March 10, 2010

Intrusion Prevention Best Practices

Gain practical guidance from leading users, analysts and experts on how to successfully scope and implement Intrusion Prevention initiatives and projects. Includes implementation examples, guidance, checklists, mistakes and tips.
Intrusion Detection
Intrusion response best practices:
"Once an intrusion is detected, what to do?
1) Prevention: Stop the attack if detected fast enough
2) Containment: Prevent further damage
3) Eradication: Restore system to known good state
4) Follow-Up: Track down attackers
Note: Most work is on eradication."
University of Illinois at Urbana-Champaign

Network Intrusion Prevention Systems: Should Enterprises Deploy Now?
Best practices to achieve IPS implementation success:
1) Run the IPS in "monitor" mode until it's clear that the system is properly tuned. It is far safer to deploy the device in monitoring mode, where it functions in a manner identical to an IDS. Keep a careful eye on it until you're comfortable that it's properly enforcing your organization's security policy.
2) Keep the number of "block" mode rules to a small, finely tuned set. The most successful IPS deployments use a hybrid IDS/IPS approach. Only rules associated with extremely high confidence rates should be set to prevent traffic from traversing the network.
3) Consider using a fail-open device. ...use fail-open technology on an IPS. That way, if the device fails, it acts like a straight copper wire and doesn't cause a complete network outage. If the budget allows, also consider redundant IPS devices configured in high-availability mode.
Mike Chapple, SearchSecurity.com
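The hybrid approach in points 1 and 2 (run in monitor mode, then promote only high-confidence rules to block mode) can be made concrete as a small tuning script. The following is an added example and not code from SearchSecurity.com or any IPS vendor: the triaged alert records, the rule catalogue, the 95% confidence and five-sample thresholds are all constructed assumptions, and the emitted rule lines only borrow the Snort/Suricata `alert`/`drop` action style for illustration. The fail-open hardware behaviour in point 3 is a device property and is not modelled here.

```python
# Added example: tuning a hybrid IDS/IPS rule set from monitor-mode data.
# The alert records, rule texts and thresholds below are constructed for
# illustration; rule syntax follows the Snort/Suricata style of
# "action proto src sport -> dst dport (options)".

from collections import defaultdict

# Constructed triage log from an IPS running in monitor mode:
# (rule sid, analyst verdict) where True = confirmed true positive,
# False = false positive. No real traffic or sensor data is involved.
TRIAGED_ALERTS = [
    (1001, True), (1001, True), (1001, True), (1001, True),
    (1001, True), (1001, True), (1001, True), (1001, True),
    (1002, True), (1002, False), (1002, True), (1002, True), (1002, False),
    (1003, True), (1003, True), (1003, True),
    (1004, False), (1004, False), (1004, False), (1004, True),
]

# Constructed rule catalogue: sid -> (message, header) where header is the
# part after the action keyword. Every rule starts out as "alert" (monitor).
RULE_CATALOGUE = {
    1001: ("EXAMPLE known-bad signature A", "tcp any any -> $HOME_NET 80"),
    1002: ("EXAMPLE anomaly heuristic B", "tcp any any -> $HOME_NET any"),
    1003: ("EXAMPLE known-bad signature C", "tcp any any -> $HOME_NET 443"),
    1004: ("EXAMPLE broad heuristic D", "ip any any -> $HOME_NET any"),
}


def confidence_by_rule(alerts):
    """Return {sid: (true_positives, total_alerts)} from triaged alerts."""
    counts = defaultdict(lambda: [0, 0])
    for sid, is_true_positive in alerts:
        counts[sid][1] += 1
        if is_true_positive:
            counts[sid][0] += 1
    return {sid: (tp, total) for sid, (tp, total) in counts.items()}


def promotable_rules(alerts, min_confidence=0.95, min_samples=5):
    """SIDs that may move from 'alert' to 'drop'.

    A rule qualifies only when it has fired often enough in monitor mode to
    be judged (min_samples) and its confirmed-true-positive rate meets
    min_confidence. Both thresholds are assumed policy values, not numbers
    from the source text.
    """
    promoted = []
    for sid, (tp, total) in sorted(confidence_by_rule(alerts).items()):
        if total >= min_samples and tp / total >= min_confidence:
            promoted.append(sid)
    return promoted


def render_ruleset(catalogue, promoted):
    """Emit one Snort/Suricata-style rule line per sid: 'drop' for promoted
    rules, 'alert' for everything else, giving the hybrid IDS/IPS set."""
    lines = []
    for sid, (msg, header) in sorted(catalogue.items()):
        action = "drop" if sid in promoted else "alert"
        lines.append(f'{action} {header} (msg:"{msg}"; sid:{sid}; rev:1;)')
    return lines


def block_mode_share(catalogue, promoted):
    """Fraction of the rule set in block mode, so the 'small, finely tuned'
    block set stays a number an operator can watch over time."""
    return len(promoted) / len(catalogue)


if __name__ == "__main__":
    promoted = promotable_rules(TRIAGED_ALERTS)
    for line in render_ruleset(RULE_CATALOGUE, promoted):
        print(line)
    print(f"block-mode share: {block_mode_share(RULE_CATALOGUE, promoted):.0%}")
```

With the constructed data, only sid 1001 clears both thresholds; sid 1003 has a perfect record but too few samples to judge, which is exactly the case the monitor-first approach is meant to catch. Re-running the script as new triage verdicts accumulate is the tuning loop the article describes: rules move into block mode one at a time, and the share of the set in block mode stays visible.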
