Slashdot Mirror


User: rumblies

rumblies's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. No quick, easy answer on Network Intrusion Detection and Prevention? · Score: 3, Informative
    "...however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions."

    Clearly, you don't pay much attention to the glossy ads in Infoworld and CIO magazine. FUD marketing out the wazoo for exactly these types of devices.

    This is actually a very hard problem to solve. I've written quite a bit on the subject, but I'll attempt to provide a few quick helpful points.

    If you have some form of perimeter security, it becomes easier, but still very resource-intensive (both technology resources and human resources). I'm assuming that you're not at a university, or some other type of organization that has a wide open network, because if you were, you wouldn't care.

    For a good list of fun tools, look here:
    http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

    But beyond the rinky-dink stuff, at the most basic level, you want to make two choices right up front:
    How important is the real-time interdiction to you?
    Do you want signature-based tools, anomaly-based tools, or both?

    If you would be content with a good system that doesn't have the ability to mitigate threats in real-time, then that widens your possible solution space quite a bit. In this area, you definitely get what you pay for. FOSS tools that have this capability are way behind commercial tools in ease of maintenance, configuration, and how many types of attacks they work against. So that requirement limits your options considerably.

    A similar situation exists when we look at the detection method, signature vs. anomaly. Signature-based systems are a dime a dozen, but they don't cover the really dangerous stuff. Anomaly-based systems are somewhat more useful against the scarier threats, but no FOSS solution comes anywhere close to the commercial offerings. If you choose a FOSS alternative for an anomaly-based IDS/IPS, you will spend so much effort tuning and maintaining that you won't have any time left to respond to issues, and you will still not get adequate results.

    I should point out that you have also limited yourself by considering only NIDS/IPS systems. The proper bundle of technologies and tools could give you the real intelligence that you need, whether or not it included NIDS/IPS. Other classes of tools, like SIMS, accounting systems, or deception environments have their uses too.

    There are plenty of other aspects to consider, but that would take pages to discuss. All of this could be moot depending on your traffic loads, user demographics, platform constituency, infrastructure design, org chart, geographic distribution, existing IT policies, etc. etc. etc. There's just no universal solution.

  2. Re:Testing. on Google Launches Desktop Search Tool · Score: 1

    Psh. Doesn't anyone remember AltaVista Discovery? If this works even half as well as that did, it will be a welcome tool.