We installed a Cisco 4260 IPS appliance in a production network with approximately 700 Web sites generating approximately 25Mbps traffic to the Internet. Our goal in this testing was to focus on the reputation services aspect of the 7.0 software, so we did not do specific performance or IPS coverage testing.
Initially, we installed a beta version of 7.0 software that Cisco made available. We then placed the IPS both in front of (on the Internet side of) and behind different firewalls protecting the network. However, with beta 7.0 software, the IPS caused significant service interruption when placed outside of the firewall. We pulled the IPS from the network and waited for Cisco to release the final 7.0 software.
When 7.0 release software was available on Cisco's Web site, we re-installed the IPS. Following Cisco's advice, we only placed the IPS behind firewalls, rather than on the Internet side of the firewalls. We used two different gigabit Ethernet circuits, carrying a total of 14 different VLANs. The IPS ran in production on those network segments, inspecting and "protecting" 12 of the different VLANs, for over two weeks.
We also installed Cisco IPS Manager Express 7.0 software on a Windows 2000 server with a 3GHz Pentium 4 CPU, 3GB of RAM and internal SATA hard drives. We found that even with 1.2 million events in the database, the performance of IPS Manager Express was very satisfactory.
Cisco engineers assisted, remotely, with the initial configuration of the IPS and provided some technical support via e-mail during the testing.
Once we felt the IPS was stable on our production networks, we studied the alerts that the IPS created based on the traffic on those networks. In combination with normal Cisco technical support resources, we tuned the IPS for a period of about one week. The tuning generally included identifying signatures with a high false positive count and either disabling or, in a few cases, adjusting them to ignore particular systems.
During the tuning period, we enabled all reputation service features of IPS 7.0, but ran them in "audit" mode to get comfortable with what the reputation service was going to do to the events and to the IPS itself.
After tuning was completed, we set the reputation service features to be active and monitored the results.
Comments (3)
'Return to test' link is broken
By Anonymous on August 10, 2009, 12:02 pm
Is the 'Return to test' link broken, or are you teasing us?
Ya broken for me too!
By Anonymous on August 17, 2009, 6:51 pm
Ya broken for me too!
Broken
By Anonymous on October 2, 2009, 2:10 pm
It's still broken