IDS mailing list archives

Analysing and configuring IPS/IDS Policies


From: AsTriXs <astrixs () gmail com>
Date: Sat, 30 Jul 2005 11:05:29 +0530

Hello All,

I am currently in the process of implementing an IPS at a client site.
I have reached the stage where I have to configure and deploy
policies.

There are various approaches to deploying policies from the ground up and
then fine tuning them through their lifecycle. I have mentioned the
two that I am aware of, and also the environment in which they need to be
deployed.

The IPS appliance has been deployed behind a firewall, in front of a
server farm.
The traffic passing through the appliance is whatever the firewall is
configured to pass.

First Approach

We analyse alerts observed on the allowed protocols and create
exceptions (within trusted domains) for all false positives (or any
traffic which is permitted on the network but flagged as malicious
by the IPS) observed. Set a policy (block or log) for all other
alerts. Appropriate policies for inbound and outbound traffic flows
are set. Alerts are closely monitored and fine tuned over time to
avoid self-imposed DoS.

This way we create exceptions for legitimate traffic and block
everything else. There is a possibility that a legitimate action,
which was not observed before, may get blocked. However, this approach
makes the target environment most secure in my opinion.

Second Approach

Alerts observed on the allowed protocols are analysed and policies are
set only for the malicious traffic observed.  Policies are added at
each instance of malicious traffic observed on the network. Protocols
not allowed in the environment are set to be dropped. Appropriate
policies for inbound and outbound traffic flows are set.

In this approach, we are open to attacks but the chances of self-
inflicted DoS are minimal.

I request comments & views from all on the advantages and
disadvantages of each approach to help me deploy policies effectively.
Information on other approaches would also be appreciated.

Also, is there a method or a best practice followed while analysing
alerts and deploying policies?

Thank you,

-- 
[AsTriXs]
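The trade-off between the two approaches in the post above can be made concrete by simulating them on a small alert feed. The following Python script is an added example, not part of the original post and not any IPS vendor's policy format: it builds an "exceptions, default block" policy (first approach) and a "blocklist of confirmed-malicious signatures, default log" policy (second approach) from a baseline window, then replays a later window that contains a never-seen legitimate job and a never-seen attack, and finally shows the lifecycle tuning step of whitelisting a blocked legitimate flow. All hosts, signature names, the trusted network 10.1.0.0/16 and the allowed-protocol set are constructed for the example; the `malicious` field is ground truth used only for scoring (and, in the baseline window, stands in for the analyst's triage verdict).

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed assumptions for this example (not from the original post).
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # where exceptions are allowed
ALLOWED_PROTOS = {"http", "https", "smtp"}             # what the firewall passes to the farm


@dataclass(frozen=True)
class Alert:
    src: str         # source IP of the flow that triggered the signature
    proto: str       # application protocol the IPS classified the flow as
    signature: str   # name of the signature that fired
    malicious: bool  # ground truth for scoring; policies never read it on live traffic


def is_trusted(src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)


# Baseline analysis window (constructed). The analyst triaged these, so the
# `malicious` flag doubles as the triage verdict here.
BASELINE = [
    Alert("10.1.4.20", "http", "HTTP_LONG_URI", False),          # monitoring poller, false positive
    Alert("10.1.4.21", "smtp", "SMTP_MANY_RCPT", False),         # internal relay, false positive
    Alert("198.51.100.7", "http", "HTTP_DIR_TRAVERSAL", True),   # scan from the internet
    Alert("203.0.113.9", "https", "TLS_HEARTBEAT_OVERSIZED", True),
]

# Traffic seen after the policies went live (constructed). Two flows never
# appeared in the baseline: a legitimate backup upload and a new attack.
LATER = [
    Alert("10.1.4.20", "http", "HTTP_LONG_URI", False),          # known false positive
    Alert("198.51.100.7", "http", "HTTP_DIR_TRAVERSAL", True),   # known attack
    Alert("10.1.9.5", "http", "HTTP_LARGE_POST", False),         # new legitimate backup job
    Alert("192.0.2.44", "smtp", "SMTP_HEADER_OVERFLOW", True),   # never-seen attack
    Alert("198.51.100.8", "ssh", "SSH_BRUTE_FORCE", True),       # protocol not allowed at all
]


def build_exception_policy(baseline):
    """First approach: whitelist each (trusted source, signature) pair the
    analyst marked as a false positive; block every other alert."""
    exceptions = {(a.src, a.signature) for a in baseline
                  if not a.malicious and is_trusted(a.src)}
    return {"exceptions": exceptions, "block_signatures": set(), "default": "block"}


def build_blocklist_policy(baseline):
    """Second approach: block only signatures confirmed malicious in the
    baseline; everything else is logged and allowed through."""
    block = {a.signature for a in baseline if a.malicious}
    return {"exceptions": set(), "block_signatures": block, "default": "log"}


def decide(policy, alert):
    """Return the action the policy takes for one alert."""
    if alert.proto not in ALLOWED_PROTOS:          # both approaches drop disallowed protocols
        return "drop"
    if (alert.src, alert.signature) in policy["exceptions"]:
        return "allow"
    if alert.signature in policy["block_signatures"]:
        return "block"
    return policy["default"]


def score(policy, alerts):
    """Tally outcomes: a blocked legitimate flow is self-inflicted DoS, a
    logged-but-allowed malicious flow is an attack that got through."""
    tally = Counter()
    for a in alerts:
        action = decide(policy, a)
        if action in ("block", "drop"):
            tally["blocked_malicious" if a.malicious else "self_dos"] += 1
        elif a.malicious:
            tally["attack_passed"] += 1
        else:
            tally["legit_passed"] += 1
    return dict(tally)


def review_candidates(policy, alerts):
    """Blocked alerts from trusted sources: the first queue to check when
    tuning the first approach for self-inflicted DoS."""
    return [a for a in alerts if decide(policy, a) == "block" and is_trusted(a.src)]


def add_exception(policy, alert):
    """Lifecycle tuning step: once the analyst confirms a blocked flow was
    legitimate, add its (source, signature) pair to the exceptions."""
    tuned = dict(policy)
    tuned["exceptions"] = policy["exceptions"] | {(alert.src, alert.signature)}
    return tuned


if __name__ == "__main__":
    p1 = build_exception_policy(BASELINE)
    p2 = build_blocklist_policy(BASELINE)
    print("approach 1 (exceptions, default block):", score(p1, LATER))
    print("approach 2 (blocklist, default log):   ", score(p2, LATER))
    for a in review_candidates(p1, LATER):
        print("review: blocked trusted flow", a.src, a.signature)
        p1 = add_exception(p1, a)   # analyst confirmed it is legitimate
    print("approach 1 after tuning:", score(p1, LATER))
```

Under this replay the first approach blocks both the known and the never-seen attack but also blocks the new backup job until an exception is added, while the second approach never blocks a legitimate flow but lets the never-seen attack through as a log entry only. The `review_candidates` queue is the practical part: with the first approach, blocked alerts from trusted sources are the ones to look at first after each deployment.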
