IPS Tuning Best Practices

Unanswered Question
Aug 1st, 2010
User Badges:


We are having a Cisco IPS 4240 in our network since IPS v5.0. Subsequently, we had upgraded to v6.0 and now to v7.0. However, with v7.0 there are a host of new features, which require baselining and tuning. Currently, the sensor is monitoring and actively preventing behind the edge firewall. Since the IPS is already in production environment, it would not be possible to take it out. In such a scenario, what would be the best practices to carry out the baselining of various features like anomaly detection etc. Also, over a period of time, the network has grown and the IP address space has enlarged. Hence it would entail a closer look at the current deployment and modifications to incorporate the larger address space etc. Hopefully, the learned members of this forum can provide sufficient pointers to this from their real-life experiences. I have tried going through the documentation on IPS and some related papers, which recommend staging servers etc. Is it possible to do so with the spare pair of interfaces, while leaving the active pair untouched?

Thanks for any help in advance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Panos Kampanakis Mon, 08/02/2010 - 10:43
User Badges:
  • Cisco Employee,

You can set an interface pair or a vlan pair that will use a separate sensor in order to add more traffic through the IPS without affecting the working traffic. That is a good practice.

It is not clear exactly what other needs you have for the IPS or what changes you want to implement though.

I hope it helps.


ajay_dand Mon, 08/02/2010 - 23:01
User Badges:


@PK - Thanks for the response. We had implemented the IPS first when v5.0 was current. Since then there have been 2 version upgrades and a lot of new features like Anomaly protection, Global correlation etc which have been introduced. Also, as mentioned, the company has grown, and so also the address space of the company, with newer subnets being introduced. Of late users have been complaining that many a times they experience slow network and slow browsing, and upon investigation we have found that the IPS is causing bottlenecks in many cases. We plan to have a thorough investigation and re-tuning of IPS and at the end we hope to achieve the following:

a) Re-configure settings for existing and new signatures as and where applicable,

b) Incorporate the new subnets & specific IPs of servers etc. into the never block settings wherever necessary, to reduce the bottlenecks.

c) Investigate into the change in traffic flowing through the network, due to the change in the internet usage over time and modify the security posture on the IPS in tune with the investigations.

d) Incorporate the newer features for achieving optimal security for the new and emerging threat landscape.

I would appreciate if someone can share any document or experiences relating to the above activities, particularly in tuning of the newer features as mentioned above.

Thanks for any help in advance.


ajay_dand Mon, 08/02/2010 - 23:03
User Badges:

ALso, are there any tools (preferably open source) which can help simulate the traffic and help in tuning
the box and also stress test the device simulating the current traffic on our network, if possible.


This Discussion

Related Content