No subject


Thu Nov 23 16:36:19 EST 2017


linux (and possibly open source in general) is their 'truth'. If
you are a lone crusader pushing opensource in a large
organisation it is an uphill battle (although sometimes this is
not really a hill, but more like a sheer rock face, and you don't
have any safety ropes). Over time, with several small 'wins'
under your belt. Ideally, from my experience, these small wins are
based on the merits of a deployment, and not based on FUD against
the alternatives (even if the FUD happens to be true).

For a commercial IDS with distributed sensor deployment, you
rarely get change out of $50k USD. The hardware costs for both
commercial and opensource IDS deployments would be approximately
the same, so if you are confronted with the situation of
justifying costs, take this into account. Also, where possible,
use the same class of hardware as used by your NT and netware
infrastructure (for instance, IBM's serverguide based installs
support RH 62 and soon 7.2 natively). I have found that hardware
vendor support for any opensource solution is extremely
important - most companies still want 4hr replacement if there is
a hardware failure. If you are using a supported o/s, this makes
the warranty process faster and easier (here in Australia, the
IBM techs that I have met who perform onsite hardware
replacement appear to have excellent linux skills also).

If it were me in your situation, I would try and develop a plan
to fulfil the requirements that you have been given, and then
take this plan to them (rather than just hacking away to get it
to work). This does not mean you have to agree with the
requirements; this is to appease the politicians in your
organisation. I would probably include the following (at a
minimum) in the plan:

1. why you have used snort in this deployment
   - $$$
     - for the past year, I have not actually used $$$ as
       justification of using open source against a commercial
       product, mainly because the clients I deal with are
       prepared to pay for a solution that fulfils their
       business requirements and thus look for technical merit
       and ease of management instead.
   - features against the 2 main commercial IDS offerings (the
     following come to mind)
     - ISS only allow custom signatures for HTTP and SMTP traffic
     - cisco's custom signature definition language requires
       fairly advanced knowledge to get working
   - improving your security posture
     - assuming you already have at least 1 firewall
     - I usually use the scenario that the firewall is equivalent
       to the airline check-in, and the IDS is the x-ray machine
       to ensure that you are not carrying any weapons (management
       for some reason love explanations like this)
   - maintenance of the rule set and how this meets the
     organisation's security policies
   - management of data (reports, backup, etc)
     - needs to fulfil current policies in your organisation
     - benefits of using a database server rather than access
       (most likely from the suits' point of view, you have just
       come out of left field)
       - an existing database server in your organisation
         (mssql, oracle, etc)
       - use of an alternative o/s database server on your
         NT / 2000 infrastructure
         - postgres
         - mysql
         - sapdb (the suits certainly can't say that SAP would
           include a trojan in their product)
         - interbase (once again, would borland include a
           trojan in their product)
     - method of transferring data from your existing snort
       database to this internal database server
     - this then (hopefully) alleviates the need to perform daily
       backups of your IDS deployment???
   - anything else that comes to mind

You also have to remember that most organisations have security
policies that refer to various documents that they must adhere to
- some of the time, these are requirements that are set in stone,
and thus there is nothing you can do if the product you wish to
use is not listed as approved for use (for instance, here in
Australia, all federal government departments that are not
classified as 'military', 'secret' or 'cabinet in confidence',
and thus are classified as 'protected', must use security products
that are certified to EAL4 or better). For opensource to get into
this arena, target systems or software have to be submitted for
evaluation (which is a $20k USD exercise). This does not
guarantee certification though...

I hope this helps you, even in a small way. I would be interested
to know how you progress with this in your organisation
(hopefully others on this list would also be interested in hearing
how you go).

Enjoy,

Darren Mackay




More information about the Snort-users mailing list