[CentOS] [Practices] Host and Network IDS -- WAS: DNS wizard

Thu Dec 29 22:19:34 UTC 2005
Bryan J. Smith <thebs413 at earthlink.net>

Jesse <ras1 at jamrockmusic.com> wrote:
> Just curious what you use for this.

Depends on the budget.  ;->

I'm partial to Nokia solutions for financial sectors,
although I _never_ put all my eggs in one basket.  I
typically and _always_ use Snort for the network IDS,
including the free update subscription.  It can't hurt to
have Snort (or even  their SourceFire subscription) in
addition to non-freedom solutions.

For a freedom host IDS, a combination of Snort IDS and then
Portsentry targeting active (or commonly targeted)
services.

For layer-7 services, I shove out some serious money when I
can (i.e., 5 figures).  When I can't, I make sure it's in a
DMZ.  I'm still looking for a freedom layer-7 scanning
service.

It's never a matter of whether you will be hacked, it's a
matter of when.  Updating only goes so far (although it's
clearly the best move).

Basic 1, 2 and 3 sigma statistics generally apply here (I
apologize for my over-simplistic application of risk
analysis -- but I'm an engineer after all ;-).

Updating only gets you to 1 (~67%).

I prefer the "defense-in-depth" of adding network and host
IDS as well, getting me to 2 (~96%) and letting me know when
I've been compromised (like even my wife's system home
Windows system was c/o some spyware earlier this year).

Ideally, anytime you have any layer-7 application service (or
even client -- such as a resident virus scanner that scans
specific, incoming/outgoing ports), active scanning is ideal.
That's more 3 sigma (>99%), assuming you use network and
host IDS too.

-- Bryan "I've definitely done too much [Practices] today"
Smith

P.S.  For defense, there are MIL-STD and CCEA -- and MAC/RBAC
is required by default (and must be explained with exceptions
if not).  And such networks _never_ go on publicly accessible
networks -- although that's still 70% of the battle (although
MAC/RBAC addresses it fairly well).


-- 
Bryan J. Smith     Professional, Technical Annoyance
b.j.smith at ieee.org      http://thebs413.blogspot.com
----------------------------------------------------
*** Speed doesn't kill, difference in speed does ***