SonicWALL TZ 180 manual Specifying Global Attack Level Protection, Fine-tuningthe IPS

TotalSecure Configuration Task List

To disable IPS, uncheck the Enable IPS check box. This will prevent blocking of traffic that matches the IPS signatures. However, some signatures belong to Application Filter category sets as well as other types of category sets such as GAV, IPS, Anti-Spyware, or Web Filters. If Application Filtering is enabled, these signatures are blocked by the Application Filter process even when you configure the other filters to allow them.

Caution Checking the Enable IPS check box does not automatically start SonicWALL IPS protection. You must also update the IPS Global Settings section.You must specify a Prevent All action in the Signature Groups table to activate Intrusion Prevention on the SonicWALL security appliance, and specify the interface or zones you want to protect.

Specifying Global Attack Level Protection

SonicWALL IPS allows you to globally manage your network protection against attacks by simply selecting the class of attacks: High Priority Attacks, Medium Priority Attacks, and Low Priority Attacks. Selecting the Prevent All and Detect All check boxes for High Priority Attacks and Medium Priority Attacks in the Signature Groups table, and then clicking Apply protects your network against the most dangerous and disruptive attacks. For more detailed information on configuring global signature groups, refer to “Configuring Global Signature Groups” in the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL Resource CD or at<http://www.sonicwall.com/us/3396.html>

Fine-tuning the IPS

To really take advantage of the SonicWALL IPS, it is sometimes necessary to fine-tune the behavior of certain IPS Categories and/or IPS Signatures.

Since all network are not alike, it can be quite difficult to exactly tell what IPS Categories or IPS Signatures should be Prevented or Detected.

However, what can be done is to create a Baseline Setup where as much hostile traffic as possible is Prevented and Detected regardless of what traffic may flow in an individual network.

Refer to the descriptions in this document for instructions on how to change the behavior of a certain IPS Category and/or IPS Signature.

A Baseline Setup can be accomplished in two different ways. The outcome is basically the same, but involves somewhat different steps, both depends heavily on logging of the correct

Enable IPS Logging

To view IPS-related events in the log, ensure that the correct log categories are enabled.

The more categories enabled while fine-tuning, the better, although the logs fill fast. Always make sure the categories Intrusion Prevention and Security Services are enabled.

The Brute-force Baseline Setup

The Brute-force Baseline setup is quite brutal and will in most cases break valid traffic flowing in the network.

•Use the IPS Global Setting to enable the option Detect All for all three IPS Signature Groups.