Cisco Cisco IPS 4255 Sensor Weißbuch

Technical Overview

Page 18 of 18

80 and 94 will be dynamically denied inline. Finally, events with any Risk Rating (between 0 and

100) will trigger an alert in the log.

The implementation of event action overrides is a useful tool that extends the quarantine of hosts

by Cisco Security Agent to the IPS, delivering a true end-to-end enforcement, from the endpoint to

the network. While the use of this practice yields clear benefits, there are some important aspects

that should be considered prior to its adoption:

●

After an event action override is set it applies to all events with Risk Ratings falling in the

range configured, not only those concerning to hosts in the Watch List.

●

The IPS will not enforce any action until the host present in the Watch List triggers an event

with a resulting Risk Rating falling in the range specified for the event action override. This

means the IPS will not quarantine a host immediately after it receives a quarantine event

from Cisco Security Agent MC. An action on the host will be enforced only after the host

triggers an event in the IPS.

Related Docs

Listed in alphabetical order:

●

Cisco IPS Risk Rating Explained:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_pa

per0900aecd80191021.shtml

●

Installing and Using Cisco Intrusion Prevention System Device Manager 6.0:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_b

ook09186a00807a8a2a.html

●

Using Management Center for Cisco Security Agents 5.0:

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_b

ook09186a00805ae89c.html

●

Using Management Center for Cisco Security Agents 5.1:

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_b

ook09186a008067b6a5.html

Printed in USA

C11-387679-01 08/07