Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: IPS recommendations
From: Walter Petruska <wpetruska () USFCA EDU>
Date: Fri, 9 Nov 2012 08:32:05 -0700

Use of the 'exception' option in building the policy related to the threat
or event activity.  You may then include or exclude particular IP
addresses, ranges, MAC addresses, users, ports, protocols, applications,
etc as you wish from the action prescribed by your policy.

Or create an entry which is more granular and specifies different behavior
for a subset of rules, threats or systems and place the item higher in your
policy.

You may also build the exception right from the alert view, should you
decide you're getting too many and you wish to suppress them in the future.
On Nov 8, 2012 10:35 PM, "Bryan Zimmer" <bzimmer () ucsc edu> wrote:

We demoed a PA box and were impressed, but I'm a bit concerned about using
them to replace an IPS in a large environment. We do hope to get some some
PA boxes for smaller environments around campus though. The biggest thing
that bothered me was the inability to tune alerts. Say there's a rule
that's alerting a lot and we want to tune it so that it only alerts on
certain IP addresses, or doesn't alert on certain IP addresses. I don't
remember the exact steps but it seemed like a very convoluted and
non-scalable process to accomplish that. I'm no PA expert though.
What are the PA owners out there doing to tune their alerts?

----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team


On Nov 8, 2012, at 1:57 PM, Walter Petruska <wpetruska () USFCA EDU> wrote:

Same situation here- our Tipping Point was EOL, and we replaced it with
Palo Alto Networks device. It's been working great, we're retiring the
Tipping Point box next week, and expect to add more PANs in the near future.

Walter Petruska
University of San Francisco

On Thu, Nov 8, 2012 at 12:27 PM, Entwistle, Bruce <
Bruce_Entwistle () redlands edu> wrote:

Our current IPS is reaching EOS, so we would take this opportunity to
look at alternatives to our existing Tipping Point unit.  I was looking to
see what everyone else is using and how well it is working for them.****

** **

Thank you****

Bruce Entwistle****

University of Redlands****

** **




--
*Walter Petruska CISSP, CISA, CGEIT*
*Information Security Officer*
infosec.usfca.edu



*University of San Francisco*
Lone Mountain North - 2nd Floor
2130 Fulton Street
San Francisco, CA 94117
*ITS Help Desk*, Phone: 415-422-6668
Fax: 415-422-6719







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]