RE: IDS and Bandwidth

[MailTest <mailtest () gsecone com>]

Yes that's right its not easy to come to that conclusion that bandwidth is consumed by IDS. There are few things which 
you can check for i.e
Bandwidth fluctuations from your ISP. This happens very frequently in some locations and with some providers. Another way is to do some traffic shaping and control the traffic based on protocol and IP's. More info can be found at lartc.org. There is a possibility that some switch is not working fine or some conjestion taking place. 

Raghu



you need to ask them how are they arriving at that conclusion.
If you are sniffing with taps then there is more impact on your server
and none on 'their' wire.
Now if you are spanning and they are seeing performance drops on the
switche(s) that is not bandwidth on the wire but possibly another
problem.
You really need to isolate where they are having problems.
MOST (maybe not in your case ;-)) network teams I have come across have
little idea about where bandwith is consumed they simply start blaming
the first item they don't understand once they start encountering
problems.


-----Original Message-----
From: bhaskar.gupta () tcs com [mailto:bhaskar.gupta () tcs com]
Sent: 05 July 2005 04:47
To: focus-ids () securityfocus com
Subject: IDS and Bandwidth


Dear frendz

I am working as an IDS operator in my company. Due to big size of the
organisation, different IDS nodes are monitoring different centers
through a central master node. Since there are lot of incidents (
including false positives ) generated across the organsation, there is a
complaint from our networking team that IDS is consuming lot of
bandwidth over networking

I am really not able to figure out how much IDS can eat up network
bandwidth.

Please throw some light on this.

cheers, Bhaskar

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--
NOTICE: This e-mail is intended for the named recipient(s). It may contain privileged and/or confidential information. 
If you are not one of the intended recipients, please notify the sender immediately and destroy this e-mail and 
attachment(s): you must not copy, distribute, retain or take any action in reliance upon the email or attachment(s). 
While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Ltd and its affiliate 
companies cannot guarantee that attachments are virus-free or are compatible with your systems, and does not accept 
liability in respect of viruses or computer problems experienced. Thank you.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------