After many years of managing and maintaining network security for our own internal network and our customer networks, it still surprises me that even the largest organizations have not implemented intrusion Detection/Prevention. It reminds me of the 1990’s when we would have to convince potential customers that they needed a Firewall. Now, everyone has a firewall (at least I hope) and you would be considered a fool if you didn’t.
It shouldn’t surprise me though, and I think I know the cause of the slow adoption rate. Security, although important is not a business enabler, in fact it makes doing business more cumbersome and costly. But what are the alternatives? It is certainly easier for me to get into my house if the door is unlocked, or to get into may car if the door is unlocked and the key is in the ignition, but that also makes it easier for the people that you don’t want in your house or driving your car. So, as budgets get eaten up on business enabling technologies security gets pushed out to the next fiscal budget.
Many organizations have trouble getting their minds around IDS/IPS/IDP (Intrusion Detection System/Intrusion Prevention System/Intrusion Detection and Prevention), what they do, how they do it and how to manage such a beast.
In very simple terms:
IDS being the oldest of the beasts, simply detected intrusions and alarmed an administrator of that intrusion attempt. IPS and IDP are essentially the same with prevention capabilities – blocking the attacker, resetting the connection, blocking the subnet etc.
How it does this is quite simple. By having a preloaded set of signatures that match criteria known to be suspect. It goes a lot deeper than that, but this is the general idea.
How to manage such a beast is the toughest question to answer and the success in managing is really determined on how it is deployed in the first place. First you must decide where the IPS unit will be placed in your network and what segments/hosts it will be protecting. Once you have a list of hosts you must determine what those hosts do. Are they Web, FTP, Mail, DNS etc? What Operating System are they running? What version of each application they are running? Are they using the latest patches of the Operating system and the Application.
Then you must choose the signatures that are applicable to those applications. Some signatures are applicable always, as they may detect reconnaissance or DoS (Denial of Service) activity. And Finally choose what you would like to happen when a signature fires. Alarm, Reset, Block or all of the above.
As these systems have matured, they have become much more friendly in determining what the risks associated with the signature are by providing risk ratings and a plethora of information about the signature, why it might fire and what you could or should do about it.
Even after you have followed all of these steps, you’ll find that you will be overwhelmed with alarms and logs about potential malicious activity. It is only after a couple of weeks of what we call “burn in” that you should be in a position to calm the system down enough to make it manageable.
But what to do when you get an alarm…. Well to start, don’t Panic – 99% of the time it will turn out to be a false positive, or a attempted attack that you are not sussepatble to based on other security measures deployed throughout your infrastructure. Investigate the source of the signature. If you are in North America and the source is China (unless you do business in China) then it could be an attack. Investigate the target. Is it your Web Server? Is the signature a Web based signature? Does the attack profile match your target – i.e. Is the signature only applicable to an IIS 5 Web Server, running on Windows 2000, is that what you have?
For each signature that comes in, this type of investigation is necessarry and not all organizations have the resources to keep up with the demand. That is why we see a lot of IPS deployments being shelved, or ignored after only a few months.
Here at End to End we use MARS (Monitoring Analysis and Response Server), to manage all of the alarms we recieve from both our own IPS and our Customer IPS appliances. This system allows us to create detailed rules on the MARS server without having to configure each IPS server that we manage. This allows us to scale our service and provide cost effective Managed Services for all IPS deployments. If you are considering an IPS deployment look into a system like MARS, or give us a call and we can help you manage the ugly beast….