[c-nsp] IDS Recommendations - Cisco?

Paul Stewart paul at paulstewart.org
Mon Feb 9 13:15:38 EST 2009


Thanks very much for the reply (and other replies I got to date as well)....

So, you are doing passive monitoring today - would that mean that when your
IDP systems alarm that this generates an alert to your NOC for immediate
investigation (on a serious issue)?  I'm just wanting to understand your
process a bit to see how it might fit into our plans here....;)

Cheers,

Paul


-----Original Message-----
From: Ross Vandegrift [mailto:ross at kallisti.us] 
Sent: Saturday, February 07, 2009 10:50 AM
To: Paul Stewart
Cc: 'Gregori Parker'; 'Cisco-nsp'
Subject: Re: [c-nsp] IDS Recommendations - Cisco?

On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote:
> A good example to paint a picture here is that some of these servers are
> for web hosting.  If a client uploads a php script (example) that has a
> vulnerability we would like the IDS to trip on it - again we can't have
> the world but that's kind of what I have in mind.

It's a good thought, but watch your session count.  All of the devices
have limits as to the number of sessions they can handle.  When
that's exhausted, expect to be offline.

I also work in hosting, and I have to say, the IDP is a great tool.
But there's nothing we could find that grew in performance with the
size of our installation.

> I could think of many more scenarios but at a high level I'm looking for
> vendor/product recommendations based on actual usage if possible.

If you know your traffic and session levels well, and you want to do
inline blocking, the Juniper ISG with integrated IDP modules is a
pretty great tool.  You use NSM to write the usual firewall policy; some
rules can optionally have IDP processing enabled.  Very granular.

Like I said - I abandoned it.  Our hosting grew much faster than their
performance could.  Monitoring the session and traffic levels of the
blades was always awkward, and we didn't have such good ideas of our
traffic/session levels.

Finally, remember that your IDP will be the weakest link in the
network.  A firewall is a bad enough single point of failure (i.e.,
having a session table that can be attacked); the IDP is many times
worse because of the level of processing it requires for each session.

So more power to you - but be very careful, or be prepared for some pain.
All of the IDP implementations we do today are passive.

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
