We're considering switching our IPS from promiscuous to inline, but we want to be careful not to interrupt normal traffic when we do so. We have it tuned pretty well at the moment, and we don't appear to get a lot of false positives that would be denied.
So I have a couple of questions about this. First, is there anything I should be careful of that can trip people up when doing this? I know that some of the signatures on the IPS are set to deny without alerting, but most of those seem to be bad packets that should probably be this way. Is there anything known to cause issues? (In general, that is. I know you guys don't know what's on our network.)
Also, we're using MARS to monitor all of this, so I'd like to set a rule to send an email to a few people whenever something is blocked. So when creating this rule, will the events that trigger the rule be the "AttacksProtected" group? Also, will the alerting device be the ASA when a packet is denied, or will it actually show it came from the IPS module?
We're using MARS 4.3.5, and our IPS is running 6.1-1.
Thanks for any help! Let me know if you need more information.
You can do a number of things for a smooth transition. You can disable the inspection on the IPS (software bypass setting) and then test all network connectivity after placing the sensor inline. Then you could set an event action filter to subtract the deny action from all signatures/events, OR you could select all signatures and modify the action to produce alert only. However, if you are really confident you can go ahead without doing any of the above two, but I wouldn't :)
The AIP-SSM will be added to the MARS 'inside' the ASA. It will know that the event came from the module. To receive emails, configure the SMTP/domain settings in the 'Admin' tab and then set the action for the rule to email (by default you can add the admin users group as the recipient).
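The two safety nets from the reply above, written out as an added example of what the sensor CLI session looks like; this is not configuration from the original post. It assumes an IPS 6.x sensor with the default `rules0` event action rules set, a filter name of my choosing, and that the prompt strings match the sensor's actual CLI (check them against your sensor before applying).

```text
! Step 1: put the sensor in software bypass so traffic flows unanalyzed
! while you verify connectivity through the now-inline interface pair.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode on
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! Step 2: once connectivity is confirmed, turn bypass back to auto
! (inspect normally, fail open if the analysis engine stops).
sensor(config)# service interface
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! Step 3: an event action filter that strips the inline deny actions
! from every signature, so the sensor still alerts (and MARS still
! reports) but nothing is dropped. Remove the filter after the
! observation period to start enforcing. Filter name is assumed.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert NoDenyWhileTuning begin
sensor(config-rul-fil)# signature-id-range 900-65535
sensor(config-rul-fil)# actions-to-remove deny-attacker-inline|deny-connection-inline|deny-packet-inline
sensor(config-rul-fil)# user-comment Alert-only observation period before enforcing inline denies
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
```

While the filter is in place, any event that would have been denied still shows up in MARS with its original alert, which is the time to review what would have been blocked before the deny actions are re-enabled.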