TVR Ratings

Answered Question
Aug 28th, 2009

Hi,


I have an AIP-SSM-10 Module running version 7.01. Do I need to configure the Target Value Rating for all the machines on the network, or does it work by default?


Either way, what would be the recommended procedure?


Thanks for the help.

Correct Answer by Farrukh Haroon about 7 years 9 months ago

Configuring the TVR is 'optional'. The sensor will work without it.


However, you set TVR values for your hosts/servers based on their criticality. But be careful, you might actually drop all traffic to this 'critical' server by doing so. Have a look at these white papers for more details:


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd80191021.html


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/overview_c17-464691.html


Please rate if helpful.

Regards


Farrukh

marcabal (Cisco Employee) Fri, 08/28/2009 - 06:28

By default all addresses will default to a Medium TVR value which winds up with a neutral effect on the Risk Rating of the alerts (neither raises nor lowers the Risk Rating).


If you aren't really using Risk Rating for anything, then you are better off just leaving the TVR settings with the defaults.


If you do make use of Risk Rating (such as the default Event Action Override for denying packets, or use it to rank which events you want to spend time looking at), then modifying TVR for "special" boxes in your network can help. Specific servers that are closely monitored may be given high TVR values so attacks against them pop up to the top of your list of events to look into. Lab Machines might wind up with Low TVR values because you may not want to spend time analyzing attacks against those machines.

All others you wouldn't configure a TVR for, and they will default to Medium TVR.
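
A what-if check for the point made in the replies above, as an added example that is not part of the original thread and not Cisco's code: it recomputes Risk Rating for constructed alerts under a proposed TVR map and flags alerts that would newly cross the deny threshold. The TVR weights, the simplified formula (ASR x TVR x SFR / 10000, with the other Risk Rating terms left out) and the threshold of 90 are assumptions to verify against the documentation for your sensor version.

```python
import ipaddress

# Assumed numeric weights per TVR level; medium (100) is the neutral default.
TVR_WEIGHT = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
DENY_THRESHOLD = 90  # assumed lower bound of the default deny override

def tvr_for(addr, tvr_map):
    """Return the TVR level for addr (most specific match); unlisted hosts are medium."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, level in tvr_map.items():
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, level)
    return best[1] if best else "medium"

def risk_rating(asr, sfr, level):
    """Simplified Risk Rating: ASR * TVR * SFR / 10000, capped at 100."""
    return min(100, asr * TVR_WEIGHT[level] * sfr // 10000)

def what_if(alerts, tvr_map):
    """Rank alerts by new Risk Rating and mark those the TVR change pushes into deny range."""
    rows = []
    for a in alerts:
        base = risk_rating(a["asr"], a["sfr"], "medium")
        new = risk_rating(a["asr"], a["sfr"], tvr_for(a["dst"], tvr_map))
        newly_denied = base < DENY_THRESHOLD <= new
        rows.append((a["sig"], a["dst"], base, new, newly_denied))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample alerts: signature label, destination, severity (ASR), fidelity (SFR).
ALERTS = [
    {"sig": "sig-A", "dst": "10.0.1.10", "asr": 75, "sfr": 85},
    {"sig": "sig-B", "dst": "10.0.1.10", "asr": 50, "sfr": 70},
    {"sig": "sig-C", "dst": "10.0.9.20", "asr": 100, "sfr": 95},
    {"sig": "sig-D", "dst": "10.0.5.5", "asr": 75, "sfr": 85},
]
# Constructed proposal: one monitored server set to high, a lab subnet set to low.
TVR_MAP = {"10.0.1.10/32": "high", "10.0.9.0/24": "low"}

if __name__ == "__main__":
    for sig, dst, base, new, denied in what_if(ALERTS, TVR_MAP):
        flag = "NEWLY IN DENY RANGE" if denied else ""
        print(f"{sig} {dst:<12} RR {base:>3} -> {new:>3} {flag}")
```

Running it against a sample of real alert severities and fidelities before committing a TVR change shows which signatures would start dropping traffic to the server being marked as critical.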


