We are a medium-sized manufacturing company. We have our main location in the U.S. and another location in Mexico. These are connected by Frame Relay. I am using a Cisco 515 PIX for a firewall. Recently the auditors have told us we need an Intrusion Detection System. I am looking for one that will work with the PIX, preferably an appliance as opposed to a software solution. I am not familiar with these systems. I am hoping someone can give me some suggestions. Price is an issue. Also ease of setup and managemen
ASKED: September 7, 2005 10:18 AM
UPDATED: September 11, 2005 1:59 PM
What level of intrusion detection do you need? The PIX already has limited intrusion detection capabilities. Check this link: http://www.cisco.com/application/pdf/en/us/guest/products/ps2030/c1031/cdccont_0900aecd800eb525.pdf
Since you asked for an appliance, this would probably be your easiest choice. They also have other appliances.
I have heard good things about Snort, but it is a software solution. In any case, if you want an install-and-forget appliance, you are looking at the wrong technology. Properly configuring and managing a sophisticated IDS is one of the most complex jobs in networking. We had a system installed by ISS in our lab at Intel, and we were buried by the false positives to the point it wasn’t useful.
Before you make your decision, consider carefully how much time and knowledge you are willing to invest in IDS.
rt
For the most part, I’d tend to agree with Telecomking and astronomer. Depending on what you’re looking for, using what’s built into the PIX is likely to be the simplest solution.
I use Snort, and have adapted some Perl scripts to provide me with a nice HTML-formatted daily report. But even so, tuning took a while to get the volume of reports down to what’s manageable.
I’ve worked with ISS and consider it to be over-engineered junk. How they got to be market leader is beyond me.
What I’ve been entranced with lately is the Juniper Networks IDP-1000 system. The GUI is very Checkpoint-like, AND you can define rules to do a packet capture surrounding the event – VERY useful in separating a threat from an over-eager signature. When I was working with ISS, the sales people told me that they essentially didn’t allow for packet capture. This was about 2 years ago, so things may have changed.
That’s my $.02 worth
Bob
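An added example, not Bob's scripts or anything posted in this thread, of the kind of daily Snort report he describes, written in Python rather than Perl: it parses Snort alert_fast lines, groups them by signature, flags high-volume low-priority signatures as tuning candidates (the false-positive volume both replies complain about), and renders an HTML table. The sample alert lines, signature IDs and the noisy_threshold value are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from html import escape

# Constructed sample lines in Snort's alert_fast format (not real traffic, not from the thread).
SAMPLE_ALERTS = """\
09/07-10:18:01.000001  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.5 -> 192.0.2.10
09/07-10:18:02.000002  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.6 -> 192.0.2.10
09/07-10:19:05.000003  [**] [1:1000002:2] LOCAL TCP SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.0.2.10:80
09/07-10:20:00.000004  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.7 -> 192.0.2.11
09/07-10:21:00.000005  [**] [1:1000003:1] LOCAL web attack attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:51000 -> 192.0.2.12:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::\d+)?\s+->\s+(?P<dst>[^\s:]+)(?::\d+)?"
)

def parse_alerts(text):
    """Parse alert_fast lines; lines that do not match are skipped so one odd line cannot break the report."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append({**m.groupdict(), "prio": int(m.group("prio"))})
    return alerts

def daily_summary(alerts, noisy_threshold=3):
    """Group alerts by signature. A low-priority (>= 3) signature that fires at least
    noisy_threshold times is flagged as a tuning candidate (review the rule, don't just mute it)."""
    count, sources, prio = Counter(), defaultdict(set), {}
    for a in alerts:
        key = (a["sid"], a["msg"])
        count[key] += 1
        sources[key].add(a["src"])
        prio[key] = a["prio"]
    return [{"sid": sid, "msg": msg, "count": n, "priority": prio[(sid, msg)],
             "distinct_sources": len(sources[(sid, msg)]),
             "tuning_candidate": n >= noisy_threshold and prio[(sid, msg)] >= 3}
            for (sid, msg), n in count.most_common()]

def render_html(rows):
    """Minimal HTML table for the daily mail; rule messages are HTML-escaped before embedding."""
    cells = lambda r: "".join(f"<td>{escape(str(v))}</td>" for v in (
        r["sid"], r["msg"], r["count"], r["priority"], r["distinct_sources"],
        "yes" if r["tuning_candidate"] else ""))
    head = "<tr><th>SID</th><th>Message</th><th>Count</th><th>Priority</th><th>Sources</th><th>Tune?</th></tr>"
    return "<table>\n" + head + "\n" + "\n".join(f"<tr>{cells(r)}</tr>" for r in rows) + "\n</table>"
```

On a real sensor, read the alert file for the previous day instead of SAMPLE_ALERTS and mail the output of render_html.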