List:       firewall-wizards
Subject:    Re: [fw-wiz] IDS or Intrusion Prevention Systems
From:       "Paul D. Robertson" <proberts () patriot ! net>
Date:       2002-10-27 15:11:55

On Sun, 27 Oct 2002, Walter Ludwig wrote:

> Hello to all,
>  
> I'm looking for an IDS or Intrusion Prevention System to use in our
> office. I have no idea which ones are good and effective and which ones
> are not. Additionally, I have to write an exam in our school about this

For the record, posts just naming IDS systems won't be approved, posts 
with actually useful content may.

IDS systems are relatively immature, so there's no blanket "good and 
effective" rubber chicken that can be waved over them.  All of them have 
strengths and weaknesses.  Testing IDS products is incredibly difficult to 
do well.  ICSA Labs has just started to test and certify products[1], 
setting up a common testbed with the right mix of legitimate traffic, 
false, but potentially "bad looking" traffic, and the infrastructure to 
do all that takes a lot of time.

> topic. This exam is the last one and therefore very hard. Can you help
> me?

If you have to *write* the exam, I'd suggest looking at Northcutt's books 
on IDS, there's one on IDS in general, and one on writing rules.

> Which products are good and why? Which one do you prefer and recommend

Just like firewalls, which one you choose has more to do with what kind of 
environment you plan on putting it in, and what kind of policy you're 
attempting to enforce with it than "which product is best" because they all 
fit different scenarios differently.  You can't just "Go get the blue one" 
because, like when you buy a vehicle, there are different purposes filled 
with different ones.  Ferraris aren't better than minivans when the goal 
is to take a family of six out to dinner.

You'd probably be much better served spending some significant time 
thinking about what sorts of things might change which IDS you chose, or 
which evaluation criteria might be interesting for different IDS 
deployments, or maybe even back at "what could possibly make one 
deployment different from another?"

> and how easy are they to administrate? Pros and Cons of different
> products? Where can I find additional information? Do you know Okena and
> their products ("StormWatch", ...)? Are they better (Prevention System)
> than common IDSs? When you use an IDS, what additional software are you
> using (File Integrity,...)? What will be the most secure solution?

People have already commented on the "intrusion prevention" buzzword and 
what its utility is in the market, so I won't reiterate that here.

The most secure solution is to have systems that don't have exploitable 
bugs exposed to other systems.  IDS and "intrusion prevention" don't touch 
that piece of the puzzle.

Paul
[1] Disclaimer:  I work for TruSecure, ICSA Labs is an independent 
division, and I've been slightly involved in the IDS testing program.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net      which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards