How we tested Sourcefire's 3D System
By Joel Snyder, Network World, 01/21/2008
We installed two IPS sensors within our production network, one based on Sourcefire hardware and one based on Nokia hardware. Because each sensor had multiple interface pairs, we ran two separate IPS engines and two IDS engines, as well as Realtime Network Awareness (RNA) on multiple interfaces and Realtime User Awareness (RUA). We also sent Netflow information from Cisco routers to the 3D System from some WAN network segments that could not be monitored any other way.
These two sensors fed into a Sourcefire Defense Center 1000, the central management console. We used the Defense Center for
at least 10 hours a week over a one-month period, tweaking policies, analyzing events and verifying the correct operation
of RNA and RUA.
We also used the compliance tools within the Defense Center to generate events and alarms based on IPS, RUA and RNA event
data.
To test IPS coverage, we used the Mu-4000 Security Analyzer appliance, an attack generation and reporting tool, from Mu Security.
For the Mu-4000 testing, we focused on published vulnerability attacks. We wanted to compare performance between this IPS
and other IPSs we had tested with the Mu-4000 in a recent UTM firewall test, so we used the same methodology as in the UTM
firewall test.
We broke up our testing into two directions, client to server and server to client, because an IPS is generally protecting either end users or servers, but seldom both at the same time. In the end-user case, the IPS is programmed to protect users who are browsing the Internet or downloading files and are therefore susceptible to attacks focused on client applications such as Web browsers and PDF readers. In the server case, the IPS is programmed differently, protecting Web, e-mail and other types of servers against attacks initiated by malicious users.
Sourcefire offers three levels of IPS profile: conservative, balanced and aggressive. After three weeks of testing in our production network, we determined that the false positive rate on the aggressive policy was low enough that most network managers will want to start with this policy. We used the recommended aggressive policy, then tested using the Mu-4000 to see the percentage of attacks blocked by the IPS. The client profile contained approximately 400 attacks, while the server profile contained approximately 500.