IPS/IDS Best Practices

Here are some of the recommended IPS/IDS best practices:

- Implement an IPS so that you can analyze traffic going to your critical servers and other mission-critical devices, the "crown jewels" of your organization.

- If you cannot afford dedicated appliances, use modules or IOS software-based IPS/IDS. Appliances have better performance than modules, and modules have better performance than adding the feature in software only to existing IOS routers.

- Take advantage of global correlation to improve your resistance against attacks that may be targeting your organization. Use correlation internally across all your sensors to get the best visibility of the network attacks that are being attempted.

- Use a risk-based approach, where countermeasures occur based on the calculated risk rating as opposed to manually assigning countermeasures to individual signatures.

- Use automated signature updates when possible instead of manually installing updates; this helps keep the signatures current.

- Continue to tune the IPS/IDS infrastructure as traffic flows, network devices, and topologies change. IPS tuning is mostly done on a brand-new implementation but is never truly 100 percent complete.
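
The risk-based approach in the list above, as an added example that is not part of the original text: one policy table keyed on a calculated risk rating selects the countermeasure, so the same signature produces a stronger response against a mission-critical server than against a low-value host. The factor names, weights, thresholds, action names, and sample events are assumptions constructed for illustration.

```python
# Added example: simplified risk-rating model. Factor names, weights, and
# thresholds are assumptions for illustration, not taken from the page.
from dataclasses import dataclass
from typing import Optional

# Constructed asset weights: "crown jewel" targets count for more.
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission_critical": 200}

# Constructed policy: one table of risk bands replaces per-signature actions.
POLICY = [(90, "deny_inline"), (70, "alert_and_capture"), (0, "alert")]


@dataclass
class Event:
    signature: str
    severity: int              # 0-100: damage if the attack succeeds
    fidelity: int              # 0-100: how reliably the signature fires on real attacks
    target: str                # key into TARGET_VALUE
    relevant: Optional[bool]   # attack applies to the target's platform? None = unknown


def risk_rating(ev: Event) -> int:
    """Combine signature and target factors into a 0-100 rating."""
    base = ev.severity * ev.fidelity * TARGET_VALUE[ev.target] / 10000
    adjust = {True: 10, False: -10, None: 0}[ev.relevant]
    return max(0, min(100, round(base + adjust)))


def countermeasure(ev: Event) -> str:
    """Pick the action for the highest risk band the event reaches."""
    rr = risk_rating(ev)
    return next(action for floor, action in POLICY if rr >= floor)


# Constructed sample: the same signature seen against three different targets.
SAMPLE = [
    Event("sig-example-1", 75, 80, "mission_critical", True),
    Event("sig-example-1", 75, 80, "medium", True),
    Event("sig-example-1", 75, 80, "low", False),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.target, risk_rating(ev), countermeasure(ev))
```

Tuning then means adjusting the asset weights and the band thresholds in one place rather than revisiting the action on every signature.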
