Intrusion Prevention Systems Question

A couple thoughts.

- If you've got a contract with Gartner or some other "respected authority" that your company trusts, try and get something from them explaining the importance of IPS and how it's a mature technology.

- Explain that an IDS system that is not being actively monitored provides no benefit.

- Talk with the networking group and reassure them that you will work hard to reduce false positives and only turn on signatures that are low false-positive. They're likely worried that your system will increase their work. Do what you can to dispel that.

- Go for a phased approach. Start with just IDS functionality. As you tune the system and you're confident, start turning on the good signatures. Limit the number of people who know when you are putting sigs into blocking mode. That way you won't be blamed incorrectly for system problems.

- If you're having trouble getting buy-in, consider pushing the IDP product as a better IDS substitute than what you have now. Better signatures, easier to investigate and respond, etc. Then once people are more comfortable with the product, start pushing to move into blocking mode.

- Understand that your company has "survived" all of these years and likely has not had a significant intrusion. That's a difficult sell to upper management, especially in tough times like these. Why should you spend $x resources on something that wasn't needed in the past? If you can't get management buy-in, then focus on the stuff you can fix. Maybe in a year or two the organizational mentality will change.
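The phased approach above (run everything as alert, then promote only the tuned, low-false-positive signatures to blocking) is easy to get wrong if someone hand-edits a rules file. The following is an added example, not code from the thread or from any poster: it assumes Snort/Suricata-style rule syntax (the poster names no product), where the first token of a rule is its action and the `sid:NNN;` option identifies it. Given a rule set and the list of sids approved by the tuning review, it flips exactly those rules from `alert` to `drop`, leaves everything else untouched, and reports which sids entered blocking mode so the change can be logged. The sample rule set is constructed for illustration and uses local sids, not real vendor signatures.

```python
"""Promote approved IDS signatures from alert to drop (IPS) mode.

Assumed format (Snort/Suricata-style; the thread names no product):
    <action> <proto> <src> <sport> -> <dst> <dport> (<options>)
Only rules whose sid is in the approved set are switched. Comments, blank
lines and rules with other sids pass through unchanged.
"""
import re

# First token of a rule line is its action keyword.
ACTION_RE = re.compile(r"^(alert|drop|reject|pass|log)\b")
# The sid option inside the parenthesised option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(line):
    """Return the sid of a rule line as an int, or None for comments/blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = SID_RE.search(stripped)
    return int(m.group(1)) if m else None


def promote_to_drop(rules_text, approved_sids):
    """Rewrite 'alert' to 'drop' for rules whose sid is in approved_sids.

    Returns (new_text, promoted_sids). Rules already in drop mode are not
    counted as promoted, so running this twice is safe.
    """
    out = []
    promoted = []
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        body = line.lstrip()
        if sid in approved_sids and body.startswith("alert"):
            indent = line[: len(line) - len(body)]
            line = indent + "drop" + body[len("alert"):]
            promoted.append(sid)
        out.append(line)
    new_text = "\n".join(out)
    if rules_text.endswith("\n"):
        new_text += "\n"
    return new_text, promoted


def action_counts(rules_text):
    """Count active (non-comment) rules per action keyword, e.g. {'alert': 3, 'drop': 1}."""
    counts = {}
    for line in rules_text.splitlines():
        if rule_sid(line) is None:
            continue
        m = ACTION_RE.match(line.strip())
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample rule set for the example (local sids, not real vendor signatures).
SAMPLE_RULES = """\
# Phase 1: everything alerts. Promote to drop only after tuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold:type both,track by_src,count 20,seconds 60; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Possible SQLi in URI"; flow:to_server,established; content:"UNION SELECT"; nocase; http_uri; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; flow:to_server,established; sid:1000003; rev:1;)
# Noisy rule kept in alert mode until it is tuned.
alert udp any any -> any 53 (msg:"Long DNS query"; dsize:>200; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    # Only the signatures the tuning review approved go to blocking mode.
    new_rules, promoted = promote_to_drop(SAMPLE_RULES, {1000001, 1000003})
    print(new_rules)
    print("promoted:", promoted, "counts:", action_counts(new_rules))
```

Keeping the approved sid list in version control alongside the rules gives you the record the poster wants when someone blames the sensor for an outage: you can show exactly which signatures were blocking at the time and which were still only alerting.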
 
If you're looking for quality layer 4+ IDS systems, you will need a balance between a HIDS and a NIDS system.

I recommend having a "red team" (always a fun additional tasking; my personal favorite is putting a wrt54gl router in a UPS and social engineering your way in...). Have them hack the network to prove the need for the system. I am not sure how far up the totem pole you are at work; don't stick your neck out too far...

How locked down is your network? Sometimes HIDS can be a HUGE pain if the network is running IPsec... (from experience.. twitch... you want QoS and HIDS on WHAT!!!???!!!)

If you want to implement something quickly, put a HIDS between your server vlans and your user vlans.

I've worked on a few LARGE networks (cough cough...) and I've used eEye Retina a lot. They make a great IDS product.
 
HIPS and NIPS... never used them before. I've only studied them when doing the Cisco security exam....
 
Are you part of the InfoSec department?

A network-based IDS can be run off a spanned port and at least give you reporting as to what's going on.

I definitely wouldn't use 1 vendor for everything.
 