Ids/ips

[SephStorm]

Hey,

Does anyone have any suggestions for an IDS/IPS for a SINGLE Windows machine? Later I would like to extend it to a network, once I get my other computer running. I did find a video explaining how to install and use Snort on an XP machine, and I know Snort is a well known, and respectable application, but my research indicates that Snort is for Networks, hence, I don't know if it can be used on a single client.

I looked up HIDS/HIPS next, because they use McAfee HIDS where I work, ad I did some research before they came out with it. HIDS/HIPS look like they are more what i'm looking for, but suggestions would be appreciated. Again, I am not an expert in this area, so something that I can learn easily now is preferred, and I can work with more technical programs later.

[Chobin73]

Well, first of all, you'd better consider that IDS/IPS is not intended to protect only one system. IDS/IPS's can detect exploit attempts and take immediate countermeasures (typically by terminating session or shutting down a relevant vlan if integrated in a more complex NAC/IPS system).
Using it on a single machine is...well, it doesn't really makes sense IMHO..
It's all about personal firewalling.
Otherwise, you can consider checking entry level UTM appliances and buy one...there are many offers from Juniper, Checkpoint, Zyxel..If you want something which deals effectively with a lot of threats and assures you good performances at a reasonable price, you can even check Netasq products...they're terribly effective and efficient at a reasonable price. Almost nobody knows that company even if it's the NATO UTM choice for their networks...

[xorred]

Get yourself (I guess you're using windows?) a Comodo Personal Firewall + Home Avast antivirus. Then harden your system as explained in NSA's security configuratino guides (googlefu). That should do it. If you're using any other OS, just follow the same security configuration guides by the same 3 letter organization. I've found them the best of their breed.

[SephStorm]

IDK. I have a firewall that does what its supposed to do, it passed my testing criteria, and I'm protected as far as AV/AS/AM, but a multi layed defense is suggested, and I see little reason not to add this layer, especially concidering that it will be a big part of my career later in network administration. Might as well get started now, if possible.

Now, in response to Xorred, I have heard of the NSA's guidelines, in the case of establishing guidelines for Infosec professionals (NSTISSI 4011), but I wasn't aware of anything that could help a user at my level, what should I be looking for?

[purehate]

A proper ids should be implemented with a passive tap outside the LAN so packets coming in are analyzed by snort even before they reach the firewall. Then based on those analysis you create your firewall rules. For example



Now I can add those SQL worm attempts and whatever else to my firewall reject or drop list. As you can see the inertubes are very active and dangerous

[imported_cybrsnpr]

I have heard of the NSA's guidelines, in the case of establishing guidelines for Infosec professionals (NSTISSI 4011), but I wasn't aware of anything that could help a user at my level, what should I be looking for?

Google for "nsa security configuration guide"

Also, remember, HIPS is a "host intrusion prevention system". This is usually a good firewall! No need to over think the solution. HIDS is usually associated with a larger network where several HIDS sensors would report to a centralized IDS suite. There are several personal security products out there that combine firewalls, A/V, alerts (HIDS) and autoblocking features (HIPS). As the previous poster mentioned, comodo isn't a bad choice, though I'm not familar with all of it's capabilities.

[Chobin73]

Well, thinking of your future career you should point even stronger to a UTM appliance instead of looking for pieces of software to run on your system...
Mind that the big difference between appliances resides in the administration consoles and customization capabilities. All the rest is "packed" in bulked softwares running on hardened linux or freebsd systems.
You do not really need to know anything about the "core level" filters, while as a net admin you are strictly concerned about usability, effectiveness and customization...
Mind that 99% of IDS/IPS management is a mere "report extraction, cleanup of false positives and trimming on", while the identification of an effective attack is usually delegated to a mail or sms alert...

[streaker69]

If you have a computer connected to a router, guess what? You have a network.

As Purehate said, you should put an IDS on the outside of your firewall, have it configured to automatically update the signatures and it will help protect you against unknown and new threats.

I'll probably be writing something up a little later this year with setting up IDS/IPS solutions across multiple sites with a central database at the main site for all of the sensors to report to.

Snort is probably the quickest and easiest tool to learn for this, and as you said, it's pretty well known. The new version is supposed to make setting up an IPS easier than it was before.

[Barry]

If you have a computer connected to a router, guess what? You have a network.

As Purehate said, you should put an IDS on the outside of your firewall, have it configured to automatically update the signatures and it will help protect you against unknown and new threats.

I'll probably be writing something up a little later this year with setting up IDS/IPS solutions across multiple sites with a central database at the main site for all of the sensors to report to.

Snort is probably the quickest and easiest tool to learn for this, and as you said, it's pretty well known. The new version is supposed to make setting up an IPS easier than it was before.

Heh, speaking of automagic firewall rules based on snort. My smoothwall box has an add on that does this. Took me about 20 minutes to figure out it was thinking opendns was a bad thing and dropping all packets from them.

[streaker69]

Heh, speaking of automagic firewall rules based on snort. My smoothwall box has an add on that does this. Took me about 20 minutes to figure out it was thinking opendns was a bad thing and dropping all packets from them.

If it's using the Bleeding edge rules, you may want to change your config, you can get some bad stuff from there.