Detection and prevention: 6 intrusion detection systems tested

Products tested: Computer Associates, Juniper Networks, McAfee IntruShield, McAfee Entercept, Snort, SonicWALL


Sample Scenario

Company: JHL publicity
This company has become concerned about external attacks and wants to implement a network intrusion detection/prevention system to trace and manage attacks on its 150-node network.

Approximate budget: AU$600 per monitor.

Requires: One network intrusion detection/prevention system, preferably as an appliance rather than running on a server.

Concerns: The ability to recognise and block external attacks is the key issue, but the network manager also wants to be sure the device can aggregate and prioritise its alert data so that it reduces, rather than adds to, management effort. The ability to integrate with existing network/enterprise management software will also be taken into consideration.

Best solution: Juniper, whose straightforward range of hardware-based IPS appliances fits this scenario directly. McAfee and SonicWALL were both strong candidates and very close seconds, but Juniper adds options and levels of capability beyond what the scenario asked for.

Things to look out for...

  • Off-system storage. You should be able to log and archive data onto external systems independent of the IDS itself, ideally a centralised management server. This gives a more robust infrastructure and lets backups follow the company backup policy instead of adding a new system just for the IDS. Remember, IDS information may be one of the most crucial forms of data your enterprise collects, and it may need to be referred to many months or even years down the track. If you have a large network with several IDS/IPS sensors deployed, holding all the data in one location also reduces data management tasks. One thing IDS/IPS systems are very good at is creating massive volumes of data.
  • Performance matched to your business's size and requirements. The sheer volume of traffic that some IDSes must process from the networks they watch over can be overwhelming. The network is only as fast as the slowest link in the chain, and an inline IPS is one of those links, so don't let your IDS/IPS become the bottleneck. If need be, deploy several sensors on different network segments; this adds administration overhead but keeps each sensor within its rated throughput. Throughput is critical here: don't put a 100Mbps IDS/IPS on a Gigabit backbone.
  • Scalability. Along similar lines to the point on performance, ensure during your IDS evaluation that the equipment can scale with your security needs as the organisation grows, particularly in the volume of data it must process.
  • Standardisation of captured data. Even though most IDSes have their own inbuilt report generators, you never know what reports will be needed from the gathered data, or when. It may be years after the IDS itself has been replaced, so it is wise to ensure the data is kept in a standardised form that can be run through independent systems.
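The first and last items above (off-system storage and standardised data) come down to the same practical step: get alerts out of the sensor's native format and into a vendor-neutral record before you archive them. The following is an added example written for this article, not code from the article or from the Snort project. It takes Snort's one-line `alert_fast` output (chosen because Snort is one of the products tested and its format is public), normalises each alert into a JSON object with explicit fields, and reports rather than drops any line it cannot parse, since a silently lost alert is a gap in the audit trail. The sample alert lines, the local SIDs and the alert messages are constructed for this example; `alert_fast` timestamps carry no year, so the caller supplies it.

```python
"""Normalise Snort 'alert_fast' lines into a vendor-neutral JSON record.

Added example for this article; it is not code from the article or from the
Snort project. It assumes the classic one-line alert_fast output format and
that the operator supplies the year (alert_fast timestamps omit it).
"""
import json
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample alerts in alert_fast format. The SIDs are in the local
# rule range (>= 1000000) and the messages are invented for this example.
SAMPLE_ALERTS = """\
08/24-14:02:11.318201  [**] [1:1000001:3] LOCAL SQL injection attempt in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.17:51234 -> 192.168.10.5:80
08/24-14:02:12.004410  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.17 -> 192.168.10.5
08/24-14:02:13.777000  [**] [1:1000003:2] LOCAL suspicious DNS query [**] [Priority: 3] {UDP} 192.168.10.22:40112 -> 192.168.10.1:53
this line is not an alert and must be reported rather than silently dropped
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] message [**],
# optional classification, priority, {protocol}, src[:port] -> dst[:port].
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"""
    ^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+
    \[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.+?)\s+\[\*\*\]\s+
    (?:\[Classification:\s(?P<cls>[^\]]+)\]\s+)?
    \[Priority:\s(?P<pri>\d+)\]\s+
    \{(?P<proto>[^}]+)\}\s+
    (?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$
    """,
    re.VERBOSE,
)


def parse_alert(line: str, year: int) -> Optional[dict]:
    """Return a normalised record for one alert_fast line, or None if it
    does not match the format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # Rebuild a full ISO 8601 timestamp from the year-less Snort stamp.
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "timestamp": ts.isoformat(),
        "sensor": "snort",
        "rule_id": f"{m['gid']}:{m['sid']}:{m['rev']}",
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "signature": m["msg"],
        "classification": m["cls"],  # None when the rule has no classtype
        "priority": int(m["pri"]),
        "protocol": m["proto"],
        "src_ip": m["src"],
        "src_port": int(m["sport"]) if m["sport"] else None,
        "dst_ip": m["dst"],
        "dst_port": int(m["dport"]) if m["dport"] else None,
    }


def normalise(text: str, year: int) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """Parse a block of alert_fast output. Returns (records, rejected), where
    rejected holds (line_number, raw_line) for anything that did not parse,
    so unparsed input is surfaced rather than lost."""
    records: List[dict] = []
    rejected: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_alert(line, year)
        if rec is None:
            rejected.append((lineno, line))
        else:
            records.append(rec)
    return records, rejected


def to_jsonl(records: List[dict]) -> str:
    """Serialise records as newline-delimited JSON with stable key order,
    a format any later tool can consume independently of the sensor."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records) + "\n"


if __name__ == "__main__":
    recs, bad = normalise(SAMPLE_ALERTS, 2005)
    print(to_jsonl(recs), end="")
    for lineno, raw in bad:
        print(f"REJECTED line {lineno}: {raw}")
```

In practice the JSON lines would be forwarded to the central log server (for example over syslog) rather than printed, and the rejected list is what you alert on: a rising reject count usually means a sensor upgrade changed the output format. Keeping the year as an explicit argument avoids the common mistake of archives whose timestamps become ambiguous once they span a year boundary.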
