Thanks very much for the reply (and other replies I got to date as well)....
So, you are doing passive monitoring today - would that mean that when your IDP systems alarm that this generates an alert to your NOC for immediate investigation (on a serious issue)? I'm just wanting to understand your process a bit to see how it might fit into our plans here....;)

Cheers,
Paul

-----Original Message-----
From: Ross Vandegrift [mailto:r...@kallisti.us]
Sent: Saturday, February 07, 2009 10:50 AM
To: Paul Stewart
Cc: 'Gregori Parker'; 'Cisco-nsp'
Subject: Re: [c-nsp] IDS Recommendations - Cisco?

On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote:
> A good example to paint a picture here is that some of these servers are for
> web hosting. If a client uploads a php script (example) that has a
> vulnerability we would like the IDS to trip on it - again we can't have the
> world but that's kind of what I have in mind.

It's a good thought, but watch your session count. All of the devices have limits as to the number of sessions they can handle. When that's exhausted, expect to be offline.

I also work in hosting, and I have to say, the IDP is a great tool. But there's nothing we could find that grew in performance with the size of our installation.

> I could think of many more scenarios but at a high level I'm looking for
> vendor/product recommendations based on actual usage if possible.

If you know your traffic and session levels well, and you want to do inline blocking, the Juniper ISG with integrated IDP modules are pretty great tools. You use NSM to write usual firewall policy, some rules can optionally have IDP processing enabled. Very granular.

Like I said - I abandoned it. Our hosting grew much faster than their performance could. Monitoring the session and traffic levels of the blades was always awkward, and we didn't have such good ideas of our traffic/session levels.

Finally, remember that your IDP will be the weakest link in the network. A firewall is a bad enough single point of failure (i.e., having a session table that can be attacked), the IDP is many times worse because of the level of processing it requires for each session. So more power to you - but be very careful, or be prepared for some pain.

All of the IDP implementations we do today are passive.

--
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
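The two operational points raised in this exchange (paging the NOC only on serious IDP alarms, and watching the session table of an inline device so it does not become the outage) can be illustrated with a small triage script. This is an added example written for this thread, not code from either poster or from any vendor product: the syslog-style alert format, the field names, the signature names, the device names and the session-table capacities are all constructed for illustration and are not a real NSM or ISG export format.

```python
"""Triage constructed IDP alert lines and session-table counters.

Added example for this thread, not a poster's or vendor's code. The alert
line format, field names, signature names and capacity figures below are
assumptions made up for illustration.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Severity ordering used to decide what is worth paging the NOC about.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample alert lines (hypothetical "key=value" syslog style).
SAMPLE_ALERTS = """\
2009-02-07T10:50:01 idp-blade-1 severity=critical sig=EXAMPLE-WEB-APP-ATTACK src=203.0.113.7 dst=198.51.100.20 action=none
2009-02-07T10:50:02 idp-blade-1 severity=info sig=EXAMPLE-HTTP-AUDIT src=203.0.113.9 dst=198.51.100.21 action=none
2009-02-07T10:50:03 idp-blade-2 severity=high sig=EXAMPLE-SSH-BRUTE-FORCE src=203.0.113.11 dst=198.51.100.30 action=none
2009-02-07T10:50:04 idp-blade-2 severity=low sig=EXAMPLE-HTTP-AUDIT src=203.0.113.12 dst=198.51.100.21 action=none
"""

# Constructed session-table samples: (device, current sessions, rated maximum).
SAMPLE_SESSIONS = [
    ("idp-blade-1", 48_000, 50_000),
    ("idp-blade-2", 41_000, 50_000),
    ("idp-blade-3", 10_000, 50_000),
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_alert(line: str) -> Dict[str, str]:
    """Split one constructed alert line into a dict of its fields."""
    timestamp, device, rest = line.split(" ", 2)
    fields = dict(_KV.findall(rest))
    fields["timestamp"] = timestamp
    fields["device"] = device
    return fields


def triage_alerts(text: str, page_at: str = "high") -> List[Dict[str, str]]:
    """Return only the alerts at or above `page_at`, most severe first.

    Anything below the floor stays in the log for later review instead of
    waking up the NOC.
    """
    floor = SEVERITY_RANK[page_at]
    urgent: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if SEVERITY_RANK.get(alert.get("severity", "info"), 0) >= floor:
            urgent.append(alert)
    urgent.sort(key=lambda a: SEVERITY_RANK.get(a["severity"], 0), reverse=True)
    return urgent


def check_session_capacity(
    samples: Sequence[Tuple[str, int, int]], warn: float = 0.80, crit: float = 0.90
) -> List[Tuple[str, float, str]]:
    """Flag inline devices whose session table is near its rated limit.

    An exhausted session table on an inline IDP means the device, and so the
    path through it, is effectively offline; warn well before that point.
    """
    findings: List[Tuple[str, float, str]] = []
    for device, current, maximum in samples:
        utilisation = current / maximum
        if utilisation >= crit:
            findings.append((device, utilisation, "critical"))
        elif utilisation >= warn:
            findings.append((device, utilisation, "warning"))
    return findings


if __name__ == "__main__":
    for alert in triage_alerts(SAMPLE_ALERTS):
        print(f"PAGE NOC: {alert['device']} {alert['severity']} {alert['sig']} from {alert['src']}")
    for device, util, level in check_session_capacity(SAMPLE_SESSIONS):
        print(f"{level.upper()}: {device} session table at {util:.0%}")
```

The severity floor and the two utilisation thresholds are deliberately parameters: a hosting shop that grows faster than its IDP blades, as described above, would tune the warning threshold down rather than wait for the device to hit its limit.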