Tuning IPS Signatures in an Industrial Network

rene.schmid · ‎12-10-2013

Hi IPS Experts,

I have a Question in configuring of the IPS moduls of a ASA5515-X. But first let me explain a little bit about the network and the structure.

We are using the ASA5515-X Firewall Cluster internal of our process network. The firewall routes about 20 different subnets with industrial control traffic (SCADA) and normal network traffic with operating systems from windows xp to windows 7 and windows server 2000 to 2008R2. No internet access is allowed in the process network. But there are some win7 laptops with internet access outside of the process network. Every traffic between the subnets will be sent to the IPS modul of the ASA. The average bandwith is approximately 25 Mbit/s and the event action is log and alert only. The reason for that is, that we can't block a industrial control session from the SCADA server to the endpoint equipment (in case of a false positive).

Now I deceided to enable all signatures because the load of the network bandwith isn't so high and to better see the traffic coming from the user laptops (to analyze if they are sending bad traffic).

So what are the experts thinking about? Should I enable only the active signatures or is into consideration of the network bandwith from 25 Mbit/s no problem to enable all signatures?

Any ideas or informations are very helpful.

Many thanks

Rene

mzeiser · ‎12-10-2013

Hi Rene

Over the past decade and more, we created thousands of signatures, many of which are not relevant anymore today.This is why we create a carefully selected default signature set which is a good starting point for most networks, and from there an administrator will usually start to add and remove signatures to perfectly fit the network surroundings.

Enabling all signatures is way too much, will probably flood you with more information than is desireable, and it will also overload the hardware. Enabling all signatures was never something we intended to happen, and the 'more is better' approach doesn't always hold true.

I suggest you evaluate the existing signatures, maybe sort by category and search for titles that are of interest to you, enable the relevant ones(including subsignatures!) and see if the results are what you are looking for.

Regards

Martin

IPS Signature Team

rene.schmid · ‎12-10-2013

Hi Martin,

thank your for your reply. I will sort by the retired section and disable all retired signatures. But I will leave the signatures under the SCADA group enabled. And I will look into the other signature groups and enable the high risk signatures (if they are not retired).

Best Regards

Rene

rhermes · ‎12-11-2013

Rene -

Enabling all the signatures on your IPS may not be in your best interests. Even with ample sensor bandwidth, you should be performing analysis on the signatures that fire to determine of they are true or false positives (and take the necessary remedial actions if true of course). With a pile of unnecessary signatures that can (and many eventually will) fire, you will burn up your (human) analysis resources.

By all means enable any signature or family of signatures that you think apply to what you are running in production, but be ready to tune them (disable) when you discover that the false positive rate isn;t worth seeing those events.

Beating your signature set into a good working Best Practices set of solid, actionable signature takes constant work and time. No IPS sensor gives you their best out of the box.

A good analysis tool is to configure the sensor to capture PCAPs surrounding the event. This will allow your analysts to determine if there was truly a compromise and possibly determine if it was successful.

Good luck

- Bob

Ravi Singh · ‎02-02-2014

I do agree with rhermes