Ronald A. Weist

Network Engineer Candidate






Internal Proposals



The Case for Intrusion Detection System Sales and Installation


I believe that the future for IDS is very good.  Where firewalls came to be seen as an absolute necessity beginning about 5 years ago, IDS will do the same in the very near future, especially as hackers make more and more news around the world.  Even universities that claim they cannot have a firewall on their system because of their professors’ First Amendment rights may be required to put in some type of IDS system to stop malicious traffic.

 

Testimonials found on IDS vendors’ sites around the web mention a combination of devices (signature-, host- and behavior-based devices at a minimum) for doing IDS.  The consensus seems to be that because different types of attacks are possible, a multi-layered approach is necessary to thoroughly protect any system.  Checking both the inside and the outside of an organization’s private network is also mentioned everywhere I have looked.  This can mean multiple devices and/or multi-interface devices.

 

Cost, for most of the organizations we service, seems to be the deciding factor in what they will do.  Because they are required to have some sort of IDS solution to comply with privacy regulations by mid 2003, most want the bare minimum, rather than a useful and truly protective layer between hackers and their customers’ private data.  I believe this is where we should focus our energy in educating our customer base.

 

It may be true that we can implement a simple system log reporting tool that sends an alert to a pager or email box when an attack causes a certain log line to be sent, but is that going to stop the private data from being copied, taken, changed or destroyed?  Perhaps offering a solid solution at the start and then backing off to a minimal solution would be wise.  I would hate for us to be blamed for selling a weak solution when we know a stronger solution is out there.  We can start weak, but we must realize that our clients will come to us looking for a stronger solution in the near future, when their data gets hacked.

 

 

The Purpose of an IDS System

 

The purpose of an IDS is to alert you to intruders in all internal areas of a given network.  These attacks can come from anywhere and need to be watched for from everywhere.  Our strong recommendation is to employ IDS services at every ingress point into the critical areas of the network.  These areas include the DMZ, the UNIX host server area, and the standard user networks.

 

While detecting and alerting is good, dynamically blocking harmful network activity is better.  The systems looked into include intrusion protection as well as detection; that is, they do not merely log and page people when they smell something bad, they also stop the malicious activity while it is happening.  Intrusion Protection Systems (IPS) are proactive, compared with the reactive way a human stops such an attack.

 

There are a few different ways to deploy an IPS solution.  The most obvious is to place an IDS appliance in each area of the network that needs detection and use a centralized management station to configure them, receive alarms, and generate reports.  Protection of the network comes from TCP resets and dynamically written access lists that are pushed to the firewalls and routers tied to the system.  For added protection, it will also be necessary to offer a host-based IDS that specifically identifies and stops abnormal and pernicious actions on servers.  The cost of this total solution can be very high, but the benefits are priceless.

 

A secondary method of deployment is to use a combination of items that lowers cost but provides a wide footprint of protection.  Specifically, PIX firewalls can have IDS functionality configured and Cisco routers can run the FW/IDS IOS feature set, both of which are manageable through a centralized security management system.  As these devices can adjust their own access lists and reject harmful traffic, they become protectors and not just detectors.  Host-based IDS should also be deployed on critical servers.

 

I have included below four different lists of equipment that offer different levels of protection.  The overall costs may seem high, but when weighed against the threats and potential liabilities of losing customer privacy and risking their data’s security, they are very worthwhile and cost effective.

 

 

Cisco IDS Parts, Pieces and Prices

 

  1. Signature Based IDS:  $12,300
    1. IDS-4210 placed in the same network as the Host Servers, $8,000
    2. Compaq DL320 placed inside the most secure part of the network, $2,000
    3. Windows 2000 Server, $1,000
    4. VMWare Workstation, $350
    5. Windows XP Pro (use WinNT 4.0 Workstation), $300
    6. CSPM 2.3i Lite, $2,000

  2. Host Based IDS:  $24,300
    1. CWVMS-2.3, $8,000
    2. HIDS-AGNT-K9, $0
    3. HIDS-WEB-WIN-K9, $2,150 each (1 Ultra Access)
    4. HIDS-STD-WIN-K9, $1,750 each (3 Citrix, 1 File, 1 Email, 1 Voice Access)
    5. Compaq DL320 placed inside the most secure part of the network, $2,000
    6. Windows 2000 Server, $1,000
    7. VMWare Workstation, $350
    8. Windows XP Pro (use WinNT 4.0 Workstation), $300

  3. Host and Limited Signature Based IDS:  $29,500
    1. CWVMS-2.3, $8,000
    2. HIDS-AGNT-K9, $0
    3. HIDS-WEB-WIN-K9, $2,150 each (1 Ultra Access)
    4. HIDS-STD-WIN-K9, $1,750 each (3 Citrix, 1 File, 1 Email, 1 Voice Access)
    5. IOS/FW/IDS, $1,500
    6. Compaq DL320 placed inside the most secure part of the network, $2,000
    7. Windows 2000 Server, $1,000
    8. VMWare Workstation, $350
    9. Windows XP Pro (use WinNT 4.0 Workstation), $300
    10. PIX-515-R-DMZ, $3,700 (some may already have this)

  4. Host and Intense Signature Based IDS:  $41,150
    1. IDS-4210 placed in the same network as the Host Servers, $8,000
    2. CWVMS-2.3, $8,000
    3. HIDS-AGNT-K9, $0
    4. HIDS-WEB-WIN-K9, $2,150 each (1 Ultra Access)
    5. HIDS-STD-WIN-K9, $1,750 each (3 Citrix, 1 File, 1 Email, 1 Voice Access)
    6. IOS/FW/IDS, $1,500
    7. Compaq DL320 placed inside the most secure part of the network, (need 2) $2,000
    8. Windows 2000 Server, (need 2) $1,000
    9. VMWare Workstation, (need 2) $350
    10. Windows XP Pro (use WinNT 4.0 Workstation), (need 2) $300
    11. PIX-515-R-DMZ, $3,700 (some may already have this)

 

For those customers who want to have high level reporting that comes as close as possible to what the government regulators are looking for, we can suggest they use Envision (or Private I for small applications).  This program was written with the help of Paul Reyman who helped the government come up with the privacy regulations.  He was hired by Network-Intelligence to teach them what reports the bureaucrats would be looking for when they show up for an audit.

 

Pricing for this system is as follows:

 

Private I is a program that is licensed per device monitored:

 

    Cisco IDS-4210              $ 3,500
    Cisco 3600 IOS/FW/IDS       $ 1,500
    Cisco PIX-515E-R-DMZ        $ 1,500
    Cisco PIX-515E-UR           $ 2,500
    Cisco PIX-520-R             $ 1,500
    Cisco PIX-520-UR            $ 3,500
    Cisco PIX-535-UR            $ 4,500

 

Each license allows you to deploy another server or add it to an existing server.

 

Examples:

 

Scotts Valley Bank, for example, will be monitoring a PIX-515-R for $1500 plus the cost of a W2K Server (hardware and OS).

 

An organization that wants to monitor a PIX-515-R, an IDS-4210 and a Cisco 3600 Series router will spend $1500 + $3500 + $1500 = $6500 plus the cost of a W2K server.

 

Envision is like Private I, but adds Windows NT/2K logging and is sold in events per second.

 

    EPS-500  software only                                        $ 8,500
    EPS-1000 software only                                        $14,000
    EPS-1000 on hardened W2K 1U Server                            $19,000
    EPS-2000 on hardened W2K 2U Server                            $32,000
    Additional 1K block on new EPS-X000 (up to 6000)              $11,000
    Additional 1K block over 90 days after original purchase      $15,000

 

Example:

 

Customer CU wants to have an IDS that watches a PIX-520-UR, an IDS-4210, a WWW server, an email server, and a file server.  He will have to purchase Envision for $14,000, plus the cost of a W2K server.

 

Network Intelligence will allow a trade-in upgrade on all products for up to 90 days to make sure that the product matches the need.  (The faster the trade-in the better).

 

Our discount will start at 25% on appliances and can go as high as 35% if we do about $200,000 volume in a year.  Software only gets a 10% discount.

 

To be a reseller, we must purchase an EPS-1000 at 50% off (we can resell it after 30 days or so).  We must complete some WebEx training classes (no test) and fill out the normal credit applications with references.

 

 

Client Network Requirements

 

  1. Client must use a Cisco PIX-515E-R-DMZ firewall on their Internet connection.
  2. Client must allow a Cisco-based VPN from enveloptech into their network for monitoring.
  3. The UNIX host must be in its own network, isolated by a Cisco router running the FW/IDS IOS.
  4. The management system will be a Windows 2000 Server with Administrator terminal services running and a Windows NT Workstation system hosted on it via VMWare.
  5. A 24/7 support contract is required for enveloptech to handle attack reports and reconfigure the system as needed to allow normal data flow to occur.

 


Additional IDS Options

 

In the world of intrusion detection, there are almost as many companies trying to detect and protect you as there are successful attackers.  Some OEMs make software for detecting intrusions.  Some make appliances with hardened OSs that do the same.  Along with these are numerous policy managers, log servers and reporting agents that keep track of what is considered a threat (in a nice GUI format), record what happened, and alarm, page or email you when a programmed threshold is reached.  For comparison with the Cisco-supplied solution, I mention a few that I found below.

 

Lancope’s Stealthwatch, a behavior-based IDS, is also a potential choice, though its expense is equal to or greater than that of Cisco’s IDS-4210 ($10,000), especially when you consider the hardware and OS purchases needed to run the system.

 

Snort is another very well known and well liked program among the Linux crowd.  It is freeware under the GNU licensing and liability agreement.  Support for such a program will be difficult if not impossible to obtain, and thus we will probably avoid it.

 

Kiwi produces a free and/or low-cost log server software package that can output data to a spreadsheet for sorting and review, as well as generate emails or pages when certain alarm thresholds are reached.  This would be the simplest, but potentially most labor-intensive, system for collecting warnings and displaying them.  (We should probably test this in house for one week to see what we get.  Don has a scanner that we can put on the “outside” machine to attack ourselves and see how hard it is to sort, search and find problems.)
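The "log reporting tool that alerts when a certain log line is sent" idea raised earlier in the proposal, and the Kiwi-style threshold alerting and spreadsheet export described just above, both come down to the same mechanism: collect syslog lines, tally the ones that match a rule per source address, and notify when a tally reaches a threshold. The script below is an added example written for this page; it is not Kiwi's software, not Cisco's, and not part of the original proposal. The log lines are constructed for the example (the PIX 106023 and 302013 message IDs are real, but the IDS line format is a stand-in), and the rule names, thresholds and function names are all hypothetical.

```python
"""Threshold alerting over syslog-style log lines.

Added illustration of a simple log reporting tool. Not Kiwi's code and not
from the proposal. The sample log lines are constructed for this example and
their message formats only approximate what a PIX or IDS sensor would send.
"""
import re
from collections import defaultdict

# Constructed sample input, stored as "<host> <message>" the way a syslog
# collector would keep it. 106023 (ACL deny) and 302013 (connection built)
# are real PIX message IDs; the "ids1 IDS: sig ..." line is a stand-in.
SAMPLE_LOG = """\
pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4011 dst inside:10.0.0.20/445 by access-group "outside_in"
pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4012 dst inside:10.0.0.20/139 by access-group "outside_in"
ids1 IDS: sig 3041 TCP SYN/FIN packet from 203.0.113.5 to 10.0.0.20
pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4013 dst inside:10.0.0.21/445 by access-group "outside_in"
pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/5000 dst inside:10.0.0.20/80 by access-group "outside_in"
pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4014 dst inside:10.0.0.22/445 by access-group "outside_in"
ids1 IDS: sig 3041 TCP SYN/FIN packet from 203.0.113.5 to 10.0.0.21
pix1 %PIX-6-302013: Built outbound TCP connection for inside:10.0.0.20/1055 to outside:192.0.2.10/80
"""

# Hypothetical rules: (name, pattern with a named 'src' group, threshold).
# Each matching line adds one to that rule's tally for the source address;
# an alert fires once a source's tally reaches the rule's threshold.
RULES = [
    ("acl-deny-burst",
     re.compile(r"%PIX-4-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+"), 3),
    ("ids-signature",
     re.compile(r"\bsig (?P<sig>\d+) .* from (?P<src>[\d.]+)"), 1),
]


def count_matches(log_text, rules):
    """Return {rule name: {source address: number of matching lines}}."""
    counts = {name: defaultdict(int) for name, _, _ in rules}
    for line in log_text.splitlines():
        for name, pattern, _ in rules:
            match = pattern.search(line)
            if match:
                counts[name][match.group("src")] += 1
    return counts


def evaluate(log_text, rules):
    """Return one alert dict per (rule, source) whose tally met the threshold."""
    counts = count_matches(log_text, rules)
    alerts = []
    for name, _, threshold in rules:
        for src, n in sorted(counts[name].items()):
            if n >= threshold:
                alerts.append({"rule": name, "src": src,
                               "count": n, "threshold": threshold})
    return alerts


def format_notification(alert):
    """One-line text suitable for an email or pager message."""
    return (f"ALERT {alert['rule']}: {alert['src']} matched "
            f"{alert['count']} times (threshold {alert['threshold']})")


def to_csv(counts):
    """Flatten the tallies to CSV text a spreadsheet can sort and filter."""
    rows = ["rule,src,count"]
    for name in counts:
        for src, n in sorted(counts[name].items()):
            rows.append(f"{name},{src},{n}")
    return "\n".join(rows)


def run(log_text, rules, send=print):
    """Evaluate a batch of lines and hand each alert to `send` (a stand-in
    for the email/pager hook a real tool would provide)."""
    alerts = evaluate(log_text, rules)
    for alert in alerts:
        send(format_notification(alert))
    return alerts


if __name__ == "__main__":
    run(SAMPLE_LOG, RULES)
    print(to_csv(count_matches(SAMPLE_LOG, RULES)))
```

On the constructed sample the ACL rule fires for 203.0.113.5 (four denies) but not for 198.51.100.9 (one deny), and the signature rule fires on its first match. Two things a practitioner should note: the thresholds here are per batch, so a real collector needs a sliding time window and state that survives between runs, and, as the proposal itself points out, this kind of tool only reports; nothing in it drops or resets the offending connections.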