Placing Management Consoles


Although the main problem in deploying IDS components is choosing the right positions for the network sensors, you must not forget about the management consoles. This question becomes especially important in large, geographically distributed networks.

One of the first questions that needs an answer is: how many management consoles do you actually need? The answer to this question depends on the following parameters:

  • The number of managed agents. Even if the console is technically able to support an unlimited number of agents, the inherent limits of human information processing mean that an operator cannot adequately track events from a large number of agents. In large networks it is not advisable to connect more than 50 agents to the same console.

  • Types of agents. Network and host-level components monitor different kinds of events, and so send different amounts of data to the console. A network sensor transmits much more frequently, roughly 10 times as much event data as a host-level IDS running on a specific host.

  • Types of responses. Depending on the response types used and the IDS operators' capabilities, you might need more than one management console. For example, when the emphasis is on real-time response, no more than 10-15 network sensors should be connected to a single console. If the operator instead concentrates on subsequent analysis of events, 20-25 network sensors per console is feasible. For host-level (system) sensors, these figures can be multiplied by 5-7.

  • Interaction between departments. This parameter is more organizational than technical. In most organizations, information security functions are distributed among several departments: the IT department monitors some network parameters while the information security department tracks others. Most of these operations are independent, which calls for at least two management consoles, each configured for its own tasks.

  • The necessity of hierarchical management. If the organization implements the hierarchical management scheme described in Chapter 6, the number of consoles must be at least the number of levels in the management hierarchy, and there may be several consoles at each level.

However, I cannot give universal recommendations in this area; depending on several factors, the figures above might not apply. For example, the grouping of sensors and protected resources implemented in the RealSecure SiteProtector system allows one to exceed the limit of 10-15 network sensors per console. Even in this case, however, connecting too many sensors to a single console is still not the best idea.
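The rules of thumb above can be turned into a simple sizing check that also shows where they conflict. The following Python is an added example, not code from the book or from any IDS product. The numeric thresholds are the ones quoted in this section; the way mixed network and host loads are combined on one console, the names `SensorGroup`, `consoles_needed`, `limiting_factor` and `plan`, and the sample inventory are assumptions of the example.

```python
"""Console-sizing helper for IDS deployments.

Added example, not code from the book. The numeric thresholds are the rules of
thumb quoted in this section (10-15 or 20-25 network sensors per console, host
sensors 5-7x that, no more than 50 agents per console in large networks); the
way they are combined for a console that carries both sensor types is an
assumption (each sensor uses a fraction of a console, fractions add linearly).
"""
import math
from dataclasses import dataclass

# Network sensors per console as (conservative, generous), from the text.
NET_PER_CONSOLE = {"realtime": (10, 15), "analysis": (20, 25)}
HOST_MULTIPLIER = (5, 7)          # host sensors: 5-7 times the network figure
MAX_AGENTS_PER_CONSOLE = 50       # ceiling for large networks


@dataclass(frozen=True)
class SensorGroup:
    """Sensors that one console (or set of consoles) will manage together."""
    department: str   # who operates the console, e.g. "IT" or "infosec"
    level: int        # tier in the hierarchical scheme, 0 = top
    mode: str         # "realtime" or "analysis"
    network: int      # number of network sensors
    host: int         # number of host-level (system) sensors


def _caps(group, conservative):
    """Per-console capacity for network and host sensors in this mode."""
    idx = 0 if conservative else 1
    net_cap = NET_PER_CONSOLE[group.mode][idx]
    return net_cap, net_cap * HOST_MULTIPLIER[idx]


def _by_type_and_ceiling(group, conservative):
    """Console counts under the sensor-type rule and under the 50-agent ceiling."""
    net_cap, host_cap = _caps(group, conservative)
    agents = group.network + group.host
    by_type = math.ceil(group.network / net_cap + group.host / host_cap)
    by_ceiling = math.ceil(agents / MAX_AGENTS_PER_CONSOLE)
    return by_type, by_ceiling


def consoles_needed(group, conservative=True):
    """Number of consoles for one group (0 if it has no sensors).

    Both limits are evaluated and the stricter one wins.
    """
    if group.network + group.host == 0:
        return 0
    return max(_by_type_and_ceiling(group, conservative))


def limiting_factor(group, conservative=True):
    """Which rule drives the count: 'sensor-type' or '50-agent ceiling'."""
    if group.network + group.host == 0:
        return "none"
    by_type, by_ceiling = _by_type_and_ceiling(group, conservative)
    return "50-agent ceiling" if by_ceiling > by_type else "sensor-type"


def plan(groups, conservative=True):
    """Consoles per (department, level).

    Departments never share a console, and every hierarchy level that has
    sensors gets at least one console, as the text requires.
    """
    result = {}
    for g in groups:
        key = (g.department, g.level)
        result[key] = result.get(key, 0) + consoles_needed(g, conservative)
    return result


if __name__ == "__main__":
    # Constructed inventory (not from the book): a central infosec console
    # doing real-time response, and a regional IT console doing after-the-fact
    # analysis of a host-heavy site.
    inventory = [
        SensorGroup("infosec", 0, "realtime", network=30, host=0),
        SensorGroup("IT", 1, "analysis", network=5, host=200),
    ]
    for g in inventory:
        print(g.department, g.level, consoles_needed(g), limiting_factor(g))
    print(plan(inventory))
```

In the constructed inventory the host-heavy IT group is limited by the 50-agent ceiling rather than by the 5-7x host-sensor multiplier: 200 host sensors would fit the per-type rule in three consoles but need five under the ceiling. The two rules in the text pull in different directions for host-heavy deployments, so a plan should apply whichever is stricter.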

One more aspect must be considered in relation to the management console. If all sensors use a separate network interface to communicate with the console, it makes sense to confine all management traffic to a single dedicated VLAN. This keeps management traffic off the monitored segments, which improves the security of the system, and makes any problems on the management channel easier to detect quickly.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
