Attackers are continually trying to find ways to bypass the protection barriers in security mechanisms. Understanding the following common IDS evasion techniques helps you ensure that these avenues do not create weaknesses in your overall security posture:
The following list shows some of the major obfuscation techniques:
To optimize the effectiveness of your IPS sensors, you need to understand how you can tune the operation of your sensors. When tuning your sensor, you need to consider the following factors:
Tasks involved in tuning your sensors fall into the following three phases based on the length of time that your IPS has been in operation.
Some of the changes you will likely perform during the deployment phase include the following:
Tasks involved in tuning your sensor's global settings fall into the following categories:
You can configure the following IP log settings for your sensor:
Cisco IPS 5.0 provides the capability to perform application policy enforcement for both HTTP and FTP. This functionality is provided by the following two signature engines:
To use this functionality, however, you must enable it on your sensor (by default it is disabled). Reassembly options fall into the following two categories:
When configuring stream reassembly, you define the following parameters:
Whenever a signature triggers, your sensor generates an alert and, potentially, an event. Besides configuring your signature parameters, you can also configure event parameters on your sensor. These event parameters fall into the following categories:
The Target Value Rating enables you to assign an asset value rating to specific IP addresses on your network. The target values that you can assign to an IP address or range of IP addresses are as follows:
In addition to configuring signature actions, you can configure an event action override for each Cisco IPS response action. This override causes actions to be added to signatures if the Risk Rating of the event matches the override definition. Event action filters enable you to configure your sensor to remove actions from events based on one or more of the following criteria:
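The interaction between Target Value Ratings, event action overrides and event action filters is easier to see in code. The following is an added example written for this page, not Cisco's implementation: it models a sensor that looks up a Target Value Rating by IP range, derives a Risk Rating from that rating together with the signature's severity and fidelity (a simplified calculation assumed for the example), adds actions through overrides when the Risk Rating falls in a configured band, and then removes actions through filters matched on signature ID, attacker address, victim address or Risk Rating range. The rating labels and weights, action names, networks and events are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed TVR labels and weights (constructed for this example; the page does
# not list the vendor's values).
TARGET_VALUE_RATINGS = {
    "zero": 50,
    "low": 75,
    "medium": 100,
    "high": 150,
    "mission-critical": 200,
}


@dataclass
class Event:
    """One alert as the sensor sees it, before overrides and filters."""
    sig_id: int
    attacker: str
    victim: str
    severity: int                     # attack severity rating, 0-100
    fidelity: int                     # signature fidelity rating, 0-100
    actions: set = field(default_factory=set)   # actions the signature itself carries


@dataclass
class Filter:
    """Remove `remove` from events that match every criterion that is set."""
    remove: set
    sig_ids: Optional[set] = None
    attacker_net: Optional[str] = None
    victim_net: Optional[str] = None
    min_rr: int = 0
    max_rr: int = 100

    def matches(self, ev, rr):
        if self.sig_ids is not None and ev.sig_id not in self.sig_ids:
            return False
        if self.attacker_net and ipaddress.ip_address(ev.attacker) not in ipaddress.ip_network(self.attacker_net):
            return False
        if self.victim_net and ipaddress.ip_address(ev.victim) not in ipaddress.ip_network(self.victim_net):
            return False
        return self.min_rr <= rr <= self.max_rr


class Sensor:
    def __init__(self):
        self.tvr_by_network = {}   # ip_network -> TVR label
        self.overrides = []        # (min_rr, max_rr, action) bands that ADD an action
        self.filters = []          # Filter objects that REMOVE actions, applied in order

    def set_target_value(self, cidr, label):
        self.tvr_by_network[ipaddress.ip_network(cidr)] = label

    def target_value(self, ip):
        """Most specific configured range wins; unconfigured hosts are 'medium'."""
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.tvr_by_network if addr in n]
        if not matches:
            return "medium"
        return self.tvr_by_network[max(matches, key=lambda n: n.prefixlen)]

    def risk_rating(self, ev):
        # Simplified calculation assumed for this example: severity x fidelity x
        # target weight, scaled to a 0-100 score. Not the vendor's exact formula.
        weight = TARGET_VALUE_RATINGS[self.target_value(ev.victim)]
        return min(100, ev.severity * ev.fidelity * weight // 10000)

    def process(self, ev):
        rr = self.risk_rating(ev)
        actions = set(ev.actions)
        for lo, hi, action in self.overrides:      # overrides add actions by RR band
            if lo <= rr <= hi:
                actions.add(action)
        for f in self.filters:                     # filters then remove actions
            if f.matches(ev, rr):
                actions -= f.remove
        return rr, sorted(actions)


def demo():
    """Constructed scenario: the same signature firing against three host pairs."""
    s = Sensor()
    s.set_target_value("10.0.0.0/24", "mission-critical")   # e.g. payment servers
    s.set_target_value("10.0.1.0/24", "low")                 # e.g. lab segment
    s.overrides.append((50, 100, "produce-alert"))
    s.overrides.append((85, 100, "deny-attacker-inline"))
    # The internal vulnerability scanner should be alerted on but never blocked.
    s.filters.append(Filter(remove={"deny-attacker-inline"}, attacker_net="192.168.50.0/24"))
    events = {
        "external-vs-critical": Event(2004, "203.0.113.9", "10.0.0.5", 75, 80),
        "external-vs-lab": Event(2004, "203.0.113.9", "10.0.1.5", 75, 80),
        "scanner-vs-critical": Event(2004, "192.168.50.10", "10.0.0.5", 75, 80),
    }
    return {name: s.process(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (rr, actions) in demo().items():
        print(f"{name}: risk rating {rr}, actions {actions}")
```

The ordering matters: overrides run first and only ever add actions, filters run afterwards and only ever remove them, so a filter is the right place to exempt a known scanner or a monitoring host from an inline deny without lowering the Risk Rating it contributes to reporting. The same event against the low-value lab segment never reaches the override band at all, which is the effect the Target Value Rating is meant to have.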