Educause Security Discussion mailing list archives
Re: IDP/IDS products
From: "Greene, Chip" <cgreene2 () RICHMOND EDU>
Date: Wed, 17 Sep 2008 08:51:25 -0400
We are a complete Cisco shop, so our decision was based on past history with Cisco products and our team's current training. Having the Cisco 6500 on the edge, we installed two IDSM-2 blades. We have also been on the phone with TAC and have an open case with them almost constantly with various issues. It may have been just the way we implemented the IDSMs and our configurations, but we successfully identified almost every critical bug known to these devices. The support has been OUTSTANDING, but it is a little frustrating having to troubleshoot constantly. We are currently waiting for the release of the new code before we place them back in-line, as the new fix has been added to this code. Cisco Connection Online (CCO) is what we use to view documentation and bugs for these devices.

These two blades are used primarily to drop packets and log signature hits that we have determined are a detriment to our network. Not all standard signatures are still active, and some that are rated as low in the industry are rated high on our campus. If it is determined there is a false positive, or something is being dropped that shouldn't be, we (keeping it simple):

1. determine the source application
2. study the traffic flows of the application/server in question
3. make a decision as to whether we adjust the signature, modify the application, continue to support or replace the application

We have also deployed 3 Cisco IPS-4240 appliances to monitor only our PCI VLANs. These devices are used only to monitor traffic and report on intrusions as per the PCI compliance requirements. We have had no issues with these devices and have deployed the new Cisco IPS Manager Express software to manage these. All of our Cisco security devices are also managed with the Cisco Security Manager. We have had no problems with these devices.

Hope this helps; feel free to contact me if you have any other questions.
Chip Greene
Senior Network Specialist, CCSP
University of Richmond

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Riley
Sent: Tuesday, September 16, 2008 3:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IDP/IDS products

We are seeking peer feedback on the use of Intrusion Detection/Prevention systems. If your organization has deployed an enterprise IDP/IDS, are you:

1. Using the product inline or in bypass mode?
2. Are you using the product to shun hosts?
3. How are you managing false positives?
4. Which product do you use and what was your selection criteria?
5. Have you documented any known issues with the product?

Please feel free to contact me offlist if you prefer. Thank you.

--
Robert Riley
Information Security Professional
University of Notre Dame
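The false-positive triage Chip describes (find the source application, look at its flows, then decide whether to tune the signature or the application) and his point that vendor severity ratings and the default signature set do not match campus policy can both be worked over an alert export. The script below is an added example written for this archive page, not code from the original message or from Cisco; the CSV column layout, the signature numbers and names, the IP addresses and the local-policy tables are all constructed for illustration and are not an IDSM-2 or IPS-4240 record format. It applies local severity overrides and retired signatures, summarizes hits per signature, and flags signature/source pairs where one host produces most of the drops, which is the pair to carry into the "determine the source application" step.

```python
"""Triage of IPS signature hits (added example, constructed data).

Walks the three triage steps from the message above over a sample alert
export: surface the single source behind most of a signature's drops,
summarize the flows it hit, and report with local severity ratings and
retired signatures applied instead of vendor defaults.
"""
import csv
import io
from collections import Counter

# Constructed sample export. The columns, signature IDs, names and addresses
# are made up for this example; they are not a Cisco IPS record format.
SAMPLE_ALERTS = """\
time,sig_id,sig_name,vendor_severity,src_ip,dst_ip,dst_port,action
2008-09-16T08:00:01,3000,TCP SYN Sweep,low,10.10.5.20,10.20.1.1,22,dropped
2008-09-16T08:00:02,3000,TCP SYN Sweep,low,10.10.5.20,10.20.1.2,22,dropped
2008-09-16T08:00:03,3000,TCP SYN Sweep,low,10.10.5.20,10.20.1.3,22,dropped
2008-09-16T08:00:04,3000,TCP SYN Sweep,low,10.10.5.20,10.20.1.4,22,dropped
2008-09-16T08:00:05,3000,TCP SYN Sweep,low,10.10.5.20,10.20.1.5,22,dropped
2008-09-16T08:00:09,3000,TCP SYN Sweep,low,192.0.2.77,10.20.1.6,22,dropped
2008-09-16T08:01:10,2004,ICMP Echo Request,info,10.10.8.4,10.20.2.9,0,alert
2008-09-16T08:01:11,2004,ICMP Echo Request,info,10.10.8.5,10.20.2.9,0,alert
2008-09-16T08:02:00,1330,TCP Segment Overwrite,high,198.51.100.9,10.20.3.3,80,dropped
2008-09-16T08:02:30,1330,TCP Segment Overwrite,high,198.51.100.12,10.20.3.3,80,dropped
2008-09-16T08:03:00,5000,Retired Signature,low,10.10.9.1,10.20.4.4,443,alert
"""

# Hypothetical local policy: a signature the vendor rates low that is rated
# high on this campus, and one retired after the review process.
LOCAL_SEVERITY = {"3000": "high"}
DISABLED_SIGS = {"5000"}


def parse_alerts(text):
    """Parse the CSV export into one dict per alert."""
    return list(csv.DictReader(io.StringIO(text)))


def active_alerts(alerts, disabled=DISABLED_SIGS):
    """Drop hits from signatures that have been retired locally."""
    return [a for a in alerts if a["sig_id"] not in disabled]


def effective_severity(alert, overrides=LOCAL_SEVERITY):
    """The local rating wins over the vendor rating when one is defined."""
    return overrides.get(alert["sig_id"], alert["vendor_severity"])


def summarize_by_signature(alerts):
    """Per signature: hit and drop counts, hits per source, distinct destinations."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["sig_id"], {
            "name": a["sig_name"],
            "severity": effective_severity(a),
            "hits": 0,
            "dropped": 0,
            "sources": Counter(),
            "destinations": set(),
        })
        s["hits"] += 1
        s["dropped"] += int(a["action"] == "dropped")
        s["sources"][a["src_ip"]] += 1
        s["destinations"].add((a["dst_ip"], a["dst_port"]))
    return summary


def single_source_candidates(summary, share=0.8, min_hits=5):
    """Signatures where one host produces at least `share` of the hits.

    One internal server tripping a signature against many destinations is the
    usual shape of a false positive caused by a single application, so these
    (sig_id, src_ip, share, distinct destinations) tuples are what step 1 of
    the triage needs to identify the application.
    """
    out = []
    for sig_id, s in summary.items():
        if s["hits"] < min_hits:
            continue
        src, n = s["sources"].most_common(1)[0]
        if n / s["hits"] >= share:
            out.append((sig_id, src, n / s["hits"], len(s["destinations"])))
    return out


def triage_report(text):
    """Summary and single-source candidates for an export, policy applied."""
    summary = summarize_by_signature(active_alerts(parse_alerts(text)))
    return summary, single_source_candidates(summary)


if __name__ == "__main__":
    summary, candidates = triage_report(SAMPLE_ALERTS)
    for sig_id, s in sorted(summary.items()):
        print(f"sig {sig_id} {s['name']!r} severity={s['severity']} "
              f"hits={s['hits']} dropped={s['dropped']} "
              f"sources={len(s['sources'])} destinations={len(s['destinations'])}")
    for sig_id, src, frac, ndst in candidates:
        print(f"review sig {sig_id}: {src} accounts for {frac:.0%} of hits "
              f"across {ndst} destinations; identify the application on {src}")
```

On the constructed data the retired signature 5000 never reaches the report, signature 3000 is reported at the local rating "high" rather than the vendor's "low", and 10.10.5.20 is flagged because it produces five of the six drops for that signature across six destinations; the two-hit signatures fall under the minimum-hit threshold and are left alone. The share and minimum-hit thresholds are the knobs to tune per site; the point is to have the per-source breakdown in hand before deciding whether to adjust the signature or the application.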
Current thread:
- IDP/IDS products Robert Riley (Sep 16)
- <Possible follow-ups>
- Re: IDP/IDS products Chuck Braden (Sep 16)
- Re: IDP/IDS products Basgen, Brian (Sep 16)
- Re: IDP/IDS products DAVID R. MORTON (Sep 16)
- Re: IDP/IDS products DAVID R. MORTON (Sep 16)
- Re: IDP/IDS products Consolvo, Corbett D (Sep 16)
- Re: IDP/IDS products Avdagic, Indir (Sep 16)
- Re: IDP/IDS products Greene, Chip (Sep 17)
- Re: IDP/IDS products King, Ronald A. (Sep 17)
- Re: IDP/IDS products Joseph Clark (Sep 17)