How we tested Cisco IPS 7.0

We installed a Cisco 4260 IPS appliance in a production network with approximately 700 Web sites generating approximately 25 Mbps of traffic to the Internet. Our goal in this testing was to focus on the reputation services aspect of the 7.0 software, so we did not do specific performance or IPS coverage testing.

Initially, we installed a beta version of 7.0 software that Cisco made available. We then placed the IPS both in front of (on the Internet side of) and behind different firewalls protecting the network. However, with beta 7.0 software, the IPS caused significant service interruption when placed outside of the firewall. We pulled the IPS from the network and waited for Cisco to release the final 7.0 software.

When 7.0 release software was available on Cisco’s Web site, we re-installed the IPS. Following Cisco’s advice, we only placed the IPS behind firewalls, rather than on the Internet side of the firewalls. We used two different gigabit Ethernet circuits, carrying a total of 14 different VLANs. The IPS ran in production on those network segments, inspecting and protecting 12 of the different VLANs, for over two weeks.

We also installed Cisco IPS Manager Express 7.0 software on a Windows 2000 server with a 3GHz Pentium 4 CPU, 3GB of RAM and internal SATA hard drives. We found that even with 1.2 million events in the database, the performance of IPS Manager Express was very satisfactory.

Cisco engineers assisted, remotely, with the initial configuration of the IPS and provided some technical support via e-mail during the testing. Once we felt the IPS was stable on our production networks, we studied the alerts that the IPS created based on the traffic on those networks. In combination with normal Cisco technical support resources, we tuned the IPS for a period of about one week. The tuning generally included identifying signatures with a high false positive count and either disabling or, in a few cases, adjusting them to ignore particular systems.

During the tuning period, we enabled all reputation service features of IPS 7.0, but ran them in “audit” mode to get comfortable with what the reputation service was going to do to the events and to the IPS itself.

After tuning was completed, we set the reputation service features to be active and monitored the results.
