Cisco IPS 4255 Sensor White Paper
Overview
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
IPS features include risk rating, which identifies high-risk events, and policy-based management,
which easily lets you deploy rules that enforce an IPS signature action based on risk rating.
In the real-life case study and tuning process that follows, basic steps will be taken to reduce
alerts. When finished, you will see that the remaining results are actionable IPS events that you
can use to determine if a real attack has been attempted on your network.
The network topology for this case study includes six devices, each with a specific purpose.
1. A Cisco Advanced Inspection and Prevention Security Services Module 40 (AIP-SSM 40)
protecting a data center server. The management IP address is 172.16.254.204. This device
will detect and report all data traversing the network that matches a signature or threat
protection algorithm used by the Cisco IPS.
2. A scanning device that is known to network and security administrators. This device is used by
network and security administrators to find security holes (vulnerabilities) in their network
devices. A scanning device like this is usually running 24x7; for simplicity in this case study,
we are running it on demand so the alerts being tuned are manageable. The IP address is
172.16.50.40.
3. Two devices used to generate real attacks on the server. The IP addresses are 172.16.50.60
and 10.1.1.1.
4. Two data center servers that are being protected by the IPS. These servers are unpatched,
and their IP addresses are 172.16.50.70 and 10.1.1.2.
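The two tuning ideas introduced above, risk-rating-based actions and suppressing a known scanner, as an added Python example that is not part of this white paper and not Cisco IPS code. It uses the case-study addresses; the alert line format, signature IDs and the risk-rating thresholds are constructed assumptions (Cisco's risk rating is a 0-100 score, but the override values are a site decision).

```python
"""Triage of IPS alerts by risk rating plus a known-scanner filter (added example)."""
from dataclasses import dataclass

# Addresses taken from the case-study topology.
KNOWN_SCANNER = "172.16.50.40"
PROTECTED_SERVERS = {"172.16.50.70", "10.1.1.2"}

# Assumed thresholds: the page does not specify an override policy.
DENY_THRESHOLD = 90
ALERT_THRESHOLD = 50


@dataclass
class Alert:
    sig_id: int
    attacker: str
    victim: str
    risk_rating: int


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'sig|attacker|victim|rr' line (not Cisco's real alert format)."""
    sig, attacker, victim, rr = line.strip().split("|")
    return Alert(int(sig), attacker, victim, int(rr))


def decide_action(alert: Alert) -> str:
    """Known scanner is filtered out; everything else is actioned by risk rating."""
    if alert.attacker == KNOWN_SCANNER:
        return "filtered"  # event action filter for the administrators' scanner
    if alert.risk_rating >= DENY_THRESHOLD:
        return "deny"      # event action override for high-risk events
    if alert.risk_rating >= ALERT_THRESHOLD:
        return "alert"
    return "log"           # low risk: keep for forensics, do not page anyone


def triage(lines):
    """Return the actionable (deny/alert) events, highest risk rating first."""
    decided = [(a, decide_action(a)) for a in map(parse_alert, lines)]
    actionable = [(a, act) for a, act in decided if act in ("deny", "alert")]
    return sorted(actionable, key=lambda pair: pair[0].risk_rating, reverse=True)


# Constructed sample alerts: a scanner sweep, a real attack, and background noise.
SAMPLE_ALERTS = [
    "3041|172.16.50.40|172.16.50.70|95",  # scanner hitting a protected server
    "5081|172.16.50.60|172.16.50.70|92",  # attack host from the case study
    "2004|10.1.1.1|10.1.1.2|60",
    "1204|192.0.2.7|10.1.1.2|25",         # low-risk event from an unrelated host
]

if __name__ == "__main__":
    for alert, action in triage(SAMPLE_ALERTS):
        print(f"{action:5} sig={alert.sig_id} {alert.attacker} -> {alert.victim} rr={alert.risk_rating}")
```

Of the four constructed alerts, only the two from the attack hosts survive triage; the scanner's high-risk event is filtered rather than denied, which is the point of tuning a known source before acting on risk rating.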
Following is the topology of the lab used in this case study.
Figure 1.
Following is a basic step-by-step process for tuning using Cisco IPS Manager Express, which is
available in Cisco IPS Sensor Software v6.1 or later.
1. The first and most critical task for ensuring that the IPS does not overburden you with alerts is
to place the IPS in your network behind a perimeter filtering device. This simple placement
task may reduce the number of alerts that you need to filter by several thousand events per
day.
2. Deploy your IPS with the default signatures in place. There are no specialized profiles or
specialized parameters that need to be configured to deploy a Cisco IPS. The default