We installed a Cisco 4260 IPS appliance in a production network with approximately 700 Web sites generating approximately 25 Mbps traffic to the Internet. Our goal in this testing was to focus on the reputation services aspect of the 7.0 software, so we did not do specific performance or IPS coverage testing.
Initially, we installed a beta version of 7.0 software that Cisco made available. We then placed the IPS both in front of (on the Internet side of) and behind different firewalls protecting the network. However, with beta 7.0 software, the IPS caused significant service interruption when placed outside of the firewall. We pulled the IPS from the network and waiting for Cisco to release the final 7.0 software.
When 7.0 release software was available on Cisco’s Web site, we re-installed the IPS. Following Cisco’s advice, we only placed the IPS behind firewalls, rather than on the Internet side of the firewalls. We used two different gigabit Ethernet circuits, carrying a total of 14 different VLANs. The IPS ran in production on those network segments, inspecting and protecting 12 of the different VLANs, for over two weeks.
We also installed Cisco IPS Manager Express 7.0 software on a Windows 2000 server with a 3GHz Pentium 4 CPU, 3GB of RAM and internal SATA hard drives. We found that even with 1.2 million events in the database, the performance of IPS Manager Express was very satisfactory.
Cisco engineers assisted, remotely, with the initial configuration of the IPS and provided some technical support via e-mail during the testing. Once we felt the IPS was stable on our production networks, we studied the alerts that the IPS created based on the traffic on those networks. In combination with normal Cisco technical support resources, we tuned the IPS for a period of about one week. The tuning generally included identifying signatures with a high false positive count and either disabling or, in a few cases, adjusting them to ignore particular systems.
During the tuning period, we enabled all reputation service features of IPS 7.0, but ran them in “audit” mode to get comfortable with what the reputation service was going to do to the events and to the IPS itself.
After tuning was completed, we set the reputation service features be active and monitored the results.
