It all depends on what you want to get out of your IPS sensor.
The most common application of an IPS sensor is to block and report on actionable events (those are events you can do something about, like an infected webserver in your DMZ). The best place to start is to run the sensor with the default signature settings. If you know something about your internal hosts, OSes and applications you can further enable (for example P2P blocking) or disable unused OS/application-specific signatures.
Once you start getting events (and that will happen within a few minutes) you will need to investigate them to determine if they are false positives. If they are, then those signatures need to be disabled or reduced in severity.
You will need to repeat the investigation and signature tuning steps as long as you operate your sensor.
A "false positive" is a signature that triggers on traffic that does not have an attack or infection in it. You cannot change false positives into anything; you can only remove them.
If you determine that a signature is being triggered by normal traffic (not part of an attack, or an infected host), then you can disable that signature. This will remove it from the list of signatures you want to investigate.
We are planning to deploy IDSM-2 at a client site. The customer is asking a few things:
1. If we install it in promiscuous mode, what will be the best utilization and design for this module, and how do we configure it?
2. If we install it in inline mode, what will be the best utilization and design for this module, and how do we configure it?
Let me explain a few things:
They have multiple VLANs in a Cisco 6509 switch, and the servers are placed behind the firewall (FWSM); they want to inspect all VLAN traffic forwarded towards the server farm.
To fulfill their requirements, we recommended that they install IDSM-2 in promiscuous mode, as this module has less throughput, and also advised them to keep the latest signatures up to date in IDSM-2. On our recommendation, they want some experts to weigh in, or to advise if there is some other best-practice design for installing IDSM-2 in their network.
I would really appreciate it if you added your valuable input in this regard, as we have to deploy this module this coming weekend. Your early response will be highly appreciated.