
IPS 4200 Series

adamgibs7
Level 6

Hello Dears,

I have a freshly installed IPS 4200 in Inline interface pair mode. Up till now I am not getting any packet drops or complaints from users.

What else needs to be done to configure the IPS as a professional setup for a corporate network?

Thanks

Accepted Solution

For your HTTP CONNECT Tunnel signature, you have several choices:

1. Set the severity lower. It will still report and you could look into the events if necessary, but it will not be a critical analysis item.

2. Create an event action filter to remove events if the end point is your proxy server IP. This should remove your false positives, but you won't see if anyone is tunneling through your proxy server.

3. Disable the signature and save yourself the analysis effort.

If you are going to be looking at your signature events, you ALWAYS want to be inspecting traffic behind your firewall. Otherwise you will spend time performing analysis on traffic that may be blocked by your firewall. You will also want to inspect traffic after the VPN encryption has been removed.

- Bob
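As an added illustration (not part of the thread, and not Cisco IPS configuration syntax), the Python below models Bob's three choices against a few constructed alert records and shows what each leaves in the analyst's medium/high queue: option 2 drops CONNECT events whose endpoint is the proxy but still reports CONNECT toward any other destination, which is exactly the visibility option 3 gives up. The proxy address, signature name and alert fields are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed sample data: an assumed ISA proxy address and a handful of alerts.
PROXY_IP = "10.0.0.5"
CONNECT_SIG = "HTTP CONNECT Tunnel"


@dataclass(frozen=True)
class Alert:
    sig: str
    src: str
    dst: str
    severity: str  # "informational" | "low" | "medium" | "high"


SAMPLE_ALERTS = [
    Alert(CONNECT_SIG, "10.1.2.3", PROXY_IP, "high"),       # user -> corporate proxy: expected
    Alert(CONNECT_SIG, "10.1.2.4", PROXY_IP, "high"),       # another user -> proxy: expected
    Alert(CONNECT_SIG, "10.1.2.9", "203.0.113.7", "high"),  # CONNECT to a non-proxy host: worth a look
    Alert("Some Other Signature", "10.1.2.9", "10.0.0.8", "medium"),
]


def option1_lower_severity(alerts, sig=CONNECT_SIG, new_sev="low"):
    """Option 1: keep reporting the signature, but at a lower severity."""
    return [replace(a, severity=new_sev) if a.sig == sig else a for a in alerts]


def option2_filter_proxy(alerts, sig=CONNECT_SIG, proxy=PROXY_IP):
    """Option 2: event action filter that removes the signature only when the
    endpoint is the proxy; CONNECT toward any other destination is still reported."""
    return [a for a in alerts if not (a.sig == sig and a.dst == proxy)]


def option3_disable(alerts, sig=CONNECT_SIG):
    """Option 3: disable the signature entirely, losing all of its events."""
    return [a for a in alerts if a.sig != sig]


def triage_queue(alerts, levels=("medium", "high")):
    """Alerts an analyst still has to review under Bob's medium/high rule."""
    return [a for a in alerts if a.severity in levels]


if __name__ == "__main__":
    for name, fn in (("option1", option1_lower_severity),
                     ("option2", option2_filter_proxy),
                     ("option3", option3_disable)):
        queue = triage_queue(fn(SAMPLE_ALERTS))
        print(name, "analyst queue:", [(a.sig, a.dst) for a in queue])
```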


3 Replies

rhermes
Level 7

Now the hard work begins.

Performing analysis on all medium and high severity signatures and performing these actions:

Tuning the signatures
  - Recurring false positive signatures that fire should be adjusted down in severity or disabled (if completely useless).
  - Turning on packet captures to learn more about why a signature is firing and help your analysis.

Remediation
  - Once you've found an infected host inside your network, clean it.
  - If the attack is from outside your network, discover how it is getting in and modify the means of access (firewall, VPN, etc.) to prevent future attack vectors.

This should be plenty to get you started and keep you busy. Don't forget to rinse and repeat.

- Bob

Hello,

At present the HTTP CONNECT Tunnel signatures are triggered because of users going to the internet through a proxy server (ISA). These are known events for me, so either I can disable these signatures or I can summarize them. Please correct me if I'm wrong.

I have 2 more interfaces on the IPS. I am planning to connect it between the ASA and the Core; is that the right place, OR should it be placed ahead of the ASA between the corporate internet router and the ASA, OR between the ISP and the corporate internet router? Suppose I place it ahead of the ASA: the users coming through VPN will not be inspected by the IPS. Please correct me if I'm wrong.

Thanks

