Best way to deploy host-based IPS signatures without causing disruption
Posted on 2014-09-16
I'm not so concerned with network-based IPS, as an entire subnet can
sometimes only have a pair, and a signature that disrupts service can be
rolled back rapidly.
However, I have host-based IPS signatures, namely Trend Micro, in the
thousands to be deployed into each of the Production VMs, and the principal
can't guarantee they won't break the apps or disrupt services.
The signatures have different severity ratings, from Critical with Exploits,
Critical with Smart, High, Med, Low, so we're dividing them up by different
OSes, but it's still a lot.
a) Do people generally take snapshot backups first? I must say I don't
have much storage to take snapshots, and those snapshots have caused the
datastore to fill up in the past, causing painful disruptions.
b) Is there a quick way of fallback or rollback in the event we are affected?
c) Is it more commonly practised that people deploy more signatures on
Web servers (i.e. those facing external or Untrusted zones) and fewer on,
say, the backend (e.g. DB servers)?
The signatures and the agent sit inside each individual VM, unlike
network-based IPS, where network traffic is re-routed to the network
IPS before being passed on to the servers.
I'll be checking with Trend as well.