IDSM-2 best practices

Hi,

How many types of signatures need to be enabled when deploying IDSM-2 in a data center behind an FWSM?

Thanks

7 Replies

rhermes
Level 7

It all depends on what you want to get out of your IPS sensor.

The most common application of an IPS sensor is to block and report on actionable events (those are events you can do something about, like an infected web server in your DMZ). The best place to start is to run the sensor with the default signature settings. If you know something about your internal hosts, OSes and applications, you can further enable (for example P2P blocking) or disable unused OS/application-specific signatures.

Once you start getting events (and that will happen within a few minutes) you will need to investigate them to determine if they are false positives. If they are, then those signatures need to be disabled or reduced in severity.

You will need to repeat the investigation and signature tuning steps as long as you operate your sensor.

- Bob

Ok, thank you for your response. Suppose a false positive signature starts triggering; how can we configure the device to make it a true positive?

A "false positive" is a signature that triggers on traffic that does not have an attack or infection in it. You cannot change false positives into anything; you can only remove them.

If you determine that a signature is being triggered by normal traffic (not part of an attack, or an infected host), then you can disable that signature. This will remove it from the list of signatures you want to investigate.

- Bob

Thank you for your response!!!

We are planning to deploy IDSM-2 at client site. Customer is asking few things:

1. If we install it in promiscuous mode, what will be the best utilization and design for this module, and how do we configure it?

2. If we install it in inline mode, what will be the best utilization and design for this module, and how do we configure it?

Let me explain a few things:

They have multiple VLANs in a Cisco 6509 switch, and the servers are placed behind the firewall (FWSM). They want to inspect all VLAN traffic forwarded towards the server farm.

To fulfill their requirements, we recommended that they install IDSM-2 in promiscuous mode, as this module has limited throughput, and also advised them to keep the IDSM-2 signatures up to date. Based on our recommendation, they want some experts to weigh in or advise whether there is some other best-practice design for installing IDSM-2 in their network.

I would really appreciate it if you added your valuable input in this regard, as we have to deploy this module this coming weekend. Your early response will be highly appreciated.

Thanks in advance!

You will be installing your IDSM in Promiscuous Mode. You have a choice of using either SPAN or VACL capture.

The 6509 has a limit of 2 SPAN sessions max. If there are 2 existing uses of SPAN on the 6509 you will not be able to configure SPAN.

Here are instructions on how to configure both SPAN and VACL capture:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1206645

- Bob
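As an added illustration (not part of Bob's reply), here is what the two capture options look like as Catalyst 6500 IOS configuration for a promiscuous IDSM-2. The slot number (5), the server-farm VLAN range (100-110), the server subnet and the ACL/access-map names are assumed values, and the command syntax is from memory of the IDSM-2 configuration guide, so verify it against the linked document for your IOS release before applying it.

```cisco
! ---- Option 1: SPAN ----
! Uses one of the two SPAN sessions the 6509 supports. Copies traffic seen on the
! server-farm VLANs (assumed 100-110) to the IDSM-2 in slot 5 (assumed), data-port 1.
monitor session 1 source vlan 100 - 110 both
monitor session 1 destination intrusion-detection-module 5 data-port 1

! ---- Option 2: VACL capture ----
! Does not consume a SPAN session, and lets you choose which traffic is copied.
! Here only traffic to/from the server subnet (assumed 10.10.0.0/24) is captured;
! everything else is forwarded normally without a copy.
ip access-list extended IDSM-CAPTURE
 permit ip any 10.10.0.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 any
!
vlan access-map IDSM-MAP 10
 match ip address IDSM-CAPTURE
 action forward capture
vlan access-map IDSM-MAP 20
 action forward
!
! Apply the access map to the server-farm VLANs
vlan filter IDSM-MAP vlan-list 100-110
!
! Deliver captured frames to the IDSM-2 data port, limited to those VLANs
intrusion-detection module 5 data-port 1 capture allowed-vlan 100-110
intrusion-detection module 5 data-port 1 capture
```

Use one option or the other for a given data port, not both, and check `show monitor` first to confirm a SPAN session is actually free before choosing Option 1.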

Hi Bob,

Thanks for your response,

Does that mean you suggest installing IDSM-2 in promiscuous mode with updated signatures, or do you have some other design for the IDSM-2 deployment?

Kindly advise

Thanks in advance!

Yes, you should install your IDSM in promiscuous mode and update the OS and signatures to the most recent versions.

If your IDSM has internet access, you can also turn up auto-updates to keep the sensor updated automatically.

IDM instructions: http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016040

IME instructions: http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/ime/ime_sensor_management.html#wp2016040

- Bob
