[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] intrusion detection - benifits?
That is not an intrusion detection system, it is a traffic logging device. As a suggestion, I would get something like Shadow or Snort (which are free) and slap them up on your network. Then, use this free product to show your management what a real intrusion detection system can do and how it should be used. You would at least have a usable system and you might be able to get your 75K back. Jim Edwards -----Original Message----- From: Pellowski, Tom [mailto:[email protected]] Sent: Wednesday, November 29, 2000 7:37 AM To: 'Frank Darden'; 'Jon Vandiveer'; [email protected] Subject: RE: [FW1] intrusion detection - benifits? Frank: You are correct in your take on the resentment. Here is the reasons) why: 1. I have no choice in the product and after much teeth gnashing it was discovered that this product is the ISS Co. IDS that rides on a Nokia 630. 2. I have no control over it. It gets managed and the reports generated by an external "Security Management Assessment Center" and they decide what gets put in the report and its severity value. Essentially, usurping all security containment of the network I am charged to manage and keep secure. 3. The "SMAC" produces the reports every 30 days...so if we had a scan or attack on the 2nd we wouldn't hear about it till the 31st. 4. I have to open several ports on the wall and the router (I do initial ACLs on the router as well as port blocks and then have the firewall take care of the rest of the policies and management). Not too big a deal...but unnecessary IMHO just so the SMAC can get reports. 5. I loose 75K a year out of my net operations budget for this when I know there are certainly better and cheaper products available. All of this I found out yesterday afternoon...7 hours after I posted my initial question. No matter what I say or do there is no recourse... Anybody know of anyplace that needs a CCNA MCSE+I CCSE/SA with over 8 years of frontline provisioning/install/management experience? Tom -----Original Message----- From: Frank Darden [mailto:[email protected]] Sent: Tuesday, November 28, 2000 18:21 To: 'Jon Vandiveer'; [email protected]; [email protected] Subject: RE: [FW1] intrusion detection - benifits? Importance: High We install a LOT of IDS, and the payback is clear. The customers we have that use and understand IDS suffer a significant number less intrusions, and are painfully aware of many attempts. The IDS we use integrates with CheckPoints SAMP (Suspicious Activity Monitoring Protocol). This allows you to block the script kiddies from further penetration activity. It also makes the job of sploiting a particular box nerve racking at the least.. There are some configuration issues that you might face unless you enlist the help of someone knowledgeable with IDS eg: You need to set up filtering so that an IP spoofing attack doesnt block access to a critical resource.. Think about it. My stance if I were in your place would be not to let a particular IDS be shoved down your throat. You seem rather resentful towards the idea, since it wasnt your idea, I dont blame you. Look for the features such as SAMP, the ability to compose attack signatures, etc.. I would guess if you think this through, and look at it as a positive (Youll be able to mostly see what the hell is going on), and get the features you need you will realize that IDS will make your life easier. Frank -----Original Message----- From: Jon Vandiveer [mailto:[email protected]] Sent: Tuesday, November 28, 2000 5:25 PM To: [email protected]; [email protected] Subject: Re: [FW1] intrusion detection - benifits? Hi Tom, Placing IDS inside of you LAN is a good idea, but ignoring the outside is a particularly BAD idea. It is akin to letting anyone sit out in your frontyard and look for moments of opportunity without any protection. That's why people have security guards and cameras watching the OUTSIDE of their buildings. Of course you always need to balance your need vs. your budget vs. your return on investment. It is really worth it for YOUR company ? Jon Date: Tue, 28 Nov 2000 11:21:13 -0500 From: "Scott Murray" <[email protected]> Subject: Re: [FW1] intrusion detection - benefits? Tom, I personally don't see the real need to have IDS running outside the Firewall, I would have it running INSIDE the Firewall for the overly paranoid folks. It gives you a little more peace of mind. Scott >From: "Pellowski, Tom" <[email protected]> >To: "fw-1-mailinglist@lists. us. checkpoint. com (E-mail)" ><[email protected]> >Subject: [FW1] intrusion detection - benifits? >Date: Tue, 28 Nov 2000 08:45:05 -0500 > > >Greetings: > >I have this question that I would like the community to give me their .02 >worth. > >In an arena running Checkpoint (whatever flavor) is it really worth the >time, expense, and possible network performance compromises to put a >separate intrusion detection appliance online in front of the firewall? > >I understand that there are tons of "well, you could.." but what I am >really >after is "your" opinion. Would you, as the FW admin/engineer, do it. > >Obviously I am looking for some backup here as I am having a intrusion >detection package rammed down my throat, and frankly, I don't want it. But >my only defense at this point is that "is something more to manage". > >Thanks to all in advance!!! > >Tom ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|