Re: [FW1] intrusion detection - benifits?
Umm, to put it bluntly..... that sucks!

Check out sec-jobs mailing list [email protected]
go to securityfocus.com and check out their links
They also have a PEN-TEST mailing list [email protected]

Jon

----- Original Message -----
From: "Pellowski, Tom" <[email protected]>
To: "'Frank Darden'" <[email protected]>; "'Jon Vandiveer'" <[email protected]>; <[email protected]>
Sent: Wednesday, November 29, 2000 8:37 AM
Subject: RE: [FW1] intrusion detection - benifits?

> Frank:
>
> You are correct in your take on the resentment.
>
> Here is the reason(s) why:
>
> 1. I have no choice in the product and after much teeth gnashing it was
> discovered that this product is the ISS Co. IDS that rides on a Nokia 630.
> 2. I have no control over it. It gets managed and the reports generated by
> an external "Security Management Assessment Center" and they decide what
> gets put in the report and its severity value. Essentially, usurping all
> security containment of the network I am charged to manage and keep secure.
> 3. The "SMAC" produces the reports every 30 days...so if we had a scan or
> attack on the 2nd we wouldn't hear about it till the 31st.
> 4. I have to open several ports on the wall and the router (I do initial
> ACLs on the router as well as port blocks and then have the firewall take
> care of the rest of the policies and management). Not too big a deal...but
> unnecessary IMHO just so the SMAC can get reports.
> 5. I lose 75K a year out of my net operations budget for this when I know
> there are certainly better and cheaper products available.
>
> All of this I found out yesterday afternoon...7 hours after I posted my
> initial question.
>
> No matter what I say or do there is no recourse...
>
> Anybody know of anyplace that needs a CCNA MCSE+I CCSE/SA with over 8 years
> of frontline provisioning/install/management experience?
>
> Tom
>
> -----Original Message-----
> From: Frank Darden [mailto:[email protected]]
> Sent: Tuesday, November 28, 2000 18:21
> To: 'Jon Vandiveer'; [email protected];
> [email protected]
> Subject: RE: [FW1] intrusion detection - benifits?
> Importance: High
>
>
> We install a LOT of IDS, and the payback is clear. The customers we have
> that use and understand IDS suffer a significant number less intrusions, and
> are painfully aware of many attempts. The IDS we use integrates with
> CheckPoint's SAMP (Suspicious Activity Monitoring Protocol). This allows you
> to block the script kiddies from further penetration activity. It also makes
> the job of sploiting a particular box nerve-racking at the least. There are
> some configuration issues that you might face unless you enlist the help of
> someone knowledgeable with IDS, e.g.: You need to set up filtering so that an
> IP spoofing attack doesn't block access to a critical resource. Think about
> it. My stance if I were in your place would be not to let a particular IDS
> be shoved down your throat. You seem rather resentful towards the idea,
> since it wasn't your idea, I don't blame you. Look for the features such as
> SAMP, the ability to compose attack signatures, etc. I would guess if you
> think this through, and look at it as a positive (You'll be able to mostly
> see what the hell is going on), and get the features you need you will
> realize that IDS will make your life easier.
>
> Frank
>
>
> -----Original Message-----
> From: Jon Vandiveer [mailto:[email protected]]
> Sent: Tuesday, November 28, 2000 5:25 PM
> To: [email protected]; [email protected]
> Subject: Re: [FW1] intrusion detection - benifits?
>
>
> Hi Tom,
> Placing IDS inside of your LAN is a good idea, but ignoring the outside is a
> particularly BAD idea.
> It is akin to letting anyone sit out in your front yard and look for moments
> of opportunity without any protection. That's why people have security
> guards and cameras watching the OUTSIDE of their buildings.
>
> Of course you always need to balance your need vs. your budget vs. your
> return on investment.
>
> Is it really worth it for YOUR company?
>
> Jon
>
>
> Date: Tue, 28 Nov 2000 11:21:13 -0500
> From: "Scott Murray" <[email protected]>
> Subject: Re: [FW1] intrusion detection - benefits?
>
> Tom,
>
> I personally don't see the real need to have IDS running outside the
> Firewall, I would have it running INSIDE the Firewall for the overly
> paranoid folks. It gives you a little more peace of mind.
>
> Scott
>
>
> >From: "Pellowski, Tom" <[email protected]>
> >To: "fw-1-mailinglist@lists. us. checkpoint. com (E-mail)"
> ><[email protected]>
> >Subject: [FW1] intrusion detection - benifits?
> >Date: Tue, 28 Nov 2000 08:45:05 -0500
> >
> >
> >Greetings:
> >
> >I have this question that I would like the community to give me their .02
> >worth.
> >
> >In an arena running Checkpoint (whatever flavor) is it really worth the
> >time, expense, and possible network performance compromises to put a
> >separate intrusion detection appliance online in front of the firewall?
> >
> >I understand that there are tons of "well, you could.." but what I am
> >really
> >after is "your" opinion. Would you, as the FW admin/engineer, do it?
> >
> >Obviously I am looking for some backup here as I am having an intrusion
> >detection package rammed down my throat, and frankly, I don't want it. But
> >my only defense at this point is that "it is something more to manage".
> >
> >Thanks to all in advance!!!
> >
> >Tom
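
Added example, not part of the original thread and not the API of SAMP or any IDS product: a sketch of the filtering Frank's message describes, placed in front of automatic blocking so that an alert carrying a forged source address cannot cut off a critical resource. The never-block list, severity threshold, block lifetime, the rule that connectionless traffic is never auto-blocked, and all addresses and alerts are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# All addresses and thresholds below are constructed for illustration.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.53/32",    # e.g. the DNS resolver the site depends on
    "198.51.100.0/28",  # e.g. partner VPN gateways
)]
CONNECTIONLESS = {"udp", "icmp"}  # source address is trivially forged
MIN_BLOCK_SEVERITY = 4
MAX_BLOCK_SECONDS = 900           # blocks expire instead of accumulating

@dataclass
class Alert:
    src: str
    proto: str
    signature: str
    severity: int  # 1 (low) to 5 (high)

def decide(alert, now, active):
    """Return (action, reason); `active` maps source IP -> block expiry time."""
    addr = ipaddress.ip_address(alert.src)
    for net in NEVER_BLOCK:
        if addr in net:
            return ("alert_only", f"source is in protected network {net}")
    if alert.proto in CONNECTIONLESS:
        return ("alert_only", "connectionless protocol, source may be forged")
    if alert.severity < MIN_BLOCK_SEVERITY:
        return ("alert_only", "severity below blocking threshold")
    if active.get(alert.src, 0) > now:
        return ("already_blocked", "existing block has not expired")
    active[alert.src] = now + MAX_BLOCK_SECONDS
    return ("block", f"timed block for {MAX_BLOCK_SECONDS}s")

SAMPLE_ALERTS = [  # constructed alerts, not real log data
    Alert("203.0.113.9", "tcp", "web-cgi-probe", 4),
    Alert("192.0.2.53", "tcp", "port-scan", 5),
    Alert("203.0.113.77", "udp", "snmp-sweep", 5),
    Alert("203.0.113.9", "tcp", "web-cgi-probe", 4),
    Alert("203.0.113.40", "tcp", "banner-grab", 2),
]

def run(alerts, now=1000):
    """Apply decide() to each alert in order; return (actions, active blocks)."""
    active = {}
    return [decide(a, now, active)[0] for a in alerts], active

if __name__ == "__main__":
    for alert, action in zip(SAMPLE_ALERTS, run(SAMPLE_ALERTS)[0]):
        print(f"{alert.src:15} {alert.signature:14} -> {action}")
```

The second sample alert claims to come from the protected resolver and is only reported, which is the case the message warns about.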