Re: IPS Implementaion

[proneetb () redback com]

Hi Chris,
  Moving from an IDS centric world to the IPS side is always a big 
challenge. Much of this challenge has  to do with
  how much of legitimate traffic can you afford to drop because of false 
positive. While it will be tough to
  find any good online book as much of the tuning which you would need 
to do is specific to your
  environment and the vendor you are using, there are some general 
guidelines of the sequence in which
  you should proceed.

  The first thing which you should be enable is the DOS/DDoS/Scan attack 
category. These are useful as
  typically the first signs of a machine infected with a worm/bot would 
be to exhibit this behavior.

 Safely enable all the TCP and IP flags(example: SYN and FIN set at the 
same time) related signatures as most of the stacks of today take care 
of these anomalies and if there are any such packets roaming around, 
they can be safely dropped without affecting the end machine behavior.

 If your vendor differentiates between exploit and vulnerability based 
signatures, go ahead and enable the exploit signatures as they typically 
have
 a very high level of confidence. Ask the vendor about the network 
performance impact of each signature before enabling as some of these
 signatures do pattern match which can be very processing intensive and 
your inline IPS box might become a bottleneck.

Hope this helps.


Regards
Proneet.
 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------