March 18th, 2004 12:13 PM
Vikram7000
Just an FYI here - If you are new to the IDS arena, one of the challenges I have seen many organizations face is that most IDS platforms do not have a reliable backup plan. Most of the IDS companies claim that their products are recoverable if you will simply back up the database. In reality this is normally far from the truth. For instance, if you lose the HDD that the, I'll say "event collector" for lack of a better term, ... that the event collector is stored on, your first challenge will be with the encryption scheme that allows the database on the event collector to communicate with your remote detectors. Normally this is not a big challenge, but most of the IDS platforms tie the encryption key into an "instance per installation" type of schema. This means that while you still have your database and can get to the information, you will be unable to integrate it with any new data going forward.
The second challenge is with the custom policies that you build to reduce displaying false positives, e-mail or text notifications, etc. Most of these policies have flags that are tied to the old database, which are once again tied to the encryption key installation instance, even though the policy is in essence a flat file. Typically this requires the administrator to rebuild any custom policies from scratch, because the expected pointers are no longer valid.
The third challenge I have seen is that after you have brought up a new database, you will have to reinstall all of your remote detectors to make the encryption schemes match.
This is all based on my personal experience with different products, and may not be applicable to what you are running, but it is definitely something to look at before a failure occurs. If anybody else has experience playing with backup availability for IDS, please post your thoughts. I look forward to any info on an easily recoverable IDS solution.
The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
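The three failure modes in the post above (key bound to an installation instance, custom policies pointing at that instance, remote detectors enrolled against it) can be turned into a restore drill you run before the disk actually dies. The script below is an added example, not code from the poster or from any IDS vendor; the backup bundle layout, the field names, the idea of a key "fingerprint" as the instance pointer, and all sample keys and sensor names are constructed assumptions for the drill.

```python
"""Restore drill for an IDS event-collector backup.

Added example, not code from the original post and not tied to any IDS
product. It models the three recovery problems the post describes: the
encryption key being bound to an installation instance, custom policies
carrying pointers to that instance, and remote detectors enrolled against
it. The bundle layout, field names and instance fingerprints are
constructed assumptions for the drill, not a vendor's real format.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def instance_fingerprint(key_material: bytes) -> str:
    """Fingerprint of the per-installation key. In this model a policy or
    detector 'points at' the collector by carrying this value."""
    return hashlib.sha256(key_material).hexdigest()[:16]


@dataclass
class BackupBundle:
    """What was actually copied off the event collector."""
    database_dump: bytes
    key_material: bytes | None          # None: only the database was backed up
    policies: dict[str, str]            # policy name -> instance fingerprint it references
    detectors: dict[str, str]           # detector name -> instance it is enrolled with


def restore_drill(bundle: BackupBundle, fresh_install_key: bytes) -> dict:
    """Simulate restoring `bundle` onto a freshly installed collector.

    `fresh_install_key` is the key the new installation would generate on
    its own. If the backup carries the old key material, the restored
    collector keeps the old instance identity; otherwise the new identity
    wins and anything bound to the old one must be rebuilt or reinstalled.
    """
    if bundle.key_material is not None:
        active = instance_fingerprint(bundle.key_material)
        key_missing = False
    else:
        active = instance_fingerprint(fresh_install_key)
        key_missing = True

    stale_policies = sorted(n for n, fp in bundle.policies.items() if fp != active)
    detectors_to_reinstall = sorted(n for n, fp in bundle.detectors.items() if fp != active)

    findings = []
    if key_missing:
        findings.append("encryption key not in backup: old data readable, "
                        "but new detector traffic cannot be merged with it")
    if stale_policies:
        findings.append(f"{len(stale_policies)} custom policies point at the old "
                        "instance and must be rebuilt")
    if detectors_to_reinstall:
        findings.append(f"{len(detectors_to_reinstall)} remote detectors must be "
                        "reinstalled to match the new encryption scheme")

    return {
        "active_instance": active,
        "key_missing": key_missing,
        "stale_policies": stale_policies,
        "detectors_to_reinstall": detectors_to_reinstall,
        "clean_restore": not findings,
        "findings": findings,
    }


# Constructed sample data for the drill.
OLD_KEY = b"constructed-old-collector-key"
NEW_KEY = b"constructed-fresh-install-key"
OLD_FP = instance_fingerprint(OLD_KEY)

# Backup that copied the key store alongside the database.
FULL_BUNDLE = BackupBundle(
    database_dump=b"...events...",
    key_material=OLD_KEY,
    policies={"suppress-dns-noise": OLD_FP, "page-oncall-on-scan": OLD_FP},
    detectors={"dmz-sensor-1": OLD_FP, "core-sensor-1": OLD_FP},
)

# The "just back up the database" backup the post warns about.
DB_ONLY_BUNDLE = BackupBundle(
    database_dump=b"...events...",
    key_material=None,
    policies={"suppress-dns-noise": OLD_FP, "page-oncall-on-scan": OLD_FP},
    detectors={"dmz-sensor-1": OLD_FP, "core-sensor-1": OLD_FP},
)

if __name__ == "__main__":
    for label, bundle in (("full", FULL_BUNDLE), ("db-only", DB_ONLY_BUNDLE)):
        report = restore_drill(bundle, NEW_KEY)
        print(f"[{label}] clean_restore={report['clean_restore']}")
        for line in report["findings"]:
            print("   -", line)
```

Run it and the database-only bundle reports all three problems while the bundle that also captured the key store restores clean; the point of the drill is that "is the key material in the backup?" is the question that decides whether the policies and detectors survive, so that is what to verify on a schedule rather than after the HDD fails.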