Best Practice Deployment - D-Link NetDefendOS User Manual

Network security firewall
Hold Time: 120
Log Threshold: 2
Click OK
IDP Rules:
1. Go to: Policies > Intrusion Prevention > IDP Rules > Add > IDP Rule
2. Select the rule examplerule
3. Enable the Enable logging option
4. Click OK

6.6.9. Best Practice Deployment

IDP Deployment Recommendations
The following are the recommendations for IDP deployment:

Enable only the IDP signatures for the traffic that is being allowed. For example, if the IP rule set is only allowing HTTP traffic then there is no point enabling FTP signatures.

Once the relevant signatures are selected for IDP processing, the IDP system should always be initially run in Audit mode.

After running IDP in Audit mode for a sample period with live traffic, examine the log messages generated. Check for the following:
i. When IDP triggers, what kind of traffic is it triggering on?
ii. Is the correct traffic being identified?
iii. Are there any false positives with the signatures that have been chosen?

Adjust the signature selection and examine the logs again. There may be several adjustments before the logs demonstrate that the desired effect is being achieved.

If certain signatures are repeatedly triggering, it may be a reason to look more closely to check if a server is under attack.

After a few days running in Audit mode with satisfactory results showing in the logs, switch IDP over to Protect mode so that triggering connections are dropped by NetDefendOS. However, IDS signatures are best kept in Audit mode as they can interrupt normal traffic flows because of false positives.

If required, enable the blacklisting feature of IDP so that the source IP for triggering traffic is blocked. This is a powerful feature of IDP and useful when dealing with an application like BitTorrent.
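As an added example (not part of the manual), a small Python script that applies the Audit-mode checklist above to exported firewall logs: it counts hits per signature, flags signatures for protocols the IP rule set does not allow, separates a signature repeatedly fired by one source (possible attack on a server) from one fired by many sources (likely false positive). The key=value log layout, the signature names and the verdict heuristics are assumptions for this example, not the real NetDefendOS format.

```python
import re
from collections import Counter, defaultdict

# Constructed Audit-mode log sample. The layout and signature names are
# assumptions for this example, not the real NetDefendOS log format.
SAMPLE_LOG = """\
2024-03-01 09:00:01 IDP rule=examplerule sig=HTTP_SQL_INJ src=203.0.113.7 dst=192.168.1.10 action=audit
2024-03-01 09:00:02 IDP rule=examplerule sig=HTTP_SQL_INJ src=203.0.113.7 dst=192.168.1.10 action=audit
2024-03-01 09:00:03 IDP rule=examplerule sig=HTTP_SQL_INJ src=203.0.113.7 dst=192.168.1.10 action=audit
2024-03-01 09:01:10 IDP rule=examplerule sig=HTTP_LONG_URI src=10.0.0.11 dst=192.168.1.10 action=audit
2024-03-01 09:01:11 IDP rule=examplerule sig=HTTP_LONG_URI src=10.0.0.12 dst=192.168.1.10 action=audit
2024-03-01 09:01:12 IDP rule=examplerule sig=HTTP_LONG_URI src=10.0.0.13 dst=192.168.1.10 action=audit
2024-03-01 09:02:00 IDP rule=examplerule sig=FTP_BOUNCE src=198.51.100.4 dst=192.168.1.10 action=audit
2024-03-01 09:02:30 ALG rule=http_out proto=HTTP src=10.0.0.11 dst=93.184.216.34 action=allow
"""

IDP_LINE = re.compile(r"\bIDP\b\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_idp_events(text):
    """Return one dict of key=value fields per IDP line; non-IDP lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IDP_LINE.search(line)
        if m:
            events.append(dict(f.split("=", 1) for f in m.group("kv").split()))
    return events


def triage(events, allowed_protocols=("HTTP",), repeat_threshold=3):
    """Map each signature to (hit_count, distinct_sources, verdict).

    The verdict heuristics are this example's own, mirroring the checklist above.
    """
    hits = Counter(e["sig"] for e in events)
    sources = defaultdict(set)
    for e in events:
        sources[e["sig"]].add(e["src"])
    report = {}
    for sig, n in hits.items():
        proto = sig.split("_", 1)[0]  # assumes signature names start with the protocol
        if proto not in allowed_protocols:
            verdict = "protocol not allowed by IP rules: remove signature from the rule"
        elif n >= repeat_threshold and len(sources[sig]) == 1:
            verdict = "repeated from one source: check whether the server is under attack"
        elif len(sources[sig]) >= repeat_threshold:
            verdict = "fires for many sources: review as a likely false positive"
        else:
            verdict = "low volume: keep observing in Audit mode"
        report[sig] = (n, len(sources[sig]), verdict)
    return report


if __name__ == "__main__":
    for sig, (n, srcs, verdict) in sorted(triage(parse_idp_events(SAMPLE_LOG)).items()):
        print(f"{sig:14} hits={n:<3} sources={srcs:<3} {verdict}")
```

Run it against a real export only after adapting the regex to the actual log line layout; the thresholds are a starting point to tune during the Audit-mode period.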
IDP Database Updating
564
Chapter 6: Security Mechanisms
