I am pretty new to the IPS world! With that being said, two weeks ago I installed an M1250 IPS sensor in our network with the default policy. Since then, users keep calling about download issues. Whenever they download something off the Internet, it is very slow. Sometimes the speed reaches 4K on a 10M link! To bypass this issue, I have to put the sensor in layer 2 mode. My question is: is there anything I can do to increase the download speed?
There are a couple of details you did not mention, like whether you have checked the sensor load status; I assume it is OK. I also assume you placed the sensor in in-line mode and you already checked that the sensor has no interface errors. Then I suggest you check if you have enabled "HTTP Response Scanning" in the Inbound or Outbound direction. If it is enabled, disable it and try a file download again.
In general, when you deploy an IPS for the first time in a network, use a non-blocking policy; try "All inclusive without Audit". It will help you see how the IPS works with your network protocols and applications, and later you can apply a fine-tuning procedure.
Let us know how you did it.
Good luck!

Message edited by: gooru4speed on 24/05/10 15:49:31 GMT-03:00
Before anything else, thanks for taking the time to give me some guidelines, I really appreciate it. With that being said, let me answer your questions. Effectively, there were some errors on the sensor port, but these errors were corrected before the post. By the way, how can I clear the errors on the interfaces? Is there a specific command, or will the errors be cleared after rebooting? I do not have HTTP scanning enabled, I double-checked this. And yes, the sensor is in in-line mode and the average load is about 2% daily.
First, let's see the command to clear statistics on the sensor interfaces: you can issue "clrstat" from the CLI console.
Then, could you please clarify what policy you are applying? Does the performance issue apply to every kind of file download? Is it the same problem with HTTP and FTP downloads?
First, I found out that the interface connected to my ISP is still having errors; all other interfaces are clean. I have changed the cable on the interface, the one connected to my ISP. That didn't change anything. This interface is the only one which is not hard-coded; it is still in auto-negotiation. My next step will be to hard-code this interface, but this implies contacting my ISP.
Second, the IPS is still using the default IPS policy, which I will replace with my custom policies by the end of this week. And last, the bandwidth issue affects all downloads: HTTP, TORRENT, FTP... Lately, I have managed to keep the download above 100KB/sec.
I did have FLOWCONTROL ON on all of the ports, which I disabled. Is that the same thing as HTTP scanning?
If you are still having interface errors against your ISP router, don't squeeze your head searching for something else; first fix that. Regarding this matter, I'm attaching a document where you can find useful guidelines about hard-coding sensor interfaces.
On the other hand, interface flow control has nothing to do with HTTP Scanning.
Finally, please consider a humble suggestion: don't apply a custom policy before assessing how your IPS behaves with your network and applications; you had better use a "neutral" default non-blocking policy like "All inclusive without Audit" for at least 2 weeks. Nevertheless, "default IPS" is OK too. The McAfee NSP solution achieved the best blocking rate by default in the last test (Q4 2009) among seven vendors, issued by NSS.
One last question, gooru4speed: I am getting ready for a PCI evaluation. As you told me not to apply custom policies without knowing the traffic flow through my ISP, what are my chances of passing the PCI evaluation with the default IPS settings?