Educause Security Discussion mailing list archives
Re: IPS signature update process
From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 19 Aug 2009 17:23:37 -0500
We first had a very paranoid "try it out on RESNET first" process. Once we got some trust in our chosen IPS vendor, we got it approved as a routine change with a security "accept the vendor recommendations as tested" and a "do we need to augment it" hall conversation (default allow -> default block).

The major issues we've recalled amounted to deadlock-style issues where we had "power fail" open but not deadlock open. More money could have engineered around some of the deadlock issues but not all.

Get more insight into your vendor's signature process and leverage that to help make the decision of how much QA you should add on top of it.

Microsoft -> Does a very good job on patch process with partners IMO.
Oracle (and just about everyone else) -> you'd better test everything they ship you completely.

Having been on both sides of the vendor/customer, I think the big thing at this point you are paying for is the rules + QA process for rules, and if people are not willing to talk about it, you probably have a bad IPS vendor (or sales droid).
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Grinnell
Sent: Monday, August 17, 2009 10:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS signature update process

On 8/17/2009 11:15 PM, Fields, Kimberly wrote:
> Hello All,
>
> We are currently trying to formalize a process for updating our IPS signatures. I was looking to see what other people out there are doing. Management would like to incorporate a review committee to help ensure legitimate traffic doesn't get blocked. I'm struggling to come up with a model that would incorporate this. Any feedback would be helpful.

Is this a big problem for you? We've been running an IPS for 3 - 4 years now and had 2 cases of rules that blocked legitimate traffic. Only one of those rules was on by default, and in both cases, it was the result of poorly coded applications.

In general, I think IPS/IDS signature updates, like AV updates, are too frequent and granular to justify extensive change control and review. I think you're better off with regularly scheduled updates, a good record of the changes, and good logs of any blocked traffic. You can then refer to these artifacts if an issue comes up and resolve it quickly. SLAs, etc. may change the equation a bit, but if your IPS is blocking legitimate traffic frequently enough to warrant a review committee, I would start looking for a replacement.
Regards, Michael Grinnell Senior Information Security Engineer The American University
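The approach Michael describes (scheduled updates, a record of which signatures changed, and logs of blocked traffic) only resolves issues quickly if the two artifacts can be joined. The script below is an added example, not code from anyone in this thread or from any IPS vendor: it takes a constructed signature-update record and constructed block-log lines (the log format, rule IDs and addresses are all invented for the example; real products have their own formats) and reports which rules that were newly switched to "drop" in a given update have blocked traffic since, ranked so that the false-positive pattern (many internal sources hitting one service right after the update) is reviewed first.

```python
"""Correlate an IPS signature-update record with blocked-traffic logs.

Added example for the thread above. The changelog and log lines are
CONSTRUCTED for illustration; the rule IDs, addresses and the
"time ACTION key=value ..." log layout are assumptions, not a real format.
"""
from datetime import datetime, timezone

# Constructed update record: "<update time> <rule id> <action before> <action after>"
SIGNATURE_CHANGELOG = """\
2009-08-17T06:00:00Z 1000219 alert drop
2009-08-17T06:00:00Z 1003068 disabled alert
2009-08-17T06:00:00Z 1008123 disabled drop
2009-08-10T06:00:00Z 1000334 alert drop
"""

# Constructed block log, one event per line (addresses from documentation ranges).
BLOCK_LOG = """\
2009-08-16T14:02:11Z DROP sid=1000334 src=10.1.4.7 dst=192.0.2.10 dport=80
2009-08-17T09:15:42Z DROP sid=1008123 src=10.1.5.12 dst=192.0.2.25 dport=443
2009-08-17T09:16:03Z DROP sid=1008123 src=10.1.5.13 dst=192.0.2.25 dport=443
2009-08-17T09:20:55Z DROP sid=1008123 src=10.1.5.19 dst=192.0.2.25 dport=443
2009-08-17T10:01:00Z DROP sid=1000219 src=10.1.9.2 dst=198.51.100.7 dport=25
2009-08-18T08:30:00Z DROP sid=1000334 src=10.1.4.7 dst=192.0.2.10 dport=80
"""

UPDATE_TIME = "2009-08-17T06:00:00Z"  # the update being investigated


def parse_time(s):
    """Parse the ISO-8601 UTC timestamps used in both constructed artifacts."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_changelog(text):
    """Return {sid: (update_time, action_before, action_after)}."""
    changes = {}
    for line in text.splitlines():
        if line.strip():
            when, sid, before, after = line.split()
            changes[sid] = (parse_time(when), before, after)
    return changes


def parse_block_log(text):
    """Return a list of event dicts with 'time', 'action' and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, action, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = parse_time(when)
        event["action"] = action
        events.append(event)
    return events


def newly_blocking_rules(changes, events, update_time):
    """Rules switched to 'drop' by the update at update_time that have blocked since.

    Returns {sid: {"blocks": count, "sources": distinct src count, "dests": [dst:port, ...]}}.
    Rules changed in earlier updates, or changed to something other than drop, are ignored.
    """
    candidates = {sid for sid, (when, before, after) in changes.items()
                  if when == update_time and after == "drop" and before != "drop"}
    stats = {}
    for ev in events:
        if ev["sid"] not in candidates or ev["action"] != "DROP" or ev["time"] < update_time:
            continue
        s = stats.setdefault(ev["sid"], {"blocks": 0, "src": set(), "dests": set()})
        s["blocks"] += 1
        s["src"].add(ev["src"])
        s["dests"].add(ev["dst"] + ":" + ev["dport"])
    return {sid: {"blocks": s["blocks"], "sources": len(s["src"]), "dests": sorted(s["dests"])}
            for sid, s in stats.items()}


def triage_order(report):
    """Review first the rules hitting the most distinct sources toward the fewest destinations:
    many clients, one service, right after an update is the classic false-positive shape."""
    return sorted(report, key=lambda sid: (-report[sid]["sources"], len(report[sid]["dests"]), sid))


if __name__ == "__main__":
    report = newly_blocking_rules(parse_changelog(SIGNATURE_CHANGELOG),
                                  parse_block_log(BLOCK_LOG), parse_time(UPDATE_TIME))
    for sid in triage_order(report):
        r = report[sid]
        print(f"sid {sid}: {r['blocks']} blocks from {r['sources']} sources -> {', '.join(r['dests'])}")
```

Run against a real deployment, the two parsers are the only parts that change; the point is that the update record carries the before/after action per rule, so a block can be tied to "this rule started dropping at this update" without a committee having pre-reviewed every signature.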
Current thread:
- IPS signature update process Fields, Kimberly (Aug 17)
- <Possible follow-ups>
- Re: IPS signature update process Michael Grinnell (Aug 17)
- Re: IPS signature update process Bradley, Stephen W. Mr. (Aug 18)
- Re: IPS signature update process Gary Dobbins (Aug 18)
- Re: IPS signature update process Mike Peterson (Aug 18)
- Re: IPS signature update process Chris Green (Aug 19)