IDP Deployment Considerations
In order to have an effective and reliable IDP system, the following questions should be considered by the administrator:
What kinds of traffic should be analyzed?
What kinds of intrusions should be searched for in that traffic?
What action should be carried out if an intrusion attempt is detected?
IDP Deployment Recommendations
The following are the recommendations for IDP deployment:
Enable only the IDP signatures for the traffic that is being allowed. For example, if the IP rule set is only allowing HTTP traffic then there is no point enabling FTP signatures.
Once the relevant IDP signatures are selected, initially run in Audit mode.
After running in Audit mode for a sample period with live traffic, examine the log messages generated. Check for the following:
When IDP triggers, what kind of traffic is it triggering on?
Is the correct traffic being identified?
Are there any false positives with the signatures that have been chosen?
Adjust the signature selection and examine the logs again. There may be several adjustments before the logs demonstrate that the desired effect is being achieved, with the very minimum of false positives.
If certain signatures are repeatedly triggering, it may indicate that a server is under attack.
After a short period running in Audit mode with satisfactory results showing in the logs, switch IDP over to Protect mode so that triggering connections are dropped.
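The log review steps above (what traffic triggers, whether it matches the allowed services, possible false positives, repeated triggers against one server) can be scripted over the Audit mode log. The following is an added example, not code or a log format from the product; the log line layout, signature names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Audit mode IDP log lines. The field layout and the
# signature names are assumed for this example, not the product's real format.
SAMPLE_LOGS = """\
idp action=audit sig=HTTP_CS-URI-Overflow src=203.0.113.10 dst=192.0.2.5 dport=80
idp action=audit sig=HTTP_CS-URI-Overflow src=203.0.113.11 dst=192.0.2.5 dport=80
idp action=audit sig=HTTP_CS-URI-Overflow src=203.0.113.12 dst=192.0.2.5 dport=80
idp action=audit sig=HTTP_CS-URI-Overflow src=203.0.113.10 dst=192.0.2.5 dport=80
idp action=audit sig=HTTP_CS-URI-Overflow src=203.0.113.13 dst=192.0.2.5 dport=80
idp action=audit sig=FTP_CS-SiteExec src=198.51.100.7 dst=192.0.2.5 dport=21
idp action=audit sig=HTTP_CS-UserAgent src=192.0.2.20 dst=192.0.2.5 dport=80
"""

LOG_RE = re.compile(r"action=(\w+) sig=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def summarize(log_text):
    """Group Audit mode triggers by signature: hit count, sources, destinations, ports."""
    stats = defaultdict(lambda: {"hits": 0, "srcs": set(), "dsts": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an IDP trigger record
        _action, sig, src, dst, port = m.groups()
        s = stats[sig]
        s["hits"] += 1
        s["srcs"].add(src)
        s["dsts"].add(dst)
        s["ports"].add(int(port))
    return dict(stats)

def triage(stats, allowed_ports, repeat_threshold=5):
    """Apply the review checks to each signature; allowed_ports are the services the IP rule set permits."""
    findings = {}
    for sig, s in stats.items():
        flags = []
        if not s["ports"] & allowed_ports:
            flags.append("triggers outside the allowed services; revisit the signature selection")
        if s["hits"] >= repeat_threshold and len(s["dsts"]) == 1:
            flags.append("repeated triggers against one host; possible attack on that server")
        if s["hits"] == 1:
            flags.append("single trigger; inspect the session for a false positive")
        findings[sig] = flags
    return findings

if __name__ == "__main__":
    for sig, flags in triage(summarize(SAMPLE_LOGS), allowed_ports={80}).items():
        print(sig, flags)
```

Rerun the summary after each adjustment to the signature selection until the remaining triggers are the expected ones, then switch to Protect mode.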