Re: Newbie question: autoblocking with IDS/IPS

From: Mike Johnson (mike_at_enoch.org)
Date: 12/13/04

    Date: Mon, 13 Dec 2004 16:59:54 -0500
    To: focus-ids@securityfocus.com
    
    

    Daniel wrote:

    > I'm thinking of buying one of those new CISCO IDS boxes which can be
    > placed inline in the future.

    Do you mean the 4240? If so, we just received a couple of them and
    intend to put them through their paces in our lab.

    > Are any of you using the automatic shunning (I guess that's what it's
    > called) feature of the CISCO IDS? Does this make sense? (Which signatures
    > should be autoblocked?)

    We were told that the version of the software that handles blocking is
    not yet shipping. If anyone knows any different, do tell. We haven't
    quite figured out our policy on what gets blocked and what doesn't, but
    we'll take it on a signature by signature basis.

    > Or are you just monitoring and then blocking manually?

    We're not 100% convinced we'll put them in blocking mode at this point.
    Ideally, it would be automagic, but false positives lead to blocking
    legitimate traffic by accident.

    Mike
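The "signature by signature" blocking policy and the false-positive concern above, as an added illustration that is not part of Mike's post or of any Cisco product: a small decision function that only shuns a source when the signature is marked blockable, a repeat-hit threshold is reached, and the source is not on a never-block list. Signature IDs, addresses and thresholds are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Per-signature policy (constructed values). Only signatures judged to have a
# low false-positive rate get an automatic block; noisy ones alert only, or
# must fire repeatedly from the same source before a block is issued.
POLICY = {
    "5081": {"action": "block", "min_hits": 1, "block_minutes": 30},  # hypothetical low-FP sig
    "3030": {"action": "block", "min_hits": 5, "block_minutes": 10},  # noisy: require repeats
    "2004": {"action": "alert"},                                      # known-noisy: never block
}

# Hosts that must never be shunned automatically (gateway, DNS, partners).
NEVER_BLOCK = [ip_network("192.0.2.0/24"), ip_network("198.51.100.53/32")]


def decide(events, policy=POLICY, never_block=NEVER_BLOCK):
    """Return (source_ip, sig_id, action) for each alert in a stream.

    action is "block:<minutes>m" only when the signature's policy allows
    blocking, the source has reached min_hits for that signature, and the
    source is outside the never-block list; otherwise "alert" (or
    "alert-exempt" when a block was suppressed by the never-block list).
    """
    hits = defaultdict(int)
    decisions = []
    for src, sig in events:
        rule = policy.get(sig, {"action": "alert"})  # unknown signature: alert only
        hits[(src, sig)] += 1
        action = "alert"
        if rule["action"] == "block":
            if any(ip_address(src) in net for net in never_block):
                action = "alert-exempt"
            elif hits[(src, sig)] >= rule["min_hits"]:
                action = "block:%dm" % rule["block_minutes"]
        decisions.append((src, sig, action))
    return decisions


# Constructed alert stream: a low-FP hit, five repeats of a noisy signature,
# a hit from a protected host, a never-block signature and an unknown one.
SAMPLE_EVENTS = (
    [("203.0.113.9", "5081")]
    + [("203.0.113.9", "3030")] * 5
    + [("192.0.2.10", "5081"), ("203.0.113.9", "2004"), ("203.0.113.9", "9999")]
)

if __name__ == "__main__":
    for src, sig, action in decide(SAMPLE_EVENTS):
        print(src, sig, action)
```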


