[ALUG] Intrusion Prevention and Detection System (IPDS)

Andreas Tauscher ta at geuka.net
Thu Feb 20 16:03:04 EAT 2014


> Anyone who knows the supplier of IPDS (software or hardware) for networks in Arusha?

Experience with hardware/appliances: most are crap, promising things
they cannot fulfil.

First question: what kind of intrusion has to be detected, or more exactly:
what do you want to protect and why does it need protection?

If it is, for example, a web service you need and cannot replace, but the
supplier does not fix some bugs, a proxy like privoxy can help you with
filtering.

And the best IDS is useless if it is not permanently updated or nobody is
reading and understanding the reports or receiving alerts.
This has all happened: spending thousands of dollars on snake oil hardware
that stopped working years ago (and nobody noticed) because nobody was
clearing the alerts: storage full. And why: the addresses and phone
numbers for alerts were wrong.

The mentioned SNORT is fine. It works really well, but if nobody
understands how it is working and what you are really looking for, it
usually ends up with a lot (all available) of rules enabled, causing
thousands of false alarms every day, so nobody pays attention to it
any more.

You must know exactly what you are looking for.
An IDS is not a crystal ball.
If you hope you can buy it, switch it on and it will protect you: better
place a cup of holy water beside the router. It will do the same job, and
the saved money you can then invest better in nyama choma and beer.
And the prevention: it can only prevent what it knows about. But then my
question is always: why is this not fixed in the protected software?

Andreas
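The Snort point above (all rules enabled, thousands of alarms a day, nobody reads them) as an added example that is not part of Andreas's post or of the Snort project: a short Python script that parses Snort 2 alert_fast lines, finds the rule producing most of the alerts, and renders a threshold.conf event_filter line for it so that the few priority-1 alerts are not buried. The sample alert lines, their local-range SIDs and messages are constructed for this example.

```python
import re
from collections import Counter

# Matches the Snort 2 "alert_fast" output line: timestamp, [gid:sid:rev], message,
# classification/priority, protocol and the src -> dst address pair.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts (SIDs in the local-rule range above 1000000, not real rule IDs).
SAMPLE_ALERTS = """\
02/20-16:01:01.000001  [**] [1:1000001:1] LOCAL ICMP ping seen [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
02/20-16:01:02.000002  [**] [1:1000001:1] LOCAL ICMP ping seen [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
02/20-16:01:03.000003  [**] [1:1000001:1] LOCAL ICMP ping seen [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1
02/20-16:01:04.000004  [**] [1:1000001:1] LOCAL ICMP ping seen [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
this line is not an alert and must be ignored
02/20-16:02:00.000005  [**] [1:1000002:2] LOCAL web login from outside [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44123 -> 10.0.0.20:443
02/20-16:03:00.000006  [**] [1:1000003:1] LOCAL SMB access from guest VLAN [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.50.3:50211 -> 10.0.0.30:445
"""

def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["gid"], a["sid"], a["prio"] = int(a["gid"]), int(a["sid"]), int(a["prio"])
            alerts.append(a)
    return alerts

def noisy_rules(alerts, max_share=0.5):
    """(sid, count) for rules whose alerts exceed max_share of the total: the ones that bury the rest."""
    if not alerts:
        return []
    counts = Counter(a["sid"] for a in alerts)
    return [(sid, n) for sid, n in counts.most_common() if n / len(alerts) > max_share]

def tuning_lines(alerts, max_share=0.5):
    """Snort 2 threshold.conf event_filter lines for the noisy rules: one alert per source per minute."""
    return [f"event_filter gen_id 1, sig_id {sid}, type limit, track by_src, count 1, seconds 60"
            for sid, _ in noisy_rules(alerts, max_share)]

def highest_priority(alerts):
    """Priority-1 alerts: the ones a human should actually read."""
    return [a for a in alerts if a["prio"] == 1]
```

Run it against a real alert file (for example by reading /var/log/snort/alert into `parse_fast_alerts`) to see which rules dominate before deciding what to threshold, suppress or disable.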

