08-04-2008 06:47 AM - edited 03-10-2019 04:14 AM
Purchased an IPS 4255 to replace a TippingPoint unit we have used for a number of years. I configured the 4255 so I can talk to the management interface to get used to the Web Interface. I have loaded the latest software code and SIGs.
Should I run the unit in promiscuous for awhile before going inline? Our TippingPoint updated its SIGs automatically and I reviewed the release to see if I should change the default action. Since I'm new to the 4255 and the Cisco SIGs, how does one get a feel for what all is enabled for denied by default? Would running in promiscuous allow me to see what SIGs would be denied and allow me to adjust until I go inline?
The latest code for the 4255 allows for auto update from Cisco. There isn't a means to force a manual update? We had that with the TippingPoint. The TippingPoint only did auto updates on SIGs. The 4255 appears to do both code and SIGs. I see no way to just select auto SIG updates?
Craig
08-05-2008 04:56 AM
"Should I run the unit in promiscuous for awhile before going inline?"
Unless you have a high tolerance for dropped traffic...yes.
"Would running in promiscuous allow me to see what SIGs would be denied and allow me to adjust until I go inline?"
Yes, but you won't be in "promiscuous mode" per se. You will create your inline pair as normal and then create an event action filter that removes any actions that interfere with the normal flow of traffic:
Deny Attacker Inline
Deny Attacker Service Pair Inline
Deny Attacker Victim Pair Inline
Deny Connection Inline
Deny Packet Inline
Request Block Connection
Request Block Host
Request Rate Limit
Request Snmp Trap
Reset Tcp Connection
You might also want to open your SIG policy using "select by: active signatures" and sort by engine (click the engine column header). Find any normalizer sigs that have a deny/modify action and add the "produce alert" and "produce verbose alert" actions. You probably shouldn't add actions to sigs that don't have any action. There are a couple of normalizer sigs like this, the point of which I don't know.