Educause Security Discussion mailing list archives
Re: IPS recommendations
From: Walter Petruska <wpetruska () USFCA EDU>
Date: Fri, 9 Nov 2012 08:32:05 -0700
Use of the 'exception' option in building the policy related to the threat or event activity. You may then include or exclude particular IP addresses, ranges, MAC addresses, users, ports, protocols, applications, etc. as you wish from the action prescribed by your policy. Or create an entry which is more granular and specifies different behavior for a subset of rules, threats or systems and place the item higher in your policy. You may also build the exception right from the alert view, should you decide you're getting too many and you wish to suppress them in the future.

On Nov 8, 2012 10:35 PM, "Bryan Zimmer" <bzimmer () ucsc edu> wrote:

> We demoed a PA box and were impressed, but I'm a bit concerned about using them to replace an IPS in a large environment. We do hope to get some PA boxes for smaller environments around campus though. The biggest thing that bothered me was the inability to tune alerts. Say there's a rule that's alerting a lot and we want to tune it so that it only alerts on certain IP addresses, or doesn't alert on certain IP addresses. I don't remember the exact steps but it seemed like a very convoluted and non-scalable process to accomplish that. I'm no PA expert though. What are the PA owners out there doing to tune their alerts?
>
> ----
> Bryan Zimmer
> Senior Security Analyst
> UCSC Security Team
>
> On Nov 8, 2012, at 1:57 PM, Walter Petruska <wpetruska () USFCA EDU> wrote:
>
>> Same situation here - our Tipping Point was EOL, and we replaced it with a Palo Alto Networks device. It's been working great, we're retiring the Tipping Point box next week, and expect to add more PANs in the near future.
>>
>> Walter Petruska
>> University of San Francisco
>>
>> On Thu, Nov 8, 2012 at 12:27 PM, Entwistle, Bruce <Bruce_Entwistle () redlands edu> wrote:
>>
>>> Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping Point unit. I was looking to see what everyone else is using and how well it is working for them.
>>>
>>> Thank you
>>> Bruce Entwistle
>>> University of Redlands
>>
>> --
>> Walter Petruska CISSP, CISA, CGEIT
>> Information Security Officer
>> infosec.usfca.edu
>> University of San Francisco
>> Lone Mountain North - 2nd Floor
>> 2130 Fulton Street
>> San Francisco, CA 94117
>> ITS Help Desk, Phone: 415-422-6668 Fax: 415-422-6719
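The tuning approach Walter describes (a broad threat rule with exceptions for particular sources, plus a more granular entry placed higher in the policy so it wins) is the same first-match, exception-aware evaluation any ordered IPS policy performs. The following is an added illustrative model written for this archive page, not Palo Alto Networks code or PAN-OS configuration syntax; the rule names, the signature id 1234, and the address ranges are all constructed examples.

```python
"""Ordered IPS policy with per-rule exceptions (illustrative model, not PAN-OS config)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                                          # "alert" or "block"
    threat_ids: Set[int] = field(default_factory=set)    # empty = any threat signature
    src_nets: List = field(default_factory=list)         # empty = any source address
    dst_ports: Set[int] = field(default_factory=set)     # empty = any destination port
    exceptions: List = field(default_factory=list)       # sources exempt from this rule's action

    def decide(self, event: dict) -> Optional[str]:
        """Return this rule's action for the event, "suppress" if an exception
        covers the source, or None if the rule does not apply to the event."""
        if self.threat_ids and event["threat_id"] not in self.threat_ids:
            return None
        src = ip_address(event["src"])
        if self.src_nets and not any(src in net for net in self.src_nets):
            return None
        if self.dst_ports and event["dst_port"] not in self.dst_ports:
            return None
        if any(src in net for net in self.exceptions):
            return "suppress"          # excluded from the prescribed action: no alert
        return self.action


def evaluate(policy: List[Rule], event: dict) -> Tuple[str, str]:
    """First-match evaluation: the highest rule that applies to the event wins."""
    for rule in policy:
        action = rule.decide(event)
        if action is not None:
            return rule.name, action
    return "implicit-default", "alert"


# Constructed policy. Hypothetical signature 1234 is noisy: the authorised
# vulnerability scanner on 192.168.100.0/24 trips it constantly and should be
# suppressed, while hits from the sensitive 10.0.5.0/24 segment should block.
POLICY = [
    Rule("sig-1234-critical-segment", "block",
         threat_ids={1234}, src_nets=[ip_network("10.0.5.0/24")]),
    Rule("sig-1234-general", "alert",
         threat_ids={1234}, exceptions=[ip_network("192.168.100.0/24")]),
    Rule("catch-all", "alert"),
]

# Constructed sample events.
EVENTS = [
    {"threat_id": 1234, "src": "10.0.5.17",     "dst_port": 445},
    {"threat_id": 1234, "src": "192.168.100.3", "dst_port": 445},
    {"threat_id": 1234, "src": "172.16.2.9",    "dst_port": 445},
    {"threat_id": 9999, "src": "172.16.2.9",    "dst_port": 80},
]


def run(policy: List[Rule] = POLICY, events: List[dict] = EVENTS) -> List[Tuple[str, str]]:
    """Evaluate every event against the policy and return (rule, action) pairs."""
    return [evaluate(policy, event) for event in events]


if __name__ == "__main__":
    for event, (rule, action) in zip(EVENTS, run()):
        print(f"{event['src']:>15} sig {event['threat_id']}: {action:8} via {rule}")
    # With the granular rule moved below the general one, the 10.0.5.0/24 hit
    # only alerts instead of blocking: the position of the entry decides.
    swapped = [POLICY[1], POLICY[0], POLICY[2]]
    print("swapped order:", run(swapped)[0])
```

Running the block prints the verdict for each constructed event, then shows how the same 10.0.5.0/24 event is handled when the granular rule sits below the general one, which is why the more specific entry belongs higher in the policy.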