Q & A: The best way to use IDS/IPS effectively

In our Webcast entitled "the secret to effectively use IDS and IPS" based on the user's on-demand video, the guest speaker Jeff Posluns provides the skills to use IDS/IPS to actively manage security vulnerabilities and thoroughly examine the security status of an enterprise. The following are some questions that Jeff answered during the live broadcast.

Q: Should I receive IDS alerts only from one information system security team member, or should multiple members and company management members receive such alerts?

A: The answer to your question is based on the following facts:

1. Many alarms from IDS are error reports.

2. Many alerts from IDS are irrelevant to urgent issues.

3. Many alerts from IDS do not need to be taken immediately.

4. A few alerts from IDS need to be investigated.

5. Few alarms need immediate action.

This is my thoughts on this issue. If one person wants to receive a visit or has a plan to receive a visit, only this person should be notified. If you have spent a lot of time, effort, and money adjusting your alarm system, you will not get many alarms and need to track them. Maybe a ticket system is the most suitable. In this case, the IDS system creates a ticket, and a member of the security group is responsible for receiving calls and alarms. If the ticket is not updated within four hours, use a pager to call a manager. I have seen such a ticket system.

Q: Is IPSes dangerous because it may block normal communication?

A: IPSes has caused more problems than solved in history. However, the use of today's technology rarely blocks normal communication by mistake. Remember, you can't buy or install an IPS, and then let it do everything on its own. IPS or IDS need to take care of themselves like a child, but try to correct its mistakes and pass on your wisdom to it.

I have seen about 200 running IPS cases, and I can recall only three of them. These problems are caused by abnormal communication between http servers. IPS detects such communication as bad communication. Once the rules are fixed, there are no many issues worth worrying about.

Q: I am using an intrusion detection system named Snort. I don't think there are many error alarms. I really don't trust this system as I trust OTS technology. Did I miss something?

A: The default Snort rule does not need to be adjusted in most networks. You may see many ICMP (Internet-controlled Message Protocol) alarms and some wrong DNS and HTTP alarms. If you install the Bleeding Edge rule, you will see more things.

To effectively adopt the Snort System, it may take several days for you to adjust these rules, close something and modify something else.

The advantage of using the Snort System is that you will get updates, modify rules, create your own rules, and formulate output content. If you are looking to insert a solution, commercial software such as ISS, NAI, Cisco, and other products can be considered. If you are a technician who wants to spend a few days or even weeks learning, Snort is a good choice.

I suggest you contact SourceFire. People there have a commercial Snort System. Ask them about the error report and what measures they can take. I have seen IDS devices in applications. This type of device requires fewer adjustments than the default open-source software Snort System.

Q: Can IDS detect port scans? How to perform detection?

A: IDS can be used to identify port scanning:

1. IDS can search for attempts to connect several connected ports of the same address (for example, attempts to connect ports X, X1, and X2 in five seconds ).

2. IDS can be used to find connection activities performed on ports that are not commonly used or that are commonly used by some Trojans (for example, trying to connect ports 31337 and 12345, or connect more than two ports in 10 seconds ).

3. IDS can be used to query the number of connections between a host and another host in a specific period of time (for example, a host with the same IP address sends more than 10 connection requests within 10 seconds ). This is one of the reasons why DNS servers are often mistaken for port scanning of hosts. The ns1.securitysage.com website said that when your computer uses a DNS server, it will randomly connect to the ns1.securitysage.com website from the high port to the lower 53 port, the ns1.securitysage.com website usually uses port 53 to respond to the same connection. For IDS, this is like the ns1.securitysage.com website is scanning the port of another host, sending several queries in seconds.