On Sat, 17 Jun 2000, Keith Yuen wrote:
> 1. Too many false alerts generated by the IDS. Hundreds of alert
> notices come out, so the administrator is too confused to identify which
> one is a real attack. If he/she chooses to respond to each of the alerts by
> blocking or killing the session, I am sure the network will not
> function properly.
Most IDS (host or network) can tell you much more than you want to know
about your network. Most of the systems out there also have default
configurations that tell you much more than you really need to know.
However, as with just about anything "out of the box", you have to
understand what the system can and cannot do and configure it
appropriately for your environment. This means that if you have an
NT network, you should ask why attacks that target unix systems are
high-priority events that set off pagers.
> 2. Without a good tuning mechanism for the IDS, there is a chance the
> network is still hacked before you get the right notice from the IDS. Thus,
> the IDS serves as a logging system for you to trace back the attack
> rather than to protect you initially.
This may be true. An IDS is a tool that must be used properly. If the
administrator does not understand what the tool can and cannot do,
training is necessary.
> 3. The IDS may not be able to capture all packets to analyze if the
> network reaches a certain level of congestion. Thus, a false negative
> result is obtained.
Also true. It is very important to understand your network BEFORE you
purchase an IDS. If you need to monitor networks with sustained 100 Mbps
traffic loads, you have very few choices.
> 4. Attack signatures may not be up-to-date for the IDS.
Also true. Go with vendors who have a clue and get updates out on
a regular basis.
> Can anyone share with me the right mechanism to manage the IDS
> effectively?
We do this on a regular basis for our clients. We try to understand
the client's network before we recommend any solutions. As part of
the evaluation, we also look at the client's expertise in the network
and host area.
Eric
---------------------------------------------------------------------
Eric Maiwald, CISSP
Director Security Services 301-977-6966
Fortrex Technologies, Inc. Gaithersburg, MD
---------------------------------------------------------------------
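The tuning point Eric makes under item 1 (do not page on attacks that cannot apply to the target host) can be implemented as a small triage pass over the IDS alert stream. The following is an added example, not code from the original post or from any IDS product: it checks each alert's signature against an asset inventory (which platform the destination host runs), suppresses platform mismatches such as unix exploits aimed at NT hosts, pages only on high-severity hits against a matching platform, and collapses repeated low-severity sweep alerts from one source into a single entry. The hosts, signature names, severities, log-line format and alert lines are all constructed for the example.

```python
"""Context-aware triage of IDS alerts (added example, constructed data).

Given an asset inventory (host -> platform) and a signature catalogue
(signature -> platform it targets, base severity), decide per alert whether
to page, open a ticket, just log it, or suppress it because the attack
cannot apply to the destination host.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: destination host -> platform it runs.
ASSETS: Dict[str, str] = {
    "10.0.1.10": "nt",
    "10.0.1.11": "nt",
    "10.0.2.20": "unix",
}

# Constructed signature catalogue: name -> (platform the exploit targets,
# base severity 1..5). None means the signature is platform independent.
SIGNATURES: Dict[str, Tuple[Optional[str], int]] = {
    "WEB-IIS unicode directory traversal": ("nt", 5),
    "RPC statd format string attempt": ("unix", 5),
    "SMTP sendmail WIZ command": ("unix", 4),
    "ICMP echo sweep": (None, 1),
    "TCP SYN port scan": (None, 2),
}

# Tuning knobs: page only at or above PAGE_SEVERITY, ticket at or above TICKET_SEVERITY.
PAGE_SEVERITY = 4
TICKET_SEVERITY = 2

# Assumed alert line format for this example (not any real product's format):
# "<date> <time> [<signature>] <src ip> -> <dst ip>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<sig>[^\]]+)\] "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sig: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for anything that does not match."""
    m = ALERT_RE.match(line.strip())
    return Alert(**m.groupdict()) if m else None


def triage(alert: Alert) -> Tuple[str, str]:
    """Return (action, reason); action is one of page/ticket/log/suppress."""
    target_os, severity = SIGNATURES.get(alert.sig, (None, TICKET_SEVERITY))
    dst_os = ASSETS.get(alert.dst)
    if dst_os is None:
        # A host the inventory does not know about is itself worth a look.
        return "ticket", f"{alert.dst} not in asset inventory"
    if target_os is not None and target_os != dst_os:
        # The exploit cannot apply to this platform: drop it from the alert feed.
        return "suppress", f"{alert.sig!r} targets {target_os}; {alert.dst} runs {dst_os}"
    if severity >= PAGE_SEVERITY:
        return "page", f"severity {severity} against matching platform {dst_os}"
    if severity >= TICKET_SEVERITY:
        return "ticket", f"severity {severity}"
    return "log", f"severity {severity}"


def triage_log(lines: List[str]) -> Dict[str, List[Tuple[Alert, str]]]:
    """Bucket a batch of alert lines by action. Repeated low-severity alerts
    from the same source with the same signature (a sweep) are kept once."""
    buckets: Dict[str, List[Tuple[Alert, str]]] = {
        "page": [], "ticket": [], "log": [], "suppress": []}
    seen_low: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # malformed line: skip it rather than abort the batch
        action, reason = triage(alert)
        if action == "log":
            seen_low[(alert.src, alert.sig)] += 1
            if seen_low[(alert.src, alert.sig)] > 1:
                continue  # this source's sweep is already recorded once
        buckets[action].append((alert, reason))
    return buckets


# Constructed sample alerts, not real IDS output.
SAMPLE_ALERTS = [
    "2000-06-17 10:00:01 [RPC statd format string attempt] 192.0.2.5 -> 10.0.1.10",
    "2000-06-17 10:00:02 [WEB-IIS unicode directory traversal] 192.0.2.5 -> 10.0.1.10",
    "2000-06-17 10:00:03 [SMTP sendmail WIZ command] 192.0.2.5 -> 10.0.2.20",
    "2000-06-17 10:00:04 [ICMP echo sweep] 192.0.2.9 -> 10.0.1.10",
    "2000-06-17 10:00:04 [ICMP echo sweep] 192.0.2.9 -> 10.0.1.11",
    "2000-06-17 10:00:04 [ICMP echo sweep] 192.0.2.9 -> 10.0.2.20",
    "2000-06-17 10:00:05 [TCP SYN port scan] 192.0.2.9 -> 10.0.9.99",
    "this line is garbage and must not break triage",
]

if __name__ == "__main__":
    for action, items in triage_log(SAMPLE_ALERTS).items():
        print(f"{action}: {len(items)}")
        for alert, reason in items:
            print(f"  {alert.ts} {alert.sig} {alert.src}->{alert.dst}: {reason}")
```

Run on the sample batch, the statd attempt against an NT host is suppressed, the IIS traversal against that same host and the sendmail WIZ attempt against the unix host page, the three-host ICMP sweep becomes one log entry, and the scan against a host missing from the inventory becomes a ticket, since an unknown host is an inventory problem as much as an IDS one. The inventory and catalogue are the part that has to be maintained: the triage is only as good as the knowledge of the network behind it, which is the point of the reply above.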