Posted by Anthony Fischer on January 13, 2006, 12:26 pm
We're starting to test IDS and are noticing that when it is enabled, even with only 1 signature turned on, web browsing is significantly slowed down. Can anyone shed some light on this subject or provide any suggestions, besides disabling IDS, to solve the problem? When we turn IDS off completely, web traffic flows at a much higher rate. I'm happy to explain any details further if necessary. Thank you.

-- Tony

Posted by Wil on January 13, 2006, 1:51 pm
frustratingly slow. All layer 3-4 testing showed no issues though. I had a TAC case open because of it crashing the router for various reasons as well. I just disabled IPS and told TAC to close the case after 2 months :)

IPS is NOT ready for production yet, IMHO.

Wil
my 3¢

Posted by Anthony Fischer on January 13, 2006, 2:12 pm
Wil -

Thank you greatly for your response. When I was doing initial testing, with one PC behind the router, all traffic but web browsing worked just like expected. But as soon as I would try to browse the web or download something from a web page, average speed was about 9K/sec if I recall correctly. It was like port 80 was the only traffic that was being affected and all I did was turn IPS on and didn't even touch the signatures. I was using the 128MB.sdf file at the time. Most other reports I'm seeing on the web seem to end with disabling IPS altogether as well unfortunately.

I'm curious... How was your experience with TAC on this particular issue? Were they willing to help or were they resistant because it's so new? Did it seem like they were just fumbling around in the dark? Did the tech happen to express any of his/her views on the state of IPS? I only ask because we'll most likely be opening up a ticket soon. Thanks again.

-- Tony

Posted by Wil on January 13, 2006, 2:24 pm
I was using the 256.sdf file, 3845 router. The reason that I originally opened a TAC case was because I caught the bugger crashing in my logs, I just so happened to be on the console while it dumped.

Once I opened the case they asked me to send them the 256.sdf file, they couldn't locate it because it was so new. No problem, they found the problem signature and had me disable it, then later delete it. I left the case open planning to update the 256.sdf file, or image, or whatever the recommended fix was and voilà, started to get crashes again two weeks later. Deleted another recommended signature.

Users were complaining about slowness that I had wrongly attributed to distance (since I couldn't see any problems at L2-4), so one day I figured that I would strip the config to see if things got better for them, and it did! Reapplied features one at a time and found that it was the IPS that was slowing everything down. I asked TAC about it and they told me it was a different issue, open another case, etc. Instead I just closed the current one and turned off IPS, logs are a little lighter but my users aren't complaining. Still running with ACLs and CBAC, no problems.

Wil
my 3¢

Posted by Anthony Fischer on January 13, 2006, 6:03 pm
Fantastic. Thanks for your replies Wil. Have a great weekend!

-- Tony

> I was using the 256.sdf file, 3845 router. The reason that I originally
> opened a TAC case was because I caught the bugger crashing in my logs, I
> just so happened to be on the console while it dumped.
>
> Once I opened the case they asked me to send them the 256.sdf file, they
> couldn't locate it because it was so new. No problem, they found the
> problem signature and had me disable it, then later delete it. I left the
> case open planning to update the 256.sdf file, or image, or whatever the
> recommended fix was and voilà, started to get crashes again two weeks
> later. Deleted another recommended signature.
>
> Users were complaining about slowness that I had wrongly attributed to
> distance (since I couldn't see any problems at L2-4), so one day I figured
> that I would strip the config to see if things got better for them, and it
> did! Reapplied features one at a time and found that it was the IPS that
> was slowing everything down. I asked TAC about it and they told me it was
> a different issue, open another case, etc. Instead I just closed the
> current one and turned off IPS, logs are a little lighter but my users
> aren't complaining. Still running with ACLs and CBAC, no problems.
>
> Wil
> my 3¢
Intrusion Detection System