02-14-2012 06:53 AM - edited 03-10-2019 05:36 AM
Hi,
How many types of signatures need to be enable while IDSM-2 deploying in Data Center behind FWSM?
Thanks
02-14-2012 08:59 AM
It all depends on what you want to get out of your IPS sensor.
The most common application of an IPS sensor is to block and report on actionable events (those are events you can do something about, like an infected webserver in your DMZ). The best place to start is to run the sensor with the default signature settings. If you know something about your internal hosts, OS's and applications you can further enable (for example P2P blocking) or disable unused OS/application specific signatures.
Once you start getting events (and that will happen within a few minuites) you will need to investigate them to determine if they are false positives. If they are, then those signatures need to be disabled or reduced in severity.
You will need to repeat the investigation and signature tuning steps as long as you operate your sensor.
- Bob
02-14-2012 10:23 AM
Ok, thank you for your response, if suppose false positive sig is start trggering then how we can configure the device to make is true positive?
02-15-2012 08:53 AM
A "false positive" is a signature that triggers on traffic that does not have an attack or infection in it. You can not change false positives into anything you can only remove them.
If you determine that a signature is being triggered by normal traffic (not part of an attack, or an infected host), then you can disable that signature. This will remove it from the list of signatures you want to investigate.
- Bob
02-15-2012 09:05 AM
Thank you for your response!!!
We are planning to deploy IDSM-2 at client site. Customer is asking few things:
1. If we install it in promiscuous mode then what will be the best utilization and design for this module,
how to configure it
2. If we install it in inline mode then what will be the best utilization and design for this module, how to configure it.
Let me to explain you few things:
They have multiple vlans in Cisco 6509 Switch and the servers are placed behind the firewall (FWSM), they want to inspect all vlans traffic forwarding towards server farm.
To fulfill their requirements, we recommend them to install IDSM-2 in promiscuous mode, as this module has less throughput and also advise them to keep up to date the latest signatures in IDSM-2. On our recommendation, they want some experts to weight it or advise if some other best practices design to install IDSM-2 in their network.
I really appreciate if you add your valuable inputs in this regard, as we have to deploy this module in coming weekend. Your early response will be highly appreciated.
Thanks in advance!
02-15-2012 01:11 PM
You will be installing your IDSM in Promiscuous Mode. You have a choice of using either SPAN or VACL capture.
The 65009 has a limit of 2 SPAN sessions max. If there are 2 existing uses of SPAN on the 6509 you will not be able to configure SPAN.
Here are instruction on how to configure both SPAN and VACL capture
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1206645
- Bob
02-16-2012 12:50 AM
Hi Bob,
Thanks for your response,
Its mean you suggest to install IDSM-2 in promiscuous mode with updated signatures? or you have some other design for IDSM-2 deployment?
Kindly advise
Thanks in advance!
02-16-2012 07:54 AM
Yes, you should install your IDSM in promiscuous mode and update the OS and signatures to the most recent versions.
If your IDSM has internet access, you can also turn up auto-updates to keep the sensor updated automatically.
IDM instructions: http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016040
IME instructions
- Bob
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide