One of my colleagues from the technical support department asked me about the best placement of the internal sensor (IDS) when a network has an IPS implemented as well. So I just gave him a simple diagram to show him the usual placement of the internal sensor when we have an IPS implemented as well.

The reason why I would place my internal sensor (in this case the DMZ sensor) behind the IPS is because:

a). I always believe that all preventive measures will be defeated sooner or later. And if the DMZ sensor is placed in front of the IPS, then what kind of indication do we have if an attack bypassed the IPS?

b). If the sensor is placed in front of the IPS, how do we know whether one particular attack has been blocked by the IPS or not?

Usually for this kind of placement, a good correlation between the alerts coming from the external IDS and the internal IDS will help the analyst determine whether the attack bypassed the preventive measures, in the form of firewalls and IPS. To enhance the identification process, both alerts are then compared against the logs retrieved from the targeted server.

As an example, let's say the external sensor produces one alert stating that there is a remote file inclusion attempt on the web server. If the internal sensor also produces the same alert, it means that this attempt successfully bypassed the firewall (of course) and the IPS as well. Only then will the alert be produced to the analyst console; if only the external sensor produces the alert, then it can be discarded or not presented to the analyst console. It may be used for statistical purposes perhaps.

Another step: if the external and internal sensors produce the same alert, it will be compared against the web log obtained from the targeted web server. If the response code for that attempt is 200 (the server actually served the request), then these alerts will be produced to the analyst console, else they will be discarded.
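To make the three-stage filter above concrete, here is an added example (mine, not code from the original post or from any sensor product) that runs it over constructed sample data: a list of external-sensor alerts, a list of internal (DMZ) sensor alerts, and a few Apache-style access log lines from the targeted web server. It assumes both sensors report the same signature name, source, destination and request URI for one event, and that the web log is in common log format; the "200 means served, everything else is discarded" rule is the post's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Alert:
    sensor: str      # "external" (outside firewall/IPS) or "internal" (DMZ sensor)
    signature: str   # signature name as the sensor reports it
    src: str         # source IP of the request
    dst: str         # targeted server IP
    uri: str         # request URI the signature fired on


# Constructed sample alerts; not output of any real sensor.
EXTERNAL_ALERTS: List[Alert] = [
    Alert("external", "WEB-PHP remote file include attempt", "203.0.113.5", "192.0.2.10",
          "/index.php?page=http://198.51.100.20/x.txt"),
    Alert("external", "WEB-PHP remote file include attempt", "203.0.113.9", "192.0.2.10",
          "/view.php?inc=http://198.51.100.20/y.txt"),
    Alert("external", "WEB-PHP remote file include attempt", "203.0.113.7", "192.0.2.10",
          "/news.php?tpl=http://198.51.100.20/z.txt"),
]
INTERNAL_ALERTS: List[Alert] = [
    Alert("internal", "WEB-PHP remote file include attempt", "203.0.113.5", "192.0.2.10",
          "/index.php?page=http://198.51.100.20/x.txt"),
    Alert("internal", "WEB-PHP remote file include attempt", "203.0.113.7", "192.0.2.10",
          "/news.php?tpl=http://198.51.100.20/z.txt"),
]

# Constructed common-log-format access log from the targeted server (192.0.2.10).
WEB_LOG = """\
203.0.113.5 - - [01/Apr/2008:09:12:01 +0800] "GET /index.php?page=http://198.51.100.20/x.txt HTTP/1.1" 200 5123
203.0.113.7 - - [01/Apr/2008:09:13:44 +0800] "GET /news.php?tpl=http://198.51.100.20/z.txt HTTP/1.1" 404 221
198.51.100.77 - - [01/Apr/2008:09:14:02 +0800] "GET /index.php HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Verdicts for an external alert after correlation.
STATS_ONLY = "stats_only"      # only the external sensor saw it: firewall/IPS stopped it
CONSOLE = "analyst_console"    # both sensors saw it and the server answered 200
DISCARD = "discard"            # both sensors saw it but the server did not answer 200


def alert_key(a: Alert) -> Tuple[str, str, str, str]:
    """Fields that must match for an external and an internal alert to be the same event."""
    return (a.signature, a.src, a.dst, a.uri)


def parse_web_log(text: str) -> Dict[Tuple[str, str], int]:
    """Map (client ip, request uri) -> HTTP status for every parseable log line."""
    statuses: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            statuses[(m.group("ip"), m.group("uri"))] = int(m.group("status"))
    return statuses


def correlate(external: Iterable[Alert], internal: Iterable[Alert], web_log: str) -> Dict[Alert, str]:
    """Apply the post's filter to each external alert and return its verdict."""
    seen_inside = {alert_key(a) for a in internal}
    statuses = parse_web_log(web_log)
    verdicts: Dict[Alert, str] = {}
    for a in external:
        if alert_key(a) not in seen_inside:
            verdicts[a] = STATS_ONLY   # never reached the DMZ sensor: keep for statistics only
        elif statuses.get((a.src, a.uri)) == 200:
            verdicts[a] = CONSOLE      # bypassed firewall and IPS, and the server served it
        else:
            verdicts[a] = DISCARD      # bypassed, but the server refused or did not find it
    return verdicts


def run_sample() -> Dict[str, str]:
    """Correlate the constructed sample data, keyed by source IP for readability."""
    return {a.src: v for a, v in correlate(EXTERNAL_ALERTS, INTERNAL_ALERTS, WEB_LOG).items()}


if __name__ == "__main__":
    for src, verdict in run_sample().items():
        print(f"{src:15} -> {verdict}")
```

With the sample data, 203.0.113.5 lands on the analyst console (seen by both sensors, server returned 200), 203.0.113.9 is stats-only (the DMZ sensor never saw it, so the IPS or firewall dropped it), and 203.0.113.7 is discarded (both sensors saw it but the server answered 404). Two things a practitioner would add before trusting this in production: normalise URIs on both sides before matching, since an IPS or proxy may rewrite or URL-decode them, and remember that the web log is written by the very host under attack, so a successful compromise can also mean a doctored or missing log entry; a missing status here should be treated as suspicious rather than silently discarded.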

BUT then my colleague said

“That’s what I’ve explained to them, but their question is: why does the internal sensor generate too few alerts compared to the external sensor?”

I told him, “That means that their IPS has done a good job la!”

“Yeah, that’s what I thought too and I told them that, but they’re still asking the same question.”

I’m out of words…

Yeah, despite my ranting on how tired my brain is lately and how I plan to take 2 days’ leave, it seems like I’m in auto mode of waking up early on Monday morning and going to work :P I don’t feel that comfortable taking leave on Monday (yeah, I do succumb to Monday Blues syndrome), but Monday is the beginning of the week and usually every Monday somehow indicates how the week will be. I don’t like to be left in the dark or lose the ability to know heads or tails of any events in the office. Workaholic? Nahh.. I dun think so.

Anyway last weekend I was asked to attend one function held by my company’s Technology Division. Details on that function can only be discussed internally eh. Hehehe. Anyway I needed to give one presentation on the NSM (Network Security Monitoring) concept, and personally I felt that 30 minutes was not enough, but I’ve tried my best to sum up everything in the presentation slides. The outcome? You need to ask the audience lor. One thing for sure, we will incorporate this concept in our processes and human development. So to our competitors, watch out.. Heheheh

I am grateful and glad to be able to participate in those sessions held over those 3 days, and also more than happy to be able to give input for future improvement. I also did some mental preparation for new tasks, challenges, missions and objectives, not only for the company’s growth but for my personal growth as well.

Anyway here are some pictures (my pics lah, of course) from those sessions.

Ain’t no political “ceramah”

L.L.B (Looked Like Busy)

Crap. This time I’ve been fooled totally. After reading the posts from Richard and geek00l, I thought it was for real. My mistake tho, I should have checked the CISCO website for the news.

Anyway, April Fool.. :P