Solved

Intrusion Detection

Posted on 2010-08-15
18
540 Views
Last Modified: 2013-11-29
What is the best way to add an IDS/IPS system to your network? Is it best to do this via an existing firewall, or to use an open source system like Snort?

Thanks
Question by:Jack_son_
18 Comments
 
LVL 8

Expert Comment

by:bpinning
ID: 33442729
Hey,

I used http://www.securecomputing.net.au/Review/90967,idsips.aspx
Added as a new device replacing the old setup.

However, Snort would be a better or cheaper option, and there is less disruption to your physical network setup.
 
LVL 10

Expert Comment

by:ujitnos
ID: 33443472
IDS will not disrupt the live network, as you will be doing port mirroring. For an IPS setup you will have a small disruption of a couple of minutes, as you will need to divert traffic via the device. I have set up ISS SiteProtector; it's a bit expensive but a very good solution.
 
LVL 9

Expert Comment

by:Barry Gill
ID: 33443952
It depends what you want to do, what your budget is and what your appetite for risk is.

The best is to buy a device that works as part of your firewall, as it will then also be aware of port scans from IP addresses; it will have access to connections etc. to be able to make decisions on these things.

I have had great success with FortiGate firewalls for this, but you need to know why you want to do this.

Snort is a fantastic tool, but it is a standalone tool, so if all you want is traffic to be analyzed, then port forwarding and a tool like Snort will be fine.

If you want IPS to be proactive, then it needs to be integrated into your firewall.
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 33448094
Hi,

A hardware-based IDS is always better than a software-based IDS. You need to look at TippingPoint or Juniper-based IDS.

 
LVL 2

Expert Comment

by:CodeC6
ID: 33455726
Depends on your network. Setting up Snort IDS would be quite easy, but then you'd need to invest in a SIEM or SEM to manage it, which can be costly. The amount of traffic you do would determine whether you need to invest in a pricier solution. Snort should be sniffing the traffic from your border routers. You can have a firewall in front of them (which I would recommend).
I've experienced some issues with a flaw in TippingPoint that can cause a DoS situation, which I do not believe they ever fixed, but then in order for you to encounter it you'd have to push quite a bit of bandwidth. Other than that, it works fine.
I use Snort coupled with a couple of products: RSA's enVision, and a product now owned by Tripwire called Enterprise (it was one called Activeworx).
 
LVL 3

Expert Comment

by:acmeoil
ID: 33517866
I specialize in IDS and forensics, and I have to disagree with some of the posts here that state that it will not affect your network. First of all, if you do a port mirror incorrectly you can greatly affect your network with packet storms and saturation issues. Also, many of the new "IDS" do what is called "active-passive" monitoring, where it is not quite a true IPS but does do some things like work with smart switches to do port blocking, rate limiting, VLAN quarantines etc. If not careful you can VERY easily cripple your network.

I recommend introducing a dedicated appliance/server that is for the IDS itself. I would make sure you are using it in passive monitoring off of a promiscuous interface. I would install it on a switch and monitor with Wireshark or the like to see what it is doing and sending. (I recommend this on any new appliance so you know, from a forensic standpoint, what is appropriate IP traffic for the device.)

I would then have it monitor right away and introduce segments of your network one by one via port mirrors, syslog or NetFlow (depends on which one you choose). I would also put the appliance on a dedicated switch if you can, so that you can mirror one port off each switch directly.

Here are some of the IDSs that are out there.

SNORT
Enterasys Dragon (used it; very good product)
Cisco
OSSEC HIDS

Here is a link for open source tools: http://sectools.org/ids.html


Also you have to ask yourself: do you want HIDS or NIDS? One is host, one is network. They are the same yet fundamentally different. With HIDS you get more log and file anomalies, versus network, which is only really going to show you malware spreading, or a DDoS or SQL injection, something like that. HIDS will give you concrete info for insider attacks.

Hope this all helps.
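A worked version of the point above about watching what a new appliance itself sends, added here as an example; it is not code posted by anyone in the thread. It reads a constructed tcpdump-style summary of the sensor's management switch port, counts the flows the sensor initiated, and reports any destination outside an assumed allow-list of syslog, NTP and signature-update traffic. The sensor address, the allow-list and the internal prefixes are assumptions for the demo, not values from the page.

```python
"""Baseline what a newly deployed IDS appliance sends on its own.

Added example for this thread, not code posted by anyone in it.  The input is
a constructed `tcpdump -nn -tt` style summary of the sensor's management port;
the script reports every destination the sensor initiated, split into expected
services and anything else worth a second look.
"""
import ipaddress
import re
from collections import Counter

SENSOR_IP = "10.10.50.5"            # assumed management IP of the new sensor

# Assumed legitimate outbound services for a passive sensor: (dst, proto, port).
EXPECTED = {
    ("10.10.50.20", "udp", 514),    # syslog to the collector
    ("10.10.50.21", "udp", 123),    # NTP
    ("10.10.50.22", "tcp", 443),    # signature updates through an internal proxy
}

# Assumed address space of the organisation; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample, not a real capture.  Shape follows `tcpdump -nn -tt`
# taken on the sensor's management switch port.
SAMPLE_LINES = """\
1281868800.100 IP 10.10.50.5.40001 > 10.10.50.20.514: UDP, length 120
1281868801.200 IP 10.10.50.5.123 > 10.10.50.21.123: NTPv4, Client, length 48
1281868802.300 IP 10.10.50.5.40002 > 10.10.50.22.443: Flags [S], seq 1, win 29200, length 0
1281868803.400 IP 10.10.50.5.40003 > 203.0.113.9.443: Flags [S], seq 2, win 29200, length 0
1281868804.500 IP 10.10.50.5.40004 > 10.10.50.22.443: Flags [S], seq 3, win 29200, length 0
1281868805.600 IP 192.168.1.10.51000 > 10.10.50.5.22: Flags [S], seq 4, win 29200, length 0
1281868806.700 IP 10.10.50.5.40005 > 10.10.50.21.123: NTPv4, Client, length 48
1281868807.800 IP 10.10.50.5.40006 > 198.51.100.7.80: Flags [S], seq 5, win 29200, length 0
1281868808.900 IP 10.10.50.22.443 > 10.10.50.5.40002: Flags [S.], seq 9, ack 2, win 28960, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def sensor_egress(lines, sensor_ip=SENSOR_IP):
    """Count flows the sensor initiated: bare TCP SYNs and any UDP datagram it sent."""
    flows = Counter()
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != sensor_ip:
            continue
        rest = m["rest"]
        if "Flags [" in rest:
            # Only a bare SYN marks a connection the sensor opened; SYN/ACK etc. are replies.
            if not rest.startswith("Flags [S]"):
                continue
            proto = "tcp"
        else:
            proto = "udp"   # tcpdump decodes NTP/syslog payloads, but they are still UDP
        flows[(m["dst"], proto, int(m["dport"]))] += 1
    return flows


def review(flows, expected=EXPECTED):
    """Return (dst, proto, port, count, scope) for every flow not on the allow-list."""
    unexpected = []
    for key in sorted(flows):
        if key in expected:
            continue
        dst, proto, port = key
        addr = ipaddress.ip_address(dst)
        scope = "internal" if any(addr in net for net in INTERNAL_NETS) else "external"
        unexpected.append((dst, proto, port, flows[key], scope))
    return unexpected


if __name__ == "__main__":
    flows = sensor_egress(SAMPLE_LINES)
    for (dst, proto, port), n in sorted(flows.items()):
        tag = "ok " if (dst, proto, port) in EXPECTED else "?? "
        print(f"{tag}{dst}:{port}/{proto} x{n}")
    for dst, proto, port, n, scope in review(flows):
        print(f"investigate: sensor opened {proto}/{port} to {scope} host {dst} ({n}x)")
```

In the sample the two flagged flows are the sensor reaching out to addresses off the allow-list; on a real deployment that is the list to reconcile against the vendor's documented call-home, licensing and update endpoints before the box is trusted on the network. The monitoring (mirror) interface should carry no IP at all, so everything the appliance originates should appear on the management port alone.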
 
LVL 3

Expert Comment

by:acmeoil
ID: 33517870
Also, on the comments about knowing about port scans: if you have a device and presence on the internet, assume port scans are the norm. I get them daily. I also know exactly what is supposed to go in and out of the network, and that is what I watch; I also know how my device will react to a scan. Dropping stealth packets is the key.
 

Author Comment

by:Jack_son_
ID: 33629760
So you would not use an add-in to the current firewall for IDS and IPS, but a separate appliance?
 
LVL 10

Expert Comment

by:ujitnos
ID: 33633619
Yes... go in for a separate appliance
 
LVL 3

Expert Comment

by:acmeoil
ID: 33635683
I personally recommend a separate device if the IDS is to monitor and log data for an internal network. If you need to monitor a DMZ etc., then you could go with an add-in, but keep in mind you are most likely going to be forwarding all of your data to the device, so if it is an add-in the appliance will need to be able to process all traffic in the network plus any traffic that legitimately has to go out of the firewall.

What I have done in the past in a situation like this is place a NIDS (network IDS) sensor in the DMZ with a pinhole back to the main appliance (if that is needed). I then use HIDS (host IDS) to monitor the systems themselves for things like worm/malware propagation, registry hacks, embedded malware, steganography-type attacks that AV may miss, etc.

I then place a hybrid IPS/IDS appliance in the LAN to do active/passive monitoring on the bulk of the data. Hope this all helps.
 

Author Comment

by:Jack_son_
ID: 33664616
What are you using, something like TippingPoint? Also, for the LAN monitoring, what type of hybrid do you use?
 

Author Comment

by:Jack_son_
ID: 33664619
Also, what about IPS?
 
LVL 10

Expert Comment

by:ujitnos
ID: 33665494
You can use TippingPoint, RealSecure SiteProtector etc. RealSecure SiteProtector can act as IDS and IPS; for IDS you will need to mirror the ports in your switch, and for IPS you need to put the card or appliance in inline mode.
NetScreen NSM can be used as a hybrid for LAN monitoring, but if you go in for RealSecure SiteProtector, you can have both IDS and IPS in one appliance.
 
LVL 3

Expert Comment

by:acmeoil
ID: 33666168
You have to be REAL careful with IPS. The rule of thumb is: make sure your IDS signatures are finely tuned and that you really know your network and traffic patterns before you even think of going that route. I have been to many locations where they took the entire network down because someone flipped the switch on the IPS without really knowing what it would do.

For IPS I have used a bunch; I personally like Enterasys, they integrate well with other components like SIEM, NAC and the like.

I also use SolarWinds, Wireshark and PRTG for network monitoring, I have also used Ipswitch for system continuity, and MOM for system patching. Monitoring is not just for security threats but also for outages due to DDoS, as well as patching updates, so you make sure to close all your weaknesses.
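To make the tuning advice above concrete, here is an added example (not code from any poster in the thread, nor from the Snort project) that triages Snort alert_fast output before a sensor is switched inline. It ranks signatures by volume, shows which source addresses drive each one, and writes Snort 2.x threshold.conf directives: a `suppress` for a signature fired by an assumed known-good host (an authorised vulnerability scanner) and an `event_filter ... type limit` for a signature that is still noisy from other sources. The SIDs, rule messages and addresses are all constructed for the demo.

```python
"""Triage Snort alert_fast output before switching a sensor to inline (IPS) mode.

Added example for this thread; not code from any poster or from the Snort
project.  It parses constructed alert_fast lines, ranks signatures by volume,
shows which sources drive each one, and emits Snort 2.x threshold.conf lines.
"""
import re
from collections import Counter

# Assumed: hosts whose traffic is expected to trip scan/recon signatures.
KNOWN_GOOD = {"10.0.0.5": "authorised vulnerability scanner"}

# alert_fast layout:
# "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts, not a real sensor log.  SIDs are in the local-rule range.
SAMPLE_ALERTS = """\
08/15-10:22:01.123456  [**] [1:1000001:1] LOCAL SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22
08/15-10:22:01.223456  [**] [1:1000001:1] LOCAL SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.11:22
08/15-10:22:01.323456  [**] [1:1000001:1] LOCAL SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51236 -> 192.168.1.12:22
08/15-10:22:01.423456  [**] [1:1000001:1] LOCAL SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51237 -> 192.168.1.13:22
08/15-10:22:01.523456  [**] [1:1000001:1] LOCAL SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51238 -> 192.168.1.14:22
08/15-10:30:44.000001  [**] [1:1000001:1] LOCAL SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.168.1.10:22
08/15-11:02:10.000001  [**] [1:1000002:1] LOCAL WEB SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:44321 -> 192.168.1.20:80
08/15-11:02:11.000001  [**] [1:1000002:1] LOCAL WEB SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:44322 -> 192.168.1.20:80
08/15-11:15:00.000001  [**] [1:1000003:1] LOCAL POLICY outbound IRC [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.33:50001 -> 198.51.100.50:6667
08/15-11:15:05.000001  [**] [1:1000003:1] LOCAL POLICY outbound IRC [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.33:50002 -> 198.51.100.50:6667
08/15-11:15:10.000001  [**] [1:1000003:1] LOCAL POLICY outbound IRC [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.33:50003 -> 198.51.100.50:6667
08/15-11:15:15.000001  [**] [1:1000003:1] LOCAL POLICY outbound IRC [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.34:50004 -> 198.51.100.50:6667
08/15-11:15:20.000001  [**] [1:1000003:1] LOCAL POLICY outbound IRC [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.34:50005 -> 198.51.100.50:6667
"""


def parse_alerts(text):
    """Return one dict per parsable alert_fast line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def by_signature(alerts):
    """Alert volume per (gid, sid, msg)."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def sources_for(alerts, gid, sid):
    """Which source addresses fired a given signature, and how often."""
    return Counter(a["src"] for a in alerts if (a["gid"], a["sid"]) == (gid, sid))


def tuning_lines(alerts, known_good=KNOWN_GOOD, noisy=5, seconds=60):
    """Emit threshold.conf directives for signatures that need attention before going inline.

    suppress:     drop alerts for a signature from a documented known-good host.
    event_filter: keep the first alert per source per window for a still-noisy rule,
                  so the rule stays visible without flooding (it does not block anything).
    """
    out = []
    for (gid, sid, msg), total in by_signature(alerts).most_common():
        srcs = sources_for(alerts, gid, sid)
        suppressed = 0
        for ip, n in srcs.most_common():
            if ip in known_good:
                out.append(f"# {msg}: {n} hits from {ip} ({known_good[ip]})")
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
                suppressed += n
        remaining = total - suppressed
        if remaining >= noisy:
            out.append(f"# {msg}: {remaining} hits remain from other sources; rate-limit, do not drop yet")
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds {seconds}")
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), total in by_signature(alerts).most_common():
        print(f"{total:4d}  [{gid}:{sid}] {msg}  sources={dict(sources_for(alerts, gid, sid))}")
    print("\n".join(tuning_lines(alerts)))
```

Review the printed directives by hand before appending them to threshold.conf. A `suppress` removes the alert entirely, so it belongs only on hosts whose behaviour is documented; `event_filter type limit` keeps the first hit per source per window so the rule stays visible. Neither directive drops traffic; the point is that a rule which still fires heavily from unexplained sources after this pass is not ready to be turned into a drop rule.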
 

Author Comment

by:Jack_son_
ID: 33667625
Do TippingPoint and Enterasys have similar functions? Also, they appear to have many devices; can you get away with just one initially, and if so, is it the IDS?

Also, is Ipswitch part of SolarWinds? It manages system continuity?
 
LVL 3

Accepted Solution

by:
acmeoil earned 500 total points
ID: 33671373
Ipswitch is a company separate from SolarWinds. Ipswitch makes a product called WhatsUp Gold. It is a connection monitor to show you if the website or server goes offline. It is not a security monitor itself BUT would alert to things like DDoS attacks. PRTG shows trending and traffic patterns that you can also associate with attacks or large amounts of data moving in or out of your network. If you get really savvy you can sometimes even tell if a virus is propagating based on traffic patterns.

Enterasys and TippingPoint for the most part cover the area of IPS, but that is where Enterasys takes off. They also offer NAC (Network Access Control) and quarantine processes. I also see that since HP owns TippingPoint they push their ProCurve smart switches, which I personally do not like. When it comes to switches for the enterprise, Enterasys, Cisco, or Nortel is all I use. Enterasys also has a product called NetSight that allows some layer 3 rule capability right at the port level!!! Pretty slick.

Some balk at the price, but if you go into an enterprise-class infrastructure it is going to hurt the wallet. Their (E-sys) gear is also very scalable and easy to scale; whether it is the SIEM, IDS/IPS, NAC, Network Manager, or switches/routers, it is very easy. (And NO, I do not work for Enterasys!!) I will be honest, I hated them at first but have grown to love them and their support staff.

Hope this all helps.
 

Author Comment

by:Jack_son_
ID: 33794404
Thanks for the info; the Enterasys is a nice product.  It is expensive but seems to cover most of what we are looking for.
