Network Security Focus-IDS

Re: IDS detection approaches

Subject: Re: IDS detection approaches
Date: Sat, 06 Oct 2007 16:54:47 -0400
I would completely go with a signature based IDS. Anomaly based IDS will not
give you the greatest results.

Seems like this conversation just comes up over and over on this list. It's
like a broken record.

Anyway, Defend the above statement. What experience do you have with
anomaly/behavior systems? I suspect not much. At least not with any of the
modern ones such as that from Mazu or Lancope.

Nowadays when you talk about "anomaly IDS" you're talking about
NetFlow-based systems that absolutely smoke sig-based systems on cost vs.
value. If you have 500 sites on an MPLS cloud, you need 500 SPAN/tap/mirror
based probes. Not so with NetFlow-based systems. You need only a flow
collector appliance and a management console. The routers at each of the
sites provide a "virtual probe" of sorts that sends traffic accounting
telemetry back to the centrally located collector. Far cheaper than anything
you'll get out of a sig-based platform.

I recommend sig-based systems at critical areas in the network (datacenter
switch fabrics, Internet ingress/egress points, etc.) and NetFlow technology
everywhere else. Together they make a powerful combination. But simply
saying "Anomaly based IDS will not give you the greatest results" is an
uninformed, dated, and inaccurate view of the way things really are.



On 10/4/07 10:29 PM, "frankfrydrych@gmail.com" <frankfrydrych@gmail.com>
wrote:

Hola,

I would completely go with a signature based IDS. Anomaly based IDS will not
give you the greatest results.

For signature-based I highly recommend SNORT. It is probably one of the best
IDS out there. Now I'm not just saying this as an "ooh, open source is the
best". I truly believe this. I actually used to be a huge Cisco buff and just
dealt with Cisco IDS. However, at my current job I am a security analyst and
have to analyze events from Cisco, IIS, Juniper, etc., and SNORT beats them
all. Mainly for the fact that you are able to see the packet payload and are
able to make the decision if something is malicious based on the actual
payload and not just the signature that is triggered (like some IDS). Also,
when a new threat emerges, SNORT users will usually create a signature to
combat the threat. The other vendors create the signatures for you and it
usually ends up being like 3 months after the threat was actually a realistic
threat. And on top of it the vendor signatures usually give out huge amounts of
false positives. Then again, an IDS is only as good as who tunes it. If you
take ANY IDS and turn it on in a production network you will have so many
false positives I guarantee you will miss actual threats. Every IDS (including
SNORT) has to be tuned for the production network it is on.

Finally, make sure to place the IDS behind the firewall. If you place it in
front of the firewall you will receive so much traffic that it is just not
valuable data. You have a firewall, so let the firewall do its job and block
the already known bad activity, and catch what gets through the firewall with
an IDS.

-FF

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

-- 

Adam  Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam@lancope.com
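Added example, not code from either poster, from Lancope, or from Snort: a small Python sketch of the two detection approaches the thread contrasts, so the trade-off is visible in running code. Everything in it is constructed: the Flow, Packet and Rule classes are my own assumed layouts (Flow is loosely modelled on NetFlow v5 fields, but no wire format is parsed), the flow records, baseline, packets and rules are made-up sample data, and the content matcher is a stand-in for a Snort content rule, not Snort's rule engine. The flow side works only from the accounting telemetry a router would export to a central collector and still catches a SYN sweep and an outbound volume spike; the signature side needs the packet payload a SPAN/tap probe sees, catches a /etc/passwd request that flow accounting cannot, and sees nothing in the sweep's empty payloads. The thresholds (min_ports, max_packets, factor) are the tuning knobs the original post says every IDS needs before it is useful on a production network.

```python
"""Toy flow-based (NetFlow-style) and signature-based detection side by side.

Added example, not from the thread, Lancope, or Snort.  All records below
are constructed; the field layout of Flow is loosely modelled on NetFlow v5
but no wire format is parsed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record as a router would export it (assumed layout)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int


@dataclass(frozen=True)
class Packet:
    """One packet as a SPAN/tap probe sees it: headers plus payload."""
    src: str
    dst: str
    dport: int
    proto: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """Minimal Snort-style content rule (assumed shape, not Snort's rule syntax)."""
    proto: int
    dport: int
    content: bytes
    msg: str


# Constructed telemetry.  10.1.1.20 is an ordinary workstation, 10.1.1.55 pushes
# an unusual volume out to the Internet, and 10.1.1.77 sweeps 40 ports on one
# server with single-packet flows, which is how a SYN scan looks to a router.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.9.0.5", 51000, 443, 6, 12, 5400),
    Flow("10.1.1.20", "10.9.0.8", 51001, 445, 6, 30, 14200),
    Flow("10.1.1.20", "10.9.0.9", 51002, 53, 17, 1, 74),
    Flow("10.1.1.55", "203.0.113.10", 52000, 443, 6, 900, 410000),
] + [Flow("10.1.1.77", "10.9.0.5", 40000 + p, p, 6, 1, 44) for p in range(1, 41)]

# Constructed per-host baseline of outbound octets per collection interval,
# standing in for what a collector learns over time.
BASELINE_OCTETS = {"10.1.1.20": 20000, "10.1.1.55": 5000, "10.1.1.77": 3000}

# Constructed rules and packets for the signature side.
RULES = [
    Rule(6, 80, b"/etc/passwd", "WEB-ATTACKS /etc/passwd access"),
    Rule(6, 80, b"UNION SELECT", "SQL injection attempt"),
]
SAMPLE_PACKETS = [
    Packet("10.1.1.20", "10.9.0.5", 80, 6, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("198.51.100.7", "10.9.0.5", 80, 6, b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.1.1.77", "10.9.0.5", 22, 6, b""),   # one SYN of the sweep: nothing to match
]


def detect_port_scans(flows, min_ports=20, max_packets=2):
    """Flow-only check: sources touching >= min_ports distinct TCP ports on one
    target with tiny flows.  Returns {(src, dst): distinct_port_count}."""
    probes = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= max_packets:
            probes[(f.src, f.dst)].add(f.dport)
    return {pair: len(ports) for pair, ports in probes.items() if len(ports) >= min_ports}


def detect_volume_anomalies(flows, baseline, factor=10):
    """Flow-only check: hosts sending more than factor x their baseline octets.
    A host with no baseline is treated as anomalous on any traffic (design choice)."""
    observed = defaultdict(int)
    for f in flows:
        observed[f.src] += f.octets
    return {h: o for h, o in observed.items() if o > factor * baseline.get(h, 0)}


def match_signatures(packets, rules):
    """Payload check a flow collector cannot do: substring match against each
    packet.  Returns [(src, dst, msg), ...] in packet order."""
    hits = []
    for p in packets:
        for r in rules:
            if p.proto == r.proto and p.dport == r.dport and r.content in p.payload:
                hits.append((p.src, p.dst, r.msg))
    return hits


if __name__ == "__main__":
    print("flow: port sweeps    ", detect_port_scans(SAMPLE_FLOWS))
    print("flow: volume outliers", detect_volume_anomalies(SAMPLE_FLOWS, BASELINE_OCTETS))
    print("sig:  payload matches", match_signatures(SAMPLE_PACKETS, RULES))
```

Run it as a script and the flow checks report the sweep from 10.1.1.77 and the outbound spike from 10.1.1.55 without ever seeing a payload, while the signature check reports only the /etc/passwd request. Raising min_ports above 40 or factor above 82 silences the flow alerts, which is the same tuning exercise as thresholding a noisy Snort rule; the two sides report different things, not the same thing with different confidence, which is the case for running them together.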