* intrusion detection

From: IT Clown
Date: 2004-04-18 17:29 UTC
To: netfilter

Hi

What intrusion detection software would you guys recommend? Is psad or portsentry any good?

Regards

--
Herbalife Independent Distributor
http://www.healthiest.co.za
* Re: intrusion detection

From: David Cannings
Date: 2004-04-18 17:49 UTC
To: netfilter

On Sunday 18 April 2004 18:29, IT Clown wrote:
> What intrusion detection software would you guys
> recommend? Is psad or portsentry any good?

Personally I use Snort (http://www.snort.org) which I find to be easy to configure and fairly flexible. The default rulesets are quite concise and daily reports give a good summary of what is happening.

However, I haven't used either psad or portsentry so couldn't compare.

David
* Re: intrusion detection

From: Michael Gale
Date: 2004-04-19 13:43 UTC
To: netfilter

Hello,

Is portsentry not just more of a port monitor -- to let you know who is "knocking" at your door? Whereas snort will monitor the actual traffic on the pipe.

Michael.

On Sun, 18 Apr 2004 18:49:29 +0100 David Cannings <lists@edeca.net> wrote:
> On Sunday 18 April 2004 18:29, IT Clown wrote:
> > What intrusion detection software would you guys
> > recommend? Is psad or portsentry any good?
>
> Personally I use Snort (http://www.snort.org) which I find to be easy to
> configure and fairly flexible. The default rulesets are quite concise
> and daily reports give a good summary of what is happening.
>
> However, I haven't used either psad or portsentry so couldn't compare.
>
> David

--
Michael Gale
Network Administrator
Utilitran Corporation
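Michael's distinction between a port monitor (who is "knocking") and a traffic monitor (what is on the pipe) can be made concrete with a small log-based scan detector of the kind psad builds on top of iptables LOG output. The following is an added example written for this page, not code from psad, portsentry, Snort or any list member: it parses iptables LOG lines, keeps a per-source sliding window of distinct destination ports, and raises one alert per source once the window exceeds a threshold. The log lines, host name and addresses are constructed (RFC 5737 documentation ranges), and the 60-second window and 5-port threshold are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the iptables LOG target format (host "fw",
# prefix "SCAN", documentation-range addresses). Not real traffic.
SAMPLE_LOG = """\
Apr 18 17:29:01 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41000 DPT=21 SYN
Apr 18 17:29:01 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41001 DPT=22 SYN
Apr 18 17:29:02 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41002 DPT=23 SYN
Apr 18 17:29:02 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41003 DPT=25 SYN
Apr 18 17:29:03 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41004 DPT=80 SYN
Apr 18 17:29:03 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41005 DPT=443 SYN
Apr 18 17:30:00 fw kernel: SCAN IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=50000 DPT=80 SYN
Apr 18 17:30:05 fw kernel: SCAN IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=50001 DPT=80 SYN
Apr 18 17:45:00 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41006 DPT=8080 SYN
"""

# syslog timestamp, then the SRC/DST/PROTO/DPT fields the LOG target writes.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# syslog lines carry no year; the year is an assumption for window arithmetic.
ASSUMED_YEAR = 2004


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def detect_scans(lines, window_seconds=60, min_ports=5):
    """One alert per source that touches >= min_ports distinct ports in a window."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])          # stable: same-second order kept
    windows = defaultdict(deque)                # src -> recent events
    alerted, alerts = set(), []
    for e in events:
        if e["src"] in alerted:                 # already reported, avoid alert storms
            continue
        q = windows[e["src"]]
        q.append(e)
        cutoff = e["ts"] - timedelta(seconds=window_seconds)
        while q and q[0]["ts"] < cutoff:        # expire events outside the window
            q.popleft()
        ports = {x["dpt"] for x in q}
        if len(ports) >= min_ports:
            alerts.append({"src": e["src"], "dst": e["dst"], "ports": sorted(ports),
                           "first": q[0]["ts"], "last": e["ts"]})
            alerted.add(e["src"])
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"scan from {a['src']} -> {a['dst']} ports {a['ports']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the sample, the first source trips the threshold within three seconds and is reported once; the second source repeatedly hitting port 80 is not a scan by this definition and produces nothing, which is the point of counting distinct ports rather than packets. Feeding real data means pointing this at the file your syslog sends `kernel:` messages to, with a `-j LOG --log-prefix` rule in front of your final DROP.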
* [OT]Re: intrusion detection

From: John A. Sullivan III
Date: 2004-04-19 15:27 UTC
To: IT Clown, netfilter

On Sun, 2004-04-18 at 13:29, IT Clown wrote:
> Hi
>
> What intrusion detection software would you guys
> recommend? Is psad or portsentry any good?
<snip>

I wonder if I might permutate this question slightly. I have spent a fair amount of time recently looking at Intrusion Detection Systems and came away with a conclusion I did not expect. I would like to share that conclusion not to start a flame war but to hold it up to scrutiny to see if I am truly out of my mind or whether it makes sense.

I concluded that NIDS can be effective but that they required so much upkeep, maintenance and ongoing expertise that I would rather invest my time and money in other security measures. There were two primary reasons for this conclusion.

1) Those attempting to perpetrate an intentional, focused attack (as opposed to the random "door-knob jiggling" antics of script-kiddies) are as likely to attack from the inside as from the outside. In other words, if the front door firewall is secure, I would not waste my time trying to break through it. I would send forged e-mails that direct internal users to a phished site where I would plant a malicious trojan or I would find a vulnerable remote user, e.g., one with an insecure home wireless access method and do a man-in-the-middle attack. In our brave new networked world, I would find a way to attack from the inside rather than the outside.

That makes the placement of NIDS quite a challenge. How many and where do I place them? Do I use port mirroring or taps? What are the impacts on network capacity and traffic patterns? Do I fail safe or open? By the time I build a NIDS environment to protect against external and internal attacks, I can have a very complex and very expensive architecture - one that may have inflicted more impact on the business bottom line than the attacks it may prevent.

2) As I studied the mechanisms used to evade NIDS and the counter-measures used to defeat the evasion attempts, it seemed like a constant "cat and mouse" game -- one that required constant vigilance and maintenance. I felt like my NIDS would be secure only until the next major publication of a new evasion technique.

This does not mean that NIDS cannot work -- just that it takes a lot of effort and expertise to make it work well. I felt I would rather make the following investment in time and money:

1) Create a multi-layered security environment with inter and intra office access control and encryption and move away from the "hard and crunchy outside - soft and chewy inside" perimeter security model. Of course, I am quite biased here as making this method affordable is one of the driving factors behind the ISCS project I am working on (http://iscs.sourceforge.net). If an attacker breaches my outer defenses or is attacking from the inside, I want to do my best to contain them to a limited area.

2) Combine regular vulnerability assessments using something like the automated features of the fabulous Nessus product (http://www.nessus.org) with an automated software management tool to close known vulnerabilities as quickly as possible. If an attacker manages to break through all my defenses, I want to render them impotent and unable to use known exploits against my systems.

3) Implement even a simple HIDS or integrity checker like tripwire or the fully open source Osiris (http://osiris.shmoo.com). If an attacker has penetrated all my defenses and succeeded in using some exploit, I want to know about it.

This threefold solution is also not simple. But given the return on investment of my time and money maintaining NIDS in an ever changing security world where an attack is as likely to come from the inside as the outside versus maintaining these three combined strategies, I think I get more from my investment in the latter.

However, as always, I am suspicious of putting too much faith in my own conclusion without significant corroboration. I would be interested in others' thoughts, insights and insults -- well, maybe not too many insults. Thanks, all - John

--
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com
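John's third item, an integrity checker that tells you after the fact that a file on the host has been altered, comes down to a baseline of file digests and a later comparison against it. The following is an added example written for this page, not code from tripwire, Osiris, the ISCS project or any list member. It walks a tree, records a SHA-256, size and mode per regular file, stores the database under an HMAC so that an intruder who can edit files cannot quietly edit the baseline too (the same reason the real tools sign their databases), and reports added, removed and changed files. The directory tree, file contents and key are constructed inside a temporary directory; in practice the key and a copy of the database live off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream a file through a hash so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest, size and mode."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():   # skip links, dirs, sockets, devices
            continue
        st = p.lstat()
        entries[str(p.relative_to(root))] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),   # permission and setuid/setgid bits
        }
    return entries


def save_baseline(entries, path, key):
    """Write 'hex-mac\\n' + canonical JSON; the MAC binds the whole database."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest().encode()
    Path(path).write_bytes(tag + b"\n" + body)


def load_baseline(path, key):
    """Refuse a database whose MAC does not verify: treat that as an incident."""
    tag, _, body = Path(path).read_bytes().partition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline MAC mismatch: database may have been tampered with")
    return json.loads(body)


def compare(baseline, current):
    """Classify differences between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline, simulated post-exploit changes, tampered DB."""
    key = b"constructed-demo-key-keep-the-real-one-offline"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"                      # hypothetical monitored tree
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        db = Path(tmp) / "baseline.db"
        save_baseline(build_baseline(root), db, key)

        # Simulated changes an intruder might leave behind (constructed, not real).
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "passwd").unlink()
        (root / "ld.so.preload").write_text("/tmp/x.so\n")
        report = compare(load_baseline(db, key), build_baseline(root))

        # Now flip one byte inside the stored database and try to load it again.
        data = db.read_bytes()
        db.write_bytes(data.replace(b'"size"', b'"Size"', 1))
        try:
            load_baseline(db, key)
            tampered = False
        except ValueError:
            tampered = True
    return report, tampered


if __name__ == "__main__":
    report, tampered = demo()
    for kind, paths in report.items():
        print(f"{kind:8}: {paths}")
    print("database tamper detected:", tampered)
```

The comparison keys on the relative path, so a baseline taken from a known-good image can be replayed against many hosts with the same layout. Mode is recorded alongside the digest because a file whose contents are unchanged but which has gained a setuid bit is exactly the kind of change John wants to know about.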
* Re: [OT]Re: intrusion detection

From: Michael Gale
Date: 2004-04-19 15:54 UTC
To: netfilter

Hello,

I appreciate the information, as I myself am also looking into an IDS solution of some sort. I was thinking along the lines of the following:

1. The NIDS would sit between the firewall internal line and our office backbone using a tap that would fail open. I figure this way if anything breaks the firewall or an attack comes from inside and tries to make an outbound connection I would know.

I completely agree with you about the attack from inside vs an attacker from outside. I also completely agree with the HIDS.

I have also thought about an internal machine (not sure of the technical name for it) to act as a live bait box. I believe the theory is that you leave an internal box a little open or un-patched with bogus data on it; this is used to attract the attacker and trigger other bells and whistles.

Michael.

On Mon, 19 Apr 2004 11:27:54 -0400 "John A. Sullivan III" <john.sullivan@nexusmgmt.com> wrote:
> On Sun, 2004-04-18 at 13:29, IT Clown wrote:
> > Hi
> >
> > What intrusion detection software would you guys
> > recommend? Is psad or portsentry any good?
> <snip>
> I wonder if I might permutate this question slightly. I have spent a fair amount of time recently looking at Intrusion Detection Systems and came away with a conclusion I did not expect. I would like to share that conclusion not to start a flame war but to hold it up to scrutiny to see if I am truly out of my mind or whether it makes sense.
>
> I concluded that NIDS can be effective but that they required so much upkeep, maintenance and ongoing expertise that I would rather invest my time and money in other security measures. There were two primary reasons for this conclusion.
>
> 1) Those attempting to perpetrate an intentional, focused attack (as opposed to the random "door-knob jiggling" antics of script-kiddies) are as likely to attack from the inside as from the outside. In other words, if the front door firewall is secure, I would not waste my time trying to break through it. I would send forged e-mails that direct internal users to a phished site where I would plant a malicious trojan or I would find a vulnerable remote user, e.g., one with an insecure home wireless access method and do a man-in-the-middle attack. In our brave new networked world, I would find a way to attack from the inside rather than the outside.
> That makes the placement of NIDS quite a challenge. How many and where do I place them? Do I use port mirroring or taps? What are the impacts on network capacity and traffic patterns? Do I fail safe or open? By the time I build a NIDS environment to protect against external and internal attacks, I can have a very complex and very expensive architecture - one that may have inflicted more impact on the business bottom line than the attacks it may prevent.
>
> 2) As I studied the mechanisms used to evade NIDS and the counter-measures used to defeat the evasion attempts, it seemed like a constant "cat and mouse" game -- one that required constant vigilance and maintenance. I felt like my NIDS would be secure only until the next major publication of a new evasion technique.
>
> This does not mean that NIDS cannot work -- just that it takes a lot of effort and expertise to make it work well. I felt I would rather make the following investment in time and money:
>
> 1) Create a multi-layered security environment with inter and intra office access control and encryption and move away from the "hard and crunchy outside - soft and chewy inside" perimeter security model. Of course, I am quite biased here as making this method affordable is one of the driving factors behind the ISCS project I am working on (http://iscs.sourceforge.net). If an attacker breaches my outer defenses or is attacking from the inside, I want to do my best to contain them to a limited area.
>
> 2) Combine regular vulnerability assessments using something like the automated features of the fabulous Nessus product (http://www.nessus.org) with an automated software management tool to close known vulnerabilities as quickly as possible. If an attacker manages to break through all my defenses, I want to render them impotent and unable to use known exploits against my systems.
>
> 3) Implement even a simple HIDS or integrity checker like tripwire or the fully open source Osiris (http://osiris.shmoo.com). If an attacker has penetrated all my defenses and succeeded in using some exploit, I want to know about it.
>
> This threefold solution is also not simple. But given the return on investment of my time and money maintaining NIDS in an ever changing security world where an attack is as likely to come from the inside as the outside versus maintaining these three combined strategies, I think I get more from my investment in the latter.
>
> However, as always, I am suspicious of putting too much faith in my own conclusion without significant corroboration. I would be interested in others' thoughts, insights and insults -- well, maybe not too many insults. Thanks, all - John
> --
> Open Source Development Corporation
> Financially Sustainable open source development
> http://www.opensourcedevelopmentcorp.com

--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: [OT]Re: intrusion detection

From: Antony Stone
Date: 2004-04-19 16:12 UTC
To: netfilter

On Monday 19 April 2004 4:54 pm, Michael Gale wrote:
> I have also thought about an internal machine (not sure of the technical name
> for it)

Honeypot or honeynet (depending on whether there's one or several machines involved).

> to act as a live bait box. I believe the theory is that you leave an internal
> box a little open or un-patched with bogus data on it; this is used to
> attract the attacker and trigger other bells and whistles.

Regards,

Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)

Please reply to the list; please don't CC me.
* Re: [OT]Re: intrusion detection

From: Antony Stone
Date: 2004-04-19 15:55 UTC
To: netfilter

On Monday 19 April 2004 4:27 pm, John A. Sullivan III wrote:
> I have spent a fair amount of time recently looking at Intrusion Detection
> Systems and came away with a conclusion I did not expect. I would like to
> share that conclusion not to start a flame war but to hold it up to scrutiny
> to see if I am truly out of my mind or whether it makes sense.
>
> I concluded that NIDS can be effective but that they required so much
> upkeep, maintenance and ongoing expertise that I would rather invest my
> time and money in other security measures.
>
> This does not mean that NIDS cannot work -- just that it takes a lot of
> effort and expertise to make it work well.

I agree with you. NIDS is an expensive activity, and whilst some people like to get the information it provides, it does indeed require a big investment of time to keep things up to date, ensure you're looking for the latest attacks, and avoid too many false positives.

> I felt I would rather make
> the following investment in time and money:
>
> 1) Create a multi-layered security environment with inter and intra
> office access control and encryption and move away from the "hard and
> crunchy outside - soft and chewy inside" perimeter security model.

I believe that many security professionals are now of the opinion that this is an outdated model on any reasonable-sized corporate network. It may still be fine for home users and small businesses, but beyond a certain size and complexity there are now too many "grey areas" where you can't be quite sure if something is inside or outside the protected zone.

> 2) Combine regular vulnerability assessments using something like the
> automated features of the fabulous Nessus product
> (http://www.nessus.org) with an automated software management tool to
> close known vulnerabilities as quickly as possible.
>
> 3) Implement even a simple HIDS or integrity checker like tripwire or
> the fully open source Osiris (http://osiris.shmoo.com). If an attacker
> has penetrated all my defenses and succeeded in using some exploit, I
> want to know about it.

Yes - these two are IMHO very sensible strategies, and I also think more certain than NIDS, because you at least know what you are protecting and what you've done about it. With NIDS you are still very much "hoping it does the job okay" and you can never be sure of what you're missing.

> This threefold solution is also not simple. But given the return on
> investment of my time and money maintaining NIDS in an ever changing
> security world where an attack is as likely to come from the inside as
> the outside versus maintaining these three combined strategies, I think
> I get more from my investment in the latter.

I agree. Once you've taken the steps you describe, you might choose later to add NIDS as well; however, I think you have the correct sequence of priorities.

Regards,

Antony.

--
The words "e pluribus unum" on the Great Seal of the United States are from a poem by Virgil entitled "Moretum", which is about cheese and garlic salad dressing.

Please reply to the list; please don't CC me.
* Re: [OT]Re: intrusion detection

From: John A. Sullivan III
Date: 2004-04-19 16:15 UTC
To: netfilter

Thanks for the reply, Antony. I notice how much you help on this list and esteem your opinion highly.

I would just like to annotate your comment on the inter/intra office security measures. Its infeasibility in a large, complex environment is why we saw that traditional firewalls, VPNs, etc., would not work in our complex, multi-client environment awash in its sea of grey regarding what is inside and what is outside. This, again, is why we feel ISCS is so unlike similar products. It is designed to make the complexity manageable even for enterprise and carrier environments and to bring into sharper contrast the grey areas by abandoning the concept of zones, inside or outside, and focusing on the real traffic pattern issues of which accessors are attempting access to which resources wherever they are.

Thanks again, and thanks for all the help you give - John

On Mon, 2004-04-19 at 11:55, Antony Stone wrote:
> On Monday 19 April 2004 4:27 pm, John A. Sullivan III wrote:
>
> > I have spent a fair amount of time recently looking at Intrusion Detection
> > Systems and came away with a conclusion I did not expect. I would like to
> > share that conclusion not to start a flame war but to hold it up to scrutiny
> > to see if I am truly out of my mind or whether it makes sense.
> >
> > I concluded that NIDS can be effective but that they required so much
> > upkeep, maintenance and ongoing expertise that I would rather invest my
> > time and money in other security measures.
> >
> > This does not mean that NIDS cannot work -- just that it takes a lot of
> > effort and expertise to make it work well.
>
> I agree with you. NIDS is an expensive activity, and whilst some people like
> to get the information it provides, it does indeed require a big investment
> of time to keep things up to date, ensure you're looking for the latest
> attacks, and avoid too many false positives.
>
> > I felt I would rather make
> > the following investment in time and money:
> >
> > 1) Create a multi-layered security environment with inter and intra
> > office access control and encryption and move away from the "hard and
> > crunchy outside - soft and chewy inside" perimeter security model.
>
> I believe that many security professionals are now of the opinion that this is
> an outdated model on any reasonable-sized corporate network. It may still
> be fine for home users and small businesses, but beyond a certain size and
> complexity there are now too many "grey areas" where you can't be quite sure
> if something is inside or outside the protected zone.
>
> > 2) Combine regular vulnerability assessments using something like the
> > automated features of the fabulous Nessus product
> > (http://www.nessus.org) with an automated software management tool to
> > close known vulnerabilities as quickly as possible.
> >
> > 3) Implement even a simple HIDS or integrity checker like tripwire or
> > the fully open source Osiris (http://osiris.shmoo.com). If an attacker
> > has penetrated all my defenses and succeeded in using some exploit, I
> > want to know about it.
>
> Yes - these two are IMHO very sensible strategies, and I also think more
> certain than NIDS, because you at least know what you are protecting and what
> you've done about it. With NIDS you are still very much "hoping it does the
> job okay" and you can never be sure of what you're missing.
>
> > This threefold solution is also not simple. But given the return on
> > investment of my time and money maintaining NIDS in an ever changing
> > security world where an attack is as likely to come from the inside as
> > the outside versus maintaining these three combined strategies, I think
> > I get more from my investment in the latter.
>
> I agree. Once you've taken the steps you describe, you might choose later to
> add NIDS as well; however, I think you have the correct sequence of
> priorities.
>
> Regards,
>
> Antony.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com