the founder of Snort started. It
    is an appliance solution with a Web GUI that you manage. You do not have to
    install Linux or compile anything to get it working, it comes out of the box
    ready with an OS and Snort running, and you simply configure and manage it
    with your Browser.

    Also, with any signature based IDS, there is a learning curve and then there
    is another process which will require all admins to update and make specific
    judgements on which signatures to use or create based on their environment.

    You can simply install an IDS and not touch it. It will become out of date.
    Consider IDS like Antivirus, without the latest definition file, A/V is

    If you want to get closer to a set it and forget it type of intrusion
    detection solution, I would also consider an anomaly/behavior-based solution
    such as Lancope, Tipping Point, and McAfee. I've seen implementations that
    have been profiled and left alone for a while, but still detecting odd
    network conditions and flagging that the links needs to be monitored.

    The IDS/IPS market is commodity right now, so what ever you choose from the
    vendors I pointed out above you should be good to go. Just know that you
    need to manage these systems or else they're useless.
    Phil Agcaoili, Jul 14, 2005
  10. The Poster

    The Poster Guest

    Some good posts indeed Simon.

    I agree with you in every point. I forgot to mention that the primary reason
    I'm installing the IDS is for compliancy with the PCI Data Security Standard

    Its a simple scenario - if we don't have an IDS on our network generating
    'traffic' and 'trash' stats - then we fail the compliancy audit. I argued
    with the auditors re. the 'best' location for the device, they were
    recommending I put it in my 'secure area' (a DMZ area where traffic and data
    is encrypted). And my argument was that this was useless - an IDS sniffing
    encrypted packets? A complete waste of Dollars or Euros in my case.......

    The Poster, Jul 15, 2005
  11. The Poster

    The Poster Guest

    Excellent advise Phil...... I like the idea of Snort running on a 'plug and
    play' device - off which I'm going to investigate further.

    3Com have agreed to lend me a Tipping Point 50 system for a few weeks
    trial - a nice gesture. It proves that theye've got confidence in there
    product and are quite willing to lend it to me on a trial basis. Now all I
    need is some traffic generating software... :)

    Out of interest - have you come across any of the devices you mentioned in
    PCI (Visa/MasterCard Credit Card Security Standard) based environments?
    Where topology wise were they placed?


    I do agree with you point (and Simons previous post) - that if you don't
    maintain an IDS, then its worthless/useless and a complete waste of money.
    The Poster, Jul 15, 2005
  12. The Poster

    The Poster Guest

    Hi Karl,

    Thanks for your reply.

    Funny you mention Tripwire, its a product we intend rolling out in parallel
    with our NIDS. So far I'm leaning towards the Tipping Point solution - and
    3Com have agreed to give me one on trial for a few weeks.

    Any thoughts re' best location for my NIDS?


    The Poster, Jul 15, 2005
  13. It's true that as others have suggested, behind your firewall(s) is a
    popular location, as well as in DMZs and near valuable infrastructure
    targets are popular locations. This permits the IDS to detect and alert you
    when your defenses such as firewall have been breached. Internal Windows
    networks of workstations and servers are chatty and can cause a fair number
    of false alarms, but monitoring these can still be beneficial and the false
    alarms can be managed in a variety of ways. Your network architecture may
    define where you can and should place IDS, because if you only have one IDS,
    you probably want to place it in a location where it will be able to see the
    most network traffic. Naturally your IDS won't see traffic that doesn't
    traverse past its interfaces.

    Tipping point is also an IPS, which changes things like potential placement
    if you choose to use this functionality. Inline IPS in general is more like
    a firewall IMHO in that it can only monitor and protect one or a few network
    segments, whereas IDS can generally be used to span and monitor more
    networks. If you choose to use the device as an IPS, it might require the
    purchase of more devices to monitor the same percentage of your network.

    Karl Levinson, mvp, Jul 15, 2005
  14. The Poster

    S. Pidgorny Guest


    For audit compliance, you must have:

    * IDS in place
    * Procedures to manage IDS riles (signatures and heuristics)
    * Procedures to manage alerts - that is, your Emergency Response
    * Reports done regularly
    * Testing of the IDS/Emergency response done
    * (depending on the auditors' paranoia level) - plan to cover all corporate
    network with IDS sensors

    I see you have managed to convince the auditors that DMZ isn't the best
    place to install the sensors because all traffic there is encrypted. However
    I might suggest that this creates and excellent opportunity to come up with
    tight IDS rule set: everything that is not on the list of (encrypted)
    protocols is potential security breach. And seriously consider internal
    network: first of all, NIDS will generate a lot of interesting information -
    like curious grads that believe they're [email protected] and stuff like that. Secndly,
    the next IT security audit will require that anyway.

    And please - call me Slavko, or Slav. Simon is too Die Hard-ish for me.
    S. Pidgorny, Jul 16, 2005
  15. The Poster

    Jeff Cochran Guest

    First, you won't go wrong with a Tipping Point or Cisco solution. You
    may overpay, you may not get the best results, but you'll meet your
    compliance needs. I'll leave out that I think most of the compliance
    rules are for covering some collective butts and not real security.

    Also, I've found that most IDS vendors will lend you a box to try. So
    try them all. I happen to also prefer Snort, and a SourceFire box
    goes a long way toward making management feel better. You might also
    look at a managed IDS though, offload both the workload and the
    responsibility to someone else.

    Now, here's what I've found critical about choosing an IDS:

    Pretty much, they all work. Some have features that make them better
    for a specfic set of requirements, but any decent one does fine if
    properly managed and maintained. So it comes down to which solution
    fits your organization and your comfort level as much as anything
    else. Pick the one that "feels" right and make sure you stay current
    with it.

    Jeff Cochran, Jul 16, 2005
  16. The Poster

    Jeff Cochran Guest

    But a counter to that is if this is for the compliance portion of
    Visa/MC, this makes it a perfect choice. You don't want to monitor
    the entire network, just the critical portions. That dramatically
    cuts the background noise from your analysis. And I'd venture a guess
    that the biggest problem with IDS, whether NIDS, IPS, NIPS or
    whatever, is getting the ciritcal information out of the total
    overload most of these options generate.

    But again, this does depend a lot on your network architecture. You
    may even find it advantageous to change some your architecture to
    manage this even better.


    Jeff Cochran, Jul 16, 2005
  17. I have been very very unsatisifed with outsourcing IDS to someone else.
    Most of them seem to really skimp on getting skilled workers [and
    admittedly, it seems like you're almost never going to be able to get
    someone with solid IDS experience on the second and third shifts], and I
    question how most firms configure and monitor the IDS or whether the
    configuration is adequately customized to your individual network. But I
    suppose if you don't have the time and skill to do IDS, you've got little
    Karl Levinson, mvp, Jul 16, 2005
  18. Note that internal networks can be as challenging to monitor and give as
    many false alarms as putting sensors outside your firewall.

    And encrypted traffic does not necessarily have to be impossible to monitor.
    There are solutions that will let you unencrypt and monitor encrypted
    traffic, if you feel it is in your best interest to do so.
    Karl Levinson, mvp, Jul 16, 2005
  19. Checkpoint RLZ.
    André Fagundes, Jul 18, 2005
  20. The Poster

    S. Pidgorny Guest

    Checkpoint what? :)
    S. Pidgorny, Jul 20, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.