sunhux
asked on
Best way to deploy host-based IPS signatures without causing disruption
I'm not so concerned with network-based IPS, as an entire subnet can
sometimes have only a pair, and a signature that disrupts service can be
rolled back rapidly.
However, I have host-based IPS signatures, namely Trend Micro, in the
thousands to be deployed into each of the production VMs, and the principal
can't guarantee they won't break the apps or disrupt services.
The signatures have different severity ratings (Critical with Exploits,
Critical with Smart, High, Med, Low), so we're dividing them up by different
OSes, but it is still a lot.
a) Do people generally take snapshot backups first? I must say I don't
have much storage to take snapshots, and those snapshots have caused the
datastore to fill up in the past, causing painful disruptions.
b) Is there a quick way of fallback or rollback in the event we are affected?
c) Is it more commonly practised that people deploy more signatures on
web servers (i.e. those facing external or untrusted zones) and fewer on,
say, the backend (e.g. DB servers)?
The signatures and the agent sit inside each individual VM, unlike
network-based IPS, where network traffic is re-routed to the network
IPS before being passed on to the servers.
I'll be checking with Trend as well.
Indeed, a defense-in-depth strategy and divide and conquer, since we also do not want to fall into a single point of failure (as mentioned, the limit of VM processing can be susceptible to adversaries' DoS etc.). The whole approach may ideally be to have the "fight" at the exterior/outer perimeter instead of at the "doorstep" of the target server.
ASKER
> can stage rule and signature before block action take place
Yes, Trend Micro's Deep Security allows the signatures to be
deployed in 'Detect' mode first and later converted to 'Block' mode.
So I'll have a lot to analyse in Detect mode first before we go
into Block mode.
ASKER
350 signatures per VM (though they have about 3700 signatures), as
it will affect the VM's performance (even for a 4 vCPU, 16 GB RAM VM).
That simplifies things a lot for me: selecting only the critical exploits
to apply. Odd, though, is what we do with the remaining 3450
signatures if one of the vulnerabilities happens to hit us.
Looks like I have to strengthen it with network-based IPS at the
outer perimeter and can't rely completely on the host-based (i.e. VM-based)
IPS.
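The Detect-then-Block staging from the earlier comment and the per-VM signature budget from this one can be turned into a repeatable promotion plan; the following is an added example, not code from the thread or from Trend Micro, and it assumes a per-VM rule cap and constructed rule and detection data, leaving the actual Deep Security policy calls out.

```python
from collections import Counter

# Severity tiers as named in the question, highest priority first.
SEVERITY_ORDER = ["Critical with Exploits", "Critical with Smart", "High", "Med", "Low"]
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}

def plan_promotion(rules, vms, detect_events, cap_per_vm):
    """Per VM: which Detect-mode rules get promoted to Block after the soak window.

    rules:         {rule_id: {"severity": str, "os": str}}  ("any" = every OS)
    vms:           {vm_name: os}
    detect_events: [(vm_name, rule_id), ...] hits logged while the rule was in Detect
    cap_per_vm:    assumed per-VM rule budget (the thread mentions roughly 350)
    """
    hits = Counter(detect_events)
    plan = {}
    for vm, os_name in vms.items():
        applicable = [r for r, m in rules.items() if m["os"] in ("any", os_name)]
        applicable.sort(key=lambda r: (RANK[rules[r]["severity"]], r))
        block, review, deferred = [], [], []
        for r in applicable:
            if hits[(vm, r)]:
                review.append(r)      # fired on live traffic: investigate before blocking
            elif len(block) < cap_per_vm:
                block.append(r)       # clean soak and within budget: safe to promote
            else:
                deferred.append(r)    # over budget: stays in Detect, rely on network IPS
        plan[vm] = {"block": block, "review": review, "deferred": deferred}
    return plan

def rollback(plan, vm, rule_id):
    """Flip one rule on one VM from Block back to Detect (the quick fallback asked about)."""
    entry = plan[vm]
    if rule_id in entry["block"]:
        entry["block"].remove(rule_id)
        entry["review"].append(rule_id)
    return entry

# Constructed sample data, not taken from any real Deep Security tenant.
RULES = {
    "R1": {"severity": "Critical with Exploits", "os": "any"},
    "R2": {"severity": "Critical with Exploits", "os": "windows"},
    "R3": {"severity": "High", "os": "linux"},
    "R4": {"severity": "Med", "os": "any"},
    "R5": {"severity": "Low", "os": "any"},
}
VMS = {"web01": "linux", "db01": "windows"}
EVENTS = [("web01", "R4"), ("web01", "R4"), ("db01", "R2")]

def demo():
    return plan_promotion(RULES, VMS, EVENTS, cap_per_vm=2)
```

Rules in the "review" bucket are the ones that would have blocked something in production, so they need a look at the event before promotion rather than a blind flip to Block.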