Amer Networks E5Web GUI User Manual
Page 480
The following are the recommendations for IDP employment:

• Enable only the IDP signatures for the traffic that is being allowed. For example, if the IP rule set is only allowing HTTP traffic then there is no point enabling FTP signatures.

• Once the relevant signatures are selected for IDP processing, the IDP system should always be initially run in Audit mode.

• After running IDP in Audit mode for a sample period with live traffic, examine the log messages generated. Check for the following:
  i. When IDP triggers, what kind of traffic is it triggering on?
  ii. Is the correct traffic being identified?
  iii. Are there any false positives with the signatures that have been chosen?

• Adjust the signature selection and examine the logs again. There may be several adjustments before the logs demonstrate that the desired effect is being achieved. If certain signatures are repeatedly triggering, it may be reason to look more closely to check whether a server is under attack.

• After a few days running in Audit mode with satisfactory results showing in the logs, switch IDP over to Protect mode so that triggering connections are dropped by cOS Core. However, IDS signatures are best kept in Audit mode, as they can interrupt normal traffic flows because of false positives.

• If required, enable the blacklisting feature of IDP so that the source IP for triggering traffic is blocked. This is a powerful feature of IDP and useful when dealing with an application like BitTorrent. It should only be enabled for signatures that have already proven free of false positives in Audit mode, since a false positive would then block a legitimate source rather than just one connection.
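The Audit-mode review steps above (what triggers, whether it is the right traffic, which signatures are false positives, which sources repeat) can be done mechanically over the exported log. The script below is an added example written for this page; it is not code from the manual or from cOS Core. It assumes a generic one-event-per-line key=value log layout with the fields event, action, sig, src, dst and dport, and the sample lines are constructed; adapt parse_idp_line() to the real log format before use.

```python
"""Triage IDP audit-mode logs before switching a signature set to Protect mode.

Added example, not product code. The key=value log layout and the sample
lines below are assumptions constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one source hammering one server with the same signature,
# one signature firing once from many internal clients, one in between, and a
# non-IDP line that must be skipped.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 event=idp action=audit sig=HTTP_SQL_INJECTION src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:02 event=idp action=audit sig=HTTP_SQL_INJECTION src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 event=idp action=audit sig=HTTP_SQL_INJECTION src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:04 event=idp action=audit sig=HTTP_SQL_INJECTION src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:05 event=idp action=audit sig=HTTP_SQL_INJECTION src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:01:10 event=idp action=audit sig=HTTP_LONG_URI src=10.0.0.11 dst=192.0.2.10 dport=80
2024-05-01T10:01:11 event=idp action=audit sig=HTTP_LONG_URI src=10.0.0.12 dst=192.0.2.10 dport=80
2024-05-01T10:01:12 event=idp action=audit sig=HTTP_LONG_URI src=10.0.0.13 dst=192.0.2.10 dport=80
2024-05-01T10:01:13 event=idp action=audit sig=HTTP_LONG_URI src=10.0.0.14 dst=192.0.2.10 dport=80
2024-05-01T10:03:00 event=idp action=audit sig=HTTP_DIR_TRAVERSAL src=10.0.0.20 dst=192.0.2.10 dport=80
2024-05-01T10:03:05 event=idp action=audit sig=HTTP_DIR_TRAVERSAL src=10.0.0.20 dst=192.0.2.10 dport=80
2024-05-01T10:03:09 event=idp action=audit sig=HTTP_DIR_TRAVERSAL src=10.0.0.21 dst=192.0.2.10 dport=80
2024-05-01T10:04:00 event=conn action=open src=10.0.0.11 dst=192.0.2.10 dport=80
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_idp_line(line):
    """Return the key=value fields of an IDP event, or None for any other line."""
    fields = dict(KV_RE.findall(line))
    if fields.get("event") != "idp":
        return None
    return fields


def hits_per_signature(log_text):
    """Map signature -> Counter of (src, dst) pairs that triggered it."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_idp_line(line)
        if fields is None:
            continue
        hits[fields["sig"]][(fields["src"], fields["dst"])] += 1
    return hits


def triage(hits, attack_threshold=5, spread_threshold=3):
    """Classify each signature by its audit-mode hit pattern.

    possible_attack        one (src, dst) pair hit it attack_threshold or more
                           times: keep the signature and look at the server.
    false_positive_suspect spread_threshold or more distinct sources, one hit
                           each: typical of a signature matching normal traffic;
                           verify before enabling Protect mode.
    review                 anything else: inspect the packets by hand.
    """
    verdicts = {}
    for sig, pairs in hits.items():
        (src, dst), top = pairs.most_common(1)[0]
        distinct_sources = len({s for s, _ in pairs})
        if top >= attack_threshold:
            verdicts[sig] = ("possible_attack", src, dst)
        elif distinct_sources >= spread_threshold and top == 1:
            verdicts[sig] = ("false_positive_suspect", None, None)
        else:
            verdicts[sig] = ("review", None, None)
    return verdicts


def blacklist_candidates(hits, attack_threshold=5):
    """Sources that repeatedly trigger IDP: candidates for the blacklisting feature."""
    per_src = Counter()
    for pairs in hits.values():
        for (src, _dst), n in pairs.items():
            per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= attack_threshold)


if __name__ == "__main__":
    hits = hits_per_signature(SAMPLE_LOGS)
    for sig, verdict in triage(hits).items():
        print(sig, verdict)
    print("blacklist candidates:", blacklist_candidates(hits))
```

Run it over a few days of exported Audit-mode log and re-run after each change to the signature selection; a signature that stays in false_positive_suspect should be left in Audit mode or removed, while a possible_attack verdict is the cue to examine the destination server rather than to tune the signature away.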
IDP Database Updating
When the IDP signature database is updated automatically, existing signatures may be dropped or changed and new signatures introduced. In some cases it can be preferable to force the database update manually, so that the effect of any changes can be observed immediately after the update. Automatic updates may otherwise take place without the checking needed to make sure there is no disruption to live traffic.
Chapter 6: Security Mechanisms