Re: IDS and Bandwidth

[Mayank Bhatnagar <mayank () ncb ernet in>]

hi bhaskar,

Your problem is about monitoring IDS and bandwidth issues. 
I feel the architecture of your IDS could be the bottleneck.

Try to troubleshoot on the following points

1) Are the number of nodes that are deployed separately
processing/analysisng the traffic or are just dumping the same to the 
central master node for further processing.

If its the latter then ofcourse you have duplicacy of traffic redirection
that is happening, in that case see if you can possibly change the IDS
nodes from (most probably) logging mode to detection mode.  

I presume thats not the case as you mentioned about the false positives.

2) If there is a possibility for your IDS nodes to accumulate the alerts
at the nodes itself and you as an IDS operator them would have to bear the
additional responsibility of managing them regularly ie "be on your toes"
rather than depending on only the central master.

I am pointing towards a Web based or Remote monitoring interface to your 
individual IDS agents. 

This will reduce the traffic flow. 

But then you reduce the chances of the central master to be doing any
further processing, like for eg any correlation work/ alerts analysis work
being carried out.

3) You can verify what kinds of false positives the IDS nodes 
generate and whether you can tune the individual to reduce the same.The 
manuals of your IDS could help in this regard and this is where an IDS 
operator's true skills are a test :)

4) Probably you can actually see what kind of traffic flow is it and 
verify that it is really generated by your IDS nodes. You need to confirm 
what kind of traffic it is and is it really coming from the IDS nodes 
only.


Regards,
Mayank 


On 5 Jul 2005 bhaskar.gupta () tcs com wrote:

> Dear frendz
>
> I am working as an IDS operator in my company. Due to big size of the
> organisation, different IDS nodes are monitoring different centers
> through a central master node. Since there are lot of incidents (
> including false positives ) generated across the organsation, there is a
> complaint from our networking team that IDS is consuming lot of
> bandwidth over networking
>
> I am really not able to figure out how much IDS can eat up network
> bandwidth.
>
> Please throw some light on this.
>
> cheers, Bhaskar
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> --------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------