Cisco IPS 4255 Sensor White Paper
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 7
Cisco IPS Tuning Overview
Overview
Increasingly sophisticated attacks on business networks can impede business productivity,
obstruct access to applications and resources, and significantly disrupt communications. And
because of compliance regulations and consumer privacy laws, business priorities now include
minimizing legal liability, protecting brand reputation, and safeguarding intellectual property.
Cisco® Intrusion Prevention System (IPS) solutions are an integral part of the Cisco Self-Defending
Network and Cisco Threat Control solutions, providing end-to-end protection for your network. This
inline, network-based defense can identify, classify, and stop known and unknown threats,
including worms, network viruses, application threats, system intrusion attempts, and application
misuse. In addition, a Cisco IPS solution will protect against new day-zero threats, botnet data
leakage, and security evasion attempts.
Cisco IPS 4200 Series Sensors and Cisco IPS Sensor Software deliver high-performance,
intelligent detection with precision response, from the network edge to the data center. This
technology evaluates metrics in both multimedia and transactional environments, so you can
anticipate true IPS performance tailored to your business.
About This Paper
This paper explains the basics of IPS tuning and guides you through the tuning process to provide
you with actionable information that you can research to help ensure the security of your network
assets. This paper is geared toward Cisco partners, Cisco customers, or anyone who needs a
basic understanding of Cisco IPS.
Tuning Step 1: Correct IPS Deployment
An IPS device should always be placed behind a perimeter filtering device such as a firewall or an
adaptive security appliance (such as a Cisco 5500 Series Adaptive Security Appliance). The
perimeter device will filter traffic to match your security policy, allowing only expected acceptable
traffic into your network. Correct placement significantly reduces the number of alerts, thereby
increasing the proportion of actionable data that you can use to investigate security violations. Conversely, if you
place an IPS device at the edge of your network in front of the firewall, the IPS will fire on
every scan and attempted attack, even those that have no relevance to your network
implementation. This could result in hundreds, thousands, or—in the case of larger enterprises—
possibly millions of alerts that are not critical or actionable in your environment.
Wading through this data would be a costly and near-impossible process.
Step 2: The IPS Tuning Process
IPS tuning helps ensure that the alerts you are seeing are real, actionable information. Without
tuning, you will potentially have thousands of benign events, making it difficult for you to conduct
any security research or forensics on your network. Benign events, also known as false positives,
occur in all IPS devices, but they occur far less often in devices such as Cisco IPS devices, which
are stateful and normalized, and use vulnerability signatures for attack evaluation. Additional Cisco