IDS General Problematics

Lots of posts on in-depth technical questions on this forum, while mine is a lot more generic.

As a service provider we manage many separate customer networks, some internet connected, some not. We have been looking at several IDS systems for a while now, and it's not technical problems which are causing us headaches but more functional.

If we would to roll out IDS for several networks, no doubt we'll be hit around the head with lots of events, intrusions, logs, what have ya. To maintain a 24h service on this level is downright nearly impossible. You would need Level 3 technical personnel to look at these events; even if they can be cut down to a few a day, it would still mean looking into these alerts on a daily/nightly basis and determining the next course of action. In my opinion large environments will result in many (too many) alerts; filtering them will help, but will also improve the chances you might be missing a serious event.

Obviously to have this much manpower on it would be very expensive. I would like to receive some comments on how some of you are coping with this, or is it not as bad as it all looks? Maybe if you tune it right, a few alerts a week? I have no idea what to expect; that's part of the problem.

Thanks

1 Reply

gmauchamer
Level 1

First, make sure you install the IDS behind a firewall. That will stop a lot of unwanted alarms. That's really all you want to monitor anyway, what gets through the FW. Then it's a matter of tweaking the IDS until you are only being notified of true intrusions and not a bunch of false positives. It takes several days/weeks to get the signature list trimmed down. There will be a lot of false positives at first. The IDS does all the work (eventually) anyway by resetting and blocking connections. Takes some time to get it settled down though.
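The tuning step the reply describes, finding which signatures are generating the noise per customer network and suppressing only the reviewed source, as an added example that is not part of this thread; the alert lines and the "timestamp|network|signature|src_ip|dst_ip" format are constructed for the example, not taken from any real IDS:

```python
from collections import Counter, defaultdict

# Constructed sample alerts (not real logs), one per line in an assumed
# "timestamp|network|signature|src_ip|dst_ip" format.
SAMPLE_ALERTS = """\
2024-01-08T02:14:05|custA|ICMP PING NMAP|10.1.1.7|10.1.1.1
2024-01-08T02:14:06|custA|ICMP PING NMAP|10.1.1.7|10.1.1.2
2024-01-08T03:00:00|custA|ICMP PING NMAP|10.1.1.7|10.1.1.3
2024-01-08T09:31:12|custA|WEB-MISC /etc/passwd|203.0.113.9|10.1.1.20
2024-01-08T00:05:00|custB|SNMP public access|10.2.0.5|10.2.0.1
2024-01-08T00:10:00|custB|SNMP public access|10.2.0.5|10.2.0.2
2024-01-08T00:15:00|custB|SNMP public access|10.2.0.5|10.2.0.3
2024-01-09T11:42:30|custB|SHELLCODE x86 NOOP|198.51.100.4|10.2.0.30
2024-01-09T11:43:02|custB|SHELLCODE x86 NOOP|198.51.100.77|10.2.0.30
"""

def parse_alerts(text):
    """Parse the pipe-separated lines into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, net, sig, src, dst = line.split("|")
        alerts.append({"ts": ts, "net": net, "sig": sig, "src": src, "dst": dst})
    return alerts

def noisy_signatures(alerts, min_hits=3, max_sources=1):
    """Return (network, signature, hits, distinct_sources) for signatures that
    fire repeatedly from very few sources inside one network. That is the usual
    false-positive shape (a monitoring host, a scanner, a backup job), so it is
    the first place to spend tuning effort; review each before suppressing."""
    hits = Counter((a["net"], a["sig"]) for a in alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[(a["net"], a["sig"])].add(a["src"])
    return sorted(
        (net, sig, n, len(sources[(net, sig)]))
        for (net, sig), n in hits.items()
        if n >= min_hits and len(sources[(net, sig)]) <= max_sources
    )

def apply_suppressions(alerts, suppressions):
    """Drop alerts matching reviewed (network, signature, src_ip) tuples: the
    narrowest suppression, so the signature still fires for any other source."""
    return [a for a in alerts if (a["net"], a["sig"], a["src"]) not in suppressions]

if __name__ == "__main__":
    for row in noisy_signatures(parse_alerts(SAMPLE_ALERTS)):
        print("tune candidate:", row)
```

Suppressing per (network, signature, source) rather than disabling the signature keeps the rule live for genuine external hits, which is the trade-off the original poster worries about.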