Hi Chris,
Moving from an IDS centric world to the IPS side is always a big challenge. Much of this challenge has to do with how much legitimate traffic you can afford to drop because of false positives. While it will be tough to find any good online book, as much of the tuning which you would need to do is specific to your environment and the vendor you are using, there are some general guidelines on the sequence in which you should proceed.

The first thing which you should enable is the DOS/DDoS/Scan attack category. These are useful as typically the first signs of a machine infected with a worm/bot would be to exhibit this behavior.

Safely enable all the TCP and IP flags (example: SYN and FIN set at the same time) related signatures, as most of the stacks of today take care of these anomalies, and if there are any such packets roaming around, they can be safely dropped without affecting the end machine behavior.

If your vendor differentiates between exploit and vulnerability based signatures, go ahead and enable the exploit signatures as they typically have a very high level of confidence. Ask the vendor about the network performance impact of each signature before enabling, as some of these signatures do pattern matching which can be very processing intensive and your inline IPS box might become a bottleneck.
Hope this helps.
Regards
Proneet.