Solved

Intrusion Detection

Posted on 2010-08-15
Last Modified: 2013-11-29
What is the best way to add an IDS/IPS system to your network? Is it best to do this via an existing firewall or to use an open source system like Snort?

Thanks
Question by:Jack_son_
17 Comments
LVL 8

Expert Comment

by:bpinning
ID: 33442729
Hey,

I used http://www.securecomputing.net.au/Review/90967,idsips.aspx
Added as a new device replacing the old setup.

However, Snort would be a better or cheaper option and there is less disruption to your physical network setup.
LVL 10

Expert Comment

by:ujitnos
ID: 33443472
IDS will not disrupt the live network, as you will be doing port mirroring. For an IPS setup you will have a small disruption of a couple of minutes, as you will need to divert traffic via the device. I have set up ISS Site Protector; it's a bit expensive but a very good solution.
LVL 9

Expert Comment

by:Barry Gill
ID: 33443952
It depends what you want to do, what your budget is and what your appetite for risk is.

The best is to buy a device that works as part of your firewall, as it will then also be aware of port scans from IP addresses, it will have access to connections etc. to be able to make decisions on these things.

I have had great success with Fortigate firewalls for this, but you need to know why you want to do this.

Snort is a fantastic tool but it is a standalone tool, so if all you want is traffic to be analyzed, then port forwarding and a tool like Snort will be fine.

If you want IPS to be pro-active, then it needs to be integrated into your firewall.
LVL 32

Expert Comment

by:Kamran Arshad
ID: 33448094
Hi,

A hardware-based IDS is always better than a software-based IDS. You need to look at TippingPoint or Juniper-based IDS.

LVL 2

Expert Comment

by:CodeC6
ID: 33455726
Depends on your network. Setting up Snort IDS would be quite easy, but then you'd need to invest in a SIEM or SEM to manage it, which can be costly. The amount of traffic you do would determine whether you need to invest in a pricier solution. Snort should be sniffing the traffic from your border routers. You can have a firewall in front of them (which I would recommend).
I've experienced some issues with a flaw in TippingPoint that can cause a DoS situation, which I do not believe they ever fixed - but then in order for you to encounter it you'd have to push quite a bit of bandwidth. Other than that, it works fine.
I use Snort coupled with a couple of products: RSA's enVision and a product now owned by Tripwire called Enterprise (it was one called Activeworx).
LVL 3

Expert Comment

by:acmeoil
ID: 33517866
I specialize in IDS and forensics, and I have to disagree with some of the posts here that state that it will not affect your network. First of all, if you do a port mirror incorrectly you can greatly affect your network with packet storms and saturation issues. Also many of the new "IDS" do what is called "Active-Passive" monitoring, where it is not quite a true IPS but does do some things like work with smart switches to do port blocking, rate limiting, VLAN quarantines etc. If not careful you can VERY easily cripple your network.

I recommend introducing a dedicated appliance/server that is for the IDS itself. I would make sure you are using it in passive monitoring off of a promiscuous interface. I would install it on a switch and monitor with Wireshark or the like to see what it is doing and sending. (I recommend this on any new appliance so you know from a forensic standpoint what is appropriate IP traffic for the device.)

I would then have it monitor right away and introduce segments of your network one by one via port mirrors, syslog or NetFlow (depends on which one you choose). I also would put the appliance on a dedicated switch if you can, so that you can mirror one port off each switch directly.

Here are some of the IDSs that are out there:

SNORT
Enterasys Dragon (used it, very good product)
Cisco
OSSEC HIDS

Here is a link for open source tools: http://sectools.org/ids.html


Also you have to ask yourself: do you want HIDS or NIDS? One is Host, one is Network. They are the same yet fundamentally different. With HIDS you get more log and file anomalies, versus network, which is only really going to show you malware spreading, or a DDoS or SQL injection, something like that. HIDS will give you concrete info for insider attacks.

Hope this all helps.
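To make the HIDS side of the HIDS/NIDS distinction above concrete, here is an added example that is not part of the thread and is not OSSEC's code: a minimal file-integrity check of the kind a host IDS runs over a system tree (OSSEC calls this syscheck). It baselines the SHA-256, permission bits and size of every regular file, then reports what was added, removed or modified on a later pass. The directory layout, file contents and the post-baseline changes are constructed for the demo in a temporary directory, so it runs offline.

```python
"""Minimal host-based file-integrity check (a core HIDS function).

Added example, not the thread's or OSSEC's code. The files it checks are
constructed in a temporary directory for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex digest, permission bits, size)


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, Entry]:
    """Relative path -> (digest, mode, size) for each regular file under root.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    baseline: Dict[str, Entry] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = (
            file_digest(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def diff(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Report paths that appeared, vanished, or whose digest/mode/size changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed system tree, baseline it, make the kinds of changes
    a HIDS exists to catch, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "etc" / "hosts", 0o644)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        baseline = snapshot(root)

        # Changes after the baseline: a hardening setting flipped, a binary
        # replaced, a permission loosened, a new file dropped, a file removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        os.chmod(root / "etc" / "hosts", 0o666)          # content unchanged, mode changed
        (root / "bin" / "nc.bak").write_bytes(b"\x7fELF dropped tool")
        (root / "etc" / "passwd").unlink()
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", ", ".join(paths) or "-")
```

The baseline has to be taken from a known-clean host and stored where a compromised host cannot rewrite it (a real HIDS ships it to the manager), otherwise an intruder simply re-baselines after making changes. Hashing whole files is the expensive part; production agents schedule the scan and watch only the directories that matter.
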
LVL 3

Expert Comment

by:acmeoil
ID: 33517870
Also, on the comments about knowing about port scans: if you have a device and presence on the internet, assume port scans as the norm. I get them daily. I also know exactly what is supposed to go in and out of the network and that is what I watch, and I also know how my device will react to a scan; dropping stealth packets is the key.
Author Comment

by:Jack_son_
ID: 33629760
So you would not use an add-in to the current firewall for IDS and IPS, but a separate appliance?
LVL 10

Expert Comment

by:ujitnos
ID: 33633619
Yes... go in for a separate appliance
LVL 3

Expert Comment

by:acmeoil
ID: 33635683
I personally recommend a separate device if the IDS is to monitor and log data for an internal network. If you need to monitor a DMZ etc. then you could go with an add-in, but keep in mind you are most likely going to be forwarding all of your data to the device, so if it is an add-in the appliance will need to be able to process all traffic in the network plus any traffic that legitimately has to go out of the firewall.

What I have done in the past with a situation like this is place a NIDS (network IDS) sensor in the DMZ with a pinhole back to the main appliance (if that is needed). I then use HIDS (host IDS) to monitor the systems themselves for things like worm/malware propagation, registry hacks, embedded malware, steganography-type attacks that AV may miss etc.

I then place a hybrid IPS/IDS appliance in the LAN to do active / passive monitoring on the bulk of the data ... Hope this all helps.
Author Comment

by:Jack_son_
ID: 33664616
What are you using, something like TippingPoint? Also, for the LAN monitoring, what type of hybrid do you use?
Author Comment

by:Jack_son_
ID: 33664619
Also, what about IPS?
LVL 10

Expert Comment

by:ujitnos
ID: 33665494
You can use TippingPoint, RealSecure Site Protector etc. RealSecure Site Protector can act as IDS and IPS; for IDS you will need to mirror the ports in your switch, and for IPS you need to put the card or appliance in inline mode.
NetScreen NSM can be used as a hybrid for LAN monitoring, but if you go in for RealSecure Site Protector, you can have both IDS and IPS in one appliance.
LVL 3

Expert Comment

by:acmeoil
ID: 33666168
You have to be REAL careful with IPS. The rule of thumb is: make sure your IDS signatures are finely tuned and that you really know your network and traffic patterns before you even think of going that route. I've been to many locations where they took the entire network down because someone flipped the switch on the IPS without really knowing what it would do.

For IPS I have used a bunch; I personally like Enterasys, they integrate well with other components like SIEM, NAC and the like.

I also use Solarwinds, Wireshark and PRTG for network monitoring. I have also used IPSwitch for system continuity, and MOM for system patching. Monitoring is not just for security threats but also for outages due to DDoS, as well as patching updates so you make sure to close all your weaknesses.
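The warning above about flipping on the IPS before signatures are tuned, and the earlier distinction between an IDS fed from a mirror port and an IPS placed inline, as an added example that is not code from the thread, from Snort, or from any product named here: a toy content-matching sensor run over constructed packets first in passive (alert-only) mode and then inline (drop) mode. All addresses, payloads, rule SIDs and rule messages are made up for the demo; the "dry run against known-good traffic" check at the end is the tuning step the comment recommends before going inline.

```python
"""Toy signature-based network sensor, run passively and inline.

Added example, not code from the thread or from any product named in it.
Packets, rules and addresses are constructed; nothing is captured live."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    dport: Optional[int]   # None matches any destination port
    content: bytes         # byte string that must occur in the payload
    action: str = "alert"  # "alert" or "drop"; "drop" only has effect inline


# Constructed sample traffic: a SQL injection attempt against a web server,
# a benign web request whose body happens to mention a SQL keyword, and an
# unrelated DNS query.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("203.0.113.7", "192.0.2.10", 80,
           b"GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.4", "192.0.2.10", 80,
           b"POST /wiki/save HTTP/1.1\r\n\r\nHow to write a SELECT query"),
    Packet("192.0.2.50", "192.0.2.53", 53,
           b"\x12\x34\x01\x00\x00\x01\x07example\x03com\x00"),
]
KNOWN_GOOD: List[Packet] = SAMPLE_TRAFFIC[1:]   # baseline of legitimate traffic

# An over-broad rule next to a narrowly tuned one. Both are set to drop.
UNTUNED_RULES: List[Rule] = [
    Rule(1000001, "SQL keyword to web port", 80, b"SELECT", "drop"),
    Rule(1000002, "SQLi tautology in URI", 80, b"'1'='1", "drop"),
]
TUNED_RULES: List[Rule] = [UNTUNED_RULES[1]]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.dport is None or rule.dport == pkt.dport) and rule.content in pkt.payload


def run_sensor(packets: List[Packet], rules: List[Rule],
               inline: bool) -> Tuple[List[Tuple[int, str, str]], List[Packet]]:
    """Return (alerts, packets that reached their destination).

    Passive mode models a sensor hanging off a SPAN/mirror port: it only sees
    a copy, so every packet is delivered whatever it alerts on. Inline mode
    models the same rules in the forwarding path: a hit on a "drop" rule
    removes the packet from the stream.
    """
    alerts, forwarded = [], []
    for pkt in packets:
        hits = [r for r in rules if matches(r, pkt)]
        alerts.extend((r.sid, r.msg, pkt.src) for r in hits)
        if inline and any(r.action == "drop" for r in hits):
            continue
        forwarded.append(pkt)
    return alerts, forwarded


def rules_firing_on_baseline(rules: List[Rule], baseline: List[Packet]) -> Set[int]:
    """Dry-run check to do before flipping to inline: any rule that fires on
    captured known-good traffic would drop legitimate packets as an IPS."""
    return {r.sid for r in rules for pkt in baseline if matches(r, pkt)}


if __name__ == "__main__":
    for name, rules in (("untuned", UNTUNED_RULES), ("tuned", TUNED_RULES)):
        for inline in (False, True):
            alerts, fwd = run_sensor(SAMPLE_TRAFFIC, rules, inline)
            mode = "inline" if inline else "passive"
            print(f"{name:7} {mode:7} alerts={len(alerts)} "
                  f"delivered={len(fwd)}/{len(SAMPLE_TRAFFIC)}")
    print("rules not safe to drop with:",
          rules_firing_on_baseline(UNTUNED_RULES, KNOWN_GOOD))
```

With the untuned rule set the passive run produces two alerts and delivers all three packets, which is a mild false positive in a console; the same rules inline deliver only the DNS packet, because the wiki post is dropped along with the injection attempt. Running the rules over a capture of known-good traffic first flags SID 1000001 as unsafe to drop with, and the tuned set then blocks only the attack.
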
Author Comment

by:Jack_son_
ID: 33667625
Do TippingPoint and Enterasys have similar functions? Also, they appear to have many devices; can you get away with just one initially, and if so is it the IDS?

Also, is IPSwitch part of Solarwinds - does it manage system continuity?
LVL 3

Accepted Solution

by:acmeoil (earned 2000 total points)
ID: 33671373
IPSwitch is a company separate from Solarwinds. IPSwitch makes a product called WhatsUp Gold. It is a connection monitor to show you if the website or server goes offline. It is not a security monitor itself BUT would alert to things like DDoS attacks. PRTG shows trending and traffic patterns that you can also associate with attacks or large amounts of data moving in or out of your network. If you get really savvy you can sometimes even tell if a virus is propagating based on traffic patterns.

Enterasys and TippingPoint for the most part cover the area of IPS, but that is where Enterasys takes off. They also offer NAC (Network Access Control) and quarantine processes. I also see that since HP owns TippingPoint they push their ProCurve smart switches, which I personally do not like. When it comes to switches for the enterprise, Enterasys, Cisco or Nortel are all I use. Enterasys also has a product called NetSight that allows some layer 3 rule capability right at the port level!!! Pretty slick.

Some baulk at the price, but if you go into an enterprise-class infrastructure it is going to hurt the wallet. Theirs (E-sys) is also very scalable and easy to scale as well; whether it is the SIEM, IDS/IPS, NAC, Network Manager, or Switches/Routers, it is very easy. (And NO, I do not work for Enterasys!!) I will be honest, I hated them at first but have grown to love them and their support staff.

Hope this all helps.
Author Comment

by:Jack_son_
ID: 33794404
Thanks for the info; the Enterasys is a nice product.  It is expensive but seems to cover most of what we are looking for.