This section examines some of the important practices that improve performance and help avoid a lockout situation. The following is a list of these good practices:
Always apply upgrades to the latest version of IDS/IPS MC and apply the new patches available on the Cisco Web site.
If you have more than one sensor to manage and get events from, we recommend installing IDS/IPS MC and Security Monitor on a separate server. If you have a huge number of sensors, depending on the number of events you are getting, you may consider installing the Security Monitor on multiple servers for load-sharing purposes.
Be sure to install VMS on a dedicated server, as it has its own web server and database server, which may cause resource conflict issues if other applications are installed. Be sure to fulfill the minimum requirements for running the VMS server. As performance is dependent on the configuration of hardware, not VMS software, it is always recommended to have a fast, powerful server.
It is recommended to secure the VMS server with Cisco's Security Agent (CSA). CSA is Cisco's host-based IDS/IPS software. If you have CSA MC installed with the Common Services, the agent is installed automatically to protect the VMS server. If you do not have the CSA MC installed, be sure to install at least the headless CSA Agent to protect the VMS server itself from attacks.
If the VMS is in a different network (VLAN) than the sensor, be sure the network devices between the management server and the sensor allow SSH (TCP/22) and SSL (TCP/443) in both directions.
Be sure to schedule the archiving and deletion of alarms to avoid filling the VMS database; the more alarms stored in the database, the longer it will take your viewer to load the alarms for viewing.
Do not install VMS on a Primary/Backup Domain Controller, an IIS Web server, or a Terminal Server, or on the same server as IEV or CSPM.
Be sure not to use the domain or local admin user name and password when installing VMS. Rather, create another user who has local administrator privileges.