35-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
• Filter out known false positives caused by specialized software, such as vulnerability scanners and
  load balancers, by one of the following methods:
  - You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load
    balancer.
  - You can configure the sensor to allow these alerts and then use Event Viewer to filter out the
    false positives.
• Filter the Informational alerts.
  These low-priority event notifications could indicate that another device is doing reconnaissance
  on a device protected by the IPS. Research the source IP addresses from these Informational alerts
  to determine what the source is.
• Analyze the remaining actionable alerts:
  - Research the alert.
  - Fix the attack source.
  - Fix the destination host.
  - Modify the IPS policy to provide more information.
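The triage order described above can be sketched offline over exported alert data. This is an added example, not part of the Cisco guide or of Security Manager; the record field names, signature names, and addresses are constructed assumptions, not an IPS export format.

```python
import ipaddress
from collections import Counter

# Assumed addresses of a vulnerability scanner and a load-balancer range
# (constructed values; substitute the addresses used on your own network).
KNOWN_BENIGN = [ipaddress.ip_network(n) for n in ("10.0.5.10/32", "10.0.8.0/29")]

# Constructed alert records; field and signature names are hypothetical.
SAMPLE_ALERTS = [
    {"sig": "port sweep", "severity": "low", "src": "10.0.5.10", "dst": "10.1.1.20"},
    {"sig": "health probe", "severity": "informational", "src": "10.0.8.2", "dst": "10.1.1.30"},
    {"sig": "echo request", "severity": "informational", "src": "192.0.2.77", "dst": "10.1.1.20"},
    {"sig": "echo request", "severity": "informational", "src": "192.0.2.77", "dst": "10.1.1.21"},
    {"sig": "sql injection", "severity": "high", "src": "198.51.100.9", "dst": "10.1.1.30"},
    {"sig": "bad record", "severity": "medium", "src": "not-an-ip", "dst": "10.1.1.30"},
]

def is_known_benign(src):
    """True if src parses as an IP address inside a known scanner/load-balancer range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never suppressed
    return any(addr in net for net in KNOWN_BENIGN)

def triage(alerts):
    """Return (suppressed, informational sources to research, actionable alerts)."""
    suppressed, actionable = [], []
    info_sources = Counter()
    for alert in alerts:
        if is_known_benign(alert["src"]):
            suppressed.append(alert)            # known false-positive sources
        elif alert["severity"].lower() == "informational":
            info_sources[alert["src"]] += 1     # count per source for research
        else:
            actionable.append(alert)            # remaining alerts to analyze
    return suppressed, info_sources, actionable

if __name__ == "__main__":
    suppressed, info_sources, actionable = triage(SAMPLE_ALERTS)
    print("suppressed:", len(suppressed))
    for src, count in info_sources.most_common():
        print("research source", src, "informational alerts:", count)
    for a in actionable:
        print("actionable:", a["severity"], a["sig"], a["src"], "->", a["dst"])
```

Because the first check drops every alert from a listed address regardless of severity, keep the list limited to the exact scanner and load-balancer addresses.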
Overview of IPS Configuration
There is a wide variety of devices on which you can configure the Intrusion Prevention System. From
a configuration point of view, you can separate the devices into two groups: dedicated appliances and
service modules (for routers, switches, and ASA devices) that run the full IPS software; and IPS-enabled
routers running Cisco IOS Software 12.4(11)T and later (Cisco IOS IPS).
The following procedure is an overview of IPS configuration on dedicated appliances and service
modules. For Cisco IOS IPS devices (which do not include IPS service modules installed in a router),
see Overview of Cisco IOS IPS Configuration, page 44-3.
Step 1 Install and connect the device to your network. Install the device software and perform basic device
configuration. Install the licenses required for all of the services running on the device. The amount of
initial configuration that you perform influences what you will need to configure in Security Manager.
Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances and Modules
document for the IPS version you are using.
Step 2 Add the device to the Security Manager device inventory (see Adding Devices to the Device Inventory,
page 3-6).
Tip You can discover router and Catalyst switch modules when adding the device in which the
module is installed. For ASA devices, you must add the service module separately.
Step 3 Configure the interfaces as described in Configuring Interfaces, page 36-6. You must enable the
interfaces connected to your network for the device to function.
For certain types of service module, there are additional policies to configure:
Router-hosted service modules—Configure the IPS Module interface settings policy on the router.
For more information, see IPS Module Interface Settings on Cisco IOS Routers, page 59-22.