I have an example for you around using the new IPS Software Blade to detect and prevent attacks. The IPS Software Blade is not just SmartDefense renamed; it is a new engine that can take advantage of significant performance gains, as well as IPS-specific features like packet capture. This new attack enforcement also includes new management features that let the administrator search through attacks, link them back to the original protections, and make adjustments for their environment. This is an example of the workflow used to monitor an attack, enable packet capture as needed, and eventually tune the detection. It is only a small sample of the capabilities in the IPS Software Blade available in R70.2 (and later).
If you are hesitant to test these features in production, for fear of impacting legitimate business traffic, we have some big differences in the new IPS engine that might help ease your mind. First off, if performance is a concern, you can turn on a feature to have the IPS turn off inspection in the event your memory or CPU becomes overloaded. You may need to look at a hardware upgrade if this happens regularly to you, but at least you can find out without taking your network down in the process.
The next concern is whether you can run or test the IPS in detect-only mode. Since SmartDefense was so tightly tied to the firewall's protocol inspection, it was not always clear whether it was SmartDefense or just the firewall engine that was stopping traffic, and turning off SmartDefense was not always possible. With the IPS Software Blade, you can quickly and easily turn your IPS into an IDS if you need to confirm the IPS engine is not blocking any malicious traffic. Instead, it simply alerts you to what is detected. Here is an example, with real attacks flowing through the firewall. With a policy push we can switch between detect and enforcement on the fly.
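The detect-only run described above is only useful if you review what the IPS would have blocked before switching it to enforcement. The following script is an added example, not Check Point's code or its log schema: it parses a handful of constructed key=value event lines (field names such as `action`, `protection` and `src` are assumptions for the example), summarises them per protection, and recommends which protections are safe to move to Prevent and which only fired on internal hosts and probably need an exception first. The internal address range is likewise a constructed value for this home network.

```python
"""Review IPS events from a detect-only run before switching to Prevent.

Added example, not Check Point's code or log format. The event lines and
field names below are constructed for illustration; in Detect mode each
event records what a protection *would* have done, so grouping them per
protection shows what enforcement would change on this network.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import shlex

# Constructed sample events (not captured from a real gateway).
SAMPLE_LOG = """\
time=2010-03-01T10:00:01 action=Detect protection="SQL Injection" src=203.0.113.7 dst=10.0.0.5 service=80
time=2010-03-01T10:00:05 action=Detect protection="SQL Injection" src=203.0.113.9 dst=10.0.0.5 service=80
time=2010-03-01T10:00:09 action=Detect protection="SQL Injection" src=198.51.100.4 dst=10.0.0.5 service=80
time=2010-03-01T10:01:00 action=Detect protection="Non Compliant HTTP" src=10.0.0.22 dst=10.0.0.5 service=80
time=2010-03-01T10:01:03 action=Detect protection="Non Compliant HTTP" src=10.0.0.22 dst=10.0.0.5 service=80
time=2010-03-01T10:02:00 action=Prevent protection="Malformed DNS" src=203.0.113.44 dst=10.0.0.53 service=53
"""

# Assumed internal range for this home network; adjust to your own addressing.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class ProtectionStats:
    events: int = 0
    actions: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    internal_sources: set = field(default_factory=set)


def parse_event(line):
    """Split one key=value line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarise(log_text):
    """Aggregate events per protection name."""
    stats = defaultdict(ProtectionStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        s = stats[ev["protection"]]
        s.events += 1
        s.actions.add(ev["action"])
        s.sources.add(ev["src"])
        if is_internal(ev["src"]):
            s.internal_sources.add(ev["src"])
    return stats


def recommend(stats):
    """Map each protection to a tuning recommendation before enforcement."""
    out = {}
    for name, s in stats.items():
        if "Prevent" in s.actions:
            out[name] = "already enforcing"
        elif s.sources and s.sources == s.internal_sources:
            # Every hit came from inside: likely a false positive on legitimate
            # traffic, so add an exception before setting the protection to Prevent.
            out[name] = "review: internal sources only, add exception first"
        else:
            out[name] = "candidate for Prevent: external sources"
    return out


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for name, advice in sorted(recommend(stats).items()):
        s = stats[name]
        print(f"{name}: {s.events} events, {len(s.sources)} sources -> {advice}")
```

Run against a real export, the report is the list you work through before the policy push that switches protections from Detect to Prevent: anything flagged "review" gets an exception or a lowered confidence setting, and only the remainder is enforced.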
I hope to create more movies around the IPS. I have already found it to be effective and informative about the traffic in my network, and I have attached it to the Internet for further testing. If there is something specific you would like to see, please let me know, and stay tuned for another exciting episode in the continuing saga of my home network IPS.