212 Network Intrusion Prevention Design Guide: Using IBM Security Network IPS
7.1 Policy tuning objectives
The IBM Security Network IPS can act as two separate security controls. It can
provide accountability controls through its intrusion detection system (IDS)
functions in passive monitor mode. It can also provide authorization controls
through its Network IPS functions in inline protection mode.
After the initial implementation at the cardio healthcare company, the IBM Security
Network IPS appliances are running in simulation mode, as explained in Chapter 6,
“Phase 1: Design and implementation of IBM Security Network IPS” on
page 161. To get the full benefit of an IPS appliance, the appliance must block
malicious network traffic as soon as it is identified, which requires moving from
simulation mode to prevention mode.
Simulation mode allows a security policy to be tuned in production without
affecting traffic. The concern with prevention mode is that you might accidentally
block traffic that is legitimate on your network. Tuning the policy first is what
makes the transition to prevention mode possible.
7.2 Overview of the IBM Security Network IPS policy
To tune the IBM Security Network IPS policy effectively, you must understand how
the appliance implements policy. The following policies are available for
enforcement:
The firewall policy is similar to any standard firewall policy. A packet is
matched, typically on network and transport header fields (IP addresses and
ports), and an action is then taken on the packet such as
The IPS policy is an amalgam of several individual policies:
Security Events: The primary IPS policy for the Network IPS.
Response Filters: Help you to create exceptions to the security events.
Protection Domains: By defining a protection domain, you can create bulk
exceptions to the security events policy.
Connection Events: Help you to define IPS signatures based on
firewall-type rules. This policy is deprecated in favor of the
Network IPS Firewall policy.
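The following added example is not IBM code and does not reproduce the appliance's actual evaluation logic; it is a simplified model, written for this guide, of how the pieces described in 7.1 and 7.2 fit together: a firewall rule matched on header fields, a security event raised by a signature, a protection domain that decides which events are blocked for a given destination network, a response filter that exempts a known-good source, and the simulation versus prevention mode switch that decides whether a block is enforced or only reported. All rule names, event names, addresses and the decision that simulation mode also suppresses firewall drops are constructed assumptions for the model. The `would_block_summary` function shows the tuning workflow from 7.1: run in simulation, tally what would have been blocked, and turn the entries that belong to legitimate traffic into response filters before switching to prevention mode.

```python
"""Simplified model of IPS policy evaluation (constructed example, not IBM code)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    event: Optional[str] = None   # security event a signature raised on this packet, if any


@dataclass(frozen=True)
class FirewallRule:
    proto: str
    dport: int
    src_net: str
    action: str                   # "drop", or "protect" (hand the packet to IPS inspection)


@dataclass
class ProtectionDomain:
    name: str
    networks: List[str]           # destination networks the domain covers
    block_events: Set[str]        # events whose block response is enabled in this domain


@dataclass
class ResponseFilter:
    event: str
    src_net: str                  # exception: never block this event from this source


def _in_net(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net)


def firewall_action(pkt: Packet, rules: List[FirewallRule]) -> str:
    """First matching rule wins; the default is to pass the packet to IPS inspection."""
    for r in rules:
        if r.proto == pkt.proto and r.dport == pkt.dport and _in_net(pkt.src, r.src_net):
            return r.action
    return "protect"


def domain_for(pkt: Packet, domains: List[ProtectionDomain], default: ProtectionDomain):
    """Pick the protection domain by destination network, falling back to the default."""
    for d in domains:
        if any(_in_net(pkt.dst, n) for n in d.networks):
            return d
    return default


def evaluate(pkt, rules, domains, default_domain, filters, mode) -> Tuple[str, str]:
    """Return (verdict, reason). mode is 'simulation' or 'prevention'.
    In simulation mode every enforcing verdict is reported as 'would-...' instead."""
    if mode not in ("simulation", "prevention"):
        raise ValueError("unknown mode: %s" % mode)
    enforce = mode == "prevention"
    if firewall_action(pkt, rules) == "drop":
        return ("drop" if enforce else "would-drop", "firewall rule")
    if pkt.event is None:
        return ("pass", "no security event")
    dom = domain_for(pkt, domains, default_domain)
    if pkt.event not in dom.block_events:
        return ("pass", "event %s not blocked in domain %s" % (pkt.event, dom.name))
    for f in filters:                      # response filters are exceptions to the block
        if f.event == pkt.event and _in_net(pkt.src, f.src_net):
            return ("pass", "response filter exception for %s" % pkt.event)
    return ("block" if enforce else "would-block",
            "event %s in domain %s" % (pkt.event, dom.name))


def would_block_summary(packets, rules, domains, default_domain, filters):
    """Run the policy in simulation mode and tally would-be blocks by (event, source).
    Entries for known-good sources are candidates for new response filters."""
    tally = Counter()
    for p in packets:
        verdict, _ = evaluate(p, rules, domains, default_domain, filters, "simulation")
        if verdict.startswith("would-"):
            tally[(p.event or "firewall", p.src)] += 1
    return dict(tally)


# Constructed sample policy: all names and addresses are invented for this example.
RULES = [FirewallRule("tcp", 23, "0.0.0.0/0", "drop")]           # drop telnet from anywhere
DOMAINS = [ProtectionDomain("DMZ", ["10.1.0.0/16"], {"Event_A", "Event_B"})]
DEFAULT_DOMAIN = ProtectionDomain("Global", [], {"Event_A"})     # Event_B is report-only here
FILTERS = [ResponseFilter("Event_A", "10.0.5.0/24")]             # internal scanner, known good
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.1.2.3", "tcp", 80, "Event_A"),     # external, into DMZ
    Packet("10.0.5.7", "10.1.2.3", "tcp", 80, "Event_A"),       # scanner, covered by filter
    Packet("192.0.2.10", "10.2.0.9", "tcp", 80, "Event_B"),     # outside DMZ, not blocked
    Packet("192.0.2.10", "10.1.2.3", "tcp", 23, None),          # telnet, firewall drop
    Packet("198.51.100.4", "10.1.2.3", "tcp", 443, None),       # clean traffic
]


def verdict(pkt: Packet, mode: str) -> str:
    """Evaluate one packet against the sample policy and return only the verdict."""
    return evaluate(pkt, RULES, DOMAINS, DEFAULT_DOMAIN, FILTERS, mode)[0]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, "->", p.dst, verdict(p, "simulation"), "/", verdict(p, "prevention"))
    print(would_block_summary(SAMPLE_PACKETS, RULES, DOMAINS, DEFAULT_DOMAIN, FILTERS))
```

Running the module prints each packet's verdict in both modes and the simulation tally; in this model the only two would-be blocks come from the external source, so nothing in the tally calls for a new response filter and the policy is ready to move to prevention mode.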