[CentOS] [Practices] Host and Network IDS -- WAS: DNS wizard
Bryan J. Smith
thebs413 at earthlink.net
Thu Dec 29 22:19:34 UTC 2005
Jesse <ras1 at jamrockmusic.com> wrote:
> Just curious what you use for this.
Depends on the budget. ;->
I'm partial to Nokia solutions for financial sectors,
although I _never_ put all my eggs in one basket. I
typically and _always_ use Snort for the network IDS,
including the free update subscription. It can't hurt to
have Snort (or even their SourceFire subscription) in
addition to non-freedom solutions.
For a freedom host IDS, a combination of Snort IDS and then
Portsentry targeting active (or commonly targeted)
services.
For layer-7 services, I shove out some serious money when I
can (i.e., 5 figures). When I can't, I make sure it's in a
DMZ. I'm still looking for a freedom layer-7 scanning
service.
It's never a matter of whether you will be hacked, it's a
matter of when. Updating only goes so far (although it's
clearly the best move).
Basic 1, 2 and 3 sigma statistics generally apply here (I
apologize for my over-simplistic application of risk
analysis -- but I'm an engineer after all ;-).
Updating only gets you to 1 (~67%).
I prefer the "defense-in-depth" of adding network and host
IDS as well, getting me to 2 (~96%) and letting me know when
I've been compromised (like even my wife's home Windows
system was c/o some spyware earlier this year).
Ideally, anytime you have any layer-7 application service (or
even client -- such as a resident virus scanner that scans
specific, incoming/outgoing ports), active scanning is ideal.
That's more 3 sigma (>99%), assuming you use network and
host IDS too.
-- Bryan "I've definitely done too much [Practices] today"
Smith
P.S. For defense, there are MIL-STD and CCEA -- and MAC/RBAC
is required by default (and must be explained with exceptions
if not). And such networks _never_ go on publicly accessible
networks -- although that's still 70% of the battle (although
MAC/RBAC addresses it fairly well).
--
Bryan J. Smith Professional, Technical Annoyance b.j.smith at ieee.org http://thebs413.blogspot.com
----------------------------------------------------
*** Speed doesn't kill, difference in speed does ***
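The host-IDS layer Bryan describes (Portsentry watching ports that are commonly targeted but not actually in use on the host) boils down to a small piece of logic: anything that connects to a "dead" port is not a legitimate client, so after a few such hits the source gets blocked. The block below is an added illustration of that logic and is neither PortSentry's nor Snort's code, nor anything from the original post. The port sets, the ignore list, the trigger count, the log format ("timestamp src_ip dst_port", from a hypothetical connection-logging hook) and the sample log lines are all constructed for the example; the iptables commands are only rendered, not run.

```python
"""
PortSentry-style host IDS logic (added example, not PortSentry/Snort code).

Assumptions, all constructed for this illustration:
  - the host legitimately listens on ACTIVE_SERVICES only;
  - every port in WATCHED_PORTS is a decoy: nothing listens there, so a
    connection attempt to it is suspicious by definition;
  - connection attempts arrive as log lines "timestamp src_ip dst_port"
    from a hypothetical connection-logging hook.
"""
from collections import defaultdict

ACTIVE_SERVICES = {22, 25, 80}                             # real services on this host
WATCHED_PORTS = {21, 23, 111, 135, 139, 445, 1433, 3306}   # decoys: no listener here
IGNORE_HOSTS = {"10.0.0.5"}                                # e.g. the monitoring box
TRIGGER_COUNT = 2                                          # distinct decoy hits before blocking

# Constructed sample log: "timestamp src_ip dst_port"
SAMPLE_LOG = """\
1135894100 203.0.113.7 22
1135894101 203.0.113.7 80
1135894102 198.51.100.9 23
1135894103 198.51.100.9 139
1135894104 198.51.100.9 445
1135894105 10.0.0.5 111
1135894106 203.0.113.7 3306
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one "ts src_ip dst_port" record; return (ts, src, port) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return int(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def classify(port):
    """'service' for a real listener, 'decoy' for a watched dead port, else 'other'."""
    if port in ACTIVE_SERVICES:
        return "service"
    if port in WATCHED_PORTS:
        return "decoy"
    return "other"


def analyze(log_text):
    """Return (blocked_sources, decoy_hits) for a block of log lines.

    A source is blocked once it has touched TRIGGER_COUNT distinct decoy
    ports. Hosts in IGNORE_HOSTS are never blocked, and connections to
    real services never count: watching those is the network IDS's job.
    """
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _ts, src, port = rec
        if classify(port) != "decoy" or src in IGNORE_HOSTS:
            continue
        hits[src].add(port)
    blocked = sorted(src for src, ports in hits.items()
                     if len(ports) >= TRIGGER_COUNT)
    return blocked, {src: sorted(ports) for src, ports in hits.items()}


def iptables_rules(blocked):
    """Render the response action as iptables commands (rendered only, not executed)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in blocked]


if __name__ == "__main__":
    blocked, hits = analyze(SAMPLE_LOG)
    for src, ports in hits.items():
        print(f"{src}: decoy ports {ports}")
    for rule in iptables_rules(blocked):
        print(rule)
```

Run as written, the scanner at 198.51.100.9 (three decoy ports) is blocked, 203.0.113.7 is recorded but stays under the threshold with a single decoy hit, and the ignored monitoring host is never counted. The point of the threshold and the ignore list is the usual one with this class of tool: a decoy port fires on the first stray packet, so without them a spoofed or misconfigured source can get a legitimate address blocked.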