Analysing and configuring IPS/IDS Policies

From: AsTriXs (astrixs_at_gmail.com)
Date: 07/30/05

    Date: Sat, 30 Jul 2005 11:05:29 +0530
    To: focus-ids@securityfocus.com
    
    

    Hello All,

    I am currently in the process of implementing an IPS at a client site.
    I have reached the stage where I have to configure and deploy
    policies.

    There are various approaches to deploying policies from the ground up and
    then fine-tuning them through their lifecycle. I have mentioned the
    two that I am aware of and also the environment in which they need to be
    deployed.

    The IPS appliance has been deployed behind a firewall in front of a
    server farm.
    The traffic passing through the appliance is what is configured to
    pass on the firewall.

    First Approach

    We analyse alerts observed on the allowed protocols and create
    exceptions (within trusted domains) for all false positives (or any
    traffic which is permitted on the network but flagged as malicious
    by the IPS) observed. Set a policy (block or log) for all other
    alerts. Appropriate policies for inbound and outbound traffic flows
    are set. Alerts are closely monitored and fine-tuned over time to
    avoid self-imposed DoS.

    This way we create exceptions for legitimate traffic and block
    everything else. There is a possibility that a legitimate action,
    which was not observed before, may get blocked. However, this approach
    makes the target environment most secure in my opinion.

    Second Approach

    Alerts observed on the allowed protocols are analysed and policies are
    set only for the malicious traffic observed. Policies are added at
    each instance of malicious traffic observed on the network. Protocols
    not allowed in the environment are set to be dropped. Appropriate
    policies for inbound and outbound traffic flows are set.

    In this approach, we are open to attacks but the chances of self-inflicted
    DoS are minimal.

    I request comments & views from all on the advantages and
    disadvantages of each approach to help me deploy policies effectively.
    Information on other approaches would also be appreciated.

    Also, is there a method or a best practice followed while analysing
    alerts and deploying policies?

    Thank you,

    -- 
    [AsTriXs]
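As an added illustration (not part of the original post), here is a small Python model of the two approaches run over constructed alerts; the trusted networks, signature names and addresses are invented, and it scores each policy by how many legitimate events it blocks (self-inflicted DoS) and how many malicious events it lets through.

```python
import ipaddress
from typing import NamedTuple


class Alert(NamedTuple):
    src: str     # source IP of the flow that triggered the signature
    sig: str     # IPS signature name
    legit: bool  # ground truth, used only to score the outcome


# Constructed sample data (hypothetical ranges, signatures and addresses).
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16"),
                ipaddress.ip_network("192.0.2.0/24")]
OBSERVED = [  # alerts seen during the observation window
    Alert("10.1.4.7", "HTTP_LONG_URI", True),       # monitoring probe, false positive
    Alert("192.0.2.10", "SMTP_ATTACH_EXE", True),   # patch distribution, false positive
    Alert("198.51.100.9", "HTTP_CMD_EXEC", False),  # real attack seen in the window
]
NEW_TRAFFIC = [  # alerts after deployment, including events never seen before
    Alert("10.1.4.7", "HTTP_LONG_URI", True),       # known false positive
    Alert("10.1.9.2", "FTP_LONG_USER", True),       # new legitimate action, never observed
    Alert("198.51.100.9", "HTTP_CMD_EXEC", False),  # known attack
    Alert("203.0.113.5", "SSH_BRUTE", False),       # new attack, never observed
]


def in_trusted(src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)


def build_first_approach(observed):
    """Exceptions for false positives from trusted sources; block everything else."""
    exceptions = {(a.src, a.sig) for a in observed if a.legit and in_trusted(a.src)}
    return lambda a: "allow" if (a.src, a.sig) in exceptions else "block"


def build_second_approach(observed):
    """Block only signatures already seen carrying malicious traffic; allow the rest."""
    blocked = {a.sig for a in observed if not a.legit}
    return lambda a: "block" if a.sig in blocked else "allow"


def score(policy, traffic):
    """Count self-inflicted denials (legit blocked) and misses (malicious allowed)."""
    self_dos = sum(1 for a in traffic if a.legit and policy(a) == "block")
    missed = sum(1 for a in traffic if not a.legit and policy(a) == "allow")
    return {"self_dos": self_dos, "missed": missed}


if __name__ == "__main__":
    for name, build in (("first", build_first_approach), ("second", build_second_approach)):
        print(name, score(build(OBSERVED), NEW_TRAFFIC))
```

Re-running `score` after each tuning round (adding an exception in the first approach, a block rule in the second) shows which direction the policy is drifting before it is enforced.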
