Three tips for reducing false alarms

If you decide to dive into intrusion-detection systems, these tips might help reduce your level of false positives and false alarms:

1. Map your network
Build a map of your entire internal network, identifying all the hosts and services running on them. The more you tell the IDS about what is important in your network, the fewer false alarms you'll get.

For example, if you have Apache Web servers, you should tell the IDS not to look for attacks that are based on Microsoft Internet Information Server vulnerabilities on those servers.

If you've patched a server for Code Red, tell the IDS not to bother reporting Code Red attacks on that server.

2. Firewall your IDS
If you don't put the IDS behind your firewall, you'll learn lots of interesting things about knob-twisting out on the Internet.

Unfortunately, there's no point: there's nothing you can do with that information. You can spend all day complaining about port scans, and it won't do any good. The less traffic the IDS sees, the less it has to complain about.

3. Use reporting tools
Sifting through a pile of events only gets you mired down in details without giving you much of a big picture. IDS reports, which provide summary information on what's going on over a macro scale, such as a 72-hour period, are more useful. Caution: You might have to write some of these tools yourself!
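The following is an added example, not code from the article, of how tips 1 and 3 look in practice: an asset map (which hosts run which services, which are already patched) is used to drop alerts that cannot apply, and the survivors are rolled up over a 72-hour window by signature and by target instead of being read one at a time. The host addresses, service inventory, signature names and alert lines are all constructed for illustration; they are not a real sensor's rule set or log.

```python
"""Asset-aware IDS alert triage and a 72-hour summary report.

Added example, not from the Network World article. Tip 1: tell the IDS which
hosts run which services and which are already patched, so it stops raising
alerts that cannot apply. Tip 3: summarize events over a macro window such as
72 hours. All hosts, services, signature names and alert lines below are
constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed asset map (tip 1): destination host -> services it actually runs.
ASSET_MAP = {
    "10.0.0.10": {"apache"},
    "10.0.0.20": {"iis"},
    "10.0.0.30": {"apache", "ssh"},
}

# Constructed: signatures a host has already been patched against.
PATCHED = {
    "10.0.0.20": {"code-red"},
}

# Hypothetical signature names mapped to the service each one targets.
SIGNATURE_TARGETS = {
    "iis-unicode-traversal": "iis",
    "code-red": "iis",
    "apache-chunked-overflow": "apache",
    "ssh-banner-probe": "ssh",
}

# Constructed alert log: "<ISO timestamp> <source> <destination> <signature>".
SAMPLE_ALERTS = [
    "2002-02-12T08:00:00 198.51.100.7 10.0.0.10 iis-unicode-traversal",
    "2002-02-12T08:05:00 198.51.100.7 10.0.0.20 code-red",
    "2002-02-12T09:00:00 203.0.113.4 10.0.0.20 iis-unicode-traversal",
    "2002-02-12T12:00:00 203.0.113.4 10.0.0.99 code-red",
    "2002-02-13T10:00:00 203.0.113.4 10.0.0.30 ssh-banner-probe",
    "2002-02-13T11:00:00 203.0.113.9 10.0.0.10 apache-chunked-overflow",
    "2002-02-09T00:00:00 198.51.100.7 10.0.0.30 ssh-banner-probe",
]


def parse_alert(line):
    """Split one constructed alert line into a dict with a datetime timestamp."""
    ts, src, dst, sig = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "sig": sig}


def suppression_reason(alert):
    """Return why an alert should be dropped, or None if it is worth keeping.

    Unknown hosts are never suppressed: the asset map only earns a
    suppression when it positively says the attack cannot apply.
    """
    dst, sig = alert["dst"], alert["sig"]
    services = ASSET_MAP.get(dst)
    if services is None:
        return None
    target = SIGNATURE_TARGETS.get(sig)
    if target is not None and target not in services:
        return "service-not-present"   # e.g. an IIS attack against an Apache host
    if sig in PATCHED.get(dst, set()):
        return "patched"               # e.g. Code Red against a patched server
    return None


def triage(lines):
    """Parse alert lines and split them into kept alerts and suppression counts."""
    kept, suppressed = [], Counter()
    for line in lines:
        alert = parse_alert(line)
        reason = suppression_reason(alert)
        if reason is None:
            kept.append(alert)
        else:
            suppressed[reason] += 1
    return kept, dict(suppressed)


def summarize(alerts, window_hours=72, end=None):
    """Roll kept alerts up over a trailing window (tip 3), by signature and by target."""
    if not alerts:
        return {"total": 0, "by_signature": {}, "by_destination": {}}
    end = end or max(a["ts"] for a in alerts)
    start = end - timedelta(hours=window_hours)
    in_window = [a for a in alerts if start <= a["ts"] <= end]
    return {
        "total": len(in_window),
        "by_signature": dict(Counter(a["sig"] for a in in_window)),
        "by_destination": dict(Counter(a["dst"] for a in in_window)),
    }


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_ALERTS)
    print(f"kept {len(kept)} alerts, suppressed {suppressed}")
    for key, value in summarize(kept).items():
        print(f"{key}: {value}")
```

Two design points are worth noting. A host that is missing from the asset map is never suppressed, so an incomplete map makes the IDS noisier rather than blind; the map only buys silence where it positively states that the attacked service is absent or already patched. And the suppression counts are kept alongside the surviving alerts, so the 72-hour report can show how much the asset map is filtering as well as what got through.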

- Joel Snyder