Subject: Re: IDS: a novice question. -large networks -reply
From: Ron Gula (rgulanetwork-defense.com)
Date: Mon Mar 27 2000 - 06:56:34 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
>So let's go ahead and see if a commercial IDS application can be applied
>and what ruleset should be in place with a network this large.

I missed the actual network description, but we get asked these questions
a lot with respect to Dragon deployments.

>How many sensors (i.e. engines, agents, etc)

Do you want to monitor the perimeter or the entire network?

If it's the perimeter, then some questions need to be answered such as if
adding passive taps or spanning switches is acceptable to your network
architecture. If you are simply throwing a 100Mb twisted pair link "over
the wall" at an Above.Net or Xuma, then the IDS may plug right into a
hub. If you have an OC-3 link with speeds above 100Mb/sec, you can still
use Dragon but you need to deploy a custom POS or ATM solution with a
passive optical tap. In one case, we submitted a proposed solution with
two IDS sensors to monitor 6 T3 links which were all switched and spanned
to separate gigabit Ethernet ports. The cost of two Dragons, their hardware,
and the two GigE blades was about a third less than purchasing six copies of
the other IDS and separate hardware.

If you want an IDS throughout the network, then I always ask what are you
trying to monitor? For example, I've found that companies are much more
interested in network policy deviations such as looking for old copies of
Sendmail and unknown web servers. Some are much more interested in being
big brother and collecting information on people's web activities, detecting
email spam and finding people playing games. The reason I bring this up is
that the intent of the IDS should be known when deploying it.

>How many operator consoles?

Typically with Dragon, we advertise a nominal 35 sensors managed from one
console. We have done proposals which increase this to 100+ sensors, but
the architecture keeps most of the sensor data on the sensors. For typical
perimeter IDS logs, we try to tune sensors so they collect ~10Mb of data a
day. 10*100 is about a gig a day which can be a big load on any network.

>Where would the Main Console be located?

Someplace secure, but it should not impact your operations. With SSL web
servers, any authorized users can get to the console with a web browser
or use SSH.

>What types of alerts should be monitored?

Depends what you are logging and the level of competence at the console.
Your responses and monitoring options are completely different based on
the level of competence at the keyboard.

Ron Gula, CTO
Network Security Wizards