This section looks into some of the important methods for improving the performance and seamless operations of Security Monitor in particular and VMS in general. Following is the list of good practices:
Always apply upgrades to the latest version of Security Monitor and apply the new patch available on the Cisco Web site.
If you have more than one sensor to receive events, it is recommended that you install IDS/IPS MC and Security Monitor on a separate computer. If you have several sensors, depending on the amount of events you are getting, you might consider installing the Security Monitor on multiple servers for load-sharing purposes.
Make sure to install VMS on a dedicated computer as it has its own web server and database server, which may cause resource conflict issues if other applications are installed. Be sure to fulfill minimum requirements for running VMS server. As performance depends on the configuration of hardware and not on the configuration of VMS software, it is always recommended to have a faster and more powerful server.
It is recommended to secure the VMS server with Cisco's Security Agent (CSA). CSA is Cisco's host-based IPS software. If you have CSA MC installed with the Common Services, then the agent is installed for the server to protect VMS automatically. If you do not have the CSA MC installed, then be sure to install at least the headless CSA Agent to protect the VMS Server itself from any types of attack.
If the VMS is in a different network (VLAN) than the sensor, then be sure the network devices between the management server and the sensor allows SSH (TCP/22), and SSL (TCP/443) for both IDS/IPS MC and Security Monitor) in both directions.
Be sure to schedule for archiving and/or deleting the alarms to keep from filling the VMS database, as the more alarms stored in the database, the longer it takes your viewer to load the alarms for viewing.
Do not install VMS on Primary/Backup Domain Controller, IIS Server, Terminal Server, IEV, and CSPM.