RE: [ISSForum] Desktop Protector Reporting URL

Sun, 28 Dec 2003 09:40:51 -0800 

In response to your 2nd question...

There are 2 other options besides Trusting an entire IP.
Both are described in the documentation.

Trust.pair will trust a particular IssueID against a particular IP.
 --This is very effective in eliminating IDS events from legitimate
sources 
        -(e.g. your DNS Servers, Mail Servers, etc.)
        -the bulk of the Events are tripped by only a handful of systems

Trust.issue is handy to shut of IDS and Event for a particular check
 --This will apply to all addresses
 --Use this to get rid of Suspicious Events you may not care about

Trusting an address or address range is overkill and risky for the
reasons you've stated.

Judicious use of both Trust.Issue and Trust.Pair is a far better way to
eliminate the "noise" while keeping up your defenses.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Bob Erwin
Sent: Wednesday, December 24, 2003 10:34 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Desktop Protector Reporting URL


Hey,

I have been setting up the Desktop Protector for this client and have an
issue that I cannot find any settings for.  The Reporting URL is showing
up as an IP address instead of a DNS Name.  Where do I change that at
the server level?  I have checked the templates and can't find it...

Also, on another note, I was wondering how other people are setting up
their desktop protection.  At first I thought that I would include the
local network as a trusted network, however, I discovered that once you
do that, those IP's pretty much bypass the IDS.  Which means that if you
get a vulnerability expliot worm in your network it can replicate
without problem.  However, if you take out the trusting network, you get
a ton of false alarms.  I guess I'm just looking for strategy here....

Thanks for your help,
Bob

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo

Reply via email to