We have multiple IPS deployments managed by different people. And the major issue we come across is to enable blocking on attack definitions when a new signature update comes.
Can anyone tell me if there is a way of keeping track of new updates? For instance, if you talk about Checkpoint IPS, they would flag the newly added signatures so that the administrators can review them and enable them based on the requirements.
Thanks in advance,
The closest answer I have come across is to check the below link to keep track of new signatures. And once a new signature set comes we will have to go through the newly added signatures and decide whether to block them or not.
So it looks like a tedious process. Does anyone have a better answer?
And I was just about to include this information with my reply. Ha. Check out the IPS admin guides and ctrl+f for "rule sets". When creating a policy you set a rule set to the interface(s). IPS Settings -> IPS & Recon -> Rules Sets. From here, either modify a current rule set or create your own. When you're creating a new one/editing, a window will pop up. Set your name and desc for the set and then see the 'Rules' tab. Decide whether or not you want to Include or Exclude something and click 'Insert'. From here you should be able to see that you can include signatures in a rule set based on the signatures category, Protocol, OS, Application, Severity, BTP, and SmartBlocking attributes. Let me know how this works for you.
Thank you for the reply. I think this can be achieved only by manually attending to it. If you go to the following link you will find the details about the newly added signatures.
Once you have that information you will have to manually find each signature (most probably the High severity ones) and then enable blocking depending on the requirement.
The solution you gave only allows creating a rule set that includes different severity levels, but still we will have to manually find each and every newly added signature and then enable blocking for them unless they are in the RFSB list.
You can create the rule sets based on multiple attributes of a signature and not just 'severity'. I didn't know you were asking how to automate review of every new signature created/released and turn on blocking. RFSB would be a good start, but from the sounds of it, what you and your team want to do requires manual review of each signature. Unless you have certain criteria for signatures to meet your team's "turn on blocking" decision that match what a rule set offers as criteria, you'll have to deal with the manual process and/or submit a PER (Product Enhancement Request) to get this ability into the product.
Well we are system integrators so we usually set something up, tune it and then hand it over to the customers and hope they manage the rest unless some issue comes where we have to troubleshoot.
But unlike firewalls, IPSs need more care. The signature database updates regularly, so we need to keep adding and removing stuff on a regular basis. And since customers tend to like solutions that have minimal interaction, I have found out that they prefer just to leave it, hence only the initially blocked stuff is enforced and all the new signatures are just in alert mode. Hope you see the issue.
So what I was looking for is some type of mechanism where McAfee would highlight the newly added signatures so that it would be very easy for the administrators just to go and block them. For instance, Checkpoint has a facility like that, where they would flag the newly added signatures, or I think they even give you the option of enabling blocking for high severity, high confidence level attacks automatically as they are added.
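One way to get that "flag the newly added signatures" behaviour outside the product is to diff consecutive signature set exports and list the new entries that are still in alert mode at or above a chosen severity. The script below is an added example written for this thread, not McAfee code and not a documented Network Security Platform feature; it assumes a CSV export with id, name, severity and action columns (an assumption, since the thread does not show the export format), and the two sample sets embedded in it are constructed.

```python
"""Flag signatures present in a new IPS signature set but not in the previous
one, and list the ones that still need a blocking decision.

Added example, not McAfee/NSP code. The CSV layout (id,name,severity,action)
is an assumed export format; the sample data below is constructed."""
import csv
import io

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample export: the previously deployed signature set.
OLD_SET = """id,name,severity,action
0x40001000,HTTP: Example Traversal Attempt,High,Block
0x40001001,SMB: Example Null Session,Medium,Alert
0x40001002,DNS: Example Oversized Query,Low,Alert
"""

# Constructed sample export: the set just released (two new entries).
NEW_SET = """id,name,severity,action
0x40001000,HTTP: Example Traversal Attempt,High,Block
0x40001001,SMB: Example Null Session,Medium,Alert
0x40001002,DNS: Example Oversized Query,Low,Alert
0x40001003,SSL: Example Handshake Anomaly,High,Alert
0x40001004,FTP: Example Bounce Attempt,Medium,Alert
"""


def parse_set(text):
    """Parse a signature export into a dict keyed by signature id."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def new_signatures(old_text, new_text):
    """Return the rows present in the new set but absent from the old one,
    in the order the new export lists them."""
    old, new = parse_set(old_text), parse_set(new_text)
    return [new[sid] for sid in new if sid not in old]


def needs_block_decision(rows, min_severity="High"):
    """Keep rows at or above min_severity whose action is not yet Block,
    i.e. the new signatures an administrator still has to decide on."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        r for r in rows
        if SEVERITY_RANK.get(r["severity"], 0) >= threshold and r["action"] != "Block"
    ]


def report(old_text, new_text, min_severity="High"):
    """Build a plain-text review list for the administrator."""
    added = new_signatures(old_text, new_text)
    todo = needs_block_decision(added, min_severity)
    lines = [f"{len(added)} new signature(s) in this update"]
    for r in added:
        flag = "REVIEW" if r in todo else "ok"
        lines.append(f"  [{flag}] {r['id']} {r['severity']:<6} {r['action']:<5} {r['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_SET, NEW_SET))
```

Run it after each update with the previous and current exports; lowering `min_severity` to "Medium" widens the review list, and the same set difference in the other direction shows signatures that were removed from the database, which is the other half of the "adding and removing stuff" problem mentioned above.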