The factors that most influence the performance of any IPS system, apart from the technical characteristics of the devices, are the bandwidth that must be inspected and the number of rules configured in the network to combat attacks. These external factors could overload an IPS. As a result, packets could be lost (dropped).
To avoid this problem, the security administrator must be proactive, especially in the initial setup phases of the system.
Generally, before configuring an IPS in an SMB or enterprise, it is advisable to ensure that the rules conform to the organization's security policies. To do this, the security administrator must work together with the systems administrator, the network and applications administrator and the database administrator.
Considerations prior to optimizing performance
- External factors that determine which rules to use: you can enable all existing rules, only the rules that correspond to the services present in the system, or an intermediate configuration.
It is not logical to enable rules for attacks that target services that are not available on the servers.
For example, if no Oracle databases are installed in the environment, enabling the IPS rules that block attacks against Oracle will only increase the workload of the IPS engine. What's more, it will be an additional load on the memory and CPU resources assigned to process the packets, without offering any benefit.
For these reasons, a general strategy when starting to configure the IPS is to reduce the number of rules enabled, so that only attacks that can affect your environment are monitored. Including all the rules will result in unnecessary and inefficient use of resources.
- The global configuration variables are used to improve the performance of the IPS and to reduce false positives. A false positive occurs when the IPS engine reports an attack that is not really an attack. For each type of network, server or service, it is possible to specify the IP addresses that belong to it; traffic from those addresses is then not included in the list of intrusions, which reduces the number of false positives.
- High availability combines several devices in a cluster, ensuring the availability of services even in the event of a hardware or software failure. High availability is completely transparent to the user and does not require any modification of the client routing table, since in practice the user sees the cluster as a single device.
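As an added example (not part of the original page or of any particular IPS product), the rule-reduction strategy described above can be automated: given a rule set in Snort-style syntax and an inventory of the ports actually served behind the IPS, keep only the rules that can hit a deployed service. The rules, the port variables and the inventory below are constructed for the example; rules whose destination port is `any` cannot be excluded on this basis and are kept.

```python
import re

# Constructed Snort-style rules: the syntax is real, the rules are invented samples.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ORACLE login attempt"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC traversal"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MSSQL probe"; sid:1000004; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS anomaly"; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Port scan"; sid:1000006; rev:1;)
""".strip().splitlines()

# Global port variables as they would be set in the IPS configuration (constructed).
PORT_VARS = {"ORACLE_PORTS": {1521}, "HTTP_PORTS": {80, 443}}

# Services that actually listen behind this IPS (constructed inventory):
# no Oracle (1521) and no MSSQL (1433) are deployed here.
DEPLOYED_PORTS = {22, 53, 80, 443}

# action proto src sport -> dst dport (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def resolve_ports(spec):
    """Turn a destination-port spec into a set of ints, or None for 'any'."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        return PORT_VARS[spec[1:]]
    if ":" in spec:  # port range such as 8000:8010
        lo, hi = spec.split(":")
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}

def select_rules(rules, deployed_ports):
    """Return (kept, dropped) lists of sids; a rule is kept only if it can hit a deployed service."""
    kept, dropped = [], []
    for line in rules:
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        dport, options = m.group(6), m.group(7)
        sid = int(re.search(r"sid:(\d+);", options).group(1))
        ports = resolve_ports(dport)
        # 'any'-port rules cannot be excluded by service inventory, so they stay enabled.
        if ports is None or ports & deployed_ports:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = select_rules(RULES, DEPLOYED_PORTS)
    print(f"enabled {len(kept)} rules, disabled {len(dropped)}: {dropped}")
```

Review the dropped list with the service owners before disabling anything, since an inventory that is out of date disables exactly the rules you would need.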