Network Security Focus-IDS

Re: IPS Implementation

Subject: Re: IPS Implementation
Date: 14 Sep 2007 17:23:08 -0000
Hi Chris,

Moving from an IDS-centric world to the IPS side is always a big challenge. Much of this challenge has to do with how much legitimate traffic you can afford to drop because of false positives. While it will be tough to find any good online book, as much of the tuning you would need to do is specific to your environment and the vendor you are using, there are some general guidelines on the sequence in which you should proceed.

The first thing you should enable is the DoS/DDoS/Scan attack category. These are useful as typically the first signs of a machine infected with a worm/bot would be to exhibit this behavior.

Safely enable all the TCP and IP flag related signatures (example: SYN and FIN set at the same time), as most of the stacks of today take care of these anomalies, and if there are any such packets roaming around, they can be safely dropped without affecting the end machine's behavior.

If your vendor differentiates between exploit and vulnerability based signatures, go ahead and enable the exploit signatures as they typically have a very high level of confidence. Ask the vendor about the network performance impact of each signature before enabling it, as some of these signatures do pattern matching, which can be very processing intensive, and your inline IPS box might become a bottleneck.

Hope this helps.


Regards
Proneet.
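As an added example (not part of Proneet's reply or any vendor's product), a minimal Python check of the kind a "TCP flag anomaly" IPS signature performs: it reads the flag byte of raw TCP headers and labels combinations that no conforming stack emits, such as SYN and FIN set together. The TCP headers are constructed inline as sample data, and the rule names are my own.

```python
import struct

# TCP flag bits, low to high (RFC 793, ECN bits from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Flag combinations a conforming TCP stack never sends; the rule names are my own.
ANOMALY_RULES = [
    ("NULL", lambda f: f == 0),
    ("SYN+FIN", lambda f: f & SYN and f & FIN),
    ("SYN+RST", lambda f: f & SYN and f & RST),
    # After the initial SYN every segment carries ACK, so FIN/PSH/URG alone is a probe.
    ("FIN/PSH/URG without ACK", lambda f: f & (FIN | PSH | URG) and not f & (ACK | SYN | RST)),
]

def tcp_flags(segment: bytes) -> int:
    """Return the flag byte (offset 13) of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def flag_anomaly(flags: int):
    """Name the first matching illegal flag combination, or None if legitimate."""
    for name, matches in ANOMALY_RULES:
        if matches(flags):
            return name
    return None

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (sample data, not captured traffic)."""
    offset_and_flags = (5 << 12) | flags      # data offset 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 65535, 0, 0)

def inspect(segments):
    """Per-segment verdict an inline IPS could apply: 'pass' or 'drop:<rule>'."""
    verdicts = []
    for seg in segments:
        anomaly = flag_anomaly(tcp_flags(seg))
        verdicts.append(f"drop:{anomaly}" if anomaly else "pass")
    return verdicts

# Constructed sample segments: two normal, one ECN-capable SYN, three anomalous.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, SYN),               # normal connection request
    build_tcp_header(40000, 80, PSH | ACK),         # normal data segment
    build_tcp_header(40001, 443, SYN | ECE | CWR),  # ECN setup is legitimate, must pass
    build_tcp_header(40002, 22, SYN | FIN),         # the combination named in the thread
    build_tcp_header(40003, 22, 0),                 # NULL probe
    build_tcp_header(40004, 22, FIN | PSH | URG),   # probe without ACK
]
```

The ECN-capable SYN is included deliberately: a rule written as "anything beyond plain SYN is bad" would drop legitimate ECN negotiation, which is exactly the false-positive cost the reply warns about.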
 

