"Drew - Home" <simonismyself.com> writes:
> that how many people depends on how many management consoles, and
> how many management consoles depends on both the size and type of
> installation.
>
> What product are you using? Do you have an "out of band" network for
> management connectivity, or will the management consoles need to be
> attached to different logical networks? Are you a high profile network?
> Do you want analyst staffing 24/7, or would sending pager alerts to a
> on call admin do the trick?
>
> So many factors, I probably didn't name half of them.

Probably would be good to get people to iterate through them all so
they can be recorded somewhere as it is a common question.

How much traffic needs to be looked at?
How many networks?
How integrated is the IDS team with the admin team?
How dynamic are the resources you are expected to monitor? ( changing
targets are much harder to do IDS against )
How heterogenous is the network?
Are you doing internal <-> internal detection as well as
external->internal?

The "high profile" network question relates I believe to the
sophistication you expect of your attackers.

The less heteorogenous the network, the easier it is to come up with
rulesets that target your specific installations.

I too probably left out a good number of factors

-- 
Chris Green <cmguab.edu>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]