1470 Views 3 Replies Latest reply: Mar 21, 2012 9:23 AM by pcoates
pcoates, Newcomer, 12 posts since Jul 20, 2011

Feb 16, 2012 11:28 AM

Baseline inline IPS

Hey Everyone,

I am currently just trying to determine the best way to baseline the NSP while using it as an inline IPS. The desired outcome is to be able to baseline an inline IPS policy, but have blocking disabled globally, so that the actions are recorded but no blocking actually occurs until set to "Blocking" mode after a soak and configuration period.

Other products I have experience with have the option to utilize an IPS policy (with blocking enabled on signatures) but put it in a learning mode globally so that the blocks do not apply (however, in the logs it will show that it would have been blocked if enabled).

I have only found a learning mode for the DoS portion of the NSP.

So far with the McAfee device I have only found the following way to semi-accomplish this behaviour:

1 - Create two duplicate policies and disable the blocking actions on one. Use this policy for your baseline period to ensure the IPS does not negatively impact the environment. Mirror any changes to this policy in the other duplicate that has blocking enabled. Once the baseline has been completed, switch over to the policy with blocking enabled. This would not be my ideal solution.

Is there a better way to accomplish this outcome?

Thanks,

Pete

  • daloy, McAfee Employee, 56 posts since Sep 17, 2010
    1. Mar 21, 2012 2:20 AM (in response to pcoates)
    Re: Baseline inline IPS

    Hi Pete,

    You can do as you say, or else apply the default inline IDS policy, which won't block anything, and then move to the default inline IPS policy.

    Another solution would be either to use the sensors in TAP mode with a default inline IPS policy, where the attacks would be blocked but the traffic won't be affected as you are using taps, or to use the sensors in SPAN mode with a default inline IPS policy, and once you are happy with the configuration of the policies, move the sensors to inline mode.

    HTH.

    David

  • daloy, McAfee Employee, 56 posts since Sep 17, 2010
    2. Mar 21, 2012 2:24 AM (in response to daloy)
    Re: Baseline inline IPS

    Also, on version 7 you have the command 'set ipssimulation (enable|disable)', which allows you to put the sensor in simulation mode, so you could use a default inline IPS policy in simulation mode, where nothing would be blocked either.
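
Added example, not part of this thread and not McAfee tooling: whichever non-blocking option is used for the soak period (duplicate policy without blocking actions, IDS policy, SPAN/TAP, or simulation mode), the point of the exercise is the list of signatures that would have blocked and how much traffic they would have touched. The Python script below triages a constructed, simplified CSV export of alerts recorded while the sensor was not blocking. The column names, the would_block flag, the 10.0.0.0/8 internal range and the review threshold are assumptions for this example, not the real NSP export format; the verdicts (alert-only, ready, review) are the sort of decision a team would make per signature before switching the policy to blocking.

```python
"""Triage a non-blocking IPS soak period.

Constructed example: reads a simplified CSV of alerts recorded while the
sensor was NOT blocking and reports, per signature, what would have been
blocked and whether that signature looks safe to switch to a blocking action.
The CSV layout, the 'would_block' column and the internal address range are
assumptions for this example, not the export format of any real sensor.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export covering a short soak window (not real data).
SAMPLE_ALERTS = """\
time,signature,severity,src_ip,dst_ip,dst_port,would_block
2012-03-01T08:00:01,HTTP: SQL Injection attempt,high,203.0.113.10,10.0.5.20,80,yes
2012-03-01T08:00:05,HTTP: SQL Injection attempt,high,203.0.113.10,10.0.5.21,80,yes
2012-03-01T08:01:00,SMB: Suspicious Share Access,medium,10.0.1.15,10.0.2.8,445,yes
2012-03-01T08:01:02,SMB: Suspicious Share Access,medium,10.0.1.16,10.0.2.8,445,yes
2012-03-01T08:01:04,SMB: Suspicious Share Access,medium,10.0.1.17,10.0.2.9,445,yes
2012-03-01T08:01:06,SMB: Suspicious Share Access,medium,10.0.1.18,10.0.2.9,445,yes
2012-03-01T08:02:00,DNS: Long TXT Record,low,10.0.3.3,10.0.0.53,53,no
2012-03-01T08:03:00,ICMP: Echo Sweep,low,198.51.100.7,10.0.5.20,0,yes
"""

# Assumed internal address space; adjust to the segments behind the sensor.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alerts(text):
    """Parse the CSV export into a list of dicts, one per alert."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(alerts, review_threshold=3):
    """Per signature: event counts, distinct peers, and a verdict.

    Verdicts:
      alert-only  the signature never would have blocked; enabling blocking
                  changes nothing for it
      review      it would have blocked traffic from >= review_threshold
                  distinct internal sources, which usually means legitimate
                  internal traffic or a noisy signature; a human checks it
                  before the policy goes to blocking mode
      ready       it would have blocked, and the evidence does not point at
                  internal clients (e.g. a single external scanner)
    """
    by_sig = defaultdict(lambda: {"events": 0, "would_block": 0,
                                  "src_ips": set(), "dst_ips": set()})
    for a in alerts:
        s = by_sig[a["signature"]]
        s["events"] += 1
        if a["would_block"].strip().lower() == "yes":
            s["would_block"] += 1
        s["src_ips"].add(a["src_ip"])
        s["dst_ips"].add(a["dst_ip"])

    report = {}
    for sig, s in by_sig.items():
        internal_srcs = {ip for ip in s["src_ips"] if is_internal(ip)}
        if s["would_block"] == 0:
            verdict = "alert-only"
        elif len(internal_srcs) >= review_threshold:
            verdict = "review"
        else:
            verdict = "ready"
        report[sig] = {
            "events": s["events"],
            "would_block": s["would_block"],
            "distinct_src": len(s["src_ips"]),
            "distinct_dst": len(s["dst_ips"]),
            "internal_src": len(internal_srcs),
            "verdict": verdict,
        }
    return report


def blocking_candidates(report):
    """Signatures that can be switched to a blocking action now, most-hit first."""
    ready = [sig for sig, r in report.items() if r["verdict"] == "ready"]
    return sorted(ready, key=lambda sig: -report[sig]["would_block"])


if __name__ == "__main__":
    rep = summarize(parse_alerts(SAMPLE_ALERTS))
    for sig, r in sorted(rep.items(), key=lambda kv: -kv[1]["would_block"]):
        print(f"{r['verdict']:<10} blocks={r['would_block']:<3} "
              f"src={r['distinct_src']:<3} dst={r['distinct_dst']:<3} {sig}")
    print("ready to enable:", blocking_candidates(rep))
```

The "review" rule is deliberately conservative: a signature that would have dropped traffic from several distinct internal hosts is exactly the kind of thing that turns an inline cut-over into an outage, so it is held back until someone has looked at the sessions, even if the signature itself is sound.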
