I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well-tested security appliance like Cisco's ASA. Depending on the traffic you have on your fiber uplink, you can get a redundant pair of ASAs running for less than $2,000 in the US. I just find it less stressful to use a solution like ASA rather than worrying about patching your kernel every so often and worrying about possible vulns in the ipfw/pf code. That, and you have to make sure EVERYTHING is taken into account when you create your rules, which requires some intense knowledge of either ipfw, pf or both.

I am not an expert in intrusion detection, so with regards to that, I'd just set up a honeypot and monitor activity. You can also regularly run penetration tests on your own network and see how well you are protected. Just make sure the appropriate people know about these tests so you don't get wrongfully reported.

Rafael

On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
----
Andy Ringsmuth
andy@newslink.com
News Link – Manager Technology & Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397
(402) 304-0083 cellular