Beginning work with an IPS system

I have been working at my current job now into my 5th month. A lot of my time has been spent getting used to the environment and culture of working here, along with a majority of the time spent supporting and working with our .NET/ASP application development team. This basically means I’ve been more involved in Windows systems administration than I’d like to be doing, especially for someone who is not pursuing .NET programming. Windows sysadmin is not that difficult in the long run (you can make it as difficult as you want, by adding scripting, etc.), but it is not all that fun or glamorous. I’d pretty much rather be doing anything but; however, I will admit there is plenty of demand for the role in business.
Anyway, starting this week I get to begin working on and taking control of our McAfee Intrushield IPS device. This device sits inline between our external firewall and our internal DMZ firewall and logs intrusion attempts. Right now it is passive and set to IDS mode only, as no one has had time to really sit down and configure it properly while minimizing the risk of blocking legitimate traffic. That will end up being my role here, forthcoming.
I’m not the biggest of fans of IPS devices. I believe that a company like ours, which is small and has a good amount of money to spend on IT, is better served by installing only an IDS system and staffing to monitor it properly, as opposed to an IPS that will automatically block traffic based on various turned-on rules.
However, this is still majorly exciting and almost as good as managing the firewall. This device straddles the two areas I would like to grow in: networking and security/insecurity. So, that was some good news in the past few weeks in regards to my job, and I’m really looking forward to talking to our Accuvant guest this week and getting my fingers deeper into this device.
I will be very disappointed in the device if I am not able to see the actual packets and payload for various detections and alerts. Installing and playing with an IDS (Snort) at home has been on my extended list of things to do, but I have had some bigger fish to fry lately. So being able to do this at work is actually the first ray of sunshine that I have had at this new job.
UPDATE: I did some research on case studies for Intrushield and found one (pdf warning) that doesn’t name the company, but it does name the CSO. Turns out it’s the CSO from McAfee itself. While I can say, “d’oh” to see a company use itself as a case study, I have to say I like the idea that a product is in use internally. In my short career, I’ve already felt the irony of a company that doesn’t use its own products or follow its own paradigms that it tries to sell.