Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TVR Ratings

Hi,

I have an AIP-SSM-10 Module running version 7.01. Do i need to configure the Target Value Rating for all the machines on the network, or does it work by default?

Eitherway what would be the recomended proceedure?

Thanks for the help.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: TVR Ratings

Configuring the TVR is 'optional'. The sensor will work without it.

However you set TVR values for your hosts/servers based on their criticality. But be careful, you might actually drop all traffic to this 'critical' server by doing so. Have a look at these white papers for more details:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd80191021.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/overview_c17-464691.html

Please rate if helpful.

Regards

Farrukh

2 REPLIES

Re: TVR Ratings

Configuring the TVR is 'optional'. The sensor will work without it.

However you set TVR values for your hosts/servers based on their criticality. But be careful, you might actually drop all traffic to this 'critical' server by doing so. Have a look at these white papers for more details:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd80191021.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/overview_c17-464691.html

Please rate if helpful.

Regards

Farrukh

Cisco Employee

Re: TVR Ratings

By default all addresses will default to a Medium TVR value which winds up with a neutral affect to the Risk Rating of the alerts (neither raises nor lowers the Risk Rating).

If you aren't really using Risk Rating for anything, then you are better off just leaving the TVR settings with the defaults.

If you do make use of Risk Rating (such as the default Event Action Override for denying packets, or use it rank which events you want to spend time looking at), then modifying TVR for "special" boxes in your network can help. Specific servers that are closely monitored may be given high TVR values so attacks against them pop up to the top of your list of events to look into. Lab Machines might wind up with Low TVR values because you may not want to spend time analyzing attacks against those machines.

All others you wouldn't configure a TVR for, and they will default to Medium TVR.

281
Views
0
Helpful
2
Replies