Network Security Focus-IDS

RE: IDS and Bandwidth

Subject: RE: IDS and Bandwidth
Date: Fri, 15 Jul 2005 10:19:30 -0500
Out of band connectivity is my preferred method, but sometimes it isn't
feasible.  Implementing Quality Of Service helps substantially, and always
proper IDS tuning.

Mike

"Nathan Davidson" <ndavidso@globix.com> 7/13/2005 12:10:55 PM >>>

I agree with the concept of Out of Band (OOB) connectivity with security
devices. Otherwise, if you are flooded with malicious traffic you may
lose contact with your IDSs, this means you will be flying blind just
when you need them most.

IDS should focus primarily on detecting Intrusions rather than noise. A
successful intrusion will typically be most visible outbound (e.g. SSH
running over port 80 from a compromised host), conversely if the policy
focuses on logging all of the SQL Slammer traffic present on the
Internet then you will be overrun with meaningless alerts. 

By putting an inline blocking device (e.g. IPS, Application proxy,
Application firewall) at your perimeter you will not only PROTECT your
application but will significantly improve the quality and reduce the
volume of your IDS alerts.

You may also be able to use network compression to reduce bandwidth
requirements e.g. SSH tunnels with the compression option turned on. 

All the best


Nathan


-----Original Message-----
From: THolman@toplayer.com [mailto:THolman@toplayer.com] 
Sent: 13 July 2005 02:10
To: bhaskar.gupta@tcs.com; focus-ids@securityfocus.com 
Subject: RE: IDS and Bandwidth

Hello Bhaskar,

You should look at segmenting your security/management network off,
assigning it to a different VLAN, and configuring QoS to give other VLANs
priority.  A few seconds here or there with respect to lag in your IDS won't
make much difference - security incidents will still be detected and reported.
Another way to approach this would be to cut down on the Internet white
noise that your IDS is forced to report, and implement inline IPS devices at
key points within your network to cut down on the data the IDS devices have
to process.
This will have a marked effect - literally expect a 90-95% decrease in the
traffic your IDS has to process....

Regards,

Tim 



-----Original Message-----
From: bhaskar.gupta@tcs.com [mailto:bhaskar.gupta@tcs.com] 
Sent: 05 July 2005 04:47
To: focus-ids@securityfocus.com 
Subject: IDS and Bandwidth

Dear frendz

I am working as an IDS operator in my company. Due to big size of the
organisation, different IDS nodes are monitoring different centers through a
central master node. Since there are lot of incidents ( including false
positives ) generated across the organisation, there is a complaint from our
networking team that IDS is consuming lot of bandwidth over networking

I am really not able to figure out how much IDS can eat up network bandwidth.

Please throw some light on this.  

cheers, Bhaskar

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
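
Added example, not part of the original thread: a small Python script that answers the "how much bandwidth" question for sensor-to-master alert traffic, showing the share taken by one noisy signature, the effect of tuning it out, and the effect of compression. The alert line format, sensor names, signature names and addresses are all constructed for illustration.

```python
import zlib
from collections import Counter

def build_sample(seconds=60):
    """Constructed feed: one noise alert per second, one outbound alert every 20 s."""
    lines = []
    for t in range(seconds):
        lines.append(f"2005-07-13T12:00:{t:02d} sensor-a SQL-Slammer-probe "
                     f"203.0.113.{t % 250 + 1} -> 10.0.0.8:1434/udp")
        if t % 20 == 0:
            lines.append(f"2005-07-13T12:00:{t:02d} sensor-b SSH-on-port-80-outbound "
                         f"10.0.0.23 -> 198.51.100.7:80/tcp")
    return lines

def bytes_by(lines, field):
    """Sum bytes sent to the master (line + newline), grouped by a field index."""
    totals = Counter()
    for line in lines:
        totals[line.split()[field]] += len(line.encode()) + 1
    return totals

def bits_per_second(lines, window_s):
    """Average alert bandwidth per sensor over the window, in bits/s."""
    return {s: b * 8 / window_s for s, b in bytes_by(lines, 1).items()}

def signature_share(lines, signature):
    """Fraction of all alert bytes produced by one signature."""
    totals = bytes_by(lines, 2)
    return totals[signature] / sum(totals.values())

def drop_signature(lines, signature):
    """Model tuning: the sensor no longer reports this signature."""
    return [l for l in lines if l.split()[2] != signature]

def compression_ratio(lines):
    """Compressed size / raw size for the feed (zlib level 6, as a stand-in
    for a compressed transport between sensor and master)."""
    raw = ("\n".join(lines) + "\n").encode()
    return len(zlib.compress(raw, 6)) / len(raw)

if __name__ == "__main__":
    feed = build_sample()
    print("bits/s per sensor:", bits_per_second(feed, 60))
    print("noise share:", round(signature_share(feed, "SQL-Slammer-probe"), 3))
    tuned = drop_signature(feed, "SQL-Slammer-probe")
    print("bits/s after tuning:", bits_per_second(tuned, 60))
    print("compression ratio:", round(compression_ratio(feed), 3))
```
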
