Saturday, December 20, 2008

NIDS: Administration, Management & Provisioning

We often find many resources that discuss about NIDS technologies, and how can you setup one, however things that are really missed out there(even in the internet) should be the following.

If you are managing tons of Network Intrusion Detection systems(NIDS), for tons I mean more than 50, I would like to hear from you about -

1. What tools do you use to manage all the NIDS, and why you choose them over others?
- For example ssh, however I would like to know more about tools you use to manage massive NIDS instead of one, and the reason you choose it.

2. How do you perform efficient administration securely? For examples,
- System changes/updates
- NIDS tools' changes/updates
- NIDS rules' changes/updates
- NIDS Configuration files' changes/updates
- NIDS Policies' changes/updates

3. Which method you like to use in order to manage them, and why? For example,
- Server pushes rules update to all the sensors(Push)
- Sensors pull the rules update from server(Pull)

3. NIDS health monitoring and self-healing
- I'm talking about something like this, if the system is in incosistent state, operators will be notified. If certain process die, it should recover by itself.

I consider NIDS as critical system and it should be managed wisely to prevent misconfiguration, downtime and so forth. Therefore we should have solid answers for the questions above if we are going for massive NIDS implementation and deployment.

Any in sight or valuable thoughts to share are welcomed!

Peace ;]


Nathaniel Richmond said...

geek00l, I posted a few ideas and comments on my blog, but the one thing I will mention here is puppet. I've heard good things about using puppet for centralized management though it could require quite a lot of effort to get tested, configured and running.

Joe said...

1. I use ssh/scp and cron jobs
2. I'm still doing this manually. I don't have a solution.
3. Push is best.
4. SNMP monitoring system can give you lots of data. One thing I monitor is the bandwidth of the interface snort is using. I get notified if it goes down or if bandwidth is zero, which would tell me if a network admin disconnected me from a tap. I also monitor for the snort process. The key is to leverage your existing monitoring system if you have one.

Hopefully you'll post more of your findings because there are not a lot here.

Anonymous said...

aanval ?

Anonymous said...

1. SSH/Cron/RSync (via ssh tunnels)/Oinkmaster (for Snort)
2. See #1
3. Revese SSH tunnels reaching out (push), but the IDS pulls data in over the tunnels. They work in lockstep via cron, with tunnels living only as long as needed. Keeps from having open FW ports.
4 (aka the second #3 :). Munin, Nagios, and possibly soon cfEngine. Puppy looks good, but cfEngine looks more stable and better supported. There are others that look promising (bcfg2?).

And lots of perl/ruby/awk/sed/language of your choice. :)

College Term Papers said...

Hi, interesting blog. I also get knowledge from your blog.That was a great help to me.