Snort is another favorite tool since it rivals a lot of commercial IDS' and is easy to install and configure. It's pretty easy to write simple or complex rules and I like that you see the offending packet when it alerts. If you don't have access to the guts of the rule that triggered the alert and the dump of offending packet, you don't know if an alert is real or a false positive. Too many commercial IDS' don't let you see the signatures, rules, etc. and don't dump the packet. You are at the mercy of the IDS with no way of validating the accuracy of the alert. You can end up crying wolf if you believe the IDS all of the time or you end up simply ignoring it if you don't.
We just finished up a red team exercise using nothing more than freeware - nmap, nessus, and the Center for Internet Security (CIS) benchmark tools. This gave us a combination of tools to map the network using nmap, expose the vulnerabilities remotely using nessus, and examine host configurations using the CIS benchmark tools.
How long did it take you to co-write "Network Intrusion Detection 3/e" and what was it like?
For my portion of the 3rd edition, it took about 6 months. But, many of the chapters were based on SANS material I'd previously written and chapters from the 2nd edition. It's a pretty intense experience trying to create material that is useful and coherent without taking yourself too seriously. Luckily, I had Stephen's footsteps to follow from his solo rendition of the 1st edition. His was one of the first technical books I'd read that had a lot of humor that allowed his light-hearted character show through.
In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
I don't think I can offer any startling insight into the standard precautions of using VPN's, stateful packet-filtering or proxy firewalls, IDS, anti-virus, applying patches, etc. Obviously, the administrator(s) have to have management support in supplying strong policies and ample manpower to maintain and watch the network.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.