Network Security Focus-IDS

Re: IDS and Bandwidth

Subject: Re: IDS and Bandwidth
Date: Tue, 5 Jul 2005 19:06:54 +0530 (IST)
hi bhaskar,

Your problem is about monitoring IDS and bandwidth issues. 
I feel the architecture of your IDS could be the bottleneck.

Try to troubleshoot on the following points

1) Are the nodes that are deployed separately processing/analysing the
traffic themselves, or are they just dumping the same to the central
master node for further processing?

If it's the latter then of course you have duplication of traffic
redirection happening; in that case see if you can possibly change the
IDS nodes from (most probably) logging mode to detection mode.

I presume that's not the case, as you mentioned the false positives.

2) If there is a possibility for your IDS nodes to accumulate the alerts
at the nodes themselves, then you as an IDS operator would have to bear the
additional responsibility of managing them regularly, i.e. "be on your toes",
rather than depending only on the central master.

I am pointing towards a Web based or Remote monitoring interface to your 
individual IDS agents. 

This will reduce the traffic flow. 

But then you reduce the chances of the central master doing any
further processing, e.g. any correlation work / alert analysis work
being carried out.

3) You can verify what kinds of false positives the IDS nodes
generate and whether you can tune the individual ones to reduce the same. The
manuals of your IDS could help in this regard, and this is where an IDS
operator's true skills are put to the test :)

4) Probably you can actually see what kind of traffic flow it is and
verify that it is really generated by your IDS nodes. You need to confirm
what kind of traffic it is and whether it is really coming from the IDS
nodes only.


Regards,
Mayank 


On 5 Jul 2005 bhaskar.gupta@tcs.com wrote:

Dear friends,

I am working as an IDS operator in my company. Due to the big size of the
organisation, different IDS nodes are monitoring different centers
through a central master node. Since there are a lot of incidents
(including false positives) generated across the organisation, there is a
complaint from our networking team that the IDS is consuming a lot of
bandwidth over the network.

I am really not able to figure out how much network bandwidth the IDS
can eat up.

Please throw some light on this.

cheers, Bhaskar
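As an added illustration (not part of either message in this thread), a small Python model of the two sensor architectures contrasted in points 1 and 2, raw-packet forwarding versus local detection with alerts only, together with the check from point 4: splitting flow volume reaching the master into sensor-originated and other traffic. The sensor/master addresses, alert sizes, alert rates and flow records are all constructed assumptions.

```python
"""Estimate IDS-to-master bandwidth and check where master-bound traffic
really comes from. All addresses, rates and flow records are constructed."""
from dataclasses import dataclass


@dataclass
class Sensor:
    name: str
    monitored_mbps: float   # traffic rate the sensor sees on its tap/span
    alerts_per_sec: float   # alerts it raises, false positives included
    alert_bytes: int = 600  # assumed average on-the-wire size of one alert


def forward_all_mbps(s: Sensor) -> float:
    """Sensor dumps raw traffic to the master: cost is the monitored rate."""
    return s.monitored_mbps


def alerts_only_mbps(s: Sensor) -> float:
    """Sensor detects locally and ships only alert records."""
    return s.alerts_per_sec * s.alert_bytes * 8 / 1_000_000


def master_link_load(sensors, forward_raw: bool) -> float:
    """Total Mbps arriving at the master under the chosen architecture."""
    cost = forward_all_mbps if forward_raw else alerts_only_mbps
    return sum(cost(s) for s in sensors)


# Point 4: is the master-bound traffic actually from the IDS nodes?
MASTER = "10.0.0.10"                                  # assumed master address
SENSORS = {"10.1.0.2", "10.2.0.2", "10.3.0.2"}        # assumed sensor addresses
FLOWS = [  # constructed NetFlow-style (src, dst, bytes) over a 60 s window
    ("10.1.0.2", MASTER, 4_500_000),
    ("10.2.0.2", MASTER, 3_900_000),
    ("10.3.0.2", MASTER, 180_000),
    ("10.5.0.44", MASTER, 52_000_000),                # not a sensor at all
]


def traffic_to_master(flows, window_s: int = 60) -> dict:
    """Split bytes destined to the master by whether the source is a sensor."""
    sensor_b = sum(b for src, dst, b in flows if dst == MASTER and src in SENSORS)
    other_b = sum(b for src, dst, b in flows if dst == MASTER and src not in SENSORS)
    mbps = lambda b: b * 8 / window_s / 1_000_000
    return {"sensor_mbps": mbps(sensor_b), "other_mbps": mbps(other_b)}


if __name__ == "__main__":
    fleet = [Sensor("centre-A", 100, 5), Sensor("centre-B", 100, 50)]
    print("raw forwarding:", master_link_load(fleet, True), "Mbps")
    print("alerts only:   ", master_link_load(fleet, False), "Mbps")
    print(traffic_to_master(FLOWS))
```

With the constructed flows, the sensors account for about 1.1 Mbps toward the master while an unrelated host contributes nearly 7 Mbps, which is the kind of evidence point 4 asks for before blaming the IDS.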





