Internet edge router & IPS

Unanswered Question
Sep 5th, 2008

I am looking for some recommended settings or pointers for what to enable on an Internet-facing edge router (ISR). Currently the defaults have pretty much been accepted with regard to the IPS setup. The router was configured initially from the CLI and I am happy with this part, but all the IPS stuff was configured from SDM. At the moment it just reports for the 338 default enabled signatures; however, it can be configured to react (drop or reset connections). I am just looking for some recommendations or pointers as to what should be enabled.

I have noticed a performance hit with IPS enabled, but nothing too bad; the main bottleneck is the ISP link.


Thanks


Andy

suschoud Mon, 09/08/2008 - 09:29

Andy,


Generally Cisco only denies packets for the signatures which correspond to the attack sig section; also, many of those would only send a log message rather than denying the packet. This is done to keep only the relevant signatures enabled and dropping traffic, and to avoid false positives. For most networks, these settings would be good enough. Integrating an IPS solution into your network is an ongoing process rather than a one-time implementation. You would need to keep an eye on the events and change the sigs accordingly, for a typical cycle of 2 months. So, if you see an event which refers to an ongoing attack, enable the sig. At other times, keep it disabled, as it would save a lot of CPU/memory cycles on the IPS (and would avoid a performance bottleneck).
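As an added example (not code from the original thread), a small Python script that does the event review the reply describes: it tallies constructed IOS IPS syslog lines per signature and separates signatures worth reviewing for a deny action from low-risk noisy ones that mainly cost CPU. The log line layout, thresholds, signature numbers and addresses are assumptions for illustration; check the message shape against your own router's output.

```python
import re

# Constructed sample syslog lines shaped like IOS IPS 5.x %IPS-4-SIGNATURE messages
# (assumption: verify the exact field layout against your own router's output).
SAMPLE_LOG = """\
*Sep  8 09:01:11.884: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 198.51.100.2:0] VRF:NONE RiskRating:25
*Sep  8 09:01:14.102: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.9:0 -> 198.51.100.2:0] VRF:NONE RiskRating:25
*Sep  8 09:02:03.517: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.11:0 -> 198.51.100.2:0] VRF:NONE RiskRating:25
*Sep  8 09:05:41.220: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [203.0.113.40:51322 -> 198.51.100.10:80] VRF:NONE RiskRating:100
*Sep  8 09:05:42.903: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [203.0.113.40:51330 -> 198.51.100.10:80] VRF:NONE RiskRating:100
*Sep  8 09:05:44.111: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [203.0.113.41:40021 -> 198.51.100.10:80] VRF:NONE RiskRating:100
*Sep  8 09:09:10.000: %IPS-4-SIGNATURE: Sig:3002 Subsig:0 Sev:75 TCP SYN Port Sweep [203.0.113.55:44123 -> 198.51.100.10:22] VRF:NONE RiskRating:75
"""

SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(\d+) Subsig:(\d+) Sev:(\d+) (.+?) "
    r"\[([\d.]+):\d+ -> ([\d.]+):\d+\] VRF:\S+ RiskRating:(\d+)"
)

def parse_events(log_text):
    """One dict per signature event; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SIG_RE.search(line)
        if m:
            sig, subsig, sev, name, src, dst, rr = m.groups()
            events.append({"sig": int(sig), "subsig": int(subsig), "name": name,
                           "src": src, "dst": dst, "rr": int(rr)})
    return events

def summarize(events):
    """Group by (sig, subsig): hit count, distinct source addresses, max risk rating."""
    summary = {}
    for e in events:
        s = summary.setdefault((e["sig"], e["subsig"]),
                               {"name": e["name"], "hits": 0, "sources": set(), "max_rr": 0})
        s["hits"] += 1
        s["sources"].add(e["src"])
        s["max_rr"] = max(s["max_rr"], e["rr"])
    return summary

def tuning_candidates(summary, deny_rr=75, noise_rr=40, noise_hits=3):
    """Signatures to review for a deny action (high risk rating, fired repeatedly)
    versus noisy low-risk ones that mainly cost CPU (thresholds are assumptions)."""
    deny = sorted(k for k, s in summary.items() if s["max_rr"] >= deny_rr and s["hits"] > 1)
    noisy = sorted(k for k, s in summary.items() if s["max_rr"] < noise_rr and s["hits"] >= noise_hits)
    return deny, noisy

if __name__ == "__main__":
    print(tuning_candidates(summarize(parse_events(SAMPLE_LOG))))
```

Feed it the router's syslog export instead of SAMPLE_LOG and run it at each review point in the tuning cycle; the first list is what to consider switching from alert to deny, the second is what to consider retiring.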


