Re: OT: opinions on IDS / IPS solutions

From: bofh
Date: Thursday, February 18, 2010 - 8:56 am

Allow me to speak from another perspective.  It all depends on $$, and the
network you have and how much leverage the security team has.

Usually, the security team does not have as much leverage and needs to play
catch up.

Understand this - no matter which solution you choose,
IDS/IPS/opensource/commercial, *someone* has to dedicate time to watching
the logs and alerts, or you might as well not do it.

When we implemented ours, my IPS guy spent half a year analyzing the
traffic, working with each team to document every single traffic
pattern.  Once that was done, we flipped the switch and turned the monitoring
into prevention mode.

And unless you have a huge security team, I'll take every bit of help I can
take - I used to be against IPS (preferring IDS instead), but after living
with it for 3 years, I'll take IPS to knock off some of the crap.

Just don't get ISS crap.

Also, snort is good, but you must know what you're doing.  Our snort box,
running on an old throw away box, and only capturing/analyzing 10 minutes of
every hour, is giving us *MORE* useful data than half a mil worth of ISS
crap.

And the commercial version, Sourcefire, is even better.  My ex-coworkers at
another place just had a shoot-out of 10G devices, and Sourcefire came out
head and shoulders above everyone else.

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4
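As an added illustration of the workflow bofh describes (baseline the traffic with each team, then act on what falls outside it), not code from this thread: a small Python triage that parses Snort fast-format alerts and splits them into flows already covered by the documented baseline (tuning candidates) and flows nobody documented (for a human to review). The network ranges, rule SIDs and alert lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Snort "alert_fast" layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\](?:\s+\[Classification: (?P<cls>[^\]]+)\])?\s+"
    r"\[Priority: (?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed baseline agreed with each team: (proto, src net, dst net, dst port).
BASELINE = [
    ("TCP", "10.1.0.0/16", "10.2.0.10/32", 443),  # web tier -> API tier
    ("UDP", "10.0.0.0/8", "10.0.0.53/32", 53),    # anything -> internal resolver
]

# Constructed sample alerts (not real traffic), Snort fast format.
SAMPLE_ALERTS = """\
02/18-08:56:01.000001  [**] [1:1000001:1] LOCAL web to api [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.4.7:51000 -> 10.2.0.10:443
02/18-08:56:02.000002  [**] [1:1000001:1] LOCAL web to api [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.4.8:51001 -> 10.2.0.10:443
02/18-08:56:03.000003  [**] [1:1000002:1] LOCAL dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.1.4.7:40000 -> 10.0.0.53:53
02/18-08:56:04.000004  [**] [1:1000003:1] LOCAL ssh from outside segment [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.9:40222 -> 10.2.0.10:22
"""

def parse_fast(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = FAST.match(line)
        if m:
            d = m.groupdict()
            for k in ("gid", "sid", "pri"):
                d[k] = int(d[k])
            d["dport"] = int(d["dport"]) if d["dport"] else None
            out.append(d)
    return out

def in_baseline(alert):
    """True when the alert's flow matches one documented pattern."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    return any(alert["proto"] == proto and src in ipaddress.ip_network(snet)
               and dst in ipaddress.ip_network(dnet) and alert["dport"] == port
               for proto, snet, dnet, port in BASELINE)

def triage(text):
    """Documented flows are counted per rule (threshold/suppress candidates);
    undocumented flows are returned whole so a person actually looks at them."""
    tune, escalate = Counter(), []
    for a in parse_fast(text):
        (tune.__setitem__((a["gid"], a["sid"], a["msg"]), tune[(a["gid"], a["sid"], a["msg"])] + 1)
         if in_baseline(a) else escalate.append(a))
    return tune, escalate
```

The escalation list is the part someone must read every day; the tuning counter tells you which rules are firing on traffic you already agreed is normal.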

Messages in current thread:
OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Wed Feb 17, 8:59 pm)
Re: OT: opinions on IDS / IPS solutions, Johan Beisser, (Wed Feb 17, 9:28 pm)
Re: OT: opinions on IDS / IPS solutions, mehma sarja, (Wed Feb 17, 9:47 pm)
Re: OT: opinions on IDS / IPS solutions, Brad Tilley, (Thu Feb 18, 6:18 am)
Re: OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Thu Feb 18, 7:30 am)
Re: OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Thu Feb 18, 7:54 am)
Re: OT: opinions on IDS / IPS solutions, mehma sarja, (Thu Feb 18, 7:55 am)
Re: OT: opinions on IDS / IPS solutions, Vijay Sankar, (Thu Feb 18, 8:08 am)
Re: OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Thu Feb 18, 8:17 am)
Re: OT: opinions on IDS / IPS solutions, bofh, (Thu Feb 18, 8:56 am)
Re: OT: opinions on IDS / IPS solutions, Laurens Vets, (Thu Feb 18, 9:48 am)
Re: OT: opinions on IDS / IPS solutions, bofh, (Thu Feb 18, 12:59 pm)
Re: OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Thu Feb 18, 3:43 pm)
Re: OT: opinions on IDS / IPS solutions, Rich Kulawiec, (Fri Feb 19, 5:52 am)
Re: OT: opinions on IDS / IPS solutions, Laurens Vets, (Sat Feb 20, 3:31 am)
Re: OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Sun Feb 21, 10:16 am)
Re: OT: opinions on IDS / IPS solutions, Jason Beaudoin, (Mon Feb 22, 9:53 pm)
Re: OT: opinions on IDS / IPS solutions, bofh, (Thu Mar 4, 9:32 pm)