BOL Conferences
#45630 - 11/26/02 04:33 PM Intrusion Detection Devices
Queen Mum Offline
Power Poster
Queen Mum
Joined: Mar 2001
Posts: 3,920
OK
Just wondering what type of intrusion detection devices others are utilizing. We have been advised to implement a more sophisticated internal method of monitoring unauthorized attempts to our system and thought someone could recommend something they are using that is working well and satisfies examiners.

eBanking / Technology
#45631 - 03/03/03 06:42 PM Re: Intrusion Detection Devices
Anonymous
Unregistered

We use a managed IDS from Secureworks. The FDIC liked it in our last audit.

#45632 - 03/10/03 06:04 PM Re: Intrusion Detection Devices
Anonymous
Unregistered

Real Secure offers an IDS module but it's expensive. Many companies are now using SNORT, which is free, and you can run it on Linux. Regulators shouldn't have a problem with either provided they are implemented and managed correctly.

#45633 - 03/10/03 07:56 PM Re: Intrusion Detection Devices
1111 Offline
Platinum Poster
1111
Joined: Jan 2003
Posts: 580
Quote:

Just wondering what type of intrusion detection devices others are utilizing.

We are having SonicWall SOHO3 installed this week for the same purpose, along with Sonicwall Antivirus subscription service which doesn't let anyone on the system unless they have the latest antivirus updates. I'm not a tech, but apparently SonicWall will detect hacker activity and report it to you.

A review of SonicWall is posted HERE

#45634 - 05/09/03 09:35 PM Re: Intrusion Detection Devices
Lawrence T. Levine Offline
Junior Member
Lawrence T. Levine
Joined: May 2003
Posts: 37
Troy, VA
We've been offering a managed IDS solution to community bankers for the last few years. At the risk of a blatant plug.... you might want to check out what we're doing.

The key to IDS is management. False positives are the bane of IDS management. Have a read over:

http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/04j_intrusion_detect%20_response.htm

It is a good discussion from the FFIEC about the subject.
Short story: an IDS system is only as good as the management behind it.

Some things to check out:

A post here where I say some potentially useful things -
http://www.bankersonline.com/ubbthreads/showflat.php?Cat=&Board=UBB3&Number=66601&page=0&view=collapsed&sb=5&o=&fpart=1

A good article on IDS ROI - in two parts
http://online.securityfocus.com/infocus/1608
http://online.securityfocus.com/infocus/1621

Snort is a great product, ISS has a good product, Enterasys has a good product.... none of them are worth anything if they aren't managed right.

Up on a soap box as usual.
_________________________
Lawrence T. Levine Managing Director SecurePipe, Inc. Direct: 4342932454 www.SecurePipe.com

#45635 - 06/20/03 06:57 AM Re: Intrusion Detection Devices
Ji Lee Offline
New Poster
Ji Lee
Joined: Jun 2003
Posts: 4
Los Angeles
Quote:

Quote:

Just wondering what type of intrusion detection devices others are utilizing.

We are having SonicWall SOHO3 installed this week for the same purpose, along with Sonicwall Antivirus subscription service which doesn't let anyone on the system unless they have the latest antivirus updates. I'm not a tech, but apparently SonicWall will detect hacker activity and report it to you.

A review of SonicWall is posted HERE

Actually, there is a fundamental difference between firewalls and IDS'. I can best explain one aspect of this difference with an example. Let's assume you have a password protected FTP site on a server behind the firewall. You must open the FTP port on the firewall for proper file transfer. All attempts to gain access to the FTP site are considered authorized traffic. This means if a hacker is using a brute force attack to try to crack the password, the firewall will allow this. A properly configured IDS will not. IDS' will detect patterns of behavior that are not consistent with normal events (such as 100 consecutive failed logins within a short period). Of course many sites have password lockouts, but that is not usually the case for Admin passwords.

Another thing to understand about IDS' such as Snort is that they detect but do not block or shun attacks. This is critical to understand. Remember, when you are asleep, there is someone on the other side of the planet that is awake and trying to hack your system. By the time you find out in the morning, it may be too late. Solutions from Cisco, Symantec (Axent), ISS, etc. do shun and block but are extremely expensive and hard to maintain.

My IDS strategy is to use managed services at the Internet border. Someone mentioned SecureWorks. SecureWorks is a 24x7 monitoring and prevention system and it seems to work great. I have clients that have installed this and so far we've avoided code-red, nimda, slammer, and bugbear.

Up to now, I've written about Network IDS' (NIDS). Unfortunately, NIDS' are tough solutions for internal use. First of all, NIDS' will only monitor one subnet. If you have multiple branches, you will need one for each branch. This can be VERY expensive. Furthermore, the expertise to manage an IDS system is daunting. IDS management is not a science, it is an art. Trying to allow "good" traffic and block "bad" is a tricky ordeal.

So what is a good internal solution? I've investigated Host IDS' of which there are many. HIDS are usually installed on servers and protect only that server from intrusion. The good HIDS' do not use signatures as AV software does. Instead, they use various technologies that prevent the end result, such as changing of system files or processes that perform buffer overflows. The downside to HIDS' is that they are also very expensive. I believe Cisco's solution was about $5K to $10K for the console and $1K for every server agent (ouch). There is no clear-cut solution for internal IDS'. Unless you are ground-zero for an anti-virus attack, as long as you keep your anti-virus software up to date, you should be Okay on the virus borne hacks. However, it is still a difficult task trying to protect your network and servers from employees that install scanning and cracking software for malicious purposes. If you have the money and the expertise, HIDS and NIDS internally will keep your network relatively safe. If you don't, I'd at least protect my Internet border with a managed IDS provider, keep my AV signatures up to date, and check your logs on a daily basis.

BTW, if anyone knows of an inexpensive HIDS, please share.
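The FTP brute-force case described in the post above, as an added example that is not part of this thread or any product mentioned in it: a small Python detector that applies the "many failed logins in a short window" rule to a constructed vsftpd-style log excerpt. The log lines, client addresses, and the threshold of 5 failures in 60 seconds are assumptions for the demo; the post's figure of 100 is simply a different threshold value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed FTP log excerpt (made up for this example; the line format
# mirrors vsftpd's "FAIL LOGIN" / "OK LOGIN" entries).
SAMPLE_LOG = """\
Mon Mar 10 02:00:01 2003 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 10 02:00:02 2003 [pid 1202] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 10 02:00:03 2003 [pid 1203] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 10 02:00:04 2003 [pid 1204] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 10 02:00:05 2003 [pid 1205] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 10 02:01:00 2003 [pid 1206] [alice] FAIL LOGIN: Client "198.51.100.4"
Mon Mar 10 02:03:00 2003 [pid 1207] [alice] FAIL LOGIN: Client "198.51.100.4"
Mon Mar 10 02:03:05 2003 [pid 1208] [alice] OK LOGIN: Client "198.51.100.4"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, result, client_ip), or None if not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["user"], m["result"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert when one client IP accumulates `threshold` FAIL LOGINs within `window`."""
    recent = defaultdict(deque)  # client_ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "FAIL":
            continue  # skip unparsable lines and successful logins
        ts, user, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            # One alert per filled window, then reset, so a sustained attack
            # produces one alert per `threshold` failures rather than per line.
            alerts.append({"client": ip, "user": user, "failures": len(q),
                           "first": q[0], "last": ts})
            q.clear()
    return alerts
```

The two slow failures from 198.51.100.4 fall outside the window and raise nothing, while the rapid run against the admin account from 203.0.113.7 raises one alert; a firewall that permits the FTP port would have passed both streams unremarked.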


Moderator:  Andy_Z