GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: ISS Real Secure Vs Cisco IDS [7:63461] posted 02/22/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


Come on now, the slammer worm? If you are security conscious this
shouldn't have had any effect on you. Microsoft released a patch last
summer.  Security is a best effort solution. It is about layers and
maintenance. You cannot eliminate risk, you can only reduce risk.

An IDSs responsibility is to pick up attacks on the wire, not prevent
them. I personally don't believe in allowing my IDS to respond to an
attack.

-----Original Message-----
From: cebuano [mailto:cebu2ccie@xxxxxxx] 
Sent: Friday, February 21, 2003 8:22 PM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


Hi Albert,
Very good point. Which brings me to this question - how can one measure
the security of a network? It almost always is an after-the-fact
response whichever vendor you choose. As you pointed out in your example
regarding the slammer virus, have you heard any vendor claiming immunity
from this?
Is "detecting" synonymous with "preventing"?
I'm also interested in this topic due to the fact that the pricing
structure from almost ALL the major players in the IDS/Firewall market
is astronomical.

Elmer

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Albert Lu
Sent: Friday, February 21, 2003 9:19 AM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Troy,

Must be some secure site, reason I was interested is that I had a
discussion
with someone else before in regards to multi-vendor IDS solutions and
how
effective they might be.

So if you mostly rely on manual action, and an attack came in after
hours,
how quickly can you respond to your alerts? Since for some attacks, a
half
hour response time could cause your site to be down (eg. slammer virus).
If
that was the case, even if you had all the vendor's IDS, it will be
useless.

Albert

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]
Sent: Friday, February 21, 2003 10:57 PM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


As with most things, you need to way up costs againts your requirements.
IN
our case, security is absolutely essential, so having a multivendor
security
solutions (and indeed fully redundant) is costly, but we see it as
justified.

With regards to action during attacks etc.  We mostly rely on manual
actions
as we dont want to inadvertently block legitimate traffic (for example
if an
attack came from a spoofed IP). For automatic action, you can make use
of
Ciso Policy manage, which has the ability to dynamically rewrite ACL's,
on
Pix's, Routers, and indeed Cat's.  according to data from IDS.  So for
example, if you where really paraniod (like we are),. you could have
pix's
as the first firewall, with IDS on the inside / dmz etc (using IDSM or
standalone IDS), tie these together with Policy manager .. then taking a
further step into your network, a set of Nokia Fw1 NG, along with
further
Nokia IDS solutions on the inside, and tied together using the
enterprisef
software!



Albert Lu wrote:
>
> Hi,
>
> I'm just curious about your multi-vendor solution. It must cost
> quite alot
> in order to have 3 IDS running. What about redundancy, if you
> are using dual
> switch/router/fw/ids, you would have a total of 6 IDS.
>
> Being able to detect attacks with multiple IDS is one thing.
> What action can
> it take once the IDS detects an attack? Logging it into the
> syslog server is
> not enough.
>
> Albert
>
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]
> Sent: Friday, February 21, 2003 7:53 PM
> To: cisco@xxxxxxxxxxxxxx
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
>
>
> Hi Sean,
>
> I currently use Cisco IDSM (IDS module for the Cat6500), Nokia
> IDS, and
> Snort on the server themselves.  You can never be paranoid
> enough about
> these sort of things.  Each vendor has different exploits etc,
> so by
> implementing a multi vendor path to your critical servers, you
> protect
> yourself from any signle vendor specific exploit!
>
>
>
>
> Sean Kim wrote:
> >
> > Hello all,
> >
> > My company is thinking about installing an IDS (dedicated
> > appliance type) for our network.
> > As far as I know, the Real Secure and the Cisco IDS are two
> > biggest names out there.  So I checked out the documents and
> > white papers provided by the each company, but I couldn't
> > really come up with what the differences are between them, and
> > which one is better suited for our network.
> >
> > Can anyone voice their opinion about these two IDS?
> >
> > Thanks,
> >
> > Sean Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63548&t=63461
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx