Two VMS Servers managing the same sensors

tednie
Level 1

Has anyone used two VMS servers to monitor/manage the same sensors? I have the need to have two separate VMS servers collect the event data from the same sensors. What is the best practice in this situation?

3 Replies

nikhil_m
Level 1

I believe this is not a good idea... performance-wise, maybe you will have some problems.

a.arndt
Level 3

We used to do a very similar thing using two different Unix Directors to monitor the same group of IDS sensors. In our case, it was for redundancy between a primary site and secondary site. The real question is whether or not both VMS systems need to make changes to the sensors or if only one needs to manage the sensors while both receive event data from them.

As long as both monitoring stations are configured properly to obtain the data from the sensors, I can see no reason why there would be a problem. The only time you might run into a problem will be with managing the sensors’ configurations. In our case we only managed the configuration of the sensors from the "primary" management station and synchronized the configuration info on the "secondary" whenever a change did in fact take place (for example, a signature update). By doing this, we were able to ensure that we could still change any of the managed sensors’ configurations from the secondary site if necessary; however, confusion was avoided by normally only making changes from the primary site.

Since I lack familiarity with how VMS / IDSMC tracks configuration info when compared with Unix Director, I can only suggest that this would probably still work for you, but I cannot make any guarantees.

Hope this helps,

Alex

Good response.

A few additional pieces of information:

There are 2 tools within VMS for managing the sensors:

IDS MC - IDS Management Center used for configuring the sensors.

SecMon - Security Monitor used for viewing alerts and running reports.

Using 2 SecMons for viewing events from the same sensor is fully supported.

Simply add the sensor to both SecMons.

NOTE: There is no communication between the 2 SecMons. So for example, if you delete an alert in one, then the alert will still be in the other.

It is using 2 IDS MCs for configuring the same sensor that could cause issues.

When the configuration is updated in the IDS MC, the IDS MC will simply create a brand new configuration based on the previously saved configuration within IDS MC and the new modifications.

It does not check to see what may have changed in the sensor configuration prior to this.

So one IDS MC can wind up overwriting the configuration modifications of another IDS MC.

Possible solutions:

1) Use only IDS MC for configuration under normal cases. Have a second one installed but not used. If the first IDS MC ever crashes, then you can ADD the sensors to the second IDS MC. During the ADD there is an option to import the sensor's configuration. If the import option is functioning properly then the second IDS MC should be able to pull in the current configuration of the sensor and begin working properly.

When the first IDS MC is brought back online, the sensor could be deleted and readded back in (with the import configuration option) so the changes made by the second IDS MC could be pulled into the first IDS MC.

2) Option 2 would be to use IDS MC for normal configuration. If the IDS MC ever fails then the user can revert to using IDM directly on the sensor until IDS MC can be brought back online. Once the IDS MC is brought back online the user can manually make the changes in IDS MC to match what has been modified in IDM, or the sensor can be deleted and readded with the option to import the configuration.
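
The overwrite described in the last reply, as an added example that is not part of the original posts and is not Cisco code: it models a manager that builds its push from its own saved copy plus new modifications, and lists the out-of-band sensor changes that push would silently discard. The flat dict layout, the setting names and the function names are assumptions made for illustration, not the IDS MC or sensor configuration format.

```python
# Added illustration: configs are modelled as flat dicts (constructed sample
# data), not the real IDS MC or sensor configuration format.

def build_push(saved, changes):
    """Model of the behaviour described above: the manager builds the new
    configuration from its own saved copy plus its new modifications."""
    new_cfg = dict(saved)
    for key, value in changes.items():
        if value is None:          # None marks a setting the operator removes
            new_cfg.pop(key, None)
        else:
            new_cfg[key] = value
    return new_cfg


def lost_changes(saved, changes, sensor_now):
    """Return settings changed on the sensor by someone else that the push
    would silently overwrite: {key: (value_on_sensor, value_after_push)}."""
    pushed = build_push(saved, changes)
    lost = {}
    for key in sorted(set(saved) | set(sensor_now) | set(pushed)):
        on_sensor = sensor_now.get(key)
        if on_sensor == saved.get(key):
            continue               # no out-of-band change to this setting
        if on_sensor != pushed.get(key):
            lost[key] = (on_sensor, pushed.get(key))
    return lost


# Constructed sample: manager A's saved copy of the sensor configuration.
SAVED_A = {"sig-2004": "enabled", "sig-3030": "enabled", "filter-10": "10.1.1.0/24"}
# Constructed sample: the sensor after manager B disabled a signature and added a filter.
SENSOR_NOW = {"sig-2004": "enabled", "sig-3030": "disabled",
              "filter-10": "10.1.1.0/24", "filter-20": "10.2.2.0/24"}
# Manager A's pending modification.
CHANGES_A = {"sig-2004": "disabled"}

if __name__ == "__main__":
    for key, (current, after) in lost_changes(SAVED_A, CHANGES_A, SENSOR_NOW).items():
        print(f"{key}: sensor has {current!r}, push would set {after!r}")
```

An empty result means the saved copy still matches the sensor for every setting the push touches, so nothing made elsewhere is overwritten.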