Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS and Bandwidth

from [Michael Boman] Network Security [Permanent Link]
Subject: Re: IDS and Bandwidth
Date: Tue, 5 Jul 2005 16:38:26 +0800 
On 5 Jul 2005 03:46:39 -0000, bhaskar.gupta@tcs.com
<bhaskar.gupta@tcs.com> wrote:

Dear frendz

I am working as an IDS operator in my company. Due to big size of the 
organisation, different IDS nodes are monitoring different centers through a 
central master node. Since there are lot of incidents ( including false 
positives ) generated across the organsation, there is a complaint from our 
networking team that IDS is consuming lot of bandwidth over networking

I am really not able to figure out how much IDS can eat up network bandwidth.

Please throw some light on this.


Hi  bhaskar,

While an IDS does not consume any bandwidth in the data acquisition
mode itself, sending the alerts to a central server does take up some
bandwidth - and the more data you need to send (alert size and
frequency), the more bandwidth it consumes.

You can limit this by having the alert collector (central server, as
you call it) as close as possible to the IDS sensor (by using the
notion of LAN bandwidth is cheaper then WAN bandwidth). I would also
trim down as much of the alerts as you can that you really not
interested in. Not only will it save bandwidth and storage, but the
IDS will also work faster and better when it needs to care about less.
However, don't remove too much because then you might miss something
important.

Depending on how timely you want the attacks on the alert collector
you may want to investigate into traffic shaping between IDS sensor
and alert collector, but be aware that less traffic available for
sending alert data = longer latency before you get the bells and
whistles activated on the alert console.

Best regards
  Michael Boman

-- 
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS and Bandwidth, Fergus Brooks
Next by Date:  Re: IDS and Bandwidth, Mayank Bhatnagar
Previous by Thread:  Re: IDS and Bandwidth, Fergus Brooks
Next by Thread:  Re: IDS and Bandwidth, David W. Goodrum
Indexes:  [Date] [Thread] [Top] [All Lists]