We have had a Cisco IPS 4240 in our network since IPS v5.0. Subsequently, we upgraded to v6.0 and now to v7.0. However, v7.0 brings a host of new features, which require baselining and tuning. Currently, the sensor is monitoring and actively preventing behind the edge firewall. Since the IPS is already in the production environment, it would not be possible to take it out. In such a scenario, what would be the best practices for carrying out the baselining of various features like anomaly detection etc.? Also, over a period of time, the network has grown and the IP address space has enlarged. Hence it would entail a closer look at the current deployment and modifications to incorporate the larger address space etc. Hopefully, the learned members of this forum can provide sufficient pointers on this from their real-life experiences. I have tried going through the documentation on IPS and some related papers, which recommend staging servers etc. Is it possible to do so with the spare pair of interfaces, while leaving the active pair untouched?
@PK - Thanks for the response. We first implemented the IPS when v5.0 was current. Since then there have been 2 version upgrades, and a lot of new features like Anomaly protection, Global correlation etc. have been introduced. Also, as mentioned, the company has grown, and so has the address space of the company, with newer subnets being introduced. Of late users have been complaining that many times they experience a slow network and slow browsing, and upon investigation we have found that the IPS is causing bottlenecks in many cases. We plan to have a thorough investigation and re-tuning of the IPS, and at the end we hope to achieve the following:
a) Re-configure settings for existing and new signatures as and where applicable,
b) Incorporate the new subnets & specific IPs of servers etc. into the never block settings wherever necessary, to reduce the bottlenecks.
c) Investigate into the change in traffic flowing through the network, due to the change in the internet usage over time and modify the security posture on the IPS in tune with the investigations.
d) Incorporate the newer features for achieving optimal security for the new and emerging threat landscape.
I would appreciate it if someone could share any documents or experiences relating to the above activities, particularly in tuning the newer features mentioned above.
Also, are there any tools (preferably open source) which can help simulate the traffic, help in tuning the box, and also stress test the device by simulating the current traffic on our network, if possible?