network security gurus, need your help

cryme

We are currently evaluating intrusion detection systems, particularly Cisco's.

So far it looks like we are planning on purchasing the network-based IDS for integration with our routers, and the desktop client version of Cisco's Security Agent, but I'm wondering: with the router protection and the desktop clients protected with the Security Agent, is it really necessary to purchase the server version of the Security Agent for our servers? We have quite a few servers, and the Security Agent is not cheap for the servers; we really would like to save money if we can.
 
Originally posted by cryme
We are currently evaluating intrusion detection systems, particularly Cisco's.

So far it looks like we are planning on purchasing the network-based IDS for integration with our routers, and the desktop client version of Cisco's Security Agent, but I'm wondering: with the router protection and the desktop clients protected with the Security Agent, is it really necessary to purchase the server version of the Security Agent for our servers? We have quite a few servers, and the Security Agent is not cheap for the servers; we really would like to save money if we can.


What does this "security agent" do? It doesn't sound like an IDS sensor; it sounds more like some package that reacts in response to reports from the NIDS.

And are the servers in RFC1918 address space, or in a DMZ?

Answer those questions, and I can tell you whether or not it's necessary.
 
Originally posted by skritch
What does this "security agent" do? It doesn't sound like an IDS sensor; it sounds more like some package that reacts in response to reports from the NIDS.

And are the servers in RFC1918 address space, or in a DMZ?

Answer those questions, and I can tell you whether or not it's necessary.

Basically it is a host based security product providing distributed firewall, intrusion prevention, etc. It integrates with the IDS system (and PIX devices) to expand the area of protection. It can also help protect against the spread of worms, etc...

Personally, I think if you are going to go to such length to protect your network you might as well cover all your bases, but that's just me. I have an all or nothing attitude :)
 
The servers are not in the DMZ or RFC1918. My managers are on a real security trip right now, but still want to save as much money as possible. Am I wrong in thinking that if the routers/switches are covered, and the desktops are covered, that should be sufficient?
 
Originally posted by cryme
The servers are not in the DMZ or RFC1918. My managers are on a real security trip right now, but still want to save as much money as possible. Am I wrong in thinking that if the routers/switches are covered, and the desktops are covered, that should be sufficient?

1) If the servers are not in a DMZ or in RFC1918 space, then they're just dangling in the breeze with routable IPs and no firewall. That's not very wise.

2) No, that should not be sufficient. If it were, you wouldn't need the agents on the desktops, either.
 
Originally posted by PHUNBALL
Basically it is a host based security product providing distributed firewall, intrusion prevention, etc. It integrates with the IDS system (and PIX devices) to expand the area of protection. It can also help protect against the spread of worms, etc...

Personally, I think if you are going to go to such length to protect your network you might as well cover all your bases, but that's just me. I have an all or nothing attitude :)

Thanks. I wonder which company Cisco ate to acquire that. I generally ignore Cisco when it comes to firewalls and things like HIDS/NIDS, because they've got such a poor track record.

I'd avoid it anyway, because any reactive technology coupled with a NIDS is a recipe for intentional or accidental DoS.
 
Originally posted by skritch
1) If the servers are not in a DMZ or in RFC1918 space, then they're just dangling in the breeze with routable IPs and no firewall. That's not very wise.

2) No, that should not be sufficient. If it were, you wouldn't need the agents on the desktops, either.

Argh, my fault: they are in RFC1918, they are behind their own PIX firewall.
 
Originally posted by skritch
Thanks. I wonder which company Cisco ate to acquire that. I generally ignore Cisco when it comes to firewalls and things like HIDS/NIDS, because they've got such a poor track record.

I'd avoid it anyway, because any reactive technology coupled with a HIDS is a recipe for intentional or accidental DoS.

Agreed, I am not a proponent of Cisco security products either. Until something better comes along I will continue to use Checkpoint (IPSO Platform)...
 
Sonicwall firewalls, servers in the DMZ with ports opened only on an as-needed basis for outside services, services secured and jailed, antivirus on the desktop and email server.

How would an IDS help me? My network has never been touched by a virus/worm and my email server has never been hit. I'm up to date on every service available and have constant monitoring/performance monitoring going.
 
Originally posted by shade91
Sonicwall firewalls, servers in the DMZ with ports opened only on an as-needed basis for outside services, services secured and jailed, antivirus on the desktop and email server.

How would an IDS help me? My network has never been touched by a virus/worm and my email server has never been hit. I'm up to date on every service available and have constant monitoring/performance monitoring going.

I'm kind of at a loss as to how this would really help us as well. We're behind a PIX firewall, have enterprise virus protection, Internet virus/spam filtering, etc. In my opinion I don't think I can justify the price of the systems my managers are looking at, because I don't think it will be that much of a help.
 
Originally posted by cryme
I'll take a look, but my dickhead director will probably shun anything open source.

Do you have any specific packages you recommend?

Snort. Particularly, snort coupled with pf on OpenBSD.
 
Originally posted by skritch
Snort. Particularly, snort coupled with pf on OpenBSD.

I will definitely mention that one to my coordinator. Do you know of anything similar to the Cisco Security Agent that I can bring up? Something preferably client/host based that runs on Windows 2000.
 
Checkpoint's SecureClient is similar, but does not have the distributed IDS features etc. and is geared more toward the mobile community, but also offers great in-house security. IMHO the Checkpoint product is far superior...
 
Originally posted by PHUNBALL
Checkpoint's SecureClient is similar, but does not have the distributed IDS features etc. and is geared more toward the mobile community, but also offers great in-house security. IMHO the Checkpoint product is far superior...

Checkpoint has problems, and is derived from fwtk, and has in the past made Swiss cheese look like it was impenetrable (I have video of Dug Song violating FW-1 in about 10 different ways onstage at BlackHat 2000 or 2001, I forget which). It was so bad there was a Checkpoint rep standing outside the presentation room handing out brochures and swearing they were going to address the issues "soon", basically begging people not to

a) tell others about it, and
b) stop using FW-1.


And let's not ignore Checkpoint's asinine licensing scheme, and their penchant for forcing unwanted upgrades (4.1 to NG, anyone?) on their customer base.

Why use a commercial product derived from free code, when you can just use the free code to begin with?
 
Originally posted by skritch
And let's not ignore Checkpoint's asinine licensing scheme, and their penchant for forcing unwanted upgrades (4.1 to NG, anyone?) on their customer base.

How true this is, I still don't see the need to upgrade from 4.1 to NG from a functionality standpoint (maybe from a support standpoint). I Love Checkpoint licensing!!!! Yes, if that was true I would have to be insane, thank God it's not...


The main reason I prefer Checkpoint (on IPSO) is because it is easy to implement, easy to manage, and easy to turn over to the people tasked with its ongoing support. It's hard to do that with more "home grown" security products, especially when dealing with folks that are less than technically proficient and can't follow directions to save their lives...
 
Originally posted by PHUNBALL

The main reason I prefer Checkpoint (on IPSO) is because it is easy to implement, easy to manage, and easy to turn over to the people tasked with its ongoing support. It's hard to do that with more "home grown" security products, especially when dealing with folks that are less than technically proficient and can't follow directions to save their lives...

True, but then, trusting your site security to such people in the first place is a questionable move all its own. :)
 
Originally posted by skritch
True, but then, trusting your site security to such people in the first place is a questionable move all its own. :)

hehe, another good point, but unfortunately we don't always have a choice and it often pains me to turn over certain things to certain people....
 
Well let me start off by asking you what you are trying to accomplish with NIDS?

Do you intend to stop attacks before they get into your network?

If your answer is yes, Cisco's offering will not solve your problem. Let me tell you why: Cisco's IDS line sits off a SPAN port on your switch, or is a blade that plugs into a modular router and takes copies of traffic off the backplane. This means that the sensor is seeing a COPY of the traffic; once it has seen it, that packet has already passed into your network. The Cisco can take action after the first packet and shun the IP if it detects an attack, but it will not stop that first packet from getting in. Cisco's Threat Response technology is somewhat misleading. I've read a few docs that seem to portray that CTR provides some sort of intrusion prevention mechanism. It doesn't; Cisco's own product specialist leader has told me that CTR only automates the forensic process of tracking down any attack that has already occurred, seeing if damage actually happened as a result of it, and collecting as much info as possible about it.

If you want to stop attacks before they get into your network you need something that sits inline (like between your perimeter firewall and the first switch in your network, or between your user switches and your server farm switches) and filters in real time. This way it's seeing the actual traffic and can block as necessary. A couple of companies to look at for this would be Netscreen (www.netscreen.com) and Tipping Point (www.tippingpoint.com). I personally believe, after evaluating both products, that Tipping Point is better, although it's about 50% more expensive.

NIDS devices have been and probably always will be limited to blocking only what they know about. They use signatures much like your antivirus software does. NIDS manufacturers have tried to build in some future-proofing by including protocol anomaly detection, but some programs (oddly enough including some MS programs) do not always abide by the RFC protocol rules, so enabling this function across the board can block legit traffic.

If you're not overly concerned about preventing attacks before they get in, then I'd look at Cisco but I'd look at Snort too. Generally speaking, from what I've seen things like Cisco IDS and Snort are going to provide you a lot more info about an attack than an actual Prevention device like a Netscreen or a TippingPoint...but at the same time perhaps a Prevention device could have blocked the attack in the first place.


As for HIDS, if you go down that route make sure you get something behavioral-based and not just signature-based. Behavioral-based would be something like the Cisco Security Agent. Signature-based would be something like Sygate Secure Enterprise. Signature-based HIDS sucks, in my opinion. My thoughts are this: I keep my patches up to date, and my AV software current, and have pretty good security on my network. If something gets through, it's probably going to be a new worm, and if my signature-based HIDS software doesn't know about it (which it probably won't if my AV vendor doesn't know about it either) then what good does it do me? You need something behavioral-based that can be made to learn what is normal for your computers and then locked down to not allow anything to happen outside the norms.

When I was evaluating the Cisco Sec. Agent, I built a custom policy for a fresh XP install on my test network. I allowed this PC to log into the domain, check email, get DNS, surf the web, run Office, all the normal stuff my users do. I didn't put ANY patches on it or AV software. I locked down the CSA, unplugged the machine from the network and put it outside my firewall, gave it a public IP and let it sit there for about 3 weeks, all the while collecting logs with Ethereal. This PC got slammed with everything (Blaster, Nachi, port scans, Nimda, etc.) and nothing worked. I was impressed. I did the same with a 2000 Server box with SQL, DNS and Active Directory installed on it and it stayed up too. The CSA works well; my only complaint is that it's a pain in the ass to build the policies.


You don't need to stop at NIDS/HIDS. You need to have router ACLs to filter stuff before it gets to your firewall, good firewall rules, port security on your switches so people can't just plug in any old computer to your network, 802.1x authentication so you know every PC on your network is yours, good centrally-managed AV software, good physical security, patch management, and above all a security POLICY. You need to have all this stuff documented and need to have management sign off on it saying this is what we allow and what we don't and what happens if you break the rules, period. Without management's approval, one bitching user who's in tight with management can undermine everything you've done.
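An added example, not from the thread or from any vendor's code, that models the SPAN-versus-inline point made above: a passive sensor that shuns a source after seeing a copy of the first hostile packet still lets that packet in, while an inline filter drops it; the addresses, payloads and the toy signature string are all constructed.

```python
"""Toy model of a SPAN-fed sensor with shunning versus an inline filter.
Everything here (packets, addresses, the 'signature') is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


SIGNATURE = b"EXPLOIT"          # constructed toy signature the sensor knows
HOSTILE_SRC = "198.51.100.7"    # RFC 5737 documentation address (constructed)

# Constructed traffic: a legit client, then a hostile source sending one
# packet the signature covers and one it does not.
TRAFFIC = [
    Packet("10.0.0.5", "192.168.1.10", b"GET /index.html"),
    Packet(HOSTILE_SRC, "192.168.1.10", b"EXPLOIT stage1"),
    Packet(HOSTILE_SRC, "192.168.1.10", b"stage2 follow-up"),
    Packet("10.0.0.5", "192.168.1.10", b"GET /about.html"),
]


def matches_signature(pkt):
    return SIGNATURE in pkt.payload


def span_sensor_with_shun(stream):
    """Passive sensor: the switch forwards the packet, then the sensor
    inspects a copy.  A hit shuns the source, which only stops later packets."""
    delivered, shunned = [], set()
    for pkt in stream:
        if pkt.src in shunned:
            continue                # firewall drops traffic from a shunned source
        delivered.append(pkt)       # already inside before the sensor reacts
        if matches_signature(pkt):
            shunned.add(pkt.src)
    return delivered


def inline_filter(stream):
    """Inline device: the real packet passes through it, so a hit is dropped
    before reaching the protected segment.  Being signature-based, it still
    passes whatever it has no signature for (the 'stage2' packet)."""
    return [pkt for pkt in stream if not matches_signature(pkt)]


def exploit_reached_network(handler):
    """True if any delivered packet matched the signature."""
    return any(matches_signature(p) for p in handler(TRAFFIC))
```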
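A second added example, also not from the thread and not CSA or Sygate code, for the behavioural-versus-signature HIDS point: a signature agent can only deny binaries it already knows, while a behavioural agent learns a per-process baseline and then denies anything outside it, including legitimate new actions it was never shown (the policy-building pain mentioned above). Process names, hashes and events are constructed.

```python
"""Toy contrast of a signature-based and a behavioural host agent.
All events, process names and hashes are constructed for illustration."""
from collections import defaultdict

# Constructed events seen while the behavioural agent is learning:
# (process name, action, target).
LEARNING_PHASE = [
    ("outlook.exe", "connect", "tcp/25"),
    ("outlook.exe", "connect", "tcp/110"),
    ("iexplore.exe", "connect", "tcp/80"),
    ("winword.exe", "write", "Documents"),
]

# Constructed signature list the signature-based agent ships with.
KNOWN_BAD_HASHES = {"sha1-of-old-worm"}


def signature_check(process_hash, event):
    """Signature agent: deny only if the binary's hash is already known bad."""
    return "deny" if process_hash in KNOWN_BAD_HASHES else "allow"


class BehaviouralAgent:
    """Learns (action, target) pairs per process, then enforces that baseline."""

    def __init__(self):
        self.baseline = defaultdict(set)
        self.locked = False

    def learn(self, events):
        for process, action, target in events:
            self.baseline[process].add((action, target))

    def lock_down(self):
        self.locked = True

    def check(self, process_hash, event):
        process, action, target = event
        if not self.locked:
            return "allow"          # still learning: nothing is enforced yet
        # An unknown process has an empty baseline and is therefore denied.
        return "allow" if (action, target) in self.baseline[process] else "deny"


def run_scenario():
    """Returns (signature verdict, behavioural verdict) for three events."""
    agent = BehaviouralAgent()
    agent.learn(LEARNING_PHASE)
    agent.lock_down()
    trials = {
        "old_worm":  ("sha1-of-old-worm", ("oldworm.exe", "connect", "tcp/135")),
        "new_worm":  ("sha1-never-seen",  ("newworm.exe", "connect", "tcp/135")),
        "new_legit": ("sha1-of-outlook",  ("outlook.exe", "connect", "tcp/443")),
    }
    return {name: (signature_check(h, ev), agent.check(h, ev))
            for name, (h, ev) in trials.items()}
```

The "new_legit" row is the trade-off: the behavioural agent blocks the novel worm the signature agent misses, but also blocks a legitimate action that was not in the learned policy.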
 
Originally posted by Boscoh
Well let me start off by asking you what you are trying to accomplish with NIDS?

Do you intend to stop attacks before they get into your network?

If your answer is yes, Cisco's offering will not solve your problem.

Shorter answer: No NIDS (or HIDS) will. The "D" is for DETECTION, not PREVENTION.

It's nothing but an alarm system, telling you someone's doing something they're not supposed to. IDS technology is not designed to prevent anything.
 
Yes, that is correct. However, a lot of people use NIDS/HIDS interchangeably when referring to detection or prevention devices, plus the fact that a lot of people don't know there is a difference.

I don't think the industry has really decided on what they want to call the different technologies yet. I've seen vendors describe host IDP software as HIDS (Cisco did that for a while right after they acquired Okena and got StormWatch/StormFront, which is now CSA). They need to, because it's confusing a lot of consumers who don't know that NIDS really doesn't prevent anything.
 