I was recently working on a system that used a lot of interprocess communication over the loopback adapter address and the server's own IP addresses. Normally the suggestion for high rates of network traffic is to remove the IPS module entirely, but I was able to significantly boost performance simply by adding exclusions to the IPS configuration that matched the local loopback (127.0.0.1) and the IP addresses on the NICs (the server had multiple NICs), so that entire removal was no longer required. Although this won't allow detection and inspection of malware that jumps on the loopbacks, it still allows IPS inspection of pretty much everything else and is a more secure option than complete removal.

However, as I look out at other servers that could benefit from this, it becomes a problem of scale; I would have to create unique exclusion groups, one per server, to enable this same configuration for each server. It would be really beneficial if there were an option to dynamically scan the host at start time of the SEP client and read in the defined IP addresses of the NIC cards, and then have a new checkbox that, if enabled, excludes local system traffic matching the loopback and dynamically identified IP addresses.
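The following is an added sketch of the start-time logic requested in the post above; it is not Symantec code and does not use SEP's configuration format. The function names, the hostname-based address discovery and the rule that a flow is skipped only when both endpoints belong to the host are assumptions of this example.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_address("127.0.0.1")

def discover_host_addresses():
    """Best-effort stand-in for NIC enumeration: addresses the hostname resolves to."""
    found = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            found.add(info[4][0].split("%")[0])  # drop any IPv6 zone id
    except OSError:
        pass
    return found

def build_exclusions(nic_addresses):
    """Loopback plus each usable NIC address, as single hosts (never ranges)."""
    hosts = {LOOPBACK}
    for raw in nic_addresses:
        addr = ipaddress.ip_address(raw)  # raises ValueError on ranges or junk
        # 0.0.0.0 or a multicast entry would match far more than this host
        if addr.is_unspecified or addr.is_multicast:
            continue
        hosts.add(addr)
    return hosts

def skip_inspection(src, dst, exclusions):
    """True only when both endpoints of the flow belong to this host."""
    return (ipaddress.ip_address(src) in exclusions
            and ipaddress.ip_address(dst) in exclusions)

if __name__ == "__main__":
    # Constructed sample: a server with two NICs and one bogus entry
    ex = build_exclusions(["10.0.0.5", "192.168.50.5", "0.0.0.0"])
    flows = [("127.0.0.1", "127.0.0.1"),
             ("10.0.0.5", "192.168.50.5"),
             ("10.0.0.77", "10.0.0.5")]
    for src, dst in flows:
        verdict = "skip" if skip_inspection(src, dst, ex) else "inspect"
        print(f"{src} -> {dst}: {verdict}")
```

Requiring both endpoints to be local keeps traffic from any remote peer to a NIC address under inspection, so the exclusion covers only the host talking to itself.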