they began
> using a Linux kernel around PIX OS V8.
>
> --p
>
> -Original Message-
> From: NANOG [mailto:nanog-bounces+patrick.darden=p66@nanog.org] On Behalf
> Of Justin M. Streiner
> Sent: Saturday, February 14, 2015 3:28 AM
> To: nanog@nanog.org
> S
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Saturday, February 14, 2015 4:29 PM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
.
.
.
This reminds me to bring up a point that can't be stressed enough:
it'
, February 14, 2015 12:57 PM
To: Randy Bush
Cc: North American Network Operators' Group
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush wrote:
Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
By itself, a single insta
-
From: NANOG [mailto:nanog-bounces+patrick.darden=p66@nanog.org] On Behalf
Of Justin M. Streiner
Sent: Saturday, February 14, 2015 3:28 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Rich Kulawiec wrote:
> On Fri, Feb 13, 2015 at 02
I now have a few moments to discuss Security Onion, and why it works well
for many small and mid-sized organizations.
Security Onion is a Linux distro for IDS, NSM, and log management. The
whole thing can be run on a single system or on separate systems, based on the
needs, network and security architec
I'm not sure if it's been mentioned, but for a business of your size...check
out SecurityOnion. It's everything you need in one easy package and it's free.
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Andy Ringsmuth
Sent: Friday, February 13, 2015 12:40 PM
To: nanog@nanog.org
Subject: Re: Intrusion Detection recommendations
On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
> By itself, a single install of Snort/Bro is not necessarily a complete
> IDS, as it cannot inspect the contents of outgoing SSL sessions, so
> there can
On Sat, Feb 14, 2015 at 12:04 PM, BPNoC Group wrote:
The thing to note about ipfw, is it only provides you with essentially
5-tuple based access lists based on source and destination, as this
functions strictly by looking at packet headers. There's no
ipfw rule you can make that will tell
On Fri, Feb 13, 2015 at 12:43 PM, J. Oquendo wrote:
[...]
> For the most part
> though, this practice of half-baked security will continue,
> vendors will make bucketloads of money, consumers of IPS/IDS
> devices will still complain how much the product sucks, and
> I as a pentester... I stay hap
On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
> By itself, a single install of Snort/Bro is not necessarily a complete
> IDS, as it cannot inspect the contents of outgoing SSL sessions, so
> there can still be Javascript/attacks against the browser, or SQL
> injection attempts encap
On Sat, Feb 14, 2015 at 10:19 AM, Rich Kulawiec wrote:
> On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
> > What is the alternative then... Does he have the time to become a BSD
> guru
> > and master ipfw and pf? Probably not feasible with all other job duties,
> > unless he loc
On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai wrote:
> I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
> use a fairly well tested security appliance like Cisco's ASA.
Or maybe Juniper, Cisco's Ironport, IPSO?
They are all FreeBSD based, big and large critical netw
Check out Security Onion. It's got a pretty nice suite of tools and can run a (or
many) dedicated sensor system and communicate back to a central system.
As for SSL MITM, see the recent nanog thread for a full layer 2 to layer 8
ramifications of that activity.
For ssh mitm, I don't know of any t
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush wrote:
Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be Javascript/attacks aga
Thanks for the awesome response, you have valid points. This could be me
trying to simplify things by suggesting something like Cisco ASA, but the
FreeBSD solution will need much more than just a well written ipfw or pf
set of rules. In his scenario, I would also most likely need to setup VPN,
CARP
On Fri, 13 Feb 2015, Rich Kulawiec wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
> What is the alternative then... Does he have the time to become a BSD guru
> and master ipfw and pf? Probably not feasible with all other job duties,
> unless he locks himself in his mom's basement for the next 5 years.
I know this
> I've been tasked by our company president to learn about, investigate and
> recommend an intrusion detection system for our company.
>
> We're a smaller outfit, less than 100 employees, entirely Apple-based.
> Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
> world. We
German Shepherd Dogs are wonderful intrusion detection devices. In a lot of
cases they also serve as excellent intrusion prevention devices as well.
(Must be Friday night)
:-)
---
Theory is when you know everything but nothing works. Practice is when
everything works but no one knows why.
On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth wrote:
> NANOG'ers,
> I've been tasked by our company president to learn about, investigate and
> recommend an intrusion detection system for our company.
An important thing to realize is that an Intrusion Detection System is
not a "product" you c
Of course it is. You say that like faith is a bad thing.
The illogic of claiming to have no faith in anything is this: it's impractical
to assume the role of quality assurance for everything in your life.
The question is whether your faith is reasonable. Ever use an elevator? Faith. Drive a
car? Faith.
tl;dr
dc
-mel
> On Feb 13, 2015, at 1:13 PM, "J. Oquendo" wrote:
>
>> On Fri, 13 Feb 2015, Mel Beckman wrote:
>>
>> JO,
>>
>> IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets
>> specific notification and logging requirements. SNORT-based systems fall
>> into this categ
Hello Andy,
I believe you are very good set up the way you are in technology. I see you are
surrounded by BSD systems everywhere, on servers, mobile and desktop. And I
suggest you keep running FreeBSD for this new security requirement you have.
We run FreeBSD as IDS/IPS system on several sites, a
On Fri, 13 Feb 2015, Rafael Possamai wrote:
> What is the alternative then... Does he have the time to become a BSD guru
> and master ipfw and pf? Probably not feasible with all other job duties,
> unless he locks himself in his mom's basement for the next 5 years.
>
The alternative is to unders
On Fri, 13 Feb 2015 15:45:30 -0600, Rafael Possamai said:
> What is the alternative then... Does he have the time to become a BSD guru
> and master ipfw and pf? Probably not feasible with all other job duties,
> unless he locks himself in his mom's basement for the next 5 years.
By the time you le
What is the alternative then... Does he have the time to become a BSD guru
and master ipfw and pf? Probably not feasible with all other job duties,
unless he locks himself in his mom's basement for the next 5 years.
On Fri, Feb 13, 2015 at 3:27 PM, Rich Kulawiec wrote:
> On Fri, Feb 13, 2015 at
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
> I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
> use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
---rsk
On Fri, 13 Feb 2015, Mel Beckman wrote:
> JO,
>
> IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets
> specific notification and logging requirements. SNORT-based systems fall into
> this category.
>
tl;dr (even I don't read what I write)
You failed to see the snark in "m
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
use a fairly well tested security appliance like Cisco's ASA. Depending on
the traffic you have on your fiber uplink, you can get a redundant pair of
ASAs running for less than $2,000 in the US. I just find it less stressful
JO,
IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific
notification and logging requirements. SNORT-based systems fall into this
category.
-mel beckman
> On Feb 13, 2015, at 10:00 AM, "J. Oquendo" wrote:
>
>> On Fri, 13 Feb 2015, Mel Beckman wrote:
>>
>> Unless
On 13/02/15 17:45 +, Mel Beckman wrote:
Unless you need regulatory-grade IDS, your best bet is a Unified Threat
Management (UTM) appliance, essentially any modern enterprise grade firewall
such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS
options for a fee.
-
On Fri, 13 Feb 2015, Mel Beckman wrote:
> Unless you need regulatory-grade IDS, your best bet is a Unified Threat
> Management (UTM) appliance, essentially any modern enterprise grade firewall
> such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in
> IDS/IPS options for a fee.
On Fri, 13 Feb 2015, Andy Ringsmuth wrote:
> NANOG'ers,
>
> I've been tasked by our company president to learn about, investigate and
> recommend an intrusion detection system for our company.
>
> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs,
> iPhones, some Mac
Unless you need regulatory-grade IDS, your best bet is a Unified Threat
Management (UTM) appliance, essentially any modern enterprise grade firewall
such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS
options for a fee.
-mel
On Feb 13, 2015, at 9:40 AM, Andy Ringsm