09-09-2021 04:03 AM
Hi All.
Where can I find a good resource detailing best practices when it comes to IPS inspection enabled on access rules? In other words, which rules should always be enabled for IPS inspection/enforcement (inbound, web server, SQL access rules)? I have not been able to find a resource from Cisco on this. This will be for Firepower mainly.
Kind Regards,
Adam
Labels: IPS and IDS
Accepted Solutions
09-23-2021 04:40 AM
No worries,
If the post answered your question, could you please select it as a correct answer.
Thanks.
Please remember to select a correct answer and rate helpful posts
09-09-2021 04:43 AM
I don't think there is a document describing this in detail because it varies per environment. The right approach is to enable discovery only for some time in order for FTD to build context about your environment (apps, host types, OS versions, etc.). Once this is done, you can schedule IPS recommendations to be executed daily and enforced. The recommendations from IPS will be based on the fingerprinting done during discovery.

Now, it is not 100% certain that all recommendations are valid. But it can be a baseline for the engineer to review the IPS logs periodically and see if there are false positives or more tweaks to be done for rules.

This is a quick summary, but once you start the process, you will get more questions which generate different strategies suited to your environment.
**** please remember to rate useful posts
09-09-2021 08:23 AM
When enabling IPS, I have used the following rule of thumb: "Enable IPS on all rules except those going from local LAN towards the internet."

Disable IPS on rules that are between databases; that would be types of traffic like backups, DR site synchronisation, Umbrella VA to internal DNS, etc.

Ideally you would already have port-based access control (for example, SGT using ISE or similar) restricting access between host machines and internal LAN subnets. In this case IPS on rules between host subnets would not be necessary, but still good to have in case there is a misconfiguration. But from hosts towards all internal servers it is, in my opinion, a must.
Please remember to select a correct answer and rate helpful posts
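The rule of thumb above can be turned into a quick audit of an exported access policy. The following is an added example, not code from the poster or from Cisco: it models access rules by security zone (the zone names, rule names, tags and the IPS policy name are hypothetical) and flags rules whose IPS setting disagrees with the heuristic, so an engineer can review them before changing anything.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed zone layout (hypothetical names, not from the thread).
INTERNET = "outside"
DB_ZONES = {"db"}
LAN_ZONES = {"inside"}
# Traffic the thread says to exempt: backups, DR sync, Umbrella VA to internal DNS.
EXEMPT_TAGS = {"backup", "dr-sync", "umbrella-va-dns"}


@dataclass
class AccessRule:
    name: str
    src_zone: str
    dst_zone: str
    ips_policy: Optional[str] = None          # None = no IPS inspection on the rule
    tags: Set[str] = field(default_factory=set)


def recommended_ips(rule: AccessRule) -> bool:
    """Apply the rule of thumb: IPS everywhere except LAN -> internet,
    database-to-database rules and tagged bulk/exempt traffic."""
    if rule.src_zone in LAN_ZONES and rule.dst_zone == INTERNET:
        return False
    if rule.src_zone in DB_ZONES and rule.dst_zone in DB_ZONES:
        return False
    if rule.tags & EXEMPT_TAGS:
        return False
    return True  # inbound and hosts -> internal servers: a must


def audit(rules: List[AccessRule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for each rule whose IPS setting disagrees
    with the heuristic. Nothing is changed; this is review input only."""
    findings = []
    for r in rules:
        want, have = recommended_ips(r), r.ips_policy is not None
        if want and not have:
            findings.append((r.name, "missing IPS inspection"))
        elif have and not want:
            findings.append((r.name, "IPS on exempt traffic; confirm it is intended"))
    return findings


# Constructed sample policy (hypothetical rules).
SAMPLE_RULES = [
    AccessRule("inside-to-internet", "inside", "outside", ips_policy="Balanced"),
    AccessRule("inside-to-servers", "inside", "servers"),
    AccessRule("outside-to-dmz-web", "outside", "dmz", ips_policy="Balanced"),
    AccessRule("db-replication", "db", "db", tags={"dr-sync"}),
    AccessRule("servers-backup", "servers", "storage", tags={"backup"}),
]
```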
09-23-2021 02:49 AM
Thanks, Guys.
