Cisco IDS - Active vs. Passive

redwarrior Member Posts: 285
We do most of our higher-level network work here through a consulting firm. Recently, the company decided to upgrade one of our ASAs with IDS capabilities. Now that the license has been purchased, the consultants are telling us that we should never put the IDS into active mode, but instead should have someone monitor it regularly and then block any addresses that look like they are attempting something malicious through our firewall. My boss's boss is rather perplexed by this, having spent a great deal of money on this. He made a great analogy: "If I bought a 4-wheel drive truck and spent extra for the 4-wheel drive and then, as I was getting ready to drive away, the dealer told me never to engage the 4-wheel drive, I'd be pretty angry." I was wondering what everyone here thought. Is this accurate information, or should we be looking to someone who is more experienced at configuring IDS to help us get this thing running in 4-wheel drive?

Thanks!

CCNP Progress


BSCI - In Progress <--My Cisco Blog


  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Configure the AIP-SSM module (that's what I'm presuming was installed, and not just enabling the existing IDS software) to work in promiscuous mode to begin with, download the Cisco IPS Event Viewer if you don't have any other monitoring software, and watch it very closely for at least a week while still in promiscuous mode. Use this time to tune the IPS to your environment by reducing false positives and configuring any action overrides you need for certain services. When you are confident you have ruled out any false positives that would cause a blocking/deny action, change the mode to inline (where it no longer just monitors but can take action, essentially from IDS to IPS mode). Be prepared to keep tuning it for weeks to come afterwards, but the amount you have to change will lessen over time.

    And yes, having a flat rule that you leave it in promiscuous/IDS mode forever and manually block hosts is ridiculous. The whole idea of using the IPS is to provide proactive protection, not add to your workload long term.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
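The "watch it in promiscuous mode for a week and tune out the false positives before going inline" phase Ahriakin describes is mostly a triage exercise: for each signature that fired, decide whether it needs an action override or event filter, whether its deny action should survive the cut-over to inline, or whether it should stay alert-only for now. The script below is an added example of that triage, not code from the thread or from Cisco; the key=value alert line format, the signature IDs and names, the 10.0.0.0/8 "internal" range and the numeric thresholds are all constructed for the example and are not the AIP-SSM's real event format or risk-rating scale.

```python
"""
Added example: triage IPS alerts collected during a promiscuous-mode
tuning period and classify each signature for the inline cut-over.

Everything here (log format, signature IDs/names, thresholds, address
ranges) is an assumption made for the example, not Cisco's real format.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample alerts in a hypothetical "key=value" line format.
# Signature IDs and names are made up for the example.
SAMPLE_ALERTS = """\
sig=2000 name=ICMP_Echo_Req src=10.1.1.5 dst=10.1.2.10 risk=25
sig=2000 name=ICMP_Echo_Req src=10.1.1.6 dst=10.1.2.10 risk=25
sig=2000 name=ICMP_Echo_Req src=10.1.1.7 dst=10.1.2.10 risk=25
sig=2000 name=ICMP_Echo_Req src=10.1.1.8 dst=10.1.2.10 risk=25
sig=5081 name=WWW_Directory_Traversal src=203.0.113.9 dst=10.1.2.20 risk=90
sig=5081 name=WWW_Directory_Traversal src=203.0.113.9 dst=10.1.2.20 risk=90
sig=3030 name=TCP_SYN_Host_Sweep src=10.1.3.2 dst=10.1.2.0 risk=60
"""

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Thresholds are assumptions chosen for the example, not vendor defaults.
NOISE_MIN_SOURCES = 3   # a "noisy" signature fires from at least this many hosts
NOISE_MAX_RISK = 50     # ...and never with a risk rating at or above this
DENY_MIN_RISK = 70      # signatures at or above this keep a deny action inline


@dataclass
class Alert:
    sig: str
    name: str
    src: str
    dst: str
    risk: int


def parse_alerts(text):
    """Parse key=value alert lines into Alert objects, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        alerts.append(Alert(fields["sig"], fields["name"], fields["src"],
                            fields["dst"], int(fields["risk"])))
    return alerts


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarize(alerts):
    """Aggregate alerts per signature: event count, distinct sources, max risk."""
    stats = defaultdict(lambda: {"name": "", "count": 0,
                                 "sources": set(), "max_risk": 0})
    for a in alerts:
        s = stats[a.sig]
        s["name"] = a.name
        s["count"] += 1
        s["sources"].add(a.src)
        s["max_risk"] = max(s["max_risk"], a.risk)
    return dict(stats)


def recommend(stats):
    """Return {sig: verdict} for the promiscuous-to-inline cut-over.

    likely-false-positive: low-risk signature firing from many internal hosts;
                           add an action override / event filter before inline.
    keep-deny:             high-risk signature; retain the blocking action.
    monitor:               leave alert-only and re-check after more tuning.
    """
    verdicts = {}
    for sig, s in stats.items():
        all_internal = all(is_internal(src) for src in s["sources"])
        if (all_internal and len(s["sources"]) >= NOISE_MIN_SOURCES
                and s["max_risk"] < NOISE_MAX_RISK):
            verdicts[sig] = "likely-false-positive"
        elif s["max_risk"] >= DENY_MIN_RISK:
            verdicts[sig] = "keep-deny"
        else:
            verdicts[sig] = "monitor"
    return verdicts


if __name__ == "__main__":
    stats = summarize(parse_alerts(SAMPLE_ALERTS))
    for sig, verdict in recommend(stats).items():
        s = stats[sig]
        print(f"{sig} {s['name']:<24} events={s['count']:<2} "
              f"sources={len(s['sources'])} max_risk={s['max_risk']:<3} -> {verdict}")
```

The heuristic is deliberately simple: a signature that fires constantly from many internal hosts at a low risk rating (the echo-request alerts above) is the kind of thing an action override or event filter should neutralise before inline mode can ever deny it, while a high-risk signature from outside keeps its deny action and anything in between stays on the "keep watching" list for the following weeks of tuning.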