
Thread: Ids/ips

  1. #1
    Senior Member SephStorm's Avatar
    Join Date
    Aug 2008
    Posts
    166

    Default Ids/ips

    Hey,

    Does anyone have any suggestions for an IDS/IPS for a SINGLE Windows machine? Later I would like to extend it to a network, once I get my other computer running. I did find a video explaining how to install and use Snort on an XP machine, and I know Snort is a well-known and respectable application, but my research indicates that Snort is for networks, hence I don't know if it can be used on a single client.

    I looked up HIDS/HIPS next, because they use McAfee HIDS where I work, and I did some research before they came out with it. HIDS/HIPS look like they are more what I'm looking for, but suggestions would be appreciated. Again, I am not an expert in this area, so something that I can learn easily now is preferred, and I can work with more technical programs later.
    "You're only smoke and mirrors..."

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Posts
    42


    Well, first of all, you'd better consider that IDS/IPS is not intended to protect only one system. IDS/IPSs can detect exploit attempts and take immediate countermeasures (typically by terminating the session or shutting down a relevant VLAN if integrated in a more complex NAC/IPS system).
    Using it on a single machine is...well, it doesn't really make sense IMHO..
    It's all about personal firewalling.
    Otherwise, you can consider checking entry level UTM appliances and buy one...there are many offers from Juniper, Checkpoint, Zyxel..If you want something which deals effectively with a lot of threats and assures you good performances at a reasonable price, you can even check Netasq products...they're terribly effective and efficient at a reasonable price. Almost nobody knows that company even if it's the NATO UTM choice for their networks...

  3. #3
    Good friend of the forums
    Join Date
    Feb 2009
    Posts
    356


    Get yourself (I guess you're using Windows?) a Comodo Personal Firewall + Home Avast antivirus. Then harden your system as explained in NSA's security configuration guides (googlefu). That should do it. If you're using any other OS, just follow the same security configuration guides by the same 3 letter organization. I've found them the best of their breed.

  4. #4
    Senior Member SephStorm's Avatar
    Join Date
    Aug 2008
    Posts
    166


    IDK. I have a firewall that does what it's supposed to do, it passed my testing criteria, and I'm protected as far as AV/AS/AM, but a multi-layered defense is suggested, and I see little reason not to add this layer, especially considering that it will be a big part of my career later in network administration. Might as well get started now, if possible.

    Now, in response to Xorred, I have heard of the NSA's guidelines, in the case of establishing guidelines for Infosec professionals (NSTISSI 4011), but I wasn't aware of anything that could help a user at my level, what should I be looking for?
    "You're only smoke and mirrors..."

  5. #5
    Developer
    Join Date
    Mar 2007
    Posts
    6,124


    A proper IDS should be implemented with a passive tap outside the LAN so packets coming in are analyzed by Snort even before they reach the firewall. Then based on those analyses you create your firewall rules. For example



    Now I can add those SQL worm attempts and whatever else to my firewall reject or drop list. As you can see the intertubes are very active and dangerous.

  6. #6


    Quote Originally Posted by SephStorm View Post
    I have heard of the NSA's guidelines, in the case of establishing guidelines for Infosec professionals (NSTISSI 4011), but I wasn't aware of anything that could help a user at my level, what should I be looking for?
    Google for "nsa security configuration guide"

    Also, remember, HIPS is a "host intrusion prevention system". This is usually a good firewall! No need to over think the solution. HIDS is usually associated with a larger network where several HIDS sensors would report to a centralized IDS suite. There are several personal security products out there that combine firewalls, A/V, alerts (HIDS) and autoblocking features (HIPS). As the previous poster mentioned, Comodo isn't a bad choice, though I'm not familiar with all of its capabilities.

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    42


    Well, thinking of your future career you should point even stronger to a UTM appliance instead of looking for pieces of software to run on your system...
    Mind that the big difference between appliances resides in the administration consoles and customization capabilities. All the rest is "packed" in bulked software running on hardened Linux or FreeBSD systems.
    You do not really need to know anything about the "core level" filters, while as a net admin you are strictly concerned about usability, effectiveness and customization...
    Mind that 99% of IDS/IPS management is a mere "report extraction, cleanup of false positives and trimming on", while the identification of an effective attack is usually delegated to a mail or sms alert...

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    If you have a computer connected to a router, guess what? You have a network.

    As Purehate said, you should put an IDS on the outside of your firewall, have it configured to automatically update the signatures and it will help protect you against unknown and new threats.

    I'll probably be writing something up a little later this year with setting up IDS/IPS solutions across multiple sites with a central database at the main site for all of the sensors to report to.

    Snort is probably the quickest and easiest tool to learn for this, and as you said, it's pretty well known. The new version is supposed to make setting up an IPS easier than it was before.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by streaker69 View Post
    If you have a computer connected to a router, guess what? You have a network.

    As Purehate said, you should put an IDS on the outside of your firewall, have it configured to automatically update the signatures and it will help protect you against unknown and new threats.

    I'll probably be writing something up a little later this year with setting up IDS/IPS solutions across multiple sites with a central database at the main site for all of the sensors to report to.

    Snort is probably the quickest and easiest tool to learn for this, and as you said, it's pretty well known. The new version is supposed to make setting up an IPS easier than it was before.
    Heh, speaking of automagic firewall rules based on snort. My smoothwall box has an add on that does this. Took me about 20 minutes to figure out it was thinking opendns was a bad thing and dropping all packets from them.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
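The workflow Purehate describes in post #5 (Snort alerts feeding a firewall drop list) and the false-positive problem Barry hits in post #9 (a trusted resolver getting auto-dropped) can be combined in a small script. This is an added example, not code from the thread or from Snort/Smoothwall; the alert lines are constructed in Snort's alert_fast style with local-range SIDs and RFC 5737 documentation addresses, and the allowlisted "trusted resolver" address 198.51.100.53 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort "alert_fast" style (not real captures; SIDs are in
# the local-rule range and all addresses come from RFC 5737 documentation space).
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:1] LOCAL MS-SQL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
01/15-10:23:46.001122  [**] [1:1000001:1] LOCAL MS-SQL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434
01/15-10:24:01.555555  [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 198.51.100.23:51234 -> 192.0.2.10:22
01/15-10:24:09.000001  [**] [1:1000003:1] LOCAL unusual DNS reply [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.53:53 -> 192.0.2.10:40000
01/15-10:24:12.000002  [**] [1:1000002:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 198.51.100.53:51235 -> 192.0.2.10:22
01/15-10:25:00.000003  [**] [1:1000004:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10
"""

# alert_fast layout: "[gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for lines that do not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
    return d

def build_drop_rules(alert_text, allowlist, max_priority=2):
    """Return (rules, review): one iptables DROP line per source that fired an alert at or
    above max_priority (Snort priority 1 is most severe). Allowlisted sources (e.g. a trusted
    resolver) are never auto-blocked; they go on the review list for a human to look at."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits, review = Counter(), []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority:
            continue  # unparseable line or low-priority noise: never worth an auto-block
        if any(ipaddress.ip_address(a["src"]) in n for n in nets):
            review.append((a["src"], a["msg"]))
        else:
            hits[a["src"]] += 1
    rules = [f"iptables -A INPUT -s {ip} -j DROP  # {n} alert(s)" for ip, n in sorted(hits.items())]
    return rules, review

if __name__ == "__main__":
    rules, review = build_drop_rules(SAMPLE_ALERTS, ["198.51.100.53/32"])
    print("\n".join(rules), "\nneeds review:", review)
```

The priority threshold and the allowlist are the two knobs that keep an auto-blocker from turning a noisy signature into an outage; anything that trips both still surfaces in the review list rather than silently disappearing.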

  10. #10
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Barry View Post
    Heh, speaking of automagic firewall rules based on snort. My smoothwall box has an add on that does this. Took me about 20 minutes to figure out it was thinking opendns was a bad thing and dropping all packets from them.
    If it's using the Bleeding edge rules, you may want to change your config, you can get some bad stuff from there.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
