Using a layered approach to network security that won’t overwhelm you with false alerts takes strategic planning. Here are some steps to follow for the best results.
1. Know your network. Gather as much information as possible on your host applications, operating systems, and network traffic trends and protocols.
2. Put a comprehensive security policy in place that clearly defines what does and doesn’t belong on your network.
3. Use your traffic and policy information to choose and place your IDS and IPS solutions where they provide the most effective protection.
4. Consider using IPS for perimeter protection and possibly one or two critical network segments. Monitor other important segments with IDS.
5. Consider whether you should be protecting critical applications with host-based intrusion prevention products and/or Web application firewalls.
6. Make sure your IDS or IPS can provide the views of alert and forensic information you require and can assign different levels of importance to alerts.
7. Make sure it’s easy to switch quickly between your IPS’s monitoring and blocking modes.
8. Don’t turn on all your IPS filters. Start slowly, activating filters that block the most obvious and contextually relevant attacks. Expand slowly, evaluating the impact of every filter.
9. Use the network and policy information you’ve gathered to eliminate unnecessary IPS filters and IDS signatures.
10. Consider investing in an auditing and alert correlation system to suppress alerts that are not relevant.