IDS mailing list archives
RE: IDS and Bandwidth
From: "Michael Allgeier" <Michael.Allgeier () lcra org>
Date: Fri, 15 Jul 2005 10:19:30 -0500
Out of band connectivity is my preferred method, but sometimes it isn't feasible. Implementing Quality Of Service helps substantially, and always proper IDS tuning.

Mike

"Nathan Davidson" <ndavidso () globix com> 7/13/2005 12:10:55 PM >>>
I agree with the concept of Out of Band (OOB) connectivity with security devices. Otherwise, if you are flooded with malicious traffic you may lose contact with your IDSs; this means you will be flying blind just when you need them most.

IDS should focus primarily on detecting intrusions rather than noise. A successful intrusion will typically be most visible outbound (e.g. SSH running over port 80 from a compromised host). Conversely, if the policy focuses on logging all of the SQL Slammer traffic present on the Internet then you will be overrun with meaningless alerts.

By putting an inline blocking device (e.g. IPS, application proxy, application firewall) at your perimeter you will not only PROTECT your application but will significantly improve the quality and reduce the volume of your IDS alerts.

You may also be able to use network compression to reduce bandwidth requirements, e.g. SSH tunnels with the compression option turned on.

All the best
Nathan

-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com]
Sent: 13 July 2005 02:10
To: bhaskar.gupta () tcs com; focus-ids () securityfocus com
Subject: RE: IDS and Bandwidth

Hello Bhaskar,

You should look at segmenting your security/management network off, assigning it to a different VLAN, and configuring QoS to give other VLANs priority. A few seconds here or there with respect to lag in your IDS won't make much difference - security incidents will still be detected and reported.

Another way to approach this would be to cut down on the Internet white noise that your IDS is forced to report, and implement inline IPS devices at key points within your network to cut down on the data the IDS devices have to process. This will have a marked effect - literally expect a 90-95% decrease in the traffic your IDS has to process....

Regards,
Tim

-----Original Message-----
From: bhaskar.gupta () tcs com [mailto:bhaskar.gupta () tcs com]
Sent: 05 July 2005 04:47
To: focus-ids () securityfocus com
Subject: IDS and Bandwidth

Dear frendz

I am working as an IDS operator in my company. Due to the big size of the organisation, different IDS nodes are monitoring different centers through a central master node. Since there are a lot of incidents (including false positives) generated across the organisation, there is a complaint from our networking team that IDS is consuming a lot of bandwidth over the network.

I am really not able to figure out how much network bandwidth IDS can eat up. Please throw some light on this.

cheers,
Bhaskar

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
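
The outbound case mentioned in the thread (SSH running over port 80 from a compromised host) can be checked from session data, as in this added example, which is not part of the original messages. It flags outbound sessions whose first payload bytes carry the SSH identification string defined in RFC 4253 on a port other than 22; the `Session` record, addresses and payloads are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
# A server may send other lines first, so match at the start of any line.
SSH_IDENT = re.compile(rb"^SSH-\d+\.\d+-[^\s-]+", re.MULTILINE)

# Assumption: the monitored site uses RFC 1918 address space internally.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Session:            # hypothetical record built from sensor session data
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes seen on the connection

def is_outbound(s):
    """True when an internal host talks to an external address."""
    src, dst = ipaddress.ip_address(s.src), ipaddress.ip_address(s.dst)
    return any(src in n for n in INTERNAL) and not any(dst in n for n in INTERNAL)

def find_tunnelled_ssh(sessions, ssh_ports=frozenset({22})):
    """Return (src, dst, dport, banner) for outbound SSH on non-SSH ports."""
    hits = []
    for s in sessions:
        m = SSH_IDENT.search(s.first_payload[:512])
        if m and is_outbound(s) and s.dport not in ssh_ports:
            hits.append((s.src, s.dst, s.dport, m.group(0).decode("ascii")))
    return hits

# Constructed sample sessions (documentation address ranges, made-up banners).
SAMPLE = [
    Session("10.1.4.20", "198.51.100.7", 80,
            b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Session("10.1.4.31", "203.0.113.9", 80, b"SSH-2.0-OpenSSH_4.1\r\n"),
    Session("10.1.4.31", "203.0.113.50", 22, b"SSH-2.0-OpenSSH_4.1\r\n"),
    Session("10.1.7.2", "10.1.9.9", 8022, b"SSH-2.0-OpenSSH_4.1\r\n"),
    Session("10.1.4.44", "192.0.2.15", 443,
            b"Welcome\r\nSSH-1.99-Example_1.0 test\r\n"),
]

if __name__ == "__main__":
    for hit in find_tunnelled_ssh(SAMPLE):
        print("ALERT outbound SSH on non-SSH port:", hit)
```

Ordinary web traffic, SSH to port 22 and internal-only SSH produce no alert, so the check adds little to alert volume.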