IPS is short for Intrusion Prevention System. When specific traffic matches a signature, the device “drops” the traffic immediately and creates an event with details on the traffic. It is designed to be deployed inline, and it takes a proactive approach to traffic monitoring.
Capacity planning – buy the right device. Do your homework: look at the traffic load of the segments you want to monitor. Every model has a throughput threshold. If the VLAN you want to monitor registers bandwidth in excess of 100MB, and you may want to monitor additional VLANs, a 400MB-limit box will not work for you. Don’t expect to buy just one box: if you have remote sites or several internal VLANs, you will need additional units. Buy a unit large enough to be deployed at the perimeter, between the firewall and the DMZ/internal networks, and smaller units for remote sites and smaller segments. There are several vendors on the market today (ISS, TippingPoint, Cisco, Sourcefire); choose the vendor that has the best reputation for good, sound security intelligence.
You will probably need more than one device: at least one at the perimeter, and possibly a few smaller-throughput devices. All IPS devices have two modes: block (“IPS”) mode and non-block (“IDS”) mode. When you first deploy your device it is in non-block mode; you then spend a period of time tuning out any false positives. Once that period is complete, put the device into blocking mode. “IPS” mode should always be your primary end goal!
Now that my device is in place in non-block mode, what do I do? Take a period of at least 30 days and look at the events generated by the device on a daily basis. This period is known as the “tuning phase”; this is when you make adjustments to the signatures on the device. You are filtering out the false positives so that you can focus on the events that show valid attacks.
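The daily review during the tuning phase is easier when the events are summarised per signature rather than read one by one. The following Python script is an added example, not code from the original article or from any IPS vendor: it parses a constructed set of IDS-mode events (the CSV format, the signature ids and names, and the addresses are all made up for illustration), summarises each signature by event count, distinct days, sources and destinations, and sorts signatures into three buckets. A signature that fires on several days from many internal hosts is a candidate false positive to review and tune; one that fires daily from a single internal host is a candidate for a source-specific exception (a monitoring or management server, for instance); everything else is left for investigation as a possible valid attack. The address ranges in INTERNAL_NETS and the thresholds in classify() are assumptions and should be set from your own network plan.

```python
"""Triage of IDS-mode events during an IPS tuning phase (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample events; this is not the output of any real IPS product.
# Fields: date, signature id, signature name, source IP, destination IP.
SAMPLE_EVENTS = """\
2024-03-01,2001,ICMP Large Packet,10.1.5.20,10.1.5.1
2024-03-01,2001,ICMP Large Packet,10.1.5.21,10.1.5.1
2024-03-02,2001,ICMP Large Packet,10.1.5.22,10.1.5.1
2024-03-03,2001,ICMP Large Packet,10.1.5.23,10.1.5.1
2024-03-01,2203,SNMP Public Community String,10.1.5.50,10.1.5.10
2024-03-02,2203,SNMP Public Community String,10.1.5.50,10.1.5.11
2024-03-03,2203,SNMP Public Community String,10.1.5.50,10.1.5.12
2024-03-02,3100,HTTP SQL Injection Attempt,203.0.113.7,192.0.2.10
2024-03-02,3100,HTTP SQL Injection Attempt,203.0.113.7,192.0.2.10
"""

# Assumed address plan: 10.0.0.0/8 is the internal network, 192.0.2.0/24 the DMZ.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Event:
    day: str
    sig_id: int
    sig_name: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass
class SigStats:
    name: str
    count: int = 0
    days: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


def parse_events(text):
    """Parse the constructed CSV event format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, sig_id, name, src, dst = line.split(",", 4)
        events.append(Event(day, int(sig_id), name,
                            ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return events


def summarize(events):
    """Aggregate events per signature: count, distinct days, sources, destinations."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev.sig_id, SigStats(ev.sig_name))
        s.count += 1
        s.days.add(ev.day)
        s.sources.add(ev.src)
        s.destinations.add(ev.dst)
    return stats


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in n for n in nets)


def classify(stats, nets=INTERNAL_NETS, min_days=3, min_sources=3):
    """Bucket each signature for the daily tuning review.

    broad-internal-noise   : fires on >= min_days days from >= min_sources
                             internal hosts; review the signature itself.
    single-internal-source : fires on >= min_days days from exactly one
                             internal host; consider a per-source exception.
    investigate            : everything else, including any external source.
    """
    verdicts = {}
    for sig_id, s in stats.items():
        all_internal = all(is_internal(a, nets) for a in s.sources)
        persistent = len(s.days) >= min_days
        if all_internal and persistent and len(s.sources) >= min_sources:
            verdicts[sig_id] = "broad-internal-noise"
        elif all_internal and persistent and len(s.sources) == 1:
            verdicts[sig_id] = "single-internal-source"
        else:
            verdicts[sig_id] = "investigate"
    return verdicts


def tuning_window_complete(events, required_days=30):
    """True once events span at least required_days distinct days (the article's 30)."""
    return len({ev.day for ev in events}) >= required_days


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    stats = summarize(evs)
    for sig_id, verdict in sorted(classify(stats).items()):
        s = stats[sig_id]
        print(f"{sig_id} {s.name!r}: {s.count} events, {len(s.days)} days, "
              f"{len(s.sources)} sources -> {verdict}")
    print("tuning window complete:", tuning_window_complete(evs))
```

Run it daily against the exported events for the day, and keep the verdicts with the date: a signature that stays in the “investigate” bucket for the whole 30 days is one you want enforced the moment the device goes into blocking mode, while the two internal buckets are the ones to tune before that switch.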