Cisco IPS 4255 Sensor White Paper
Technical Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
80 and 94 will be dynamically denied inline. Finally, events with any Risk Rating (between 0 and
100) will trigger an alert in the log.
The implementation of event action overrides is a useful tool that extends the quarantine of hosts by Cisco Security Agent to the IPS, delivering true end-to-end enforcement, from the endpoint to the network. While this practice yields clear benefits, there are some important aspects that should be considered before adopting it:
● After an event action override is set, it applies to all events with Risk Ratings falling in the configured range, not only those concerning hosts in the Watch List.
● The IPS will not enforce any action until a host present in the Watch List triggers an event with a resulting Risk Rating falling in the range specified for the event action override. This means the IPS will not quarantine a host immediately after it receives a quarantine event from Cisco Security Agent MC. An action on the host will be enforced only after the host triggers an event in the IPS.
Related Docs
Listed in alphabetical order:
● Cisco IPS Risk Rating Explained: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd80191021.shtml
● Installing and Using Cisco Intrusion Prevention System Device Manager 6.0: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html
● Using Management Center for Cisco Security Agents 5.0: http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_book09186a00805ae89c.html
● Using Management Center for Cisco Security Agents 5.1: http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_configuration_guide_book09186a008067b6a5.html
Printed in USA
C11-387679-01 08/07