cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
861
Views
3
Helpful
3
Replies

best practices for deploying an IPS ?

carl_townshend
Spotlight
Spotlight

Hi all

Im thinking of putting an IPS on my network, my question is what should the approach be to this, my thinking was to run it in monitor mode to get a baseline etc for a few weeks, then switch on inline mode.

I hear there are different types of protection, signiture based, anomoly etc, can you change this on the device ?

what kind of protection do most people run, would it be the default ?

cheers

Carl

3 Replies 3

Andrew Phirsov
Level 7
Level 7

In general:

Disable all preventive actions, except for signatures, wich are 100% malicious. For other signatures just enable logging without denying anything. Install inline (cause it shouldn't deny legitimate traffic with most preventive actions disabled) and watch what's happening. While watching, tune signature actions properly and with caution). That tuning can take a mounth or two if you want that ips to be really usefull.

hi there

how do I know which signitures are 100% malicious ?

and when you say tune them, what do you mean ?

also should I enable anomaly detection?

how do I know which signitures are 100% malicious ?

Usually, by default, when you first install IPS (cisco or not), all signatures with deny/drop-kind of action are targeted for really malicious traffic wich shouldn't appear on your network. I would say you can just plug ips in inline mode in your network and it won't block any legitimate traffic (from my own experience). Plus, in cisco IPS you can manage behaviour globally by tuning Event Action Overrides and Event Action Filters depending on Risk Rating values. But you should be ready to disable/change event action of a certain signature if it blocks smth that it shouldn't.

and when you say tune them, what do you mean ?

I mean that you should analyze logs and take certain actions, i.e.: disabling or enabling certain signatures, changing actions that certain signatures do, changing anomaly detection policies if u use tnem, etc. For example, you see that some signature trigers tonns of loggs every day, but you know that there's nothing special about it, it's all legitimate - so you just disable that signature. Or you see that some log  indicates something that shouldn't appear on your network, but doesn't block it, cause IPS is not sure what do do with it. In that case you should change action of that signature from log to some kind of deny/drop. And many other things.

also should I enable anomaly detection?

First you should know how it works, and then you'll know if you should))

Review Cisco Networking for a $25 gift card