Educause Security Discussion mailing list archives

Re: IDP/IDS products


From: "King, Ronald A." <raking () NSU EDU>
Date: Wed, 17 Sep 2008 16:23:17 -0400

1. Inline
2. Traffic based with certain filters triggering the Quarantine/Responder
feature.
3. In my 2.5 years of working with it, 1 false positive on our profile.  At
the time, the particular filter preventing the traffic was set to "Block"
and it took us a bit of investigating to figure that out.  Now we ensure all
filters are set to "Block + Notify."
4. Tippingpoint.  I wasn't part of the selection process, but we have
compared it to ISS (IBM) and NitroSecurity and found each to be lacking in
key areas that Tippingpoint provides.
5. The few we have found have been related to the SMS server and they were
minor.

Ronald King
Security Engineer
Norfolk State University


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Riley
Sent: Tuesday, September 16, 2008 3:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IDP/IDS products

We are seeking peer feedback on the use of Intrusion Detection/Prevention
systems.

If your organization has deployed an enterprise IDP/IDS, are you:

1. Using the product inline or in bypass mode?
2. Are you using the product to shun hosts?
3. How are you managing false positives?
4. Which product do you use and what was your selection criteria?
5. Have you documented any known issues with the product?

Please feel free to contact me offlist if you prefer.

Thank you.
--
Robert Riley
Information Security Professional
University of Notre Dame
