
RE: [FW1] intrusion detection - benifits?



You missed the point.

Snort and Shadow can be installed for free and be used to demonstrate how
intrusion detection is supposed to work.  At the very least, they can be
used to do some of the things that his other system doesn't do.

Another thing to keep in mind.  Just because something is popular, doesn't
mean it is better than something that is free.  100,000 people CAN be wrong
(been to Florida lately?)

Jim

-----Original Message-----
From: Scott Schindler [mailto:[email protected]]
Sent: Wednesday, November 29, 2000 11:53 AM
To: James Edwards; 'Pellowski, Tom'; 'Frank Darden'; 'Jon Vandiveer';
[email protected]
Subject: Re: [FW1] intrusion detection - benifits?


And when you get attacked and Snort doesn't handle what happened (even if
none of the other ones would have either), or doesn't auto update your
firewall, and someone steals your new OS or bank account numbers, you can
explain to the board members why you use a free product and explain about
lack of standards or lack of support and lack of updates and etc. etc. etc.

Snort works.  Politics suck.  Reality can come crashing down.  No one ever
gets fired for choosing the industry leader.  Welcome to Microsoft, Check
Point, Real Secure, etc.

This isn't everyone.  Just the ones that make the billions of dollars and
are traded on Nasdaq.  The rest can continue to use Snort, which is probably
the most flexible product, once you've mastered UNIX and the learning curve.

----- Original Message -----
From: "James Edwards" <[email protected]>
To: "'Pellowski, Tom'" <[email protected]>; "'Frank Darden'"
<[email protected]>; "'Jon Vandiveer'" <[email protected]>;
<[email protected]>
Sent: Wednesday, November 29, 2000 11:21 AM
Subject: RE: [FW1] intrusion detection - benifits?


>
> That is not an intrusion detection system, it is a traffic logging
> device.
>
> As a suggestion, I would get something like Shadow or Snort (which are
> free) and slap them up on your network.  Then, use this free product to
> show your management what a real intrusion detection system can do and
> how it should be used.  You would at least have a usable system and you
> might be able to get your 75K back.
>
> Jim Edwards
>
> -----Original Message-----
> From: Pellowski, Tom [mailto:[email protected]]
> Sent: Wednesday, November 29, 2000 7:37 AM
> To: 'Frank Darden'; 'Jon Vandiveer';
> [email protected]
> Subject: RE: [FW1] intrusion detection - benifits?
>
>
>
> Frank:
>
> You are correct in your take on the resentment.
>
> Here is the reason(s) why:
>
> 1. I have no choice in the product and after much teeth gnashing it was
> discovered that this product is the ISS Co. IDS that rides on a Nokia 630.
> 2. I have no control over it. It gets managed and the reports generated by
> an external "Security Management Assessment Center" and they decide what
> gets put in the report and its severity value. Essentially, usurping all
> security containment of the network I am charged to manage and keep secure.
> 3. The "SMAC" produces the reports every 30 days...so if we had a scan or
> attack on the 2nd we wouldn't hear about it till the 31st.
> 4. I have to open several ports on the wall and the router (I do initial
> ACLs on the router as well as port blocks and then have the firewall take
> care of the rest of the policies and management). Not too big a deal...but
> unnecessary IMHO just so the SMAC can get reports.
> 5. I lose 75K a year out of my net operations budget for this when I know
> there are certainly better and cheaper products available.
>
> All of this I found out yesterday afternoon...7 hours after I posted my
> initial question.
>
> No matter what I say or do there is no recourse...
>
> Anybody know of anyplace that needs a CCNA MCSE+I CCSE/SA with over 8
> years of frontline provisioning/install/management experience?
>
> Tom
>
> -----Original Message-----
> From: Frank Darden [mailto:[email protected]]
> Sent: Tuesday, November 28, 2000 18:21
> To: 'Jon Vandiveer'; [email protected];
> [email protected]
> Subject: RE: [FW1] intrusion detection - benifits?
> Importance: High
>
>
> We install a LOT of IDS, and the payback is clear. The customers we have
> that use and understand IDS suffer a significant number less intrusions,
> and are painfully aware of many attempts. The IDS we use integrates with
> CheckPoint's SAMP (Suspicious Activity Monitoring Protocol). This allows
> you to block the script kiddies from further penetration activity. It also
> makes the job of sploiting a particular box nerve racking at the least..
> There are some configuration issues that you might face unless you enlist
> the help of someone knowledgeable with IDS, e.g.: You need to set up
> filtering so that an IP spoofing attack doesn't block access to a critical
> resource.. Think about it. My stance if I were in your place would be not
> to let a particular IDS be shoved down your throat. You seem rather
> resentful towards the idea, since it wasn't your idea, I don't blame you.
> Look for the features such as SAMP, the ability to compose attack
> signatures, etc.. I would guess if you think this through, and look at it
> as a positive (You'll be able to mostly see what the hell is going on),
> and get the features you need you will realize that IDS will make your
> life easier.
>
> Frank
>
>
> -----Original Message-----
> From: Jon Vandiveer [mailto:[email protected]]
> Sent: Tuesday, November 28, 2000 5:25 PM
> To: [email protected]; [email protected]
> Subject: Re: [FW1] intrusion detection - benifits?
>
>
> Hi Tom,
> Placing IDS inside of your LAN is a good idea, but ignoring the outside
> is a particularly BAD idea.
> It is akin to letting anyone sit out in your front yard and look for
> moments of opportunity without any protection. That's why people have
> security guards and cameras watching the OUTSIDE of their buildings.
>
> Of course you always need to balance your need vs. your budget vs. your
> return on investment.
>
> It is really worth it for YOUR company?
>
> Jon
>
>
> Date: Tue, 28 Nov 2000 11:21:13 -0500
> From: "Scott Murray" <[email protected]>
> Subject: Re: [FW1] intrusion detection - benefits?
>
> Tom,
>
> I personally don't see the real need to have IDS running outside the
> Firewall, I would have it running INSIDE the Firewall for the overly
> paranoid folks.  It gives you a little more peace of mind.
>
> Scott
>
>
> >From: "Pellowski, Tom" <[email protected]>
> >To: "fw-1-mailinglist@lists. us. checkpoint. com (E-mail)"
> ><[email protected]>
> >Subject: [FW1] intrusion detection - benifits?
> >Date: Tue, 28 Nov 2000 08:45:05 -0500
> >
> >
> >Greetings:
> >
> >I have this question that I would like the community to give me their
> >.02 worth.
> >
> >In an arena running Checkpoint (whatever flavor) is it really worth the
> >time, expense, and possible network performance compromises to put a
> >separate intrusion detection appliance online in front of the firewall?
> >
> >I understand that there are tons of "well, you could.." but what I am
> >really after is "your" opinion. Would you, as the FW admin/engineer, do it.
> >
> >Obviously I am looking for some backup here as I am having an intrusion
> >detection package rammed down my throat, and frankly, I don't want it.
> >But my only defense at this point is that "is something more to manage".
> >
> >Thanks to all in advance!!!
> >
> >Tom
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>

   All contents © 2004 Network Presence, LLC. All rights reserved.