35-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Understanding IPS Network Sensing
• Generate IP session logs, session replay, and trigger packets display.
IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.
• Implement multiple packet drop actions to stop worms and viruses.
Correctly Deploying the Sensor
Before you deploy and configure your sensors, you should understand the following about your network:
• The size and complexity of your network.
• Connections between your network and other networks, including the Internet.
• The amount and type of traffic on your network.
This knowledge will help you determine how many sensors are required, the hardware configuration for each sensor (for example, the size and type of network interface cards), and how many managers are needed.
You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or adaptive security appliance. The perimeter device filters traffic to match your security policy, thus allowing acceptable traffic into your network. Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations. If you position the IPS sensor on the edge of your network in front of a firewall, your sensor will produce alerts on every single scan and attempted attack, even if they have no significance to your network implementation. You will receive hundreds, thousands, or even millions of alerts (in a large enterprise environment) that are not really critical or actionable in your environment. Analyzing this type of data is time consuming and costly.
Tuning the IPS
Tuning the IPS ensures that the alerts you see reflect true actionable information. Without tuning the IPS, it is difficult to do security research or forensics on your network because you will have thousands of benign events, also known as false positives. False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices because Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.
Follow these tips when tuning your IPS sensors:
• Place your sensor on your network behind a perimeter-filtering device.
Proper sensor placement can reduce the number of alerts you need to examine by several thousand a day.
• Deploy the sensor with the default signatures in place.
The default signature set provides you with a very high security protection posture. The Cisco signature team has spent many hours testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them.
• Make sure that the event action override is set to drop packets with a risk rating greater than 90.
This is the default and ensures that high risk alerts are stopped immediately.
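The following is an added example, not code from the guide or from Cisco, that models how a risk-rating-based event action override turns a policy like the one above into a per-alert decision. The risk rating arithmetic, the target value rating multipliers, the threshold behaviour and the sample alerts are all assumptions made for this illustration; the guide states the policy, not the formula.

```python
"""Added example: risk-rating-driven event action override.
The formula and constants below are assumptions, not the sensor's own code."""
from dataclasses import dataclass, field

# Assumed target value rating (TVR) multipliers: "medium" leaves the attack
# severity unchanged, higher-value assets scale the rating up.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


@dataclass
class Alert:
    sig_id: int          # constructed signature number, not from the page
    name: str
    asr: int             # attack severity rating, 0-100
    sfr: int             # signature fidelity rating, 0-100
    target_tvr: str      # asset value of the victim host (key of TVR)
    arr: int = 0         # attack relevance rating: +10 when the target OS is vulnerable
    actions: set = field(default_factory=lambda: {"produce-alert"})


def risk_rating(a: Alert) -> int:
    """Assumed formula: (ASR * TVR * SFR) / 10000 + ARR, truncated and clamped to 0-100."""
    rr = (a.asr * TVR[a.target_tvr] * a.sfr) // 10000 + a.arr
    return max(0, min(100, rr))


def apply_override(a: Alert, threshold: int = 90) -> set:
    """Event action override as the guide describes it: an alert whose risk
    rating is greater than the threshold gets the deny-packet action added
    to whatever actions the signature already carries."""
    result = set(a.actions)
    if risk_rating(a) > threshold:
        result.add("deny-packet-inline")
    return result


# Constructed sample alerts. The same exploit signature is shown against a
# medium-value and a high-value target to show how TVR drives the override.
SAMPLE = [
    Alert(1001, "constructed probe", asr=25, sfr=80, target_tvr="medium"),
    Alert(1002, "constructed exploit", asr=90, sfr=85, target_tvr="medium", arr=10),
    Alert(1002, "constructed exploit", asr=90, sfr=85, target_tvr="high", arr=10),
]


def triage(alerts):
    """Return (sig_id, target value, risk rating, final actions) per alert."""
    return [(a.sig_id, a.target_tvr, risk_rating(a), sorted(apply_override(a))) for a in alerts]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Note that the second alert (risk rating 86) stays alert-only while the identical signature against a high-value target clamps to 100 and is dropped, which is why asset value ratings are part of tuning rather than only the signature set.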