Intrusion Prevention Fundamentals

Before you embark upon a NIPS deployment, have realistic expectations about what is involved. This chapter used a real-world NIPS product as an example to illustrate the decisions that need to be made at each phase in a NIPS deployment. You have to perform five major Cisco NIPS deployment phases:

Step 1.

Understand the product

Step 2.

Predeployment planning

Step 3.

Sensor deployment

Step 4.

Tuning

Step 5.

Finalize the project

Understand the Product

The first task in any NIPS deployment is to make sure you fully understand the product you are going to be deploying. Review Chapters 7 and 8 so that you are familiar with the potential components, capabilities, and benefits associated with NIPS products. Then, determine which components, capabilities, and benefits your product includes. Also, be sure to investigate the product's management capabilities.

Predeployment Planning

The planning phase of a NIPS deployment must occur before anything has been implemented. During this phase, you need to

  • Review the security policy Determine what, if any, impact your corporate security product has on the NIPS implementation.

  • Define goals Decide what the goals are for the implementation.

  • Select and classify sensor deployment locations Decide where and what types of sensors are to be deployed on your network.

  • Plan for ongoing management Begin to plan for post-implementation of the product.

  • Choose a management architecture Design the management solution.

Sensor Deployment

The next phase is to deploy the sensors you chose during your planning session. Along with deploying your sensors, you also need to install your management software and make sure that access to the management tool has been secured, because it is a prime target for attack.

Tuning

One purpose of the tuning phase is to locate and eliminate false positives. Another aspect of tuning is to create necessary filters to overcome known false positive situations. Finally, tuning involves configuring signature actions. Generating one or more of the following actions when signatures fire helps to fully utilize the functionality that your IPS sensors provide:

  • Drop traffic (in-line mode only)

  • Block traffic

  • Log traffic

  • Reset a TCP connection

Finalize the Project

In the final phase of your NIPS deployment, you need to create procedures to govern the following:

  • Change control

  • Backup and restore

  • Log archive

  • Incident response

Related

Категории