Date Submitted: 08/18/05
Using IDS to Evaluate Outbound Port Usage for Security and Reduction of IDS Alerts: A Case Study
Added by Papergrl
Description:
After recently deploying an Intrusion Detection System (IDS) inside our corporate LAN, the issue at hand quickly became apparent: reduction of the number of alerts that appear to be part of normal traffic. Tuning the IDS or even the network itself to eliminate these alerts is the hardest part. I can see how an IDS Administrator might turn off certain categories of alerts, because they are so numerous that they become an annoyance. One such type is ICMP alerts. After all, in the entire scheme of things, ICMP might appear to fall short on the importance scale when weighed against buffer overflows, attempted root access and other types of hacking exploits. With the reluctance to give in so easily, I tried to find out the cause of these alerts, as many IDS administrators will attempt to do as well. After a few hit-and-miss attempts, it started to become clear that some of these could be related to outbound port usage, and that the network border could be misconfigured.
