Cisco Security Professional's Guide to Secure Intrusion Detection Systems

There is so much more to intrusion detection than just putting a sensor out on a network and then never addressing it again. Someone has to take the time to manage the sensors. It would not be very efficient to have to go to each of the sensors on a network and look at them on an individual basis. What if you saw something suspicious? Then you would have to go to the others and try to correlate the events. That is not the most efficient way to manage a group of security sensors. Luckily, we have a central management solution to help us manage our Cisco IDS sensors.
There are several items that need to be addressed when managing the IDS sensors on the network:
How secure is the network going to be? Are we looking at everything or looking for specific events driven by our security policy?
How many people will have access to the management console and who can modify the configuration?
How much logging is going to take place? Do we log everything or only the events we care about?
How often do we generate reports?
Will alarms be sent to e-mail/pagers?
Do I shun or carry out TCP resets?
Shunning is the process of blocking traffic from a certain host or network. To most, this sounds like a great idea, but if you have a Web presence for the purpose of e-commerce or marketing, you may be denying...
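The trade-off just described (a shun that keeps an attacker out can just as easily keep a customer or partner out) is easiest to see in a small policy model. The following is an added example, not code from the book or from Cisco's IDS software: it models a shun list with three safeguards a practitioner would want, namely a never-shun exemption list, a minimum alert severity before a shun is placed, and an expiry so no block lasts forever. The ShunPolicy and ShunManager classes, the alert dictionaries and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ShunPolicy:
    """Hypothetical shun policy (constructed for this example)."""
    never_shun: list          # ip_network objects that must never be blocked
    max_duration: timedelta   # every shun expires after this long
    min_severity: int         # alerts below this severity never trigger a shun


@dataclass
class ShunManager:
    """Tracks active shuns and decides whether an alert should add one."""
    policy: ShunPolicy
    active: dict = field(default_factory=dict)  # ip_address -> expiry datetime

    def consider(self, alert, now):
        """Return True if this alert placed a new shun, False otherwise."""
        src = ipaddress.ip_address(alert["src"])
        if alert["severity"] < self.policy.min_severity:
            return False                      # too minor to justify blocking
        if any(src in net for net in self.policy.never_shun):
            return False                      # exempt network, e.g. customers or partners
        self.active[src] = now + self.policy.max_duration
        return True

    def is_blocked(self, ip, now):
        """Return True while a shun for ip is active; expired entries are purged."""
        src = ipaddress.ip_address(ip)
        expiry = self.active.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.active[src]              # shun has aged out
            return False
        return True


def run_demo():
    """Feed three constructed alerts through the policy and report the outcome."""
    policy = ShunPolicy(
        never_shun=[ipaddress.ip_network("203.0.113.0/24")],  # constructed: a partner network
        max_duration=timedelta(minutes=30),
        min_severity=4,
    )
    mgr = ShunManager(policy)
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    alerts = [  # constructed sample alerts, not real sensor output
        {"src": "203.0.113.5", "severity": 5, "sig": "constructed-sig-A"},   # from exempt network
        {"src": "198.51.100.7", "severity": 5, "sig": "constructed-sig-B"},  # high severity, shunnable
        {"src": "192.0.2.9", "severity": 2, "sig": "constructed-sig-C"},     # below severity threshold
    ]
    decisions = [mgr.consider(a, t0) for a in alerts]
    return {
        "decisions": decisions,
        "partner_blocked": mgr.is_blocked("203.0.113.5", t0),
        "suspect_blocked_now": mgr.is_blocked("198.51.100.7", t0 + timedelta(minutes=5)),
        "suspect_blocked_later": mgr.is_blocked("198.51.100.7", t0 + timedelta(minutes=31)),
        "low_sev_blocked": mgr.is_blocked("192.0.2.9", t0),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only the high-severity alert from a non-exempt source results in a block, and that block disappears after the configured 30 minutes. Without the exemption list, the first alert would have shunned a partner address; without the expiry, a single false positive would block a source indefinitely, which is exactly the e-commerce risk the text warns about.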