Gary Halleen (ghalleen) wrote:

> Consider the case of a firewall generating many millions of events per
> day, as well as an IDS sitting outside the firewall, which is also
> probably generating hundreds of thousands, or millions of events.

Then a zero-cost, security-effective, positive-reducing move is to place the IDS inside the network, which is arguably the place where you want it :)

> A topology-aware SIM uses those IDS events to classify the traffic that
> both passes and is blocked by the firewall.

Standard IDS placement rules do the same thing, in a much more cost-effective manner.

> You can use the same capabilities to see that web-based attacks are not
> actually causing damage to the target host by monitoring things like the
> web server's logs, antivirus, host IDS, or system/security logs.

This is exactly what any SIM is supposed to do, right?

> often it makes more sense to tune all security devices centrally, at the
> SIM, rather than at each security device.

Unluckily, this rather supposes a single-vendor approach, which is not the situation most organizations are in :)

> Integration with vulnerability assessment systems increases the
> intelligence a good SIM has.

With caveats (look in the list archives)

Best,
Stefano
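The classification Gary describes (using firewall accept/drop logs to tag which alerts from an IDS sitting outside the firewall actually reached the protected network) is a 5-tuple join with a time tolerance. The following is an added example, not code from either participant or from any SIM product; the syslog-like IDS and firewall line formats, the 5-second match window and the sample log lines are all constructed for illustration:

```python
"""Classify IDS alerts seen outside a firewall against the firewall's own
ACCEPT/DROP log, so alerts on traffic the firewall dropped can be
de-prioritised.  Added example for the focus-ids thread, not code from
the thread itself.  Log formats and the match window are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed tolerance for clock skew between sensor and firewall plus logging delay.
MATCH_WINDOW = timedelta(seconds=5)

# Constructed sample data in an assumed syslog-like format (not any vendor's).
IDS_ALERTS = """\
2008-07-04T10:00:01 snort[123]: [1:2003:8] WEB-IIS cmd.exe access {TCP} 203.0.113.7:41000 -> 198.51.100.10:80
2008-07-04T10:00:02 snort[123]: [1:1418:11] SNMP request tcp {TCP} 203.0.113.7:41001 -> 198.51.100.10:161
2008-07-04T10:00:05 snort[123]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access {TCP} 203.0.113.9:52000 -> 198.51.100.10:80
2008-07-04T10:00:09 snort[123]: [1:2049:3] SQL ping attempt {UDP} 203.0.113.11:5000 -> 198.51.100.12:1434
"""
FW_LOG = """\
2008-07-04T10:00:01 fw1 ACCEPT TCP 203.0.113.7:41000 -> 198.51.100.10:80
2008-07-04T10:00:02 fw1 DROP TCP 203.0.113.7:41001 -> 198.51.100.10:161
2008-07-04T10:00:06 fw1 ACCEPT TCP 203.0.113.9:52000 -> 198.51.100.10:80
"""

IDS_RE = re.compile(
    r"^(?P<ts>\S+) snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
    r"\{(?P<proto>TCP|UDP|ICMP)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def _flow_key(m):
    """The 5-tuple both log sources share; it is the join key."""
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def parse_ids(text):
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:  # lines in an unknown format are skipped, not guessed at
            alerts.append({"ts": datetime.fromisoformat(m["ts"]), "sid": m["sid"],
                           "msg": m["msg"], "flow": _flow_key(m)})
    return alerts


def index_firewall(text):
    """Map each 5-tuple to the (timestamp, action) decisions the firewall logged for it."""
    by_flow = defaultdict(list)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            by_flow[_flow_key(m)].append((datetime.fromisoformat(m["ts"]), m["action"]))
    return by_flow


def classify(alerts, fw_index, window=MATCH_WINDOW):
    """Tag each alert passed / blocked / unmatched using the nearest firewall decision in time."""
    results = []
    for a in alerts:
        candidates = [(abs(ts - a["ts"]), action)
                      for ts, action in fw_index.get(a["flow"], ())
                      if abs(ts - a["ts"]) <= window]
        if not candidates:
            # No firewall record: could be a logging gap or a flow the firewall
            # never saw.  Deliberately NOT treated as "blocked".
            verdict = "unmatched"
        else:
            _, action = min(candidates)
            verdict = "passed" if action == "ACCEPT" else "blocked"
        results.append({**a, "verdict": verdict})
    return results


def summarize(results):
    return Counter(r["verdict"] for r in results)


def classified_sample():
    return classify(parse_ids(IDS_ALERTS), index_firewall(FW_LOG))


if __name__ == "__main__":
    for r in classified_sample():
        print(f'{r["verdict"]:9} {r["sid"]:8} {r["msg"]}')
    print(dict(summarize(classified_sample())))
```

Two caveats that matter in practice: an alert with no matching firewall record is left as "unmatched" rather than assumed blocked, because a firewall that logs only a sample of drops, or a sensor and firewall with unsynchronised clocks, would otherwise hide real attacks; and the whole join disappears if the sensor is moved inside the firewall as Stefano suggests, since every alert it then raises is by construction traffic the firewall passed.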
