Step 4: Tuning


One purpose of the tuning phase is to reduce false positives. The default sensor installation generates alerts for its signatures, but it does not perform any actions, such as dropping the traffic or initiating IP blocking. During the tuning phase, you need to monitor the alerts that your NIPS generates and verify that normal user traffic is not causing the alerts.

Tuning your NIPS is an ongoing process. The initial tuning involves the following tasks:

  • Identify false positives

  • Configure signature filters

  • Configure signature actions

Besides configuring actions for specific signatures, you can also tune your Cisco IPS appliances using the Risk Rating. Using the Risk Rating and event action override, you can override configured actions for signatures when the Risk Rating is below a specific value. This helps reduce false positives because the Risk Rating provides a more reliable indicator of event severity than the signature alone. Similarly, you can add actions when the Risk Rating is high (even if the signature is not configured for the specific action).

Risk Rating

One of the limiting factors associated with intrusion systems is false positive alarms. False positives generate more work for your security analysts and can reduce their confidence in the alarms that the intrusion system identifies. To reduce the probability of false positives, Cisco IPS version 5.0 calculates a Risk Rating for alerts from 0 to 100. Instead of relying solely on the severity of the attack detected, the Risk Rating is calculated based on the following factors:

  • Event severity

  • Signature fidelity

  • Asset value of target


Note

If you have CS-MARS, you can also use the CS-MARS appliance to tune all of your correlation rules at one time, regardless of whether the events come from Cisco IPS appliances, firewalls, open source tools, or other products. This more automated approach is usually more effective and results in a simpler and easier-to-maintain methodology.


Identify False Positives

Many original Intrusion Detection Systems (IDSs) had a significant problem with false positives. As the technology has evolved, the rate of false positives has diminished greatly. Increased accuracy was a vital component to developing an effective Intrusion Prevention solution. The Cisco Risk Rating represents another mechanism to increase the accuracy of the IPS alerts and reduce false positives.

Nevertheless, you still need to test the default signature configuration to verify that none of the signatures trigger regularly on normal user traffic. After your initial test, you need to continually assess alerts and identify false positives (as well as false negatives) as they arise. This tuning continues as new signatures are applied to the sensors via signature updates.

Configure Signature Filters

Signature filters enable you to exclude alerts for signatures when the traffic involves specific systems. For example, you might want to configure a Server Message Block (SMB) signature to generate an alert only if the traffic involves a system that is external to your network. SMB traffic between systems on your network is common traffic that you want to allow. The same traffic from an external Internet system, however, is usually indicative of malicious activity. So, in this situation, if you set up a filter, the alerts are limited to SMB traffic between an internal system and an external system.

Configure Signature Actions

One of the most powerful aspects of your NIPS sensors is their ability to generate an action whenever a signature fires. Besides generating an alert, your sensor can perform one or more of the following actions:

  • Drop traffic (in-line mode only)

  • Block traffic

  • Log traffic

  • Reset a TCP connection

Note

Firing too many actions for too many signatures can also be one of the significant weaknesses of an IPS. Each of these actions consumes resources on the IPS devices, thus potentially impacting their performance. Cisco IPS enables you to limit the configured actions by using the event action override to override the default actions. Utilizing this functionality enables you to make sure that actions are not invoked lightly.


Using these actions to stop attacks and block traffic from attacking systems enables your IPS to take an active role in the defense of your network. Setting the actions, however, requires you to examine your security posture and security policy. For example, depending on the accuracy and severity of a signature, you might decide to limit the actions to alerting and logging. For other signatures, you might decide that the signature severity warrants the drop action.
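The following Python example, added here and not taken from the book or from Cisco's own implementation, ties together the three tuning mechanisms described above: a Risk Rating derived from event severity, signature fidelity and the asset value of the target; a signature filter that suppresses the SMB signature when both hosts are internal; and an event action override that downgrades low-rating events to logging only and adds an inline drop for high-rating ones. The numeric scales, the multiply-and-scale formula, the thresholds, the address ranges, the signature IDs and the asset values are all constructed assumptions for this example; only the action names follow Cisco's event action vocabulary.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed scale values for the three Risk Rating inputs the text lists.
# Multiplying them and scaling to 0..100 is an assumption for this example,
# not a formula taken from the book.
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150}

# Constructed address data: internal ranges and per-host asset values.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ASSET_VALUE = {"10.0.0.5": "high"}   # e.g. a file server; other hosts default to "medium"


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str                    # event severity
    fidelity: int                    # signature fidelity rating, 0..100
    actions: frozenset = frozenset({"produce-alert"})   # configured default actions


@dataclass
class Event:
    sig: Signature
    src: str
    dst: str


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def risk_rating(sig, target_ip):
    """Assumed model: severity x fidelity x asset value of target, scaled and clamped to 0..100."""
    tvr = TARGET_VALUE[ASSET_VALUE.get(target_ip, "medium")]
    rr = ATTACK_SEVERITY[sig.severity] * sig.fidelity * tvr // 10000
    return max(0, min(100, rr))


# Signature filter: subtract every action for the SMB signature when both hosts are
# internal, so only SMB traffic crossing the network edge still alerts.
# (3301 is a hypothetical number, not a Cisco signature ID.)
SMB_SIG_ID = 3301


def smb_internal_filter(event):
    """Return the set of actions to subtract; empty if the filter does not match."""
    if event.sig.sig_id == SMB_SIG_ID and is_internal(event.src) and is_internal(event.dst):
        return set(event.sig.actions)
    return set()


FILTERS = [smb_internal_filter]

# Event action override thresholds (constructed for the example).
LOW_RR_LIMIT = 35    # below this, keep only packet logging: fewer false-positive alerts
HIGH_RR_LIMIT = 90   # at or above this, add an inline drop regardless of signature config


def apply_override(rr, actions):
    actions = set(actions)
    if rr < LOW_RR_LIMIT:
        actions = {"log-attacker-packets"}
    elif rr >= HIGH_RR_LIMIT:
        actions.add("deny-packet-inline")
    return actions


def decide(event):
    """Apply signature filters, then the Risk Rating override; return (risk_rating, actions)."""
    actions = set(event.sig.actions)
    for flt in FILTERS:
        actions -= flt(event)
    rr = risk_rating(event.sig, event.dst)
    if actions:                      # a fully filtered event produces no actions at all
        actions = apply_override(rr, actions)
    return rr, actions


if __name__ == "__main__":
    smb = Signature(SMB_SIG_ID, "SMB probe", "medium", 60)
    exploit = Signature(5000, "Worm exploit", "high", 90)
    scan = Signature(6000, "Noisy scan", "informational", 40)
    for ev in [Event(smb, "10.0.0.7", "10.0.0.5"),        # internal to internal: filtered
               Event(smb, "203.0.113.9", "10.0.0.5"),     # external to internal: alert kept
               Event(exploit, "203.0.113.9", "10.0.0.5"), # high rating: drop added
               Event(scan, "203.0.113.9", "192.168.1.20")]:  # low rating: log only
        print(ev.sig.name, ev.src, "->", ev.dst, decide(ev))
```

The order matters: filters run on the signature's configured actions first, and the override only adjusts whatever survives, so a filtered event stays silent even when its Risk Rating would otherwise trigger the high-rating override. Swapping the two stages is a common tuning mistake that reintroduces the very alerts the filter was meant to remove.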




Intrusion Prevention Fundamentals
ISBN: 1587052393