IDS mailing list archives
Analysing and configuring IPS/IDS Policies
From: AsTriXs <astrixs () gmail com>
Date: Sat, 30 Jul 2005 11:05:29 +0530
Hello All,

I am currently in the process of implementing an IPS at a client site. I have reached the stage where I have to configure and deploy policies. There are various approaches to deploying policies from the ground up and then fine-tuning them through their lifecycle. I have mentioned the two that I am aware of and also the environment in which they need to be deployed.

The IPS appliance has been deployed behind a firewall in front of a server farm. The traffic passing through the appliance is what is configured to pass on the firewall.

First Approach

We analyse alerts observed on the allowed protocols and create exceptions (within trusted domains) for all false positives (or any traffic which is permitted on the network but flagged off as malicious by the IPS) observed. Set a policy (block or log) for all other alerts. Appropriate policies for inbound and outbound traffic flows are set. Alerts are closely monitored and fine-tuned over time to avoid self-imposed DoS.

This way we create exceptions for legitimate traffic and block everything else. There is a possibility that a legitimate action, which was not observed before, may get blocked. However, this approach makes the target environment most secure in my opinion.

Second Approach

Alerts observed on the allowed protocols are analysed and policies are set only for the malicious traffic observed. Policies are added at each instance of malicious traffic observed on the network. Protocols not allowed in the environment are set to be dropped. Appropriate policies for inbound and outbound traffic flows are set.

In this approach, we are open to attacks but the chances of self-inflicted DoS are minimal.

I request comments & views from all on the advantages and disadvantages of each approach to help me deploy policies effectively. Information on other approaches would also be appreciated. Also, is there a method or a best practice followed while analysing alerts and deploying policies?
Thank you,
-- [AsTriXs]
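The trade-off between the two approaches can be made concrete with a small model. The following is an added example, not code from the original post or from any IPS vendor: it builds a policy from a set of analyst-labelled alerts in each of the two ways described above and then shows how each policy treats traffic that was never seen during tuning. All signature names, addresses, the trusted network and the allowed-protocol list are constructed sample data.

```python
"""Toy model of the two IPS policy-tuning approaches (added example, constructed data)."""
from dataclasses import dataclass

TRUSTED_NETS = ("10.0.0.",)          # constructed: the 'trusted domain' in which exceptions apply
ALLOWED_PROTOS = {"http", "smtp"}    # constructed: protocols the upstream firewall permits


@dataclass(frozen=True)
class Alert:
    sig: str    # IPS signature name (constructed, not a real rule)
    src: str    # source address
    proto: str  # application protocol

# Constructed alerts from the tuning window, each labelled by the analyst.
OBSERVED = [
    (Alert("HTTP_LONG_URI", "10.0.0.5", "http"), "legitimate"),       # backup job, false positive
    (Alert("SMTP_RELAY_ATTEMPT", "203.0.113.9", "smtp"), "malicious"),
]


def build_policy(observed, approach):
    """Approach 1: exceptions for observed legitimate traffic from trusted sources, default block.
    Approach 2: blocks only for observed malicious signatures, default log."""
    if approach == 1:
        exceptions = {a.sig for a, verdict in observed
                      if verdict == "legitimate" and a.src.startswith(TRUSTED_NETS)}
        return {"exceptions": exceptions, "blocks": set(), "default": "block"}
    blocks = {a.sig for a, verdict in observed if verdict == "malicious"}
    return {"exceptions": set(), "blocks": blocks, "default": "log"}


def decide(alert, policy):
    """Return the action the IPS takes on one alert under the given policy."""
    if alert.proto not in ALLOWED_PROTOS:       # disallowed protocols are dropped in both approaches
        return "block"
    if alert.sig in policy["exceptions"] and alert.src.startswith(TRUSTED_NETS):
        return "allow"                          # exception only honoured inside the trusted domain
    if alert.sig in policy["blocks"]:
        return "block"
    return policy["default"]


if __name__ == "__main__":
    # Events not seen during tuning are where the two approaches diverge.
    novel = [
        (Alert("HTTP_UNUSUAL_METHOD", "10.0.0.5", "http"), "new legitimate action"),
        (Alert("HTTP_SQLI", "198.51.100.4", "http"), "new malicious action"),
    ]
    policies = {n: build_policy(OBSERVED, n) for n in (1, 2)}
    for alert, label in novel:
        actions = {n: decide(alert, p) for n, p in policies.items()}
        print(f"{label:22s} approach1={actions[1]:6s} approach2={actions[2]}")
```

Under approach 1 the unseen legitimate action is blocked (the self-imposed DoS the post warns about) while the unseen attack is also blocked; under approach 2 both are merely logged, which is the "open to attacks" side of the same trade-off.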