Best Practices

For seamless operation and deployment of IPS Sensor in your network, you should take some proactive actions and do proper planning before IPS Sensor deployment. This section alerts you to some of the important issues that will make your IPS deployment and operations problem free.

Preventive Maintenance

Recovering IPS in the time of failure is crucial. Take the following preventive steps, so that you will be capable of recovering IPS in the event of failure.

Creation of Service Account

A service account is a special user account that gives you access to the Linux shell and eventually root access of the sensor. If you lost all other users' passwords, you could reset them using the service account. Additionally, the service account can be used to log in to the sensor to collect additional data for problem analysis. If you have not created the service account or if you have lost the password of the service account, along with the administrator account password of the sensor, then the only work-around is to re-image the sensor. More details on how to create a service account can be found under the "User Management Issues" section of this chapter.

Back up a Good Configuration

There are three ways you can back up the current configuration of the sensor:

• Back up locally on the sensor It is extremely useful to keep a good working configuration before making any changes to the current configuration. This is extremely convenient because you can both erase the current configuration with the backup configuration or merge it.

• Backup in Remote Server This is important at the time of a crash. You can recover the sensor from a crash. You can also copy a working copy of the sensor to multiple sensors that need the same configuration.

• Using IPS MC If IPS Sensor is managed by IPS MC, you have a working configuration copy on the local database of IPS MC.

Sections that follow discuss the configuration steps required to use the backup configuration of the sensor both locally and to a remote server.

Backup Locally on the Sensor

Work through the following steps to back up the configuration of the Sensor:

sensor# copy current-config backup-config 

sensor# more backup-config 

sensor# copy backup-config current-config 

sensor# copy /erase backup-config current-config 

sensor# erase current-config 

Backup in Remote Server

You can use FTP/SCP/HTTP/HTTPS servers as remote servers to back up and restore the Sensor configuration. Work through the following steps using FTP to back up and restore the sensor's configuration:

sensor# copy current-config   ftp://admin_user@10.1.1.100//tftpboot/update/sensor100.cfg Password: ******** 

sensor# copy ftp://admin_user@10.1.1.100//tftpboot/update/   sensor100.cfg current-config Password: ******** Warning: Copying over the current configuration may leave the box in an   unstable state. Would you like to copy current-config to backup-config before   proceeding? [yes]: Sensor# 

sensor# copy /erase ftp://admin_user@10.1.1.100//tftpboot/update/   sensor100.cfg current-config Password: ******** Warning: Copying over the current configuration may leave the box in an   unstable state. Would you like to copy current-config to backup-config before   proceeding? [yes] Sensor# 

Recommendation on Connecting Sensor to the Network

The proper placement of the sensor in the network dictates the performance and functionality of the sensor. In this section, you are presented with some recommendations on where to connect the Sensing and Command and Control interfaces in Promiscuous mode.

Recommendation on Connecting the Sniffing Interface of the Sensor to the Network

The location at which you connect your sensor's sniffing interface to the network depends on how much traffic you want to analyze. A general recommendation is to monitor the internal connections of the firewall. This way you will not spend time filtering through alarms for packets that are already stopped by the firewall. If you are interested in understanding the attacks coming to your network before they are filtered by the firewall, connect the sniffing interface on the outside of the firewall. But, this should be done if you have enough human time and proper tools to go through the log. Otherwise, having an overwhelming amount of log information to analyze might be the cause of a legitimate attack going unanalyzed or unmitigated for longer than it should.

Rating IPS Sensor

Just as with any other network devices such as switches, routers, and firewalls, you must rate the IPS sensor higher than the normal traffic that is captured using the sniffing interface. This way the IPS sensor can keep up with usage spikes in the network.

Recommendation on Connecting Command and Control Interface

It is recommended to connect the Command and Control interface to either a specific network for configuring and managing your security devices (often known as the out of band secure management network), or at a minimum, to a VLAN that is used only for managing your security devices. If you are using a VLAN, then the Command and Control interface of the Sensor, interface of your IPS MC and the Security Monitor, and a firewall interface and other security devices, should be placed in this VLAN. You may then route to other VLANs in your network through your firewall to further protect this VLAN. Connections to and from your security devices should be over encrypted connections. The Cisco IPS comes loaded and running with SSH for CLI access, and TLS/SSL for access to its web server.

Recommendation on Settings of Signature on Sensor

The signature on the Cisco Sensor comes with preset severity levels. A general rule of thumb is to begin by using the default severities and see what alarms are detected on your network. Begin by looking at the high-level alarms and determine the cause of the alarm.

The NSDB (Network Security Database) is a good reference for more information about an alarm. The NSDB is installed on the sensors and the IPS MC as part of the signature update process. The NSDB also can be found at the following link:

http://www.cisco.com/cgi-bin/front.x/csec/idsHome.pl

If you see alarms that upon analysis are determined to be normal traffic, then you need to either filter the alarms for the particular address set, or lower the severity of the alarm, or even disable the alarm. Filtering or disabling the alarms will prevent you from having to spend time on these alarms in the future. If an alarm is legitimate, then you will need to determine if your system is vulnerable (refer to the NSDB for information on vulnerable machines). If the machine is not vulnerable, then consider also filtering this alarm. If the machine is vulnerable, you will need to see if the system has been compromised and take appropriate steps. Once the high- severity alarms have been analyzed, determine whether or not you want any automatic actions to occur for these alarms in the future. Available action includes resetting the TCP connection, blocking the source IP address, or logging the packets to and from the source address of the alarm in Promiscuous mode. In Inline mode, the sensor can drop the packet or the connection immediately, along with TCP reset and blocking.

Once you have gone through the high alarms, try to go through the medium-severity alarms following the same procedure. Continue to do the same thing with low-severity and information alarms.

Recommendation on Inline-Mode Deployment

Before deploying your Sensor in Inline mode, it is recommended that you run the Sensor in Promiscuous mode to understand and tune the signature. Once, you have reached an acceptable level of false positive, you can turn on Inline mode on the sensor. Be sure that you have the Bypass mode turned on when the sensor is deployed in Inline mode. Otherwise, if the sensor fails, all traffic going through the sensor will be affected.