Home > Articles > Cisco

  • Print
  • + Share This
This chapter is from the book

IPS Best Practices

You should follow some configuration best practices to improve IPS efficiency when deploying IPS in your network.

When setting up a large deployment of sensors, automatically update signature packs rather than manually upgrading every sensor. Then security operations personnel have more time to analyze events. When new signature packs are available, download the new signature packs to a secure server within the management network.

Place the signature packs on a dedicated FTP server within the management network. If a signature update is not available, a custom signature can be created to detect and mitigate a specific attack. You should configure the FTP server to allow read-only access to the files within the directory on which the signature packs are placed only from the account that the sensors will use. The sensors can then be configured to automatically check the FTP server periodically, such as once a week on a certain day, to look for the new signature packs and to update the sensors. You can use an IPS to protect this server from attack by an outside party.

You should stagger the time of day when the sensors check the FTP server for new signature packs, perhaps through a predetermined change window. This prevents multiple sensors from overwhelming the FTP server by asking for the same file at the same time. The need to upgrade sensors with the latest signature packs must be balanced against the momentary downtime—and, therefore, the vulnerability to attack—incurred while upgrading them. Finally, the signature levels supported on the management console must remain synchronized with the signature packs on the sensors themselves.

You should group IPS sensors together under a few larger profiles. Every signature upgrade requires that all new signatures be appropriately tuned on every sensor. Tuning signatures for groups of sensors rather than for each sensor on the network significantly reduces configuration time. This administrative advantage must be balanced against the ability to finely tune sensor configuration by establishing a separate profile for each sensor.

Refer to the release notes of signatures to confirm that the new update will not overwrite the tuning you might have performed on a signature.

  • + Share This
  • 🔖 Save To Your Account