On Thu, May 21, 2009 at 10:07 AM, Dan Baxter <[email protected]> wrote:
> The company I work for is in the process of spinning up an IPS solution. It's been a long time in coming and overdue, but we finally got the budget approval.
>
> Anyway, I'm developing the rules management process and have a few questions. We're a large, international company with many different applications running on our WAN, with many different application owners that may or may not know which addresses & ports the apps require for operation. As a result, our management, while recognizing the need for the project, are nervous that it will cause problems by blocking legitimate traffic.
>
> I'd like to know some of the items that should go into a good change management process for adding/modifying rules to an IPS. Our plan is to place the devices into IDS mode for a time to get to know our network better, but eventually we will turn blocking on. From the time a ruleset gets released by the vendor to the rules getting implemented on the actual devices, what are the steps you guys may be taking?
>
> I appreciate any input. Thanks!

I suggest just what you are doing (IDS, then move to IPS -- or if you have a device like ours (Sourcefire) you can go to an IPS "Tap" mode). I've seen many organizations try and implement change management around IDS and IPS, most of which just breaks process and hinders things.

I try to encourage organizations to treat IDS rules like Antivirus. Update them quickly and often. Then have a change management discussion about which of the rules on your *IPS*s you are going to move to a blocking mode.

Determine what you need to drop, and drop them. Then determine what you *want* to drop, and drop that. There is a big difference.

J

--
joel esler | Sourcefire | gtalk: [email protected] | 302-223-5974
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
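One way to put the reply's advice into practice, as an added example that is not from the thread or from Sourcefire: a small Python script that takes a Snort-style ruleset plus the list of SIDs change management has approved for blocking, leaves everything in alert mode except those approved rules (which it sets to drop), and reports what moved. The rule format, the SIDs and the approved list are constructed assumptions; with an empty approved list it yields the alert-only baseline for a freshly updated vendor release.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Action keyword at the start of an uncommented Snort-style rule line.
ACTION_RE = re.compile(r"^(alert|log|pass|drop|sdrop|reject)\s+", re.IGNORECASE)
# The rule's SID, taken from its option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
BLOCKING = {"drop", "sdrop", "reject"}

# Constructed sample ruleset (hypothetical SIDs, not real vendor content).
SAMPLE_RULES = """\
# vendor release (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"known bad URI"; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"DNS oddity"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any 443 (msg:"business app exemption"; sid:1000004; rev:1;)
"""

def apply_blocking_policy(rules_text: str, approved_drop_sids: Iterable[int]
                          ) -> Tuple[str, Dict[str, List[int]]]:
    """Rewrite rule actions so that only SIDs approved through change
    management block ('drop'); any other blocking rule is demoted to
    'alert'. Comments, blank lines, 'pass' rules and rules without a
    parsable SID are left as they are. Returns the new text and a report."""
    approved = set(approved_drop_sids)
    out: List[str] = []
    report: Dict[str, List[int]] = {"promoted": [], "demoted": [], "unchanged": []}
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        m, sid_m = ACTION_RE.match(stripped), SID_RE.search(stripped)
        if not m or not sid_m:
            out.append(line)          # comment, blank line, or not a rule we can score
            continue
        action, sid = m.group(1).lower(), int(sid_m.group(1))
        if sid in approved and action not in BLOCKING and action != "pass":
            new_action, bucket = "drop", "promoted"    # approved: turn blocking on
        elif sid not in approved and action in BLOCKING:
            new_action, bucket = "alert", "demoted"    # not approved: detect only
        else:
            new_action, bucket = action, "unchanged"
        report[bucket].append(sid)
        if new_action == action:
            out.append(line)
        else:
            indent = line[: len(line) - len(stripped)]
            out.append(indent + new_action + " " + stripped[m.end():])
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else ""), report

if __name__ == "__main__":
    new_text, summary = apply_blocking_policy(SAMPLE_RULES, {1000001})
    print(summary)
    print(new_text)
```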
