RE: Policy Based IDS/Network traffic Policy-Compliance Monitoring

From: Evans, Arian (aevansfishnetsecurity.com)
Date: Fri Jul 11 2003 - 12:00:08 CDT


-----Original Message-----
From: NidsKid [mailto:mylesgtinet.ie]

> I am looking for information on "Policy Based IDS" configuration where
> you define what is normal and acceptable behaviour for the network
> segments you are protecting

Here are some places to start looking:
http://www.arbornetworks.com
http://www.lancope.com
http://www.mazunetworks.com
http://www.securify.com

-and I'll throw Niksun in here as a *sort of*-
http://www.niksun.com/

> What are the pros and cons of "policy based IDS" over "rule based IDS"

Pros:

* Excellent visualization and mapping of what is *really* going on on
your network
* More focused than NIDS on policy-compliance (a good thing)
* Versatile general network observation tool

Cons:

* really darned expensive
* lack of signature-based detection of actual attacks
* same flaws of any behavior-based IDS: if the attack is part of the
normal flow and behavior of things, you aren't going to see it

(e.g.--here's what these will give you: I don't allow HTTP to this
server from the Internet. HTTP is getting to this server, therefore
I'll investigate. ...and so on... and here's what they don't give you:
I allow HTTP from the Internet to this server, and that's a valid
session, never mind the fact it's filled w/SQL injection or .printer
sploits etc etc)

And yet...at least in the case of Securify, there are some limited
"signature" checks.
I haven't worked with Lancope or Mazu's current software releases.

I am still 50/50 on whether or not the value is there considering the
*cost*. Meaning, I really like these tools, but almost everyone I work
with has so many more things they aren't doing right the money might be
better spent on....
<insert>firewall review/tuning monitoring
<insert>NIDS tuning (or turning them back on)
<insert>correlation between alerts, business value of assets, and
vulnerability posture
<insert>etc</insert>

It's a huge topic and there's far smarter people than I on this list who
can discuss it with you.

Cheers,

Arian J. Evans
Sr. Security Engineer
FishNet Security Piranha Team
Ph: 816.421.6611
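The pro/con Arian describes above (a policy-compliance monitor flags traffic that should not exist on the segment, but passes a permitted HTTP session no matter what it carries, while a signature check does the reverse) is easy to see side by side in code. The following is an added example, not code from the original post or from any of the products listed; the hosts, the policy rules, the flow records and the two crude signatures (a SQL injection probe and a request for the IIS .printer extension the post mentions) are all constructed for illustration.

```python
"""Policy-based vs signature-based detection over constructed flow records."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: str = ""  # first bytes of the session, if a sensor captured them


@dataclass
class Rule:
    src_net: str       # who may talk
    dst: str           # to which host
    dport: int         # on which port
    proto: str = "tcp"


# Constructed policy (assumption): what "normal and acceptable" looks like for
# this segment. Anything not listed is a policy violation, whatever the bytes are.
POLICY = [
    Rule("0.0.0.0/0", "192.0.2.10", 80),    # public web server: HTTP from the Internet is allowed
    Rule("0.0.0.0/0", "192.0.2.10", 443),
    Rule("10.0.0.0/8", "192.0.2.11", 80),   # intranet server: HTTP only from the internal network
    Rule("10.0.0.0/8", "192.0.2.11", 22),
]

# Constructed signatures (assumption): crude content checks for the two attack
# classes named in the post, a SQL injection probe and a .printer ISAPI request.
SIGNATURES = [
    ("sql_injection", re.compile(r"(?i)(%27|')\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select")),
    ("iis_printer", re.compile(r"(?i)^\S+\s+/\S*\.printer\b")),
]


def is_allowed(flow: Flow, policy=POLICY) -> bool:
    """True when some policy rule covers this flow (source net, host, port, proto)."""
    src = ipaddress.ip_address(flow.src)
    for r in policy:
        if (src in ipaddress.ip_network(r.src_net) and flow.dst == r.dst
                and flow.dport == r.dport and flow.proto == r.proto):
            return True
    return False


def policy_violations(flows, policy=POLICY):
    """Policy-based detection: flows that match no rule, regardless of content."""
    return [f for f in flows if not is_allowed(f, policy)]


def signature_hits(flows, signatures=SIGNATURES):
    """Signature-based detection: (flow, signature name) for payloads matching a pattern."""
    hits = []
    for f in flows:
        for name, pattern in signatures:
            if pattern.search(f.payload):
                hits.append((f, name))
    return hits


# Constructed sample flows (assumption), not captured traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 80, "tcp", "GET /index.html HTTP/1.1"),
    # allowed by policy, but the session is a SQL injection probe
    Flow("203.0.113.5", "192.0.2.10", 80, "tcp", "GET /item?id=1' OR 1=1-- HTTP/1.1"),
    # allowed by policy, but the request targets the .printer ISAPI extension
    Flow("203.0.113.7", "192.0.2.10", 80, "tcp", "GET /NULL.printer HTTP/1.0"),
    # Internet host reaching the intranet-only server: policy violation, benign payload
    Flow("198.51.100.9", "192.0.2.11", 80, "tcp", "GET / HTTP/1.1"),
    Flow("10.1.2.3", "192.0.2.11", 22, "tcp", "SSH-2.0-OpenSSH"),
]


if __name__ == "__main__":
    for f in policy_violations(SAMPLE_FLOWS):
        print("POLICY   ", f.src, "->", f.dst, f.dport, "(no rule permits this)")
    for f, name in signature_hits(SAMPLE_FLOWS):
        print("SIGNATURE", name, f.src, "->", f.dst, f.dport, repr(f.payload))
```

Run against the sample flows, the policy check reports only the Internet host reaching the intranet-only server, and says nothing about the two attack requests because they arrive over a session the policy permits; the signature check reports exactly those two and is blind to the policy violation, whose payload is an ordinary GET. Neither list is a subset of the other, which is the point of the post.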
