1 Reply Latest reply on Aug 13, 2014 4:59 PM by jolson

    01. Network IPS

    allegiance
      1. Where is the "block" option in NSM?. I can only see is Quarantine and drop connection.
      2. there are lots of "Attack" but some are Skype and Yahoo Attack that the destination is 8.8.8.8. How can I distuinguished which attack is a false positive and what is a real attack from the Analysis tab?
      3. What IP should I quarantine the source or the destination? The source is from my internal IP and the destination is the external.
      4. If I quarantine an IP address will it stop all TCP and UDP protocols?
      5. A have a DMZ which has Windows Server family OS that host Websites, what IPS policy should I apply for best practice?
      6. I applied a Windows IPS policy but the result of every attack is "Inconclusive", how can I know the real result?
      7. What IPS policy should be applied on Internal network consist of Windows Desktop OS?
      8. I have a M2950 IPS. What does 2 Percent mean on the Dashboard - Utilization - Device throughput? Is it 2% of the total throughput of m2950?
        • 1. Re: 01. Network IPS

          1. Right click any attack in the Real Time Threat Analyzer, and press 'Edit Attack Settings'. From there, you can select appropriate responses, including 'block'. I recommend reading this KB for some related Insight.

           

          2. Unfortunately I don't know enough about your environment to answer this question - however I do know that Google's DNS Servers are at 8.8.8.8 and 8.8.4.4. I would recommend checking out the workstations from which those alerts were generated.

           

          3. That depends. If you're sure you want to Quarantine an IP, all traffic from the quarantined IP will only be allowed access to quarantine network objects depending on the 'Zones' you have setup.

          For instance, if I quarantine the IP '192.168.1.55' - a user workstation - and set the 'Zone' to 'Allow Public Networks' for 15 minutes - that computer will not be able to access internal network resources for 15 minutes.

          So to answer your question - it depends on the type of violation occurring, and what you intend to accomplish with the quarantine.

           

          4. Quarantine will stop traffic depending on your definitions of the Zones in Policy > Intrusion Prevention > Objects > Quarantine Zones.

           

          5. In that circumstance, I'll tell you what I would do.

          I would first define a ruleset under Policy > Intrusion Prevention > Advanced > Rule Sets.

          I'd name the ruleset 'Windows Family Web Servers'.

          I'd go to rules > insert > configure > switch to 'OS' tab.

          Uncheck 'select all OS' and select only the Windows machines that you have in your 'Windows Server Family' group. For my example, I'll select Windows7 and Windows2008 because I run web applications from both Windows 7 and Windows 2008 Servers.

          Set Severity to something reasonable (I select 2 here), and set Benign Trigger Probability to something reasonable (I select 4 here).

          Navigate to the 'Protocol' tab, uncheck 'Select All Protocols'. Select only the protocols your webservers use (in my case - http, dns, and ftp).

          I would save that ruleset.

          Now, under Policy > Intrusion Prevention > IPS Policies I would create a new policy, using settings appropriate to my environment. Under 'Rule Set' select the ruleset we just created.

          Apply this policy to the interface your DMZ is attached to. Voila!

           

          6. In this case 'Inconclusive' is the correct result. Inconclusive simply means that the IPS could not determine whether or not the attack was initiated successfully. In many cases, it is not possible to be conclusive about how successful attacks are, which would explain what you are seeing.

           

          7. I would suggest the 'Windows Family' policy.

           

          8. Correct. Each Sensor is rated at a certain 'Throughput' threshold - this can be observed via this document. In your case, this means that 2% of your throughput is in use - not nearly enough for worry!

           

          Best,

           

           

          Jesse Olson

          Technical Support Engineer

          McAfee. Part of Intel Security.