This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
Management is a huge issue in product selection. The product you choose must meet your requirements for management, monitoring and forensics capabilities. IPS products vary in their management philosophy, from virtually no continuing management to very high management. Making the wrong choice can lead to catastrophic failure of your IPS deployment. The worst thing you can possibly do is select a "high management" product and put it into a "no management" environment.
IPS management systems are unlike any other application or management system in the network. This difference, and the accompanying complexity, is an important factor, especially if you don't have the luxury of a dedicated IPS/IDS team. Keep in mind who will be responsible for day-to-day management of the IPS, what their level of expertise is, what more they can be expected to learn and how many hours a day you've budgeted for IPS management.
Some of the other factors that will affect your management requirements include:
- Forensics. Many IPS products also have IDS capabilities, offering intensive logging, IDS signatures in addition to IPS signatures, and packet capture facilities. This type of product is a great addition to any network, but only if you have the appropriate staff and expertise.
- Network visibility. Because IPSes see so much traffic, they can give managers insight into what is happening on the network. IPS management systems that present this information graphically offer great benefits and can highlight problems and trends at a glance.
- Event alerting and correlation. Security event management (SEM) tools gather and correlate data from multiple sources. Some IPS management systems have SEM capabilities.
- Performance of the management system. If you plan to keep old data for investigative, trend-matching or regulatory reasons, you should make an effort to estimate the amount of data to help IPS vendors properly size the management system.
This was first published in February 2007