Thanks!

Also, I see from reading the detailed Cisco docs that you must register your IPS serial number to obtain a valid license.

Without a valid license, having the new signature files does no good as the IPS will not accept the new signature file.

If you want to use the latest signatures, only option is to upgrade the IPS IOS , however the new signatures are "NEW CODE" and you are running the risk of denying good traffic or possible permitting bad, all without alerts.

Frank

yes, you are absolutely right. The IPS subscription ties into the serial# of the IPS. You can still upgrade the IPS software to the latest, however, can't update the signature files to the latest without the IPS subscription.

Hi, We have 2 x standalone IPS and 1 x module.. We have recently purchased the subscription. Will it cover all 3 devices or we need a separate one for each one? 

Can IPS update the subscriptions automatically like Anti-virus sw? 

Regards.

You would need to purchase 3 x subscription for each of the devices as it ties to the serial# of the device.

Yes, you can configure auto update for the IPS signature update.

Thanks Jennifer.  Can you please give me any pointers about an automatic update?  Would automatic updates not cause problems such a increased false positives? 

If you get a chance would you please look at couple of my other queries that I posted last week? Any documents that I could read about step-by-step planning and implementation of the IPS in a real world scenario. I have access to the exam books etc but I am not able to find the info. that I really need in them.

Thanks. Regards.

Automatic updates only update the signature to the latest signature pack. Some signatures gets enabled by default, and some doesn't, however, it will have the latest signature within your IPS. In regards to false positive, it doesn't really matter whether you update your signature or not, you would still need to monitor the logs to decrease the number of false positive because every network environment is difference hence false positive for one organization might not be the same for another organization's network.

In regards to planning, IPS can be deployed in 2 mode: monitor mode and in-line mode. I would suggest that you start with monitor mode first as it will not block anything but just monitor it, and you can tweak the signature accordingly once you have deployed the IPS for a couple of months. Once you are happy with that, if you would like to deploy it to in-line mode, then it is ok and will prevent things getting blocked due to false positive.

Hi Jennifer, Thank you for your reply.

Is monitor mode different to "alerts only" mode?

Is it possible to setup new signatures for "alerts only" so that once the automatic update is performed, new signatures will generate alert only and won't drop packets in inline mode.

Or is that what happens with all the signatures by default.  It would only drop packets if setup explicitly to do so?

With regards to false positives. Is there a good reference resource where I could get more info about the alerts that I am getting.  Especially the one about "TCP window size variation" confuses me a great deal. 

Thanks. Regards