Re: IDS causing troubles



On 2/11/11 10:23 AM, Matthew Fitzgerald wrote:
Joel, it's inline because prevention requires intervention.

It doesn't actually require that; plenty of IPS systems can do their job
with a tap and another port for injection.

The fact of the matter is, if the IDS can't keep up with the presented
load, that's going to be a problem whether it's inline or presented
through a tap; in the latter case, however, it's not going to cause an outage.

You bring up a good point though; perhaps the issue should be taken
outside of the technical arena and brought to the business/contract
folks to reset expectations around prevention/detection.



-----Original Message----- From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Joel Jaeggli Sent:
February 11, 2011 3:41 AM To: Andrew Plato Cc: 'Shang Tsung';
focus-ids@xxxxxxxxxxxxxxxxx Subject: Re: IDS causing troubles

You might ask yourself why it's inline rather than on a monitor
port or a tap.

There are serious scalability and performance problems to be had
when putting an inspection device in some locations in the network,
and you should be mindful of that. Ultimately, if availability is a
consideration (and it generally is) and the thing causes outages, then
you have rather a big problem.

joel

On 2/1/11 12:26 PM, Andrew Plato wrote:
All network engineers want to burn down the IPS. That's nothing
new.


Disruptions should not be common. Most modern IPS/IDS solutions
are pretty good about minimizing the downtime. ISS stuff is pretty
good about this, although not great.

I'd say your outsourced provider may have some issues or you need
to update to the latest versions.

Firmware updates should be scheduled to coincide with normal
maintenance windows in case there is any downtime. Signature
updates can also be scheduled for a reasonable daily or weekly
window.

Network admins will blame EVERYTHING on the IDS/IPS because it's
easier for them to blame the IPS than for them to do their jobs.
There is a possibility you have network infrastructure issues. You
might want to consider getting a third party assessment of your
network. That way you can get an objective analysis that will hold
more weight with management.

Good luck.


Andrew Plato, CISSP, CISM, QSA Anitian Enterprise Security



-----Original Message----- From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Shang Tsung
Sent: Tuesday, February 01, 2011 1:53 AM To:
focus-ids@xxxxxxxxxxxxxxxxx Subject: IDS causing troubles

Hello,

We have the following problem. Now and then, the IDS will cause
disruptions to the network, especially after updates. We have an
IBM (ex ISS) Intrusion Detection System with a few network sensors
and several host sensors. The IDS is not managed by us but we have
it outsourced.

The disruptions mentioned above cause our network engineers
extreme dissatisfaction (and anxiety) about the IDS and they would
"burn the damn thing", if they could. We have 2 - 3 serious issues,
causing downtime, per year.

My questions are:

- Are any of you experiencing the same issues?
- Are these disruptions common to others, or should we seriously consider
replacing the IDS and/or the outsourcing company?
- Could this be an issue with our network infrastructure?

I will appreciate any thoughts.

Thanks, ST
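Joel's point above, that an IPS fed from a tap can still intervene by injecting through a separate port, rests on out-of-band TCP resets: the sensor sees a flow, cannot drop it, and instead forges a RST that the endpoints will accept. The example below is added here and is not code from the thread or from the ISS/IBM product; it crafts the two RSTs (one per direction) for an observed segment, with valid IPv4 and TCP checksums, so the sequence-number bookkeeping can be checked offline. The addresses, ports and the HTTP request are constructed sample data; actual injection (a raw or PF_PACKET socket on the second interface) is deliberately left out.

```python
"""Out-of-band TCP reset crafting, as a tap-fed IPS would do it (added example).

A sensor on a tap cannot drop traffic. To kill a session it forges a RST that
lands inside each endpoint's receive window and injects it through another
interface. This builds the segment bytes only; sending is omitted so it runs
offline. Assumption: IPv4 without IP or TCP options.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_segment(src: str, dst: str, sport: int, dport: int,
                  seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """IPv4 header + TCP header (no options) + payload, both checksums filled in."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", s, d, 0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(pkt: bytes) -> dict:
    """Pull the fields a reset needs out of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    sport, dport, seq, ack, doff_byte, flags = struct.unpack(
        "!HHIIBB", pkt[ihl:ihl + 14])
    doff = (doff_byte >> 4) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload_len": total_len - ihl - doff,
    }


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True when the TCP checksum (over the pseudo-header) verifies."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def craft_resets(observed: bytes) -> tuple:
    """Return (rst_to_receiver, rst_to_sender) for one observed segment.

    The receiver's RCV.NXT after it processes the segment is seq + bytes consumed
    (payload, plus one each for SYN and FIN). The sender's RCV.NXT is whatever it
    put in its own ACK field. A RST whose seq equals RCV.NXT is accepted outright;
    anything else inside the window draws a challenge ACK on RFC 5961 stacks.
    """
    f = parse_segment(observed)
    consumed = f["payload_len"] + bool(f["flags"] & TCP_SYN) + bool(f["flags"] & TCP_FIN)
    next_for_receiver = (f["seq"] + consumed) & 0xFFFFFFFF
    next_for_sender = f["ack"]
    rst_to_receiver = build_segment(f["src"], f["dst"], f["sport"], f["dport"],
                                    next_for_receiver, next_for_sender, TCP_RST | TCP_ACK)
    rst_to_sender = build_segment(f["dst"], f["src"], f["dport"], f["sport"],
                                  next_for_sender, next_for_receiver, TCP_RST | TCP_ACK)
    return rst_to_receiver, rst_to_sender


# Constructed sample: a client request the tap would hand the sensor.
OBSERVED = build_segment("10.0.0.5", "10.0.0.9", 40000, 80, 1000, 5000,
                         TCP_PSH | TCP_ACK, b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in zip(("to server", "to client"), craft_resets(OBSERVED)):
        print(name, parse_segment(pkt), "csum ok:", tcp_checksum_ok(pkt))
```

The sensor is racing the real traffic: by the time its RST arrives the endpoint may have moved on, and a stale sequence number is silently ignored or challenged rather than honoured. That race is exactly why a tap-fed IPS cannot cause the outages the thread is about, and also why it can miss the first packets of a fast exchange.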

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL. A guide to
understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web
server, you can securely collect sensitive information online, and
increase business by giving your customers confidence that their
transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194