Rule-based, commercial IDS systems need to be protected from "the flood"
by the border router ACLs and firewall. Otherwise, they just cry all day
long from the flood and report everything as a serious attack . . . even
the failures. For example, a Web cgi attack reported by a commercial
IDS raised everyone's attention, only we later verified that the Web
server had 404ed the requests. It was just one of a flood of false alarms
reported every day and hour.
We also use a TCPDUMP (aka shadow) IDS in front of the border router and
firewall to detect the "holes" by analysis of the outbound traffic. The
external IDS takes skill, but it gives insights the commercial IDS miss or
mask in the flood.
Bob Wilson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
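As an added example (not from Bob Wilson's post or any list member), here is a small Python triage pass that does the check he describes: matching a commercial IDS's CGI alerts against the Web server's own access log and marking as failed the ones the server answered with a 4xx. The alert tuples, log lines, IP addresses and signature names are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed IDS alerts: (alert time, client IP, signature name, requested path).
ALERTS = [
    ("1999-03-02 10:15:03", "192.0.2.10", "WEB-CGI lookup.cgi access", "/cgi-bin/lookup.cgi"),
    ("1999-03-02 10:15:09", "192.0.2.10", "WEB-CGI old-form.pl access", "/cgi-bin/old-form.pl"),
    ("1999-03-02 10:16:40", "203.0.113.7", "WEB-CGI mail.pl access", "/cgi-bin/mail.pl"),
    ("1999-03-02 10:20:00", "203.0.113.9", "WEB-CGI lookup.cgi access", "/cgi-bin/lookup.cgi"),
]
# Constructed Web server access log (Common Log Format).
ACCESS_LOG = """\
192.0.2.10 - - [02/Mar/1999:10:15:03 +0000] "GET /cgi-bin/lookup.cgi?q=x HTTP/1.0" 404 207
192.0.2.10 - - [02/Mar/1999:10:15:09 +0000] "GET /cgi-bin/old-form.pl HTTP/1.0" 404 207
203.0.113.7 - - [02/Mar/1999:10:16:41 +0000] "POST /cgi-bin/mail.pl HTTP/1.0" 200 1532
"""
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
WINDOW = timedelta(seconds=2)  # tolerated clock skew between sensor and server

def parse_access_log(text):
    """Yield (time, client, path without query string, status) per CLF line."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            client, ts, _method, target, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield when, client, target.split("?", 1)[0], int(status)

def triage(alerts, access_log):
    """Return (signature, client, server status, verdict) for each alert.
    'failed': the server answered 4xx, so this was a rejected probe;
    'investigate': the server actually served the request;
    'unverified': no matching request appears in the access log."""
    requests = list(parse_access_log(access_log))
    verdicts = []
    for ts, client, sig, path in alerts:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        hit = next((r for r in requests if r[1] == client and r[2] == path
                    and abs(r[0] - when) <= WINDOW), None)
        if hit is None:
            verdicts.append((sig, client, None, "unverified"))
        elif 400 <= hit[3] < 500:
            verdicts.append((sig, client, hit[3], "failed"))
        else:
            verdicts.append((sig, client, hit[3], "investigate"))
    return verdicts

if __name__ == "__main__":
    for sig, client, status, verdict in triage(ALERTS, ACCESS_LOG):
        print(f"{verdict:12} {client:15} {str(status):5} {sig}")
```

Only the "investigate" rows need a human; the 404s are the noise the post complains about, and "unverified" usually means the sensor saw something the server never logged.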