Cisco Support Community

New Member

CSA guru

Folks,

Does anyone on this forum have a good understanding of the CSA product, specifically policy tuning?

3 REPLIES
Silver

Re: CSA guru

Prioritize the security features you want to implement with CSA policies. You can also prioritize applications and groups. By having clear priorities and working through a single policy improvement at a time, you can manage the complexity of deploying large policy sets in large networks. For example, based on priorities, you can keep a specific rule module in test mode while the rest of the rule modules in the policy are in live mode. For more information, refer to the following link: http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_installation_guide_chapter09186a00805aec7a.html#wp962106

New Member

Re: CSA guru

Take a look at the book:

Advanced Host Intrusion Prevention with CSA

ISBN 1-58705-252-0

Cisco Press

It covers CSA deployments and the decision processes to use in tuning.

New Member

Re: CSA guru

Here's how I've been doing it:

- Start with a brand new policy<->module. I assign a test group to this policy.

- Create all my rules from scratch. Every day, I add one or two more rules. I do this so I know EXACTLY what my rule is doing, and I have an objective I want to fulfill. I also make the rule as granular/specific as possible.

- Every day I open the module and look at how many events were generated per rule in the last 24 hours. If they're higher than I want, I review the events, then adjust the rule. Sometimes I further break down the rule into even more granular rules.

- When I am satisfied with my rule module, I'm going to sort out the rules into multiple modules attached to the same policy. Then I will attach my active groups to the policy.

Keep in mind I'm covering a lot of hosts and not focusing on any one service, so in the end all of my groups/hosts will use this new policy/modules. Then I will add exceptions to each group when needed.
