IPS configuration?

ms4561
Level 1

Recently I installed the latest IPS update & noticed all signatures show the alarm action only. I thought the SDF "action" was preset by Cisco.

Should any sigs be changed to reset or drop?

How do you determine which sigs to change?

Should an ACL be used with IPS?

Regards

1 Reply

a.kiprawih
Level 7

You're right. Almost all IPS signatures are set to trigger log or alarm only, except for some critical signatures that, by default, drop/deny the traffic.

Normal practice is to monitor your IPS log for at least 1 or 2 days. Review the log for the types of violations/misuse. Check for false positive signs as well, as some might not be real threats.

Once confirmed, you may start to change the actions for the relevant signatures to either drop or reset. Reset is effective for TCP sessions (between attacker & victim host) only.

Bear in mind, you need to constantly monitor the IPS log for new/missing violations. Frequent review of logs and security posture is highly recommended by Cisco.

Read the SAFE Blueprint for details:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml

Using an ACL is good as it can work in tandem with IPS, where you only allow certain/known source addresses/services to come in. IPS, in turn, will provide deep packet inspection to ensure no malicious content is flowing into your network/servers from those permitted external/source addresses.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00803eb031.html

HTH

AK
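As an added example (not part of the thread), here is a small Python triage script that follows the rule of thumb in the reply above: tally the alarm-only hits per signature from a few constructed IOS-IPS-style syslog lines, keep confirmed false positives and low-severity signatures at alarm, propose reset only where every hit was a TCP session, and propose drop otherwise. The log format, signature IDs and names, addresses and the false-positive list are all constructed assumptions for the example, not real captures or a real SDF.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely modelled on IOS IPS syslog alarms; the
# signature IDs, names and addresses are made up for this example.
SAMPLE_LOG = """\
%IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:100 Half-open SYN attack [203.0.113.7:4421 -> 192.0.2.10:80] proto:tcp
%IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:100 Half-open SYN attack [203.0.113.7:4422 -> 192.0.2.10:80] proto:tcp
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:75 ICMP Echo Request [192.0.2.50:0 -> 192.0.2.10:0] proto:icmp
%IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:75 WWW WinNT cmd.exe access [203.0.113.9:51011 -> 192.0.2.10:80] proto:tcp
%IPS-4-SIGNATURE: Sig:4051 Subsig:0 Sev:50 SNMP Broadcast Request [203.0.113.20:161 -> 192.0.2.255:161] proto:udp
"""

LINE_RE = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\] proto:(?P<proto>\w+)"
)


def parse_alarms(text):
    """Return one dict per alarm line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["sev"] = int(event["sev"])
            events.append(event)
    return events


def propose_actions(events, false_positive_sigs, min_severity=50):
    """Map each signature ID seen in the log to a proposed event action.
    False positives and low-severity sigs stay 'alarm'; 'reset' only where every
    hit was TCP (reset needs a TCP session to tear down); otherwise 'drop'."""
    by_sig = defaultdict(list)
    for e in events:
        by_sig[e["sig"]].append(e)
    proposals = {}
    for sig, hits in by_sig.items():
        if sig in false_positive_sigs or max(h["sev"] for h in hits) < min_severity:
            proposals[sig] = "alarm"
        elif all(h["proto"] == "tcp" for h in hits):
            proposals[sig] = "reset"
        else:
            proposals[sig] = "drop"
    return proposals


if __name__ == "__main__":
    events = parse_alarms(SAMPLE_LOG)
    # Constructed review outcome: 2004 turned out to be the monitoring host's pings.
    for sig, action in sorted(propose_actions(events, {"2004"}).items()):
        print(f"sig {sig}: {sum(e['sig'] == sig for e in events)} hits -> {action}")
```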