IPS SIG's

Ok everyone I would like everyone’s help on this!! I am trying to put together a standard deployment guide image as you will for my customer or potential customer as I am a Consultant and I work in a lot of different environments but not all so I come to you the people for you expertise and experience with cisco IPS 6.x or 5.x so this is what I am looking for I am looking for sigs that you hade to turn off right away because A. it broke your environment B. slowed down your environment u do not need to tell me what your Config is or how you are setup im just trying to put together a data mold so that I may be able to put together a Config that will work right out of the box!!! :idea:



The CSMGUY

Hi,

It is not recommended to use the same configuration file for all the IPS devices in different environment. First you need to study about the network architecture and the traffic which is flowing on the network.

Depending up on the network traffic flow you need to enable the right signature

For example in your office the web service is on IIS then you then you need to enable the IIS related signature and not the Apache related signature, in this way you can reduce the load on the device.

Make sure while creating the costume signature because it will lead to the high CPU utilization if you are not configuring it properly.

If you are using CISCO products then you can use the MySND to know more about the signature depending on that you can enable or disable the signature.

From version 6.x you can configure the virtual sensor and bind different interface pair to different virtual sensor.

For example you can assign 1 pair of interface to virtual sensor 1 and place it on internet segment, for that sensor enable the Virus, sperm, worm, http signatures etc.

Assign the other pair of interface to the 2nd virtual sensor and place it in the LAN segment which is not having Internet access and enable the right signature. So that no need to inspect all the traffic with all the signature.