Best Practices for IPS enablement (Firepower).

adamgerber
Beginner

Hi All.


Where can I find a good resource detailing best practices when it comes to IPS inspection enabled on access rules. So in other words which rules should always be enabled for IPS inspection/enforcement (inbound, web server, sql access rules)? I have not been able to find a resource from Cisco on this. This will be for firepower mainly.


Kind Regards,
Adam

4 Replies

Hi Adam,

I don't think there is a document describing this in detail because it varies per environment. The right approach is to enable discovery only for some time in order for FTD to build context about your environment (apps, host types, OS versions, etc.). Once this is done, you can schedule IPS recommendations to be executed daily and enforced. The recommendations from IPS will be based on the fingerprinting done during discovery.

Now, this is not 100% taken that all recommendations are valid. But it can be a baseline for the engineer to review the IPS logs periodically and see if there are false positives or more tweaks to be done for rules.

This is a quick summary, but once you start the process, you will get more questions which generate different strategies suited to your environment.

**** please remember to rate useful posts

When enabling IPS, I have used the following rule of thumb, "Enable IPS on all rules except those going from local LAN towards internet."

Disable IPS on rules that are between databases, that would be types of traffic like backups, DR site synchronisation, Umbrella VA to internal DNS, etc.

Ideally you would already have port based access control (for example, SGT using ISE or similar) restricting access between host machines and internal LAN subnets. In this case IPS on rules between host subnets would not be necessary, but still good to have in case there is a misconfiguration. But from hosts towards all internal servers is, in my opinion, a must.

--
Please remember to select a correct answer and rate helpful posts
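As an added example (not code from this thread or from Cisco), the rule of thumb in the reply above can be turned into a quick audit over FMC-style access-rule objects: every ALLOW rule needs an IPS policy unless it is an explicit local-LAN-to-internet rule or a documented backup/replication exemption. The zone names, the exemption list and the sample rules are assumptions constructed for illustration.

```python
"""Audit access rules against the IPS rule of thumb above (added example, not
Cisco code). Rule dicts mimic the FMC access-rule shape (sourceZones,
destinationZones, ipsPolicy); zone names, exemptions and rules are constructed."""

INTERNET_ZONES = {"outside"}      # assumption: the untrusted internet-facing zone
USER_ZONES = {"inside-users"}     # assumption: the "local LAN" user zone
# Flows the reply treats as reasonable exemptions (backups, DR sync, DB
# replication, Umbrella VA to internal DNS). Constructed, keyed by rule name.
APPROVED_EXEMPT_RULES = {"db-replication", "backup-to-vault", "umbrella-va-dns"}

def zone_names(rule, key):
    """Zone names referenced by a rule; an empty set means 'any' zone."""
    return {z["name"] for z in rule.get(key, {}).get("objects", [])}

def audit_rule(rule):
    """Classify one rule: 'ok', 'exempt' (approved no-IPS flow) or 'missing'."""
    if rule.get("action") != "ALLOW":
        return "ok", "not an allow rule; inspection does not apply"
    if rule.get("ipsPolicy"):
        return "ok", "IPS policy attached"
    src, dst = zone_names(rule, "sourceZones"), zone_names(rule, "destinationZones")
    # Only an explicit user-zone -> internet-zone rule qualifies; 'any' does not.
    if src and src <= USER_ZONES and dst and dst <= INTERNET_ZONES:
        return "ok", "local LAN to internet; IPS optional per rule of thumb"
    if rule["name"] in APPROVED_EXEMPT_RULES:
        return "exempt", "approved exemption (backup/replication/DNS flow)"
    return "missing", "allow rule without IPS and no approved exemption"

def audit_policy(rules):
    """Map rule name -> status for a whole policy; review every 'missing'."""
    return {r["name"]: audit_rule(r)[0] for r in rules}

def make_rule(name, src, dst, ips=None, action="ALLOW"):
    """Build a minimal FMC-style rule dict (constructed test data)."""
    r = {"name": name, "action": action,
         "sourceZones": {"objects": [{"name": z} for z in src]},
         "destinationZones": {"objects": [{"name": z} for z in dst]}}
    if ips:
        r["ipsPolicy"] = {"name": ips}
    return r

SAMPLE_RULES = [
    make_rule("users-to-internet", ["inside-users"], ["outside"]),
    make_rule("internet-to-web-dmz", ["outside"], ["dmz"], ips="Balanced Security and Connectivity"),
    make_rule("users-to-servers", ["inside-users"], ["servers"]),  # hosts -> servers: must have IPS
    make_rule("db-replication", ["servers"], ["dr-site"]),          # documented exemption
    make_rule("any-to-internet", [], ["outside"]),                  # 'any' source is not "local LAN"
]
```

Run `audit_policy(SAMPLE_RULES)` and review each rule reported as `missing`; the helper only encodes the rule of thumb, not the discovery-based IPS recommendations described earlier.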

adamgerber
Beginner

Thanks, Guys.

No worries,

If the post answered your question, could you please select it as a correct answer.

Thanks.

--
Please remember to select a correct answer and rate helpful posts