Re: IDS causing troubles



ST,

In my first deployment of IPS (vs. IDS) years ago, I thankfully
learned why I put in audit mode first, when upon checking the logs, I
found that it thought the CEO's emails were malicious (they weren't).

The first place to look, considering that your 3rd party will allow
you access to unfiltered records, is to look in the IPS logs. It will
plainly tell you whether it is at fault or not. If the logs are clean
(not cleaned by your 3rd party mind you), then you can present a copy
to your boss and networking, and tell them to look elsewhere. If it is
at fault, it is likely that your 3rd party does not understand your
infrastructure, which is why I use managed security services only to
a very limited and very specific extent.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
infosysec@xxxxxxxxx
purdy@xxxxxxxxxx
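The triage Curt describes (pull the unfiltered IPS logs and let them say whether the device was involved) can be done mechanically: take the outage windows the network team reports and check whether any block, signature-update or sensor-restart events land just before or during each one. The script below is an added example written for this thread, not code from the list or from the IBM/ISS product; the log format, event names, sample log lines and outage times are all constructed assumptions.

```python
"""
Outage-vs-IPS-log correlation (added example; constructed data).

Assumed log line format (NOT the real IBM/ISS format):
    <ISO-8601 timestamp> <EVENT_TYPE> <free-form detail>
"""
from datetime import datetime, timedelta

# Constructed sample IPS log. Note the signature update followed by
# blocks on the database port shortly before the first outage.
SAMPLE_IPS_LOG = """\
2011-02-01T01:10:05 SIGNATURE_UPDATE pack=2011.02.01-a status=applied
2011-02-01T01:12:40 BLOCK src=10.1.5.23 dst=10.1.9.8 proto=tcp dport=1433 sig=SQL_Generic
2011-02-01T01:13:02 BLOCK src=10.1.5.24 dst=10.1.9.8 proto=tcp dport=1433 sig=SQL_Generic
2011-02-01T09:30:11 ALERT src=203.0.113.7 dst=10.1.9.2 proto=tcp dport=80 sig=HTTP_Probe
2011-02-01T14:00:00 SENSOR_RESTART reason=scheduled
2011-02-02T03:00:00 SIGNATURE_UPDATE pack=2011.02.02-a status=applied
"""

# Constructed outage reports from the network team: (start, end).
OUTAGES = [
    (datetime(2011, 2, 1, 1, 12), datetime(2011, 2, 1, 1, 25)),   # DB segment unreachable
    (datetime(2011, 2, 1, 9, 0), datetime(2011, 2, 1, 9, 10)),    # no IPS activity nearby
]

# Event types that can plausibly cause traffic disruption. Passive ALERTs
# are deliberately excluded: they observe traffic, they do not change it.
CAUSAL_EVENTS = {"BLOCK", "SIGNATURE_UPDATE", "SENSOR_RESTART"}


def parse_ips_log(text):
    """Parse log text into (timestamp, event_type, detail) tuples.

    Malformed lines are skipped rather than raising, so a partially
    garbled export still yields whatever can be read from it.
    """
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        detail = parts[2] if len(parts) == 3 else ""
        events.append((ts, parts[1], detail))
    return events


def correlate(events, outages, lookback=timedelta(minutes=15)):
    """For each outage, collect causal IPS events from `lookback` before
    the outage start through its end. An empty list means the IPS logs
    give no reason to suspect the device for that outage."""
    report = []
    for start, end in outages:
        window_start = start - lookback
        hits = [e for e in events
                if e[1] in CAUSAL_EVENTS and window_start <= e[0] <= end]
        report.append({
            "outage": (start, end),
            "suspect_events": hits,
            "ips_implicated": bool(hits),
        })
    return report


def summarize(report):
    """One-line verdict suitable for handing to management."""
    implicated = sum(1 for r in report if r["ips_implicated"])
    return f"IPS activity found near {implicated} of {len(report)} reported outages"


if __name__ == "__main__":
    rep = correlate(parse_ips_log(SAMPLE_IPS_LOG), OUTAGES)
    for r in rep:
        start, end = r["outage"]
        print(f"{start:%Y-%m-%d %H:%M} - {end:%H:%M}: implicated={r['ips_implicated']}")
        for ts, etype, detail in r["suspect_events"]:
            print(f"    {ts:%H:%M:%S} {etype} {detail}")
    print(summarize(rep))
```

The lookback window is the tunable part: a signature push that breaks a protocol decoder may not show up as drops until the affected flows are next seen, so widen it if updates are applied well before business hours. Outages with an empty `suspect_events` list are the ones to push back to the network team.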



On Fri, Feb 11, 2011 at 1:23 PM, Matthew Fitzgerald
<matthew.fitzgerald@xxxxxxx> wrote:
Joel, it's inline because prevention requires intervention.  You bring up a good point though, perhaps the issue should be taken outside of the technical arena and brought to the business/contract folks to reset expectations around prevention/detection.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Joel Jaeggli
Sent: February 11, 2011 3:41 AM
To: Andrew Plato
Cc: 'Shang Tsung'; focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: IDS causing troubles

You might ask yourself why it's inline rather than on a monitor port
or a tap.

There are serious scalability and performance problems to be had when
putting an inspection device in some locations in the network, and you
should be mindful of that. Ultimately, if availability is a consideration
(and it generally is) and the thing causes outages, then you have rather
a big problem.

joel

On 2/1/11 12:26 PM, Andrew Plato wrote:
All network engineers want to burn down the IPS. That's nothing new.


Disruptions should not be common. Most modern IPS/IDS solutions are
pretty good about minimizing the downtime. ISS stuff is pretty good
about this, although not great.

I'd say your outsourced provider may have some issues or you need to
update to the latest versions.

Firmware updates should be scheduled to coincide with normal
maintenance windows in case there is any downtime. Signature updates
can also be scheduled for a reasonable daily or weekly window.

Network admins will blame EVERYTHING on the IDS/IPS because it's
easier for them to blame the IPS than for them to do their jobs.
There is a possibility you have network infrastructure issues. You
might want to consider getting a third party assessment of your
network. That way you can get an objective analysis that will hold
more weight with management.

Good luck.


Andrew Plato, CISSP, CISM, QSA Anitian Enterprise Security



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Shang Tsung
Sent: Tuesday, February 01, 2011 1:53 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: IDS causing troubles

Hello,

We have the following problem. Now and then, the IDS will cause
disruptions to the network, especially after updates. We have an IBM
(ex ISS) Intrusion Detection System with a few network sensors and
several host sensors. The IDS is not managed by us but we have it
outsourced.

The disruptions mentioned above cause our network engineers extreme
dissatisfaction (and anxiety) about the IDS and they would "burn the
damn thing", if they could. We have 2 - 3 serious issues, causing
downtime, per year.

My questions are:

- Are any of you experiencing the same issues?
- Are these disruptions common to others, or should we seriously consider
  replacing the IDS and/or the outsourcing company?
- Could this be an issue with our network infrastructure?

I will appreciate any thoughts.

Thanks, ST

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL. A guide to understanding
SSL certificates, how they operate and their application. By making
use of an SSL certificate on your web server, you can securely
collect sensitive information online, and increase business by giving
your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194