We have had a Cisco IPS 4240 in our network since IPS v5.0. Subsequently, we upgraded to v6.0 and now to v7.0. However, with v7.0 there are a host of new features, which require baselining and tuning. Currently, the sensor is monitoring and actively preventing behind the edge firewall. Since the IPS is already in a production environment, it would not be possible to take it out. In such a scenario, what would be the best practices to carry out the baselining of various features like anomaly detection etc.? Also, over a period of time, the network has grown and the IP address space has enlarged. Hence it would entail a closer look at the current deployment and modifications to incorporate the larger address space etc. Hopefully, the learned members of this forum can provide sufficient pointers to this from their real-life experiences. I have tried going through the documentation on IPS and some related papers, which recommend staging servers etc. Is it possible to do so with the spare pair of interfaces, while leaving the active pair untouched?
Thanks for any help in advance.