RE: Is snort an overkill for desktop only environment ?

Hi Martin,

I believe you are taking the wrong approach to the situation. Installing an IDS/IPS solution is not about whether or not your systems are traditional desktops or servers, but about the sensitivity of your data and where it rests and travels. Are you storing or processing sensitive information, such as Social Security Numbers or credit cards? Or is it data that is not that sensitive, maybe you just process public press releases.... You should try and figure out how sensitive the data you have is and how motivated the "bad guys" are to get it.

Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst@...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of martin
Sent: Saturday, October 24, 2009 11:54 AM
To: security-basics@...
Subject: Fwd: Is snort an overkill for desktop only environment ?

anybody have any thoughts at all ?

---------- Forwarded message ----------
From: martin <martiniscool@...>
Date: 2009/10/22
Subject: Is snort an overkill for desktop only environment ?
To: security-basics@...

Hi all

I've been reading up on IDP recently, and particularly started looking at snort. I'm considering suggesting to my boss that we install it at a small branch office I'm based at. However, all that we have at the branch office are a few desktop PCs, a firewall, switch, and a printer. Our DC, file server etc. is at head office and accessed using a VPN.

Is it worth installing IDP in a simplified environment such as this? Or is it designed for more "complex" environments which have more resources such as file servers, web servers etc.?

Also, currently we wouldn't have anything in the budget to pay for the $500 rule subscription for one sensor - so all the rules we would be getting would be 30 days old. Is it worth having an IDP with rules that are this old? Are they still of any value?

I'm thinking back to the Conficker threat last year - I know there was a Snort rule for it, but without the subscription, we wouldn't have gotten it for 30 days. So it would have been pretty much too late in that case. I know that we can write our own rules, but I don't think anybody would have time to do that. So we'd be relying on what rules get downloaded.

Any feedback would be greatly appreciated

thanks in advance
M
Re: Is snort an overkill for desktop only environment ?

Hi, Martin,

The answer to your question probably depends on what level of security you need. If there isn't much in need of protection on those desktops, then maybe you don't need an IDS so much at that office. Then again, if that office is connected to the main office via VPN, maybe it is a good idea to watch that net with Snort or similar, since it could be a way in to the good stuff at the other locations if it is a weak area in your network's security.

One way to save money and management overhead with Snort might be to install it on the firewall/router (if that gear happens to be running some form of Unix and has enough muscle, bandwidth, and storage capacity). Some small offices and homes handle this by installing Snort on an OpenWRT router, perhaps another consideration for you. Another option is to install it on a small, low-power machine since you'd be deploying the system to a presumably relatively low-traffic network -- maybe even an old laptop will do since this is a non-essential service and it won't be a problem if the system fails. You could even just go ahead and do this now (be sure to enable port spanning/mirroring on the switch) for testing and evaluation so you can see what Snort is like in action on this little branch network.

As for the rules, I think there is value in having a system without the commercial rule subscription. Sure, it won't be able to catch attacks only detectable by those newer-than-30-days-old subscriptions, but there are tons of attacks and anomalies (obviously many more) covered by all the other rules out there that are over 30 days old. Plus, as you mentioned, this is only a small branch net with no servers. Perhaps if your experience with Snort on this net is positive, you'll deploy it to the main office and be able to justify the $500 for the rule subscription for that particular sensor. Then you will be able to use those new rules where you need them most.

Hopefully that gives you something to chew on as you consider Snort.

Have fun!
Mike

On 24/10/2009, martin <martiniscool@...> wrote:
> anybody have any thoughts at all ?
Re: Is snort an overkill for desktop only environment ?

Eh...you can run Snort at home if you want. There is nothing saying that you have to be on a huge enterprise network in order to have an IDS, especially a free/open source one. If I were in your shoes I would deploy Snort simply for the great learning opportunity, so long as your budget permits it.

You may not be able to get the most current rules from Sourcefire, but you can at least get the most current rules from Emerging Threats, which tend to be relevant to current events and high quality. For something so high profile as Conficker, you can usually find a Snort rule on the front page of the Internet Storm Center. There is no monopoly on such rules. This is another benefit of Snort's origins, and thorough documentation due to remaining open source.

On the other hand, you'll need to devote a lot of time to tuning the sensor, especially at first. Otherwise you'll be inundated with junk alerts/false positives and will quickly simply ignore it altogether. That's part of the learning process.

Given the state of most of the private sector's IT security, your first and best step would be taking away admin privileges from all your users before you go through the trouble of deploying an IDS.

Steve

On Sat, Oct 24, 2009 at 2:53 PM, martin <martiniscool@...> wrote:
> anybody have any thoughts at all ?
Re: Is snort an overkill for desktop only environment ?

What is the cost?
- CPU and disk
- maintain and operate
- time to review and monitor
- false positives

What are the benefits?
- reduction in false negatives
- improved response time

What is the value of the system?
- data
- leap frogging to other systems stopped

If (benefit - cost) is less than a weighted value of the system, there is a net return on using the product. This return needs to be calculated as an IRR (internal rate of return) for the firm (see the treasury ppl). If the return is equal to or greater than the IRR, the expense is of benefit.

Regards,
Dr Craig Wright GSE-Malware LLM, etc

On 27/10/2009, at 7:09 AM, krymson@... wrote:
> I don't think it would be overkill unless this is a completely useless office that has access to nothing. As Jason responded earlier, it depends on the data value. Snort will also have less value if the VPN is client-to-site, rather than site-to-site, since it won't be able to see the encrypted traffic, but that won't eliminate the value since you can still see if something evul is getting into or out of your office/desktops.
>
> I think if you can get quality information about your environment, a monitoring tool is a worthwhile effort. The Snort sensor can probably be tuned nicely to give very few alerts and far fewer false positives than a complex environment, depending on the web browsing habits.
>
> Part of me really wants to say you can get good value out of netflow statistics for that office (ferrets out strange destinations or hours of activity), or making sure the desktops are behind a nicely hardened firewall (egress and ingress accounted for) along with a web proxy or filter, and some sort of ability to sense rogue (new) systems. But Snort is a great piece as well.
>
> Regarding the 30 day lag time, I don't think that should be a huge problem, but yes it can be a small concern. It wouldn't kill my adoption of Snort in most environments, however, most likely because Snort is an alert mechanism and not necessarily a prevention mechanism. For prevention, I'd still rely on endpoint AV/security. I fall on the side of using IDS less as an active tool like an IPS, and more in the traditional detection/monitoring sense.
>
> ---------- Forwarded message ----------
> From: martin <martiniscool (at) gmail (dot) com [email concealed]>
> Date: 2009/10/22
> Subject: Is snort an overkill for desktop only environment ?
> To: security-basics (at) securityfocus (dot) com [email concealed]
Re: Is snort an overkill for desktop only environment ?

As others have suggested, it depends on how much you value your data - but, unmentioned by the others, you should consider the relationship of the remote network to your larger environment. Do you do any egress filtering at the firewall of the remote network, specifically for traffic from the remote network to the larger network? Or is the VPN connection between your offices wide open? Even if you filter, I'll bet that you have open the usual Windows networking ports of 135, 139, 445, etc. to all machines on your larger network from the remote network, because that's the way it works.

So, if you have the resources to install, maintain and monitor it, I'd say absolutely yes, you should install it, or whatever other security tools you can.

Kurt

On Sat, Oct 24, 2009 at 11:53, martin <martiniscool@...> wrote:
> anybody have any thoughts at all ?
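The netflow idea krymson raises earlier in the thread (strange destinations, odd hours of activity) and the Windows-port exposure Kurt describes above, as an added example that is not code from any post: a short Python pass over constructed flow records that flags off-hours traffic, unknown external destinations, and one branch desktop sweeping many head-office hosts on tcp/135/139/445. The address ranges, office hours, known-destination list and thresholds are assumptions.

```python
"""Flag unusual branch-office egress in NetFlow-style records.

Added example, not code from any post in the thread. The flow records,
address ranges, office hours, known-destination list and thresholds are
all constructed assumptions for a branch of desktops whose DC and file
server sit at head office behind a site-to-site VPN.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, NamedTuple

BRANCH_LAN = ip_network("10.20.0.0/24")        # assumed branch desktops
HEAD_OFFICE = ip_network("10.0.0.0/16")        # assumed HQ ranges over the VPN
OFFICE_HOURS = range(8, 19)                    # 08:00-18:59 local, assumed
KNOWN_EXTERNAL = {ip_address("203.0.113.40")}  # assumed proxy/update host
FANOUT_PORTS = {135, 139, 445}                 # Windows ports Kurt mentions
FANOUT_WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3                           # distinct HQ hosts per window


class Flow(NamedTuple):
    ts: datetime
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'timestamp src dst dport proto bytes' lines (constructed format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), ip_address(src),
                          ip_address(dst), int(dport), proto, int(nbytes)))
    return flows


# Constructed records: a normal day, then one desktop sweeping HQ hosts on
# tcp/445 and another desktop talking to an unknown host at 02:31.
SAMPLE_FLOWS = """\
2009-10-26T09:15:00 10.20.0.11 10.0.0.5 445 tcp 182000
2009-10-26T09:16:30 10.20.0.12 10.0.0.5 445 tcp 91000
2009-10-26T10:02:11 10.20.0.11 10.0.0.10 88 tcp 4200
2009-10-26T13:40:05 10.20.0.13 203.0.113.40 80 tcp 52000
2009-10-26T14:05:00 10.20.0.13 10.0.1.20 445 tcp 300
2009-10-26T14:05:01 10.20.0.13 10.0.1.21 445 tcp 300
2009-10-26T14:05:02 10.20.0.13 10.0.1.22 445 tcp 300
2009-10-27T02:31:44 10.20.0.12 198.51.100.9 6667 tcp 1800
"""


def find_anomalies(flows: List[Flow]) -> List[str]:
    """One finding string per suspicious pattern; an empty list means nothing odd."""
    findings = []
    fanout = defaultdict(list)   # (src, port) -> [(ts, HQ dst), ...]
    for f in flows:
        if f.src not in BRANCH_LAN:
            continue             # only traffic leaving the branch desktops
        external = f.dst not in HEAD_OFFICE and f.dst not in BRANCH_LAN
        if f.ts.hour not in OFFICE_HOURS:
            findings.append(f"off-hours: {f.src} -> {f.dst}:{f.dport} at {f.ts:%H:%M}")
        if external and f.dst not in KNOWN_EXTERNAL:
            findings.append(f"new destination: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
        if f.dst in HEAD_OFFICE and f.dport in FANOUT_PORTS:
            fanout[(f.src, f.dport)].append((f.ts, f.dst))
    # A desktop touching many HQ hosts on SMB/RPC ports within minutes is not
    # normal file-server use; worms such as Conficker spread over tcp/445 that way.
    for (src, port), hits in fanout.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            reached = {d for t, d in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(reached) >= FANOUT_THRESHOLD:
                findings.append(f"fan-out: {src} reached {len(reached)} HQ hosts "
                                f"on tcp/{port} within {FANOUT_WINDOW}")
                break
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Run against the sample it reports three findings: the 02:31 connection twice (off-hours and unknown destination) and the tcp/445 sweep from 10.20.0.13; the first four records, a normal morning, produce none.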
Re: Is snort an overkill for desktop only environment ?

If you have the HW and some time to do it.... Why not?

Take into account that from that office the server can be accessed via VPN. Having the free set of rules is better than having nothing.

--
The complexity of software is an essential property, not an accidental one.
Learn as if you were going to live forever. Live as if you were going to die tomorrow.
Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune. (Noam Chomsky)
Re: Is snort an overkill for desktop only environment ?

On Tue, 27 Oct 2009, José Manuel Molina Pascual wrote:
> If you have the HW and some time to do it.... Why not?

Because every new software package you install is a potential source of exploitable flaws, even more so if it is always working and getting its inputs from the network.

--
Regards,
ASK
Re: Is snort an overkill for desktop only environment ?

Alexander Klimov wrote:
> On Tue, 27 Oct 2009, José Manuel Molina Pascual wrote:
>> If you have the HW and some time to do it.... Why not?
>
> Because every new software package you install is a potential source of exploitable flaws, even more so if it is always working and getting its inputs from the network.

When deploying snort, you normally want to know if there already has been a _successful_ attack, because when connecting to the internet you're always being attacked, but mostly without any effect on your system. In your case, if your desktop is attacked successfully, I wouldn't trust the NIDS output anyway. In addition, snort is just helpful if someone is looking into the alerts 24/7. I think you should spend your time on more productive stuff. But for educational purposes, playing with it is never wasted time.
RE: Is snort an overkill for desktop only environment ?

I'm not sure we are tackling this the right way. The question that was asked is "is it overkill for a desktop only environment". Every time you want to implement a control, you need to evaluate if you need it (cost-benefit). If there's no need for IDS (H-N) at all, don't implement them. But if you are the NSA and have (for whatever reason) a desktop only environment in one of their branches/locations, you MIGHT want to have these controls. But at home, I really don't care about a N/H-IDS.

So yes, it's overkill if your environment does not need that level of protection, and no, it's not overkill if you need it. Risk management all the way.

Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417
Fax: 514-856-7541
http://www.transforce.ca/

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On behalf of pleed
Sent: 24 November 2009 16:38
To: security-basics@...
Subject: Re: Is snort an overkill for desktop only environment ?