Harden Your Network Against False Positives | Network Security Guide

Question

An engineer receives an incident ticket with hundreds of intrusion alerts that require investigation.

An analysis of the incident log shows that the alerts are from trusted IP addresses and internal devices.

The final incident report stated that these alerts were false positives and that no intrusions were detected.

What action should be taken to harden the network?

Answers

Explanations

C.

Based on the incident ticket, the network appears to have an Intrusion Prevention System (IPS) that is generating hundreds of alerts. After analysis of the incident log, however, these alerts were determined to be false positives, and no intrusions were detected. To harden the network and reduce future false positive alerts, one of the following actions can be taken:

A. Move the IPS to after the firewall facing the internal network. This option places the IPS between the firewall and the internal network. It can reduce the number of false positives because the firewall filters out traffic that does not meet specific criteria before it reaches the IPS, so the IPS only inspects traffic that has already passed the firewall and is more likely to be malicious.

B. Move the IPS to before the firewall facing the outside network. This option places the IPS between the outside network and the firewall. It can help identify threats that the firewall has not yet been configured to block. However, it tends to produce a higher number of false positives, because the IPS inspects all inbound traffic, including legitimate traffic that may be flagged as suspicious.

C. Configure the proxy service on the IPS. This option configures the IPS to act as a proxy. It can reduce false positives by allowing the IPS to inspect traffic more closely and decide whether it is malicious. However, it can also increase the latency of network traffic, which may be undesirable in some environments.

D. Configure reverse port forwarding on the IPS. This option configures the IPS to perform reverse port forwarding. It can reduce false positives by allowing the IPS to inspect traffic more closely and identify malicious traffic that may be using non-standard ports. However, it can also increase the workload on the IPS, which may require additional resources.

In conclusion, the best approach to harden the network depends on the specific requirements of the organization. However, based on the information provided in the incident ticket, option A (moving the IPS to after the firewall facing the internal network) seems to be the most appropriate solution to reduce false positives while still providing an adequate level of protection for the network.
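The log-analysis step the question describes (sorting hundreds of alerts by source and separating trusted internal sources from the rest) is shown below as an added example; it is not code from the original page. The log format, the trusted address ranges and the sample log lines are all constructed for illustration.

```python
"""Triage of an IPS alert batch like the one in the question: group the alerts
by source and signature, mark the ones from trusted or internal ranges, and
list repeat offenders as tuning candidates. Constructed log format, ranges and lines."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: ranges the organisation treats as trusted (internal plus a partner range).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
                ip_network("203.0.113.0/24")]

# Constructed log format: "<ts> IPS ALERT sig=<name> src=<ip> dst=<ip>:<port>"
LINE_RE = re.compile(r"sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)")

SAMPLE_LOG = """\
2024-05-01T10:00:01Z IPS ALERT sig=PORTSCAN src=10.1.2.3 dst=10.1.5.9:445
2024-05-01T10:00:02Z IPS ALERT sig=PORTSCAN src=10.1.2.3 dst=10.1.5.10:445
2024-05-01T10:00:05Z IPS ALERT sig=SMB_ENUM src=192.168.7.20 dst=10.1.5.9:445
2024-05-01T10:01:00Z IPS ALERT sig=HTTP_SCANNER src=203.0.113.44 dst=10.1.8.2:443
2024-05-01T10:02:13Z IPS ALERT sig=SQLI_ATTEMPT src=198.51.100.77 dst=10.1.8.2:443
malformed line that the parser must skip
"""

def parse_alerts(text):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage(text):
    """Bucket alerts by whether the source is trusted and count (src, sig) pairs,
    so a single chatty internal device shows up as one line, not hundreds."""
    trusted, untrusted = Counter(), Counter()
    for a in parse_alerts(text):
        bucket = trusted if is_trusted(a["src"]) else untrusted
        bucket[(a["src"], a["sig"])] += 1
    return {"trusted": trusted, "untrusted": untrusted}

def suppression_candidates(summary, min_hits=2):
    """(src, sig) pairs from trusted sources that fired repeatedly: review these
    first for an IPS exception or firewall rule rather than investigating each alert."""
    return sorted(k for k, n in summary["trusted"].items() if n >= min_hits)
```

Anything left in the untrusted bucket still needs a real investigation; only the trusted-source repeats are candidates for tuning.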