IDS IPS - they exist but who really uses them ?

[3w`Sparky]

I have had some Exposure to IDS with the Cisco Product, where I work we have a network of 5000+ Desktops + all the other crap that is on there. and we tried to use the Cisco IDS but to be honest is was crap maybe the setup wasn't perfection but unless you were going to sit there allday watching it whats the point.

We Tried another Product and then it was Bought out by Cisco (MARS) but it's CPU is up at 100% all the time it's capturing data.

we gave up with all that so the network then became un-monitored !

recently we paid a 3rd party to do the monitoring 2K a month and they tell us what "happen`ED" last month, also not ideal but atleast we have a log of it now. (think - think they use snort)

anybody had better luck / What do you use / are you lightly to be caught hacking with the current Products ?

[pheonixace7]

I have wondered that myself. We have a much smaller IT department. We only have 300ish computers and 14 servers, but there are also a grand total of 2 of us in the department (and the other guy does management type stuff 70% of the time and not IT stuff). While a network of that size isn't impossible to monitor it certainly takes a lot of time. I'd love to hear if there are any "easier ways" of monitoring that.

[ansichild]

Where I work, we run SNORT, but I swear it's voodoo magic. Sometimes it works, sometimes it doesn't. I would love to know more about it, but the online docs I've read are just not that engaging. I've tried binary mode logging, all that crap.

I'd say it has about a 35% accuracy monitoring on my 100mbit connection. It'll catch things if they're repeated, but if they only hit once, it's usually a no-go.

And it's noisy, I have to shut off about 50% of its detection rules just to make it worth running. False positives up the wazoo.

[puredistortion]

With SNORT you really need to maintain it and do alot of tuning to make it a worth while tool. Once you have done this it is a great tool to use. Though I recommend that you set it to only drop the obvious and then log the rest for inspection,

Using tools in conjunction with SNORT such as acid or base will make handling the output from SNORT a lot easier.

ACID: http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html

BASE: http://base.secureideas.net/about.php

I use the IDS tools in Astaro Security gateways in alot of deployments as in the SME space this is the only way to get these tools in place. Though this will only catch data that is passing through the interfaces of the appliance.

[Jason Cooper]

I once had a call from the group responsible for keeping our networks secure saying that their snort had picked up some odd behavior from our subnet with one of our servers looking like it was running a ssh connection on port 80. Turns out that the web service running on that machine had handed out a sessionID which had an exact match for their signature for a ssh connection and so their IDS thought that webserver was running ssh on port 80. Took me ages of looking through logs to figure out what had happened to trigger the IDS.

[Darcon]

I was looking into something like this as well. I'm looking to monitor network traffic, but being new to this kind of thing, I've been playing with numerous things, like Snort and a few various Linux Firewalls like Endian and Entangle with inline monitoring.

I would really love to see some additional material on how some of this stuff is set up, since some of the documentation I've read just is not clear enough.

[puredistortion]

Another thing is use a span port on your switch. This takes the IDS out of the loop. It also allows you to tune what traffic hit your IDS.

[barry99705]

Another thing is use a span port on your switch. This takes the IDS out of the loop. It also allows you to tune what traffic hit your IDS.

Span ports are cool, but can get overrun (you'll lose stuff) with a lot of traffic on the network.

[Dragon X]

I'm using a Cisco MARS at my current job in a comparably sized environment to the original poster. It is just O.K. nothing phenominal. Has anyone here had any experience with OSSIM the open source IDS.

[techtronic]

alot of business's use them, its a must if your concerned about the security of your network,

[Dragon X]

Let me rephrase my previous statement. The idea of an IDS is great. Actually managing one is not. I use a Cisco MARS with the latest version software on it, and with hundreds of infrastructure pieces reporting to it, we tend to get a ton of false positives. Much of this is due to the fact that prior to my arrival at this place two years ago, the idea of a tiered/structured network was something very foreign. I really think that a lot of networks are not what I would call IDS ready. Well all it takes is for a CIO to see a commercial or something on television extolling the virtues of an IDS and the next thing you know you will be stuck trying to fit it into a less than perfect environment.

If I were in control I'd make sure that I had a few things in place first before attempting to setup an IDS.

1) Proper Segmentation - Make sure your users and servers/services are separated in a logical fashion.

2) Proper Perimeter - Have a well defined network perimeter. It is a lot easier to detect an intrusion if you know your exposure points (Sun Tzu as applied to networking :D).

3) Define Your Core - Plan out the layers of access control. Know what you will be blocking where and stick to best practices. ( i.e. it is never ok to have 16 switches daisy chained )

Having a good foundation is key for network/business agility. My directors were taken in by the promises of the MARS system, but they failed to realize that not all opportunities can be taken advantage of without proper preparation. So some of my "meh" attitude about it is mainly due to the fact that we should have focused on the basics first, that way we would be getting more out of the system now.

[3w`Sparky]

we have been paying a 3rd party 3k a month for reporting to us the " alerts " that they see and at the same time tuning the reports to remove false positives, the thing is , 36k could pay an additional member of staff who could have a sole purpose of auditing this system and reporting on findings that need correcting, ie old samba shares or alike, granted after 12 months they might be sent off to the loony bin.

also currently the reports that are received are just archived as no one has the time or skill to cope with the shear amount the reports produce.

the total cost of ownership is massive, don't be fooled with a "just plug it in" salesman !