What is the best way to configure the NetRanger? Is it based on the default configuration or a custom configuration? My current configuration, which uses the default configuration, is giving us a lot of severity level 6 notifications.
And how do I make the IDS useful to the environment, so that I can detect any attempts on my network?
The short answer is you need to tune it. The long answer follows:
NetRanger really needs to be tuned to your network. Out of the box, we default the configuration to a sane setup; however, the setup is pretty open in its interpretation of what's important. This generally results in a very "chatty" sensor... thus the number of Level 5 alarms you're seeing.
The general recommendation is to review the alarms being generated (consult the NSDB entries and other appropriate logs you may have) and, if it is determined that the alarm is a false positive for your network, use one of the tuning parameters (RecordofExcludedXXXX options) to mask the offending (but known-good) host or network. In some cases, you can disable signatures entirely if they make no sense in your network (for instance, Microsoft NetBIOS signatures in a Unix/Linux environment).
The ideal way of setting up the NetRanger is a customised configuration. As most corporate environments and requirements differ, so do the needs. Using a customised configuration you can set and alter alarm and severity levels to suit your circumstances. Place sensors in strategic places in your network and use them in conjunction with Access Control Lists (ACLs) on routers.
You realistically cannot, and do not need to, detect every inbound/outbound packet, or you would burn out all your resources.
Select what types of intrusion you can ignore and only deal with the ones with high severity levels, e.g. DoS attacks, Pings of Death and port sweeps/scans.
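Both answers above describe the same tuning loop: review the alarms, exclude known-good sources for specific signatures, disable signatures that cannot apply to the segment, and raise the severity floor for what an analyst actually looks at. The following is an added example (not NetRanger configuration syntax and not code from either poster) that applies those three kinds of rules to a handful of constructed alarm records and reports how much noise each rule removes. The alarm fields, the 1 to 5 severity scale, the signature IDs, the addresses and the rule representation are all assumptions made for illustration.

```python
"""Added example: applying IDS tuning rules to constructed alarm records.

Not NetRanger/Cisco Secure IDS syntax. The Alarm fields, severity scale,
signature IDs and addresses below are assumptions chosen to illustrate the
tuning workflow described in the thread (exclude known-good sources per
signature, disable irrelevant signatures, apply a severity floor).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    sig_name: str
    severity: int  # assumed scale: 1 (low) .. 5 (high)
    src: str
    dst: str


# Constructed sample alarms, not real sensor output.
SAMPLE_ALARMS = [
    Alarm(3030, "TCP SYN host sweep", 3, "10.1.1.50", "10.2.0.0"),
    Alarm(3030, "TCP SYN host sweep", 3, "203.0.113.9", "10.2.0.0"),
    Alarm(2004, "ICMP echo request", 1, "10.1.1.10", "10.2.3.4"),
    Alarm(3300, "NetBIOS name service query", 2, "203.0.113.7", "10.2.3.5"),
    Alarm(2154, "Ping of Death", 5, "198.51.100.8", "10.2.3.4"),
    Alarm(6055, "DNS zone transfer attempt", 4, "203.0.113.9", "10.2.3.53"),
]

# Tuning rules (assumed representation). Keyed by signature so that the
# internal scanner subnet is only excused for the sweep signature, not for
# everything it might ever do.
EXCLUDED_SOURCES = {3030: [ipaddress.ip_network("10.1.1.0/24")]}
# Signatures that make no sense on this segment (e.g. NetBIOS on Unix-only).
DISABLED_SIGNATURES = {3300}
# Alarms below this severity are dropped from the analyst queue.
SEVERITY_FLOOR = 2


def is_excluded(alarm, excluded=EXCLUDED_SOURCES):
    """True if the alarm's source falls in a network excused for this signature."""
    src = ipaddress.ip_address(alarm.src)
    return any(src in net for net in excluded.get(alarm.sig_id, []))


def tune(alarms, excluded=EXCLUDED_SOURCES, disabled=DISABLED_SIGNATURES,
         floor=SEVERITY_FLOOR):
    """Apply the rules in order and return (kept alarms, drop counts by reason)."""
    kept, dropped = [], Counter()
    for alarm in alarms:
        if alarm.sig_id in disabled:
            dropped["disabled"] += 1
        elif is_excluded(alarm, excluded):
            dropped["excluded"] += 1
        elif alarm.severity < floor:
            dropped["below_floor"] += 1
        else:
            kept.append(alarm)
    return kept, dropped


def noise_by_signature(alarms, **rules):
    """Count suppressed alarms per signature name: the review list for the
    next tuning pass, so a rule that silences a real attack stands out."""
    kept, _ = tune(alarms, **rules)
    kept_set = set(kept)
    return Counter(a.sig_name for a in alarms if a not in kept_set)


if __name__ == "__main__":
    kept, dropped = tune(SAMPLE_ALARMS)
    print(f"kept {len(kept)} of {len(SAMPLE_ALARMS)}; dropped: {dict(dropped)}")
    for a in kept:
        print(f"  sev {a.severity} sig {a.sig_id} {a.sig_name}: {a.src} -> {a.dst}")
    print("suppressed per signature:", dict(noise_by_signature(SAMPLE_ALARMS)))
```

Run as written, the three rules remove one alarm each and leave the external host sweep, the Ping of Death and the zone-transfer attempt in the queue. The order of checks matters in practice: exclusions are applied per signature rather than globally so that a whitelisted scanner subnet does not also silence a high-severity alarm from a compromised host on it, and the severity floor is applied last so that it never masks why a specific alarm was dropped.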