Jesse ras1@jamrockmusic.com wrote:
Just curious what you use for this.
Depends on the budget. ;->
I'm partial to Nokia solutions for financial sectors, although I _never_ put all my eggs in one basket. I typically and _always_ use Snort for the network IDS, including the free update subscription. It can't hurt to have Snort (or even their SourceFire subscription) in addition to non-freedom solutions.
For a freedom host IDS, a combination of Snort IDS and then Portsentry targeting active (or commonly targeted) services.
For layer-7 services, I shove out some serious money when I can (i.e., 5 figures). When I can't, I make sure it's in a DMZ. I'm still looking for a freedom layer-7 scanning service.
It's never a matter of whether you will be hacked, it's a matter of when. Updating only goes so far (although it's clearly the best move).
Basic 1, 2 and 3 sigma statistics generally apply here (I apologize for my over-simplistic application of risk analysis -- but I'm an engineer after all ;-).
Updating only gets you to 1 (~67%).
I prefer the "defense-in-depth" of adding network and host IDS as well, getting me to 2 (~96%) and letting me know when I've been compromised (like even my wife's home Windows system was c/o some spyware earlier this year).
Ideally, anytime you have any layer-7 application service (or even client -- such as a resident virus scanner that scans specific, incoming/outgoing ports), active scanning is ideal. That's more 3 sigma (>99%), assuming you use network and host IDS too.
-- Bryan "I've definitely done too much [Practices] today" Smith
P.S. For defense, there are MIL-STD and CCEA -- and MAC/RBAC is required by default (and must be explained with exceptions if not). And such networks _never_ go on publicly accessible networks -- although that's still 70% of the battle (although MAC/RBAC addresses it fairly well).