You can span/mirror 2 ports into one so we only have one set at each ISP connection.
Most of the action is manual, with the exception of some fairly proven exploits that we use ISS "kills" to handle, such as Napster traffic (not a big deal now that it's gone), gnutella, Code Red, DNS I-queries, etc. If I turn all of the automatic stuff on, when a known signature match is made, whoever that was is no longer able to gain access, as via OPSEC connections (http://www.opsec.com/solutions/sec_intrusion_detection.html) that block that connection and future connections from that IP for a pre-determined time. Cisco has the same type of deal for controlling Cisco devices via the Cisco IDS, but I don't like IDS doing too much automatically.

It's all kinda like virus protection, though: you have to have a signature match to detect it, which means you have to have a signature written before that attack can be recognized. It's all a "belt-and-suspenders" approach really. With a combination of ACLs on the ISP connection router and firewall rules, and then ACLs on the router after the firewall, we get most of the stuff.

Snort requires a hardware investment and a lot of tuning. It's not for the novice, but it is on my list as yet another IDS at some point. Probably after we do the Cisco blades on the 6500s......

Scotty

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63506&t=63461
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
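The two points Scotty makes about automatic "kills" (a signature match triggers a block of that source IP for a pre-determined time, and anything without a written signature goes straight through) are easy to see in a few lines of code. The following is an added illustration, not code from the post and not the ISS, Check Point OPSEC or Cisco IDS implementation: the signature patterns, the event log, the 600-second block window and the `AutoBlocker` class are all constructed for this example.

```python
"""Signature-based IDS with time-limited automatic blocking.

Added example, not code from the original post or from ISS, Check Point
or Cisco. Signature patterns, log lines and the block window are
constructed for illustration; a real IDS uses vendor-maintained signatures.
"""
import re
from dataclasses import dataclass, field

# Constructed signature set: name -> regex matched against one request line.
# Deliberately tiny, to show that traffic with no signature is never detected.
SIGNATURES = {
    "code-red-ida-overflow": re.compile(r"GET /default\.ida\?[Xx]{50,}"),
    "gnutella-connect": re.compile(r"^GNUTELLA CONNECT/"),
    "napster-login": re.compile(r"^NAPSTER LOGIN "),
}


@dataclass
class AutoBlocker:
    """Mimics an OPSEC-style 'kill': on a signature match the source IP is
    blocked for block_seconds; later traffic from it is dropped until expiry."""
    block_seconds: int = 600                                   # pre-determined time
    blocked_until: dict = field(default_factory=dict)          # ip -> expiry time

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[ip]      # block window elapsed, IP released
            return False
        return True

    def inspect(self, ip, payload, now):
        """Return ('drop', reason) or ('pass', None) for one event."""
        if self.is_blocked(ip, now):
            return ("drop", "ip-blocked")
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                self.blocked_until[ip] = now + self.block_seconds
                return ("drop", name)
        return ("pass", None)               # no signature written -> no detection


# Constructed events: (timestamp in seconds, source ip, request/payload line).
EVENTS = [
    (0,   "203.0.113.7",  "GET /index.html HTTP/1.0"),
    (1,   "203.0.113.7",  "GET /default.ida?" + "X" * 60 + " HTTP/1.0"),
    (2,   "203.0.113.7",  "GET /index.html HTTP/1.0"),    # dropped: IP still blocked
    (700, "203.0.113.7",  "GET /index.html HTTP/1.0"),    # block expired, passes again
    (3,   "198.51.100.9", "GNUTELLA CONNECT/0.4"),
    (4,   "192.0.2.44",   "GET /cgi-bin/new-exploit.cgi HTTP/1.0"),  # unknown: passes
]


def run(events, block_seconds=600):
    """Feed events through one blocker; return (ip, verdict, reason) per event."""
    blocker = AutoBlocker(block_seconds=block_seconds)
    return [(ip, *blocker.inspect(ip, payload, ts)) for ts, ip, payload in events]


if __name__ == "__main__":
    for ip, verdict, reason in run(EVENTS):
        print(f"{ip:14} {verdict:4} {reason or ''}")
```

The last event is the one worth noticing: the made-up `new-exploit.cgi` request is not in the signature table, so it passes untouched, which is exactly the "signature has to be written before the attack can be recognized" limitation, and the reason the post pairs IDS kills with router ACLs and firewall rules rather than relying on the automatic blocking alone.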

