Intrusion Detection FAQs

How many networks can you simultaneously have monitored?
There is virtually no limit to the number of networks that can be monitored. The solutions we provide scale easily to accommodate unforeseen expansion.

How can we receive periodic event and statistic reporting?
Reports can be emailed to you and others on your team on a weekly schedule.

Do you provide live event monitoring?
Yes. Security alerts, performance and availability are monitored around the clock, 24x7x365.

What is your typical response time for critical events?
Clone Systems responds to critical events in less than 15 minutes.

How do you tune a typical IDS implementation?
Steps for the initial discovery period:
- Enable all available signatures on the IDS unit for one entire month
- Discover the false-positive alerts and lower their priority
- Tweak and modify the signature database based on these observations
After the initial monitoring/discovery period, IDS tuning occurs monthly, or sooner if necessary. The tuning timeframe depends on the implementation, since each networking environment needs a different set of signatures. Tuning is a never-ending process, especially in fast-growing computing environments.

How often are the IDS signatures updated?
Clone Systems updates IDS signatures within minutes of receiving the notification from Sourcefire's Vulnerability Research Team (VRT). The Sourcefire VRT is a group of leading-edge intrusion prevention and detection experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. The team is also supported by the vast resources of the open source Snort® community, making it the largest group dedicated to advances in network security.

What exactly is Real-time Network Awareness?
A Sourcefire Real-time Network Awareness (RNA) solution, used in conjunction with a NIDS, provides real-time reporting and correlation between RNA records (network and host vulnerabilities, open ports, threats and their impact level) and IDS records. An IDS solution coupled with RNA is the most intelligent NIDS solution available today.

Do you store historical event records?
IDS historical data is retained for at least 7 years.

How can historical data be accessed?
Historical data is stored as MySQL database files. Upon request, Clone engineers load these files onto an in-house non-production reporting server, where the records can be accessed and sorted in the same secure manner as current records.

How do you manage IDS or IPS components?
Clone Systems uses out-of-band (OOB) management across a VPN over your existing Internet connection. If preferred, we can perform OOB management across a dedicated point-to-point circuit between your location and our Philadelphia Data Center.
Either management option includes a firewall that terminates an encrypted tunnel for all management traffic, even though the Sourcefire hardware already encrypts its transmissions by default.

How are alerts delivered?
Alerting methods in use today are phone calls, emails and SMS messages. The exact sequence and escalation procedure are set by customer preference.

What does a typical IDS alert contain?
A logged event contains the following information:
- Source IP address
- Source hostname
- Source port
- Destination IP address
- Destination name
- Destination port (service)
- Actual session details (HTTP, SMTP, FTP, etc.)
- Date and time
- Event ID#
- Frequency of occurrence
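The discovery-period tuning steps above (enable everything, find the false positives, lower their priority) and the alert fields just listed can be worked through together on sample data. The following is an added example, not Clone Systems' or Sourcefire's own tooling: it parses Snort "fast"-format alert lines (the alert format of the open source engine Sourcefire sensors are built on) into the listed fields, counts the frequency of occurrence of each signature and where it fires from, and emits Snort threshold.conf entries (`suppress`, `event_filter`) for the signatures that behave like false positives. The alert lines, IP addresses, hostname inventory, signature IDs (local-rule range) and the two tuning heuristics are all assumptions constructed for the example.

```python
"""Discovery-period triage of Snort/Sourcefire IDS alerts.

Added example, not Clone Systems' or Sourcefire's own tooling. All alert
lines, IPs, hostnames and signature IDs below are constructed sample data.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Snort "fast" alert format:
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed asset inventory; stands in for reverse DNS / RNA host records
# and supplies the "source hostname" / "destination name" alert fields.
HOSTNAMES = {"10.0.0.20": "vulnscan01.corp", "10.0.1.10": "web01.corp"}


@dataclass(frozen=True)
class Alert:
    date: str
    time: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int | None
    dst: str
    dport: int | None

    @property
    def src_host(self) -> str:
        return HOSTNAMES.get(self.src, "unknown")

    @property
    def dst_host(self) -> str:
        return HOSTNAMES.get(self.dst, "unknown")


def parse_alert(line: str) -> Alert | None:
    """Return an Alert for one fast-format line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(g["date"], g["time"], int(g["gid"]), int(g["sid"]), int(g["rev"]),
                 g["msg"], g["cls"] or "", int(g["prio"]), g["proto"],
                 g["src"], int(g["sport"]) if g["sport"] else None,
                 g["dst"], int(g["dport"]) if g["dport"] else None)


def summarize(alerts):
    """Per-signature frequency of occurrence with a per-source breakdown."""
    summary = {}
    for a in alerts:
        s = summary.setdefault((a.gid, a.sid), {"msg": a.msg, "count": 0, "by_src": Counter()})
        s["count"] += 1
        s["by_src"][a.src] += 1
    return summary


def tuning_rules(alerts, known_scanners=frozenset(), noisy_min=50, spread_min=10):
    """Propose threshold.conf lines. The heuristics are assumptions for this
    example: a high-volume signature dominated by an approved internal scanner
    is suppressed for that source only; a high-volume signature spread across
    many sources is rate-limited to one alert per source per hour (still
    logged, no longer flooding the console); everything else is left for an
    analyst to review rather than silenced automatically."""
    rules = []
    for (gid, sid), s in sorted(summarize(alerts).items()):
        if s["count"] < noisy_min:
            continue
        top_src, top_n = s["by_src"].most_common(1)[0]
        if top_src in known_scanners and top_n >= 0.9 * s["count"]:
            rules.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {top_src}")
        elif len(s["by_src"]) >= spread_min:
            rules.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds 3600")
    return rules


def _line(i, sid, rev, msg, cls, prio, src, sport, dst, dport):
    """Build one constructed fast-format alert line."""
    return (f"06/{1 + i % 28:02d}-{i % 24:02d}:{i % 60:02d}:00.000000  [**] [1:{sid}:{rev}] {msg} [**] "
            f"[Classification: {cls}] [Priority: {prio}] {{TCP}} {src}:{sport} -> {dst}:{dport}")


# Constructed one-month sample: an internal scanner tripping a scan rule, a
# policy rule firing across a whole user subnet, and a rare genuine hit.
SAMPLE_ALERTS = (
    [_line(i, 1000001, 3, "LOCAL SCAN nmap TCP probe", "Attempted Information Leak", 2,
           "10.0.0.20", 40000 + i, f"10.0.1.{5 + i % 20}", 22) for i in range(80)]
    + [_line(i, 1000002, 1, "LOCAL POLICY DNS to external resolver", "Potential Corporate Privacy Violation", 3,
             f"10.0.2.{1 + i % 40}", 50000 + i, "198.51.100.53", 53) for i in range(300)]
    + [_line(i, 1000003, 5, "LOCAL SHELLCODE x86 NOOP", "Executable code was detected", 1,
             f"203.0.113.{7 + i}", 33000 + i, "10.0.1.10", 80) for i in range(3)]
)

if __name__ == "__main__":
    alerts = [a for a in map(parse_alert, SAMPLE_ALERTS) if a]
    for (gid, sid), s in summarize(alerts).items():
        print(f"[{gid}:{sid}] {s['msg']}: {s['count']} hits from {len(s['by_src'])} sources")
    print("\n".join(tuning_rules(alerts, known_scanners={"10.0.0.20"})))
```

On the sample, the scan signature is suppressed only for the approved scanner's IP, the policy signature is rate-limited rather than disabled, and the three shellcode hits from external addresses produce no rule at all: the point of the discovery month is to lower the priority of noise, not to switch off signatures wholesale. Without the scanner allowlist the scan signature gets no rule either, since 80 hits from a single unknown source is exactly what an analyst should look at.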