Testing on your own network and traffic is the best way to determine whether an IPS product will meet your requirements. Make sure you have a good understanding of your network topology and security policy beforehand, so the testing accurately reflects how the product will behave in your environment.
Run the IPS in alert-only mode for several weeks, so you can build up a collection of events to help determine whether the product can handle the load.
Once you have some confidence that the IPS isn't going to melt down your network, enable blocking or prevention. Make sure you plan sufficient time each day--typically a half day or more if your network is large or has many Internet-accessible servers--to investigate every alert and hunt down the false positives. Even if you don't have a full security policy as part of your evaluation, you should be investigating most alerts. It's critical to get a feel for whether or not the IPS will work in your own network.
Expect some false positives. These are natural--an IPS that does not throw any false positives is probably not actually doing you any good. You should be able to fine-tune the security policy before you start blocking, but there may still be false positives once you begin. Be prepared to react quickly as they pop up. Also, remember that while some problems will show up at your help desk within seconds, occasional failures may take a week or more before they begin to percolate up into support.
With blocking enabled, it is also useful to try to "stress test" the IPS. If you don't have commercial testing tools to inject additional load, you can use open-source tools that will increase the load of both attack and benign traffic.
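The alert-only weeks described above produce a pile of events that has to be triaged before blocking is switched on. The following is an added example, not from the article or any IPS vendor, of one simple triage pass: it parses a constructed, simplified alert-line format (real products use their own log formats) and flags signatures that fire from many distinct internal hosts, which are the usual false-positive candidates to tune first. The internal address range is an assumption.

```python
# Added example (not from the article): triage alerts from an alert-only
# IPS evaluation and flag signatures that look like false positives.
# The line format is a constructed, simplified one; real IPS logs differ.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alerts: sid 2001 fires from several internal desktops,
# 3002 from one external host, 4003 from a single internal host.
SAMPLE_ALERTS = """\
2007-02-01T09:00:01 sid=2001 src=10.0.1.10 dst=10.0.0.5 action=alert
2007-02-01T09:00:02 sid=2001 src=10.0.1.11 dst=10.0.0.5 action=alert
2007-02-01T09:00:03 sid=2001 src=10.0.1.12 dst=10.0.0.5 action=alert
2007-02-01T09:00:04 sid=2001 src=10.0.1.13 dst=10.0.0.5 action=alert
2007-02-01T09:01:00 sid=3002 src=198.51.100.7 dst=10.0.0.5 action=alert
2007-02-01T09:01:05 sid=3002 src=198.51.100.7 dst=10.0.0.5 action=alert
2007-02-01T09:02:00 sid=4003 src=10.0.1.10 dst=203.0.113.9 action=alert
garbage line that should be skipped
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: your address space


def parse_alert(line):
    """Parse one 'ts key=val ...' line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        key, sep, val = kv.partition("=")
        if not sep:
            return None
        rec[key] = val
    return rec if {"sid", "src", "dst"} <= rec.keys() else None


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def false_positive_candidates(log_text, min_internal_sources=3):
    """Return {sid: distinct internal sources} for signatures tripped by at
    least min_internal_sources of your own hosts; wide spread across internal
    machines usually means a policy mismatch to tune before blocking."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec and is_internal(rec["src"]):
            sources[rec["sid"]].add(rec["src"])
    return {sid: len(s) for sid, s in sources.items()
            if len(s) >= min_internal_sources}
```

Run it over the real alert export from your evaluation period and review each flagged signature against your security policy before enabling blocking.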
This was first published in February 2007