IPS Deployment Considerations
In order to have an effective and reliable IPS system, the following questions should be considered by the administrator:

IPS Deployment Recommendations
The following are the recommendations for IPS deployment:
Enable only the IPS signatures for the traffic that is being allowed. For example, if the IP rule set only allows HTTP traffic then there is no point enabling FTP signatures.
Once the relevant IPS signatures are selected, initially run in Audit mode.
After running in Audit mode for a sample period with live traffic, examine the log messages generated. Check for the following:
When IPS triggers, what kind of traffic is it triggering on?
Is the correct traffic being identified?
Are there any false positives with the signatures that have been chosen?
Adjust the signature selection and examine the logs again. Several adjustments may be needed before the logs show that the desired effect is being achieved with the minimum of false positives.
If certain signatures are repeatedly triggering it may indicate a server is under attack.
After a short period running in Audit mode with satisfactory results showing in the logs, switch IPS over to Protect mode so that triggering connections are dropped by cOS Stream.
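The review steps above (what is triggering, whether it is the intended traffic, whether a signature is a false positive, and whether repeated triggers point at a server under attack) are easier to carry out with a small script that summarises the Audit-mode log per signature. The following is an added example and is not code from the cOS Stream documentation or product. The key=value log layout, the signature numbers, the addresses and the trusted-network list are all constructed for the example; the real cOS Stream log format differs and the regular expression would need to be adapted to it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Audit-mode IPS log lines. The key=value layout is an
# assumption made for this example and is NOT the real cOS Stream log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ips action=audit sig=2001 src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:07 ips action=audit sig=2001 src=10.0.0.6 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:12 ips action=audit sig=2001 src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:20 ips action=audit sig=2001 src=10.0.0.9 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:01:00 ips action=audit sig=3105 src=203.0.113.1 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:01:01 ips action=audit sig=3105 src=203.0.113.2 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:01:02 ips action=audit sig=3105 src=203.0.113.3 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:01:03 ips action=audit sig=3105 src=203.0.113.1 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:01:04 ips action=audit sig=3105 src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:01:05 ips action=audit sig=3105 src=203.0.113.2 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:02:00 ips action=audit sig=4000 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:02:30 ips action=audit sig=4000 src=198.51.100.7 dst=192.0.2.11 proto=tcp dport=80
this line is not an ips event and is skipped by the parser
"""

# Hypothetical line format: timestamp, "ips", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ips action=(?P<action>\w+) sig=(?P<sig>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Yield one dict per well-formed IPS event line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(text, trusted_nets, repeat_threshold=5, trusted_ratio=0.75):
    """Summarise Audit-mode hits per signature and attach a verdict.

    trusted_nets: networks whose traffic is expected and allowed by the rule set.
    A signature that fires almost only on trusted sources is flagged as a likely
    false positive; one that fires repeatedly from untrusted sources is flagged
    as a possible attack on the target; anything else stays under review.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    stats = defaultdict(lambda: {"hits": 0, "sources": set(),
                                 "trusted_hits": 0, "targets": set()})
    for ev in parse_events(text):
        if ev["action"] != "audit":      # only Audit-mode events are of interest here
            continue
        s = stats[ev["sig"]]
        s["hits"] += 1
        s["sources"].add(ev["src"])
        s["targets"].add(ev["dst"])
        if any(ipaddress.ip_address(ev["src"]) in n for n in nets):
            s["trusted_hits"] += 1

    report = {}
    for sig, s in stats.items():
        if s["trusted_hits"] / s["hits"] >= trusted_ratio:
            verdict = "likely-false-positive"   # revisit before Protect mode
        elif s["hits"] >= repeat_threshold:
            verdict = "possible-attack"         # repeated triggers, untrusted sources
        else:
            verdict = "review"                  # keep in Audit mode, re-check later
        report[sig] = {
            "hits": s["hits"],
            "distinct_sources": len(s["sources"]),
            "trusted_hits": s["trusted_hits"],
            "targets": sorted(s["targets"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for sig, row in sorted(triage(SAMPLE_LOG, ["10.0.0.0/8"]).items()):
        print(f"sig {sig}: {row}")
```

Run against a longer Audit-mode sample, the report gives one row per signature; signatures marked likely-false-positive are the ones to drop or tune before the switch to Protect mode, while a possible-attack row is the pattern described above of a single server being hit repeatedly. The thresholds are starting points and should be tuned to the site's traffic volume.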