[178067] in North American Network Operators' Group
RE: Intrusion Detection recommendations
daemon@ATHENA.MIT.EDU (Warsaw LATAM Operations Group)
Fri Feb 13 19:48:48 2015
X-Original-To: nanog@nanog.org
From: Warsaw LATAM Operations Group <gaswarsaw-latam@outlook.com>
To: Andy Ringsmuth <andy@newslink.com>, NANOG <nanog@nanog.org>
Date: Fri, 13 Feb 2015 19:48:44 -0500
In-Reply-To: <EB3171FA-1A68-4564-B655-0BAF9189AB11@newslink.com>
Errors-To: nanog-bounces@nanog.org
Hello Andy,
I believe you are very well set up the way you are in technology. I see you are surrounded by BSD systems everywhere, on servers, mobile and desktop. And I suggest you keep running FreeBSD for this new security requirement you have.
We run FreeBSD as an IDS/IPS system on several sites, and pfSense on a couple of others. From my experience, we started using Snort, the common path people usually follow, but under certain circumstances the drop ratio (unprocessed packets) started to rise a lot, and we looked for options. We tried Bro and Suricata and, with some help from one of our server suppliers, we decided to give Suricata a special tuning try, and it became our primary option for IDS.
Therefore I strongly suggest you start researching around Bro vs Snort vs Suricata and try to reach your conclusions from your own findings. But if you ask me for a suggestion, as a long-time user of Snort, I deprecated it in favor of Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is a very serious project with very good software provided.
We run ServerU networking servers, and they are the vendor who supported us. Usually they offer their own software solution called ProApps; it's a system made on top of FreeBSD to which you have full root access, etc., a plain good old FreeBSD system, but with nice auto-update features and a helpful web GUI which allows me to delegate IDS operations to different levels of staff operators on my team.
They allow using their ProApps solution on ServerU hardware, so if you intend to add new hardware to your project, it might be worth a try. I find the tool very powerful and very complete.
On the pfSense side you have a third-party package made by community members; it also has a nice GUI and good deployment practices, but it is Snort based.
At one special location we needed even more performance for packet capturing, and we added Suricata running in Netmap mode, and it raised performance three times on the same box.
So if you are looking for something easy, ready and supported, go for ServerU + ProApps. If you are looking for plain good open source arranged the way you want to, you can have just the same with FreeBSD + Suricata & Friends.
Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + Sguil + Snortsam is my suggested pathway to go, with Richard Bejtlich's books in your hand for good analysis learning and IDS best common operation practices. And maybe I can be of any help; mail me privately if you want to.
Regards,
> From: andy@newslink.com
> Subject: Intrusion Detection recommendations
> Date: Fri, 13 Feb 2015 11:40:06 -0600
> To: nanog@nanog.org
>
> NANOG'ers,
>
> I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
>
> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
>
> Initially, what do people recommend for:
>
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or software
> 3. Other things I'm likely overlooking
>
> Thank you all in advance for your wisdom.
>
>
> ----
> Andy Ringsmuth
> andy@newslink.com
> News Link – Manager Technology & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397 (402) 304-0083 cellular
>
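The drop ratio the reply above calls "unprocessed packets" is something Suricata reports itself: its stats.log snapshots carry cumulative capture.kernel_packets and capture.kernel_drops counters, and because they are cumulative the meaningful number is the ratio of the deltas between two snapshots, not the ratio of the raw values. The script below is an added example for this thread, not code from either poster, ServerU or the Suricata project. It parses the stats.log "Counter | TM Name | Value" layout, computes the per-interval drop ratio, handles a counter reset (Suricata restarted) and an interval with no new packets, and flags intervals above a threshold. The sample log text is constructed, the 5% threshold is an assumption, and the counter pair is the one the af-packet capture writes; confirm in your own stats.log that your netmap build exposes the same two names.

```python
import re

# Constructed sample stats.log: three cumulative snapshots, values made up.
# Interval 2 is the kind of spike the poster describes (400k of 2M new packets dropped).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 2/13/2015 -- 19:40:00 (uptime: 0d, 00h 08m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000000
capture.kernel_drops                       | Total                     | 5000
decoder.pkts                               | Total                     | 995000
------------------------------------------------------------------------------------
Date: 2/13/2015 -- 19:48:00 (uptime: 0d, 00h 16m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 3000000
capture.kernel_drops                       | Total                     | 405000
decoder.pkts                               | Total                     | 2595000
------------------------------------------------------------------------------------
Date: 2/13/2015 -- 19:56:00 (uptime: 0d, 00h 24m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 4000000
capture.kernel_drops                       | Total                     | 415000
decoder.pkts                               | Total                     | 3585000
"""

DATE_RE = re.compile(r"^Date:\s+(\S+ -- \S+)")
# counter name | thread/module name | integer value; the header row fails on the \d+ part
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(.+?)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Split stats.log text into snapshots: [{'date': str, 'counters': {name: int}}].

    Only the 'Total' rows are kept, so per-thread rows (if the log has them) are ignored.
    """
    snapshots = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = {"date": m.group(1), "counters": {}}
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = COUNTER_RE.match(line)
        if m and m.group(2).strip() == "Total":
            current["counters"][m.group(1)] = int(m.group(3))
    return snapshots


def interval_drop_ratios(snapshots):
    """Per-interval drop ratio: (delta kernel_drops) / (delta kernel_packets).

    Counters are cumulative since Suricata started, so each snapshot is compared
    with the previous one. A value lower than the previous one means the daemon
    restarted; the previous baseline is then reset to zero.
    """
    result = []
    prev_pkts = prev_drops = 0
    for snap in snapshots:
        pkts = snap["counters"].get("capture.kernel_packets", 0)
        drops = snap["counters"].get("capture.kernel_drops", 0)
        if pkts < prev_pkts or drops < prev_drops:
            prev_pkts = prev_drops = 0
        d_pkts, d_drops = pkts - prev_pkts, drops - prev_drops
        ratio = d_drops / d_pkts if d_pkts > 0 else 0.0  # idle interval: nothing to drop
        result.append((snap["date"], ratio))
        prev_pkts, prev_drops = pkts, drops
    return result


def intervals_over_threshold(snapshots, threshold=0.05):
    """Dates of snapshots whose interval drop ratio exceeds the threshold (assumed 5%)."""
    return [date for date, ratio in interval_drop_ratios(snapshots) if ratio > threshold]


if __name__ == "__main__":
    snaps = parse_stats_log(SAMPLE_STATS_LOG)
    for date, ratio in interval_drop_ratios(snaps):
        print(f"{date}: drop ratio {ratio:.2%}")
    print("over threshold:", intervals_over_threshold(snaps))
```

To run it against a live sensor, replace SAMPLE_STATS_LOG with the contents of the stats.log path configured in suricata.yaml and keep the threshold tied to what your site considers acceptable; a ratio that climbs between consecutive snapshots is the signal the poster reacted to before moving to Suricata and later to Netmap capture.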