IPS configuration guide
Skip to IPS maintenance tuning and response guide
Go back to IPS installation guide
Configuration is, and will remain, vendor specific; however, the list below can be used as a universal baseline when configuring your IPS sensor. Configuring IPS sensors is both a science and an art!
- IPS sensor is installed properly (you may have just read this article)
- Configure NTP server
- Central logging server
- Trusted host and out of band connectivity
- Signature definition sets and event actions
Configure NTP server
If you plan on being able to perform incident response with any precision, you must have Network Time Protocol (NTP) configured on every network device that produces logs, and this includes your IPS sensor. Most importantly, you'll want your servers, network devices and PCs getting time from the same source as your IPS sensor. A lot of information is available on the web about this, so give it a search. It doesn't take long to configure, and it must be done securely. As a recommendation, you need two devices in your network getting NTP from a source such as http://tf.nist.gov/service/time-servers.html; these will be your internal NTP servers. You need access lists protecting the source and destination of all NTP traffic. Now configure all internal devices to pull time from the internal servers (don't forget your ACLs).
Central logging server
A central logging server, such as a stripped-down UNIX box, Cisco MARS, or a Linux logging server, will help with correlating events and other notifications to better assist you with incident response. Many IPS systems have independent event correlation GUIs; for example, Cisco offers MARS, or you can download IEV (Cisco IPS Event Viewer), and for Snort you could use ACID.
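Putting the two sections above together, here is an added example (not from the original article, and not any vendor's tool) of what a central logging server lets you do and why it depends on a shared time source: it joins IPS alerts to firewall syslog lines by flow tuple within a short time window, and it flags a flow whose firewall record sits minutes away from the sensor's alert, which is what unsynchronised clocks look like at correlation time. The log formats, signature IDs and addresses are all constructed for the example.

```python
"""Correlate IPS alerts with firewall lines collected on a central logging server.

Added example, not part of the original article. Both log formats are simplified,
constructed stand-ins for vendor output; signature IDs and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IPS alerts (Snort-style "fast" alert layout, simplified).
IPS_ALERTS = """\
2024-03-12 14:02:11 [1:100001:1] CONSTRUCTED SSH brute force 203.0.113.7:51234 -> 10.0.5.20:22
2024-03-12 14:02:13 [1:100001:1] CONSTRUCTED SSH brute force 203.0.113.7:51240 -> 10.0.5.20:22
2024-03-12 14:05:40 [1:100002:1] CONSTRUCTED HTTP dir traversal 198.51.100.9:40022 -> 10.0.5.30:80
2024-03-12 14:07:02 [1:100003:1] CONSTRUCTED SMB null session 10.0.7.4:44512 -> 10.0.5.40:445
"""

# Constructed firewall syslog lines from the same central logging server.
# The third line is 15 minutes off the sensor's clock on purpose.
FW_LOGS = """\
2024-03-12T14:02:11Z fw1 action=deny proto=tcp src=203.0.113.7 spt=51234 dst=10.0.5.20 dpt=22
2024-03-12T14:02:13Z fw1 action=deny proto=tcp src=203.0.113.7 spt=51240 dst=10.0.5.20 dpt=22
2024-03-12T14:20:40Z fw1 action=permit proto=tcp src=198.51.100.9 spt=40022 dst=10.0.5.30 dpt=80
"""

IPS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
    r"(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=\w+ "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def parse_ips(text):
    """Parse the constructed IPS alert lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def parse_fw(text):
    """Parse the constructed firewall syslog lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def flow_key(e):
    """The 4-tuple both devices agree on regardless of their clocks."""
    return (e["src"], e["spt"], e["dst"], e["dpt"])


def correlate(ips_text, fw_text, window=timedelta(seconds=5)):
    """For each IPS alert, find the firewall record of the same flow.

    A record inside the window is a match. A record for the same flow but far
    outside the window is reported as suspected clock skew: the traffic clearly
    happened, yet the two devices disagree about when.
    """
    fw_by_flow = defaultdict(list)
    for e in parse_fw(fw_text):
        fw_by_flow[flow_key(e)].append(e)
    results = []
    for a in parse_ips(ips_text):
        candidates = fw_by_flow.get(flow_key(a), [])
        if not candidates:
            results.append({"sid": a["sid"], "flow": flow_key(a), "status": "no_firewall_record",
                            "skew_s": None, "fw_action": None})
            continue
        nearest = min(candidates, key=lambda f: abs(f["ts"] - a["ts"]))
        skew = (nearest["ts"] - a["ts"]).total_seconds()
        status = "matched" if abs(skew) <= window.total_seconds() else "clock_skew_suspected"
        results.append({"sid": a["sid"], "flow": flow_key(a), "status": status,
                        "skew_s": skew, "fw_action": nearest["action"]})
    return results


if __name__ == "__main__":
    for r in correlate(IPS_ALERTS, FW_LOGS):
        print(r["status"], r["sid"], r["flow"], "skew:", r["skew_s"], "fw:", r["fw_action"])
```

The internal SMB alert has no firewall record at all, which is the normal outcome for traffic that never crosses the firewall; the point of the skew status is that a same-flow record 900 seconds away is not evidence the alert was wrong, it is evidence that one of the two devices is not pulling time from your internal NTP servers.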
Trusted host and out of band connectivity
Now define the trusted hosts allowed to administer your IPS. In most cases this can be configured within the appliance or, optionally, via an external access list. In case the IPS monitoring interface is ever flooded with traffic, or it faces a VLAN to which you don't have direct access, be sure to configure an out-of-band management interface. This interface is used only for management and gives you access to the device for management purposes.
Signature definition sets and event actions
Signature sets are what the IPS sensor looks for when inspecting traffic. Event actions define what the IPS will do when a signature is triggered; this doesn't apply to IDS systems, as they only raise an alarm. If possible, you want all traffic for Windows boxes coming into one interface or sensor and all UNIX boxes coming into another interface or sensor. Apply this principle where applicable. Why? You want the signature set tuned to look for specific traffic per interface or sensor, because the sensor takes a performance hit when it's matching against too many signatures. If you're monitoring a server farm of UNIX boxes, why look for Windows vulnerabilities and waste your IPS CPU?
Conclusion
When you first configure your IPS you'll need to tune out all the noise and false positives. False positives are normal network traffic that triggers the IPS signature set. Be sure to initially configure the IPS NOT to deny any traffic, or else you'll be denying connections all over the place for no reason. Once you have all the noise filtered out you can let your IPS loose and tell it to deny traffic as needed. If you have any questions or comments please feel free to post them below.
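As an added example (mine, not the article's and not any vendor's configuration syntax), the following Python models the two ideas from the signature and conclusion sections together: each sensor only loads the signatures written for the platform it watches, and every signature stays alert-only during a baseline period; once tuning is complete, signatures that fired only from a handful of internal hosts are treated as noise and kept in alert mode with a source filter, while the rest are promoted to deny. Sensor names, signature IDs, the platform tags, the internal address range and the baseline alert sample are all constructed.

```python
"""Per-sensor signature selection and event actions after a tuning period.

Added example, not from the original article. Signature IDs, sensor names,
platform tags, the internal range and the baseline alerts are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed signature catalogue: which platform each signature is written for.
SIGNATURES = {
    "100001": {"msg": "SSH brute force", "platform": {"unix", "windows"}},
    "100002": {"msg": "HTTP directory traversal", "platform": {"unix", "windows"}},
    "100003": {"msg": "SMB null session probe", "platform": {"windows"}},
    "100004": {"msg": "Samba RPC overflow attempt", "platform": {"unix"}},
    "100005": {"msg": "SNMP default community", "platform": {"unix", "windows"}},
}

# Constructed sensor inventory: one sensor per server farm, as the article recommends.
SENSORS = {
    "sensor-unix-farm": {"unix"},
    "sensor-windows-farm": {"windows"},
}

# Constructed internal address space used to tell "our hosts" from outside sources.
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed baseline: (sensor, signature id, source ip) seen while everything was alert-only.
BASELINE_ALERTS = [
    ("sensor-unix-farm", "100005", "10.0.1.5"),      # monitoring hosts polling SNMP: noise
    ("sensor-unix-farm", "100005", "10.0.1.6"),
    ("sensor-unix-farm", "100005", "10.0.1.7"),
    ("sensor-unix-farm", "100001", "203.0.113.7"),   # repeated external SSH guessing
    ("sensor-unix-farm", "100001", "203.0.113.7"),
    ("sensor-unix-farm", "100004", "198.51.100.9"),
    ("sensor-windows-farm", "100003", "203.0.113.50"),
]


def signatures_for_sensor(sensor):
    """Enable only the signatures whose platform matches what this sensor watches."""
    wanted = SENSORS[sensor]
    return sorted(sid for sid, s in SIGNATURES.items() if s["platform"] & wanted)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def tuning_report(alerts, sensor, noise_internal_sources=3):
    """Classify each signature that fired on a sensor during the baseline period.

    A signature triggered by several internal hosts and never by an outside
    source is treated as noise (normal traffic matching the signature).
    """
    by_sid = defaultdict(set)
    for s, sid, src in alerts:
        if s == sensor:
            by_sid[sid].add(src)
    report = {}
    for sid, srcs in by_sid.items():
        internal = sorted(ip for ip in srcs if is_internal(ip))
        external = sorted(ip for ip in srcs if not is_internal(ip))
        noisy = len(internal) >= noise_internal_sources and not external
        report[sid] = {"verdict": "noise" if noisy else "candidate",
                       "internal": internal, "external": external}
    return report


def event_actions(sensor, alerts, tuning_complete):
    """Per-signature event action for one sensor, plus source filters for known noise.

    While tuning is in progress every signature stays alert-only, so a noisy
    signature can never start dropping legitimate connections.
    """
    report = tuning_report(alerts, sensor)
    actions, filters = {}, {}
    for sid in signatures_for_sensor(sensor):
        entry = report.get(sid)
        if not tuning_complete or entry is None:
            actions[sid] = "alert"            # still tuning, or never fired: keep visibility only
        elif entry["verdict"] == "noise":
            actions[sid] = "alert"            # keep the signature, suppress the benign sources
            filters[sid] = entry["internal"]
        else:
            actions[sid] = "deny"             # tuned and real: let the IPS loose on it
    return {"actions": actions, "filters": filters}


if __name__ == "__main__":
    for name in SENSORS:
        print(name, "loads", signatures_for_sensor(name))
        print("  during tuning:", event_actions(name, BASELINE_ALERTS, False)["actions"])
        print("  after tuning: ", event_actions(name, BASELINE_ALERTS, True))
```

Note that a signature which never fired during the baseline is left in alert mode rather than promoted to deny: a deny action you have never seen trigger is exactly the kind that denies connections "for no reason" the first time it does.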
Now you're ready for the IPS maintenance, tuning and response guide
Mahadev says
Dear All,
You have just informed about IPS information. I need to know how to complete a practical on IPS 4240.
Mahadev Patil
Kurt says
If you're in need of complete configuration guides then visit Cisco's website …