
How do you optimize IPS effectively?

I've had a couple of gigs lately where I help clients migrate from R77.30 to R80.10 and I've taken interest in how to help them optimize the IPS while we're at it. Most installations I've encountered have the Recommended profile with a couple of exceptions for 2-3 services. Those already running R80+ have the Optimized profile with the same. Other than that it's all left the way it was out of the box. The optimized profile really does help improve performance! But, that's not why you have the IPS blade enabled.

I don't have much experience tuning the IPS from before, but now I really want to do something about all these out-of-the-box configurations left running.

When I look at an organization's IPS config I ask them what OS/Applications etc. they are running. I ask them how frequently they patch every individual OS/Application, and if there are any applications they cannot upgrade (read: Java) somewhere. Then I uncheck all the services that aren't present and all definitions/CVEs that are older than 3 years for the present services.

This is something I just thought up myself. This approach could be crap for all I know, I just did something that felt feasible. If you patch your stuff, 3 year old bugs should not be a problem as long as you don't use software that is no longer supported. Right? Maybe 3 years is too short or too long, you tell me. Maybe that's only applicable to some software. Once again, what do you think?

That is the time-saving quick shave approach. But what should I do if I want to go more granular? Where do you guys look to stay updated? I mean, if you have 10 applications and OS's, no problem. But with large organizations it's a pain. Hence the quick shave.

Couldn't find a post like this so here I am. Hopefully others have this question as well.

/ Ilmo

9 Replies

Re: How do you optimize IPS effectively?

I would refer you to the following document: R80.10 IPS Best Practices Guide!

In R77.30, it was best not to change much, but rather to use the Recommended or Optimized profile as-is, as changes there could have a very big influence on performance. Also, one should rather use Prevent than Detect in Protections after the first IPS testing/deployment phase, as both will use the same resources but only Prevent will be helpful in protecting.


Re: How do you optimize IPS effectively?

Hi Günther and thanks for the input. I've read the IPS Best Practices document before creating the OP. It does not answer my question in any greater detail. The guide basically says: set anything that is not a false positive to Prevent, regardless of whether it did or didn't generate a log during the test phase. Maybe that is good enough for most. I'd rather have protections on by active decision.

I'm also curious whether the IPS updates disable outdated protections. If not, that's another thing that needs manual handling. Unless you have a powerful enough system to not care if you have unnecessary protections.


Re: How do you optimize IPS effectively?

Then you have also already studied sk95193 ATRG: IPS (besides the Threat Prevention Administration Guide R80.10)? Having protections configured as on only manually is the most tedious workload I can imagine 😞 But if this decision comes out of decades of your practical IPS experience and troubleshooting, I am surely not the person to suggest anything else...

Re: How do you optimize IPS effectively?

Oh! I did forget to read the ATRG, thanks for reminding me. I'm sure there will be a bunch of good lessons to be learned. I don't have decades of practical IPS experience, like I said in the OP. I simply described what I see as an issue and how I go about it, and asked you guys to let me know how you do it and what your personal experiences are. I believe there is not one config to rule all scenarios, and these best practice guides usually just point you in the general direction. There is certainly not much inspiration to be found there. Advice from experienced people is worth so much more.

Vladimir

Re: How do you optimize IPS effectively?

If we are talking about IPS in R80++, then I would like to point out that the most interesting feature in its current implementation is the ability to define "Protected Scopes" and apply customized protection Profiles to those.

I.e.:

1. Clone the "Optimized" profile a few times and name those for the scopes they are protecting (IIS, Apache, SQL, etc.)

2. Delete or disable irrelevant protections in each cloned profile

3. Add more rules in the Threat Prevention policy with scopes aligned with corresponding profiles

Regards,

Vladimir 


Re: How do you optimize IPS effectively?

Thank you, that looks like a neat way to keep track and trim down the policies. Does it affect performance to run several policies vs. just using a single one?

Vladimir

Re: How do you optimize IPS effectively?

It really shouldn't. If anything, applying a targeted subset of protections based on the target should minimize utilization.

Re: How do you optimize IPS effectively?

I would suggest integrating the IPS Tags within your profile, to disable all protections that are tagged with unneeded OS's/protocols/products. The best practices guide discusses that at the "extending the IPS configuration" section (pages 14-15).

At page 15, the guide also discusses creating separated IPS profiles for different needs at the organization so that could be a recommendation as well.

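Putting the thread's heuristics together (the OP's inventory-and-age trim, the IPS tags Tomer mentions, and keeping protections for products that cannot be patched), as an added Python example that is neither Check Point code nor its management API; the protections, tags and inventory are constructed sample data:

```python
# Added example (not Check Point code or its management API): triage of IPS
# protections by inventory tags and age, the thread's heuristics in one place.
# All protections, tags and the inventory below are constructed sample data.
from dataclasses import dataclass

MAX_AGE_YEARS = 3    # the OP's three-year cut-off; tune per organisation
CURRENT_YEAR = 2018  # pinned so the example is deterministic

@dataclass(frozen=True)
class Protection:
    name: str
    tags: frozenset    # IPS tags: product/OS/protocol the protection covers
    release_year: int
    action: str        # action currently set in the profile

# Constructed inventory: tag -> True if patched regularly, False if it cannot
# be upgraded (the OP's "read: Java" case).
INVENTORY = {"Apache": True, "IIS": True, "Java": False}

# Constructed protections, as they might sit in a cloned Optimized profile.
PROTECTIONS = [
    Protection("Apache Sample Module Overflow", frozenset({"Apache"}), 2017, "Detect"),
    Protection("Apache Sample Request DoS", frozenset({"Apache"}), 2012, "Prevent"),
    Protection("IIS Sample Handler Bypass", frozenset({"IIS", "Windows"}), 2014, "Prevent"),
    Protection("Java Sample Deserialization", frozenset({"Java"}), 2013, "Prevent"),
    Protection("Oracle Sample Listener Abuse", frozenset({"Oracle"}), 2017, "Prevent"),
    Protection("Generic Protocol Anomaly", frozenset(), 2009, "Prevent"),
]

def decide(p, inventory, now=CURRENT_YEAR, max_age=MAX_AGE_YEARS):
    """Return the action the trimmed profile should carry for protection p."""
    present = p.tags & frozenset(inventory)
    if p.tags and not present:
        return "Inactive"    # nothing in the estate runs a tagged product
    if present and all(inventory[t] for t in present) and now - p.release_year > max_age:
        return "Inactive"    # old bug in a product that is patched regularly
    return "Prevent"         # Detect costs the same resources but blocks nothing

def tune(protections, inventory, **kw):
    """Map each protection name to its proposed action; review before applying."""
    return {p.name: decide(p, inventory, **kw) for p in protections}

if __name__ == "__main__":
    for p in PROTECTIONS:
        new = decide(p, INVENTORY)
        if new != p.action:
            print(f"{p.name}: {p.action} -> {new}")
```

Untagged (generic) protections and anything covering an unpatchable product stay in Prevent, so the age cut-off only ever trims protections for products you actually keep patched.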

Re: How do you optimize IPS effectively?

Thank you Tomer,

I see that I missed the part about separated IPS profiles. Vlad also gave a useful example of this in the post above. I like this approach. I've been using the tags to do the initial trims of the profile.
