Sunday, May 3, 2015

SourceFire IPS - Understanding Inline Deployments

Understanding how your SourceFire Sensors (or any other IPS for that matter) are deployed is very important to the results you can expect from the device(s).

In this post, I will focus on providing clarity on some of the things you should be aware of when configuring your SourceFire IPS to be inline.

First off let's  understand what is meant by inline deployment. In an inline deployment, the IPS device sits between two network devices. Typically, this would be a perimeter firewall which connects the internal network to the Internet and an internal device such as a switch which connects the devices in the local LAN to the perimeter firewall as shown below.

In the diagram above, the eth0 and eth1 on the sensor forms an inline pair through which the traffic will flow between the switch and the firewall. This is the first step in a successful inline deployment.

Now that our device is inline, we need to configure our IPS Intrusion Policy to "Drop When Inline"


Final step is to select the relevant rule and ensure "Drop and Generate Events" is specified for the rule
 

Below shows the options available for configuring rule state.



Below shows an example of a rue which has been configured to "Drop and Generate Events". Note the red "X" at the end.



As this post has shown, to truly achieve IPS functionality, you need to not only have your device inline but also to cinfigure both the policy and the rules.

Hope you enjoyed reading this post. 

3 comments:

  1. I have accidently enabled 15000 signatures in generate events and it caused flooding on arcsight main channel.
    Can you please help me how to suppress these alerts.

    ReplyDelete
    Replies
    1. Have you considered selecting those rules and disabling them? Then reapplying your IPS policy and that should help fix your issue.

      Delete
    2. Thank you for writing :)

      My colleague helped me in suppressing these alerts, but I am in confused state :(

      How did this happened?

      How does Generate Events can cause so much flooding?
      Does Sensor was actually seeing so much signatures?

      Request you to help me understand the scenario :)

      Thank you so much.

      Delete