Choosing the right intrusion prevention technologies and product is a complex task, but following these six steps will make it simpler.
IT professionals are acutely aware they need stronger protection technologies to fill gaps that firewalls alone can't address. Network intrusion prevention systems (IPSes) have been promoted as cost-effective ways to block malicious traffic, and detect and contain worm and virus threats; they can also be used to monitor network activity and assist in compliance requirements.
The IPS market is overflowing with products with a wide spectrum of features that are suitable in a wide array of environments. That means you should be able to find the right one for your enterprise--if you do your homework. In the IPS world, it is especially easy to fall into the trap of buying what a savvy vendor wants to sell you rather than what you need.
To decide what type of IPS is right for you, follow our six-step strategy, from asking why you're buying an IPS to testing the product in your network.
Ask yourself this question before looking at products, before talking to vendors and certainly before deciding whether you even need more security. Start with an IPS needs statement--a single paragraph. Understanding why you're adding intrusion prevention and what you're looking for in an IPS is so critical that its importance is difficult to overemphasize. Only then can you ask yourself about security and coverage, performance, management and form factor.
There are many good reasons to add IPS, including:
- Extra protection at the perimeter or at the core, employing signature-based technology to block malware.
- DoS mitigation to protect a server farm and ensure availability.
- Compliance with regulatory requirements.
- IDS-like alerting and forensics to help you get a better handle on what kinds of threats are hitting your network.
It would be easier if you could simply reduce this list of implementation reasons and goals into a feature checklist--something you could throw into an RFP and pick the vendor that can check all the right boxes. That's impossible, not so much because the features aren't available, but because of the disparate philosophies that go into the products' designs.
The term "network IPS" doesn't inherently imply any one way of preventing intrusions. In fact, different products use radically different technologies because "security" means radically different things to different people.
This is a crowded and disparate market. Products range from high-performance standalone appliances to add-ins to existing firewalls. Although there are common denominators between some products that segment the market into broad, overlapping categories, the underlying design goals and capabilities vary widely.
There are three fundamental IPS detection technologies: signature-based (including protocol anomaly), rate-based and behavioral (such as network anomaly). While it may include some pieces from all three, each product features one of these as its primary technology.
Based on your needs statement, decide which of these three is most important to you overall and most appropriate for your application:
- Signature-based IPS dominates this market and includes standalone appliances, embedded IPS technology in firewalls and remotely managed service-based devices. Such products don't rely entirely on signatures to detect malicious or improper behavior. For example, they often include protocol anomaly detection, which looks for application or TCP/IP behaviors that are either non-standard or far from the normal behaviors; this helps detect zero-day attacks before a signature is available.
Although it's critical to catching common exploits, signature-based detection is only as good as its signatures, which are difficult to write. Evaluating signatures is tough, in part because most IPS vendors don't leave them open for inspection. Although signature writers' mantra is "block the vulnerability, not the exploit," their Achilles' heel is their inability to identify every possible permutation. As a result, most signature-based IPSes are best at detecting common exploits (for example, by attackers simply trying tools they've downloaded from the Internet).
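The three detection styles just described, as an added example that is not from the original article: an exploit-specific signature, a vulnerability-oriented signature ("block the vulnerability, not the exploit") and a protocol anomaly check, run over constructed HTTP requests. The oversized Cookie header stands in for a hypothetical vulnerable condition; the 512-byte limit and the method list are assumptions.

```python
"""Exploit signature vs. vulnerability signature vs. protocol anomaly (added example)."""
import re

# Constructed sample requests. The long Cookie values stand in for an
# oversized field that a hypothetical vulnerable server mishandles.
REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: " + "A" * 600 + "\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: " + "B" * 600 + "\r\n",
    "FOO /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
]

# Exploit signature: matches the one published payload pattern (a run of "A"s).
EXPLOIT_SIG = re.compile(r"Cookie: A{500,}")
# Vulnerability signature: matches the condition itself, whatever the bytes are.
MAX_COOKIE = 512  # assumed limit for the hypothetical vulnerable server
# Protocol anomaly: anything outside the expected HTTP method set is flagged.
KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def exploit_signature(req):
    return bool(EXPLOIT_SIG.search(req))


def vulnerability_signature(req):
    m = re.search(r"^Cookie: (.*)$", req, re.M)
    return m is not None and len(m.group(1).rstrip("\r")) > MAX_COOKIE


def protocol_anomaly(req):
    method = req.split(" ", 1)[0]
    return method not in KNOWN_METHODS


def evaluate(requests):
    """Return (exploit_hit, vulnerability_hit, anomaly_hit) per request."""
    return [(exploit_signature(r), vulnerability_signature(r), protocol_anomaly(r))
            for r in requests]
```

The third request is a trivial permutation of the second: the exploit signature misses it, the vulnerability signature still catches it, and the unknown-method request is caught only by the anomaly check.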
- Rate-based IPS is primarily designed to mitigate and protect against DoS attacks; it closely watches the rate at which connections come into high-performance application servers, most typically Web servers. Rate-based IPSes take an active part in monitoring, controlling and filtering connections.
The best rate-based IPSes will shield servers from bad connections during periods of stress by acting as proxies to ensure that there is someone "alive" on the other end. More sophisticated rate-based IPSes, appropriate for huge application server farms, offer a myriad of fine-tuned controls, but the basic technology can be built into any inline IPS device or firewall. These technologies scale down very well and can easily protect small- and medium-sized businesses with Internet-facing servers from many types of DoS attacks.
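The core of rate-based protection, as an added example that is not from the article or any vendor's product: a per-source sliding-window connection limiter run over a constructed connection log. The threshold (3 connections per second) and the log are assumptions.

```python
"""Rate-based connection policing over a constructed connection log (added example)."""
from collections import defaultdict, deque

# Constructed log of (seconds, source_ip); a real IPS would derive these from
# inbound SYNs to the protected server.
CONNECTION_LOG = [
    (0.0, "10.0.0.5"), (0.2, "10.0.0.9"), (0.3, "10.0.0.5"), (0.5, "10.0.0.5"),
    (0.6, "10.0.0.5"), (0.8, "10.0.0.5"), (0.9, "10.0.0.5"), (1.5, "10.0.0.9"),
    (2.5, "10.0.0.5"),
]


class RateLimiter:
    """Admit at most max_conns connections per source within any window_s seconds."""

    def __init__(self, max_conns, window_s):
        self.max_conns = max_conns
        self.window_s = window_s
        self.history = defaultdict(deque)  # source -> timestamps inside the window

    def admit(self, now, src):
        q = self.history[src]
        while q and now - q[0] > self.window_s:  # expire old connections
            q.popleft()
        if len(q) >= self.max_conns:
            return False  # over rate: this connection would be dropped or throttled
        q.append(now)
        return True


def police(log, max_conns=3, window_s=1.0):
    """Return {source: (admitted, rejected)} after replaying the log."""
    limiter = RateLimiter(max_conns, window_s)
    verdicts = defaultdict(lambda: [0, 0])
    for t, src in log:
        verdicts[src][0 if limiter.admit(t, src) else 1] += 1
    return {src: tuple(v) for src, v in verdicts.items()}
```

Bursting 10.0.0.5 has its fourth, fifth and sixth connections within the window rejected and is admitted again once the window has moved on; the low-rate source is never touched.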
- Behavioral IPS tracks network flows and traffic patterns, issuing alerts when it detects changes and, in extreme cases, blocking or throttling traffic. It is more of an intrusion reaction and alerting technology than a prevention tool. Behavioral IPS is poor at detecting or blocking specific incoming attacks, most of which are based on a specific data stream embedded in a normal protocol transaction and are not actually changes in behavior. It is, however, very good at identifying systems that have become infected and are now attacking other systems and users, or which have become bases of operation for hackers.
Behavioral IPS is also valuable for viewing large, complex networks, where the actual flows generally are not fully understood. You may consider purchasing a behavior-based system for that reason alone.
You can't afford to get IPS performance wrong, but testing is problematic. As IPSes move further up the network stack, their performance becomes highly data-dependent. By comparison, it's easy to measure performance for switches, routers and standard firewalls, because metrics such as connection rate, maximum simultaneous connection count and goodput are commonly understood and universally accepted.
The greatest differentiator in performance is not the IPS itself, but how it is configured. The performance of signature-based IPS products varies hugely based on the number of signatures and protocols enabled for detection. For example, an IPS may have hundreds of signatures covering HTTP. If half of those signatures are disabled (perhaps because they are IIS signatures and Apache is being used on your network), performance on HTTP traffic can be affected.
Your traffic may also cause variations. For example, moving files around a network with Windows file sharing might not slow down the IPS very much because there aren't many IPS signatures for Windows file traffic. If you moved the exact same files using HTTP, you would see very different performance characteristics.
IPSes will also behave differently depending on the mix of attack traffic and benign traffic. In our testing, we found that attack traffic has a disproportionate impact on IPS performance compared to "clean" traffic. Even small amounts of attack traffic can impact performance, because an attack is considered an exception, has to be logged, generates an alert, and generally requires much more processing than benign traffic.
If you intend to put an IPS out near the perimeter of your network, you will see more attacks, and thus greater variation in system performance. The worst performance case would be to put an IPS outside the network firewall, fully exposed to the Internet. This provides the curious security staffer with gigabytes of interesting data, but results in slower and generally unpredictable performance because of the variation in type and volume of Internet-sourced attacks.
IPS is not a product; IPS is a function and a technology. You can package that technology in many ways and place that function within many kinds of devices, including standalone IPS appliances, firewalls and switches, and other types of security appliances, such as SSL VPNs. Your choice of form factor (appliance or integrated function) and where you place the IPS function in your network will dramatically affect the products you should consider.
The three most common options are a basic IPS in a firewall, a full IPS co-located in a firewall chassis, or a fully freestanding IPS.
Basic IPS in a firewall, focusing on behavior and protocol anomalies, is an excellent choice if you have a good patch and security management policy in place on all internal servers, specifically those accessible from the Internet. In that case, the additional layer that an IPS offers on top of existing firewalls and well-maintained systems is some protection from zero-day attacks as well as DoS attacks.
Some firewalls have an "IPS function" placed into the device simply to satisfy a checklist requirement as part of a unified threat management (UTM) offering. These IPSes should be avoided, both because of their low level of threat protection and because of their awkward and unusable management systems.
Full IPS in a firewall is the best strategy if your main concern is Internet-sourced attacks and, to some extent, identifying internal systems that have become infected or compromised. Putting the IPS within network choke points offers great benefits to network topology and operations costs. It reduces the complexity of the network compared with the alternative of a standalone IPS sitting next to a firewall, which in turn increases reliability.
Standalone IPS products are most appropriate in two environments. Most obvious is when the goal of the IPS is to protect a set of systems from external and internal threats. By pushing the IPS closer to the systems being protected (rather than the Internet), the IPS protects against all attackers.
The second environment is one where IPS and security auditing are organizationally divorced from firewall configuration. For example, in some organizations faced with regulatory compliance issues, IPS and IDS tools are managed by an audit group that is separate from the security operations team.
Management is a huge issue in product selection. The product you choose must meet your requirements for management, monitoring and forensics capabilities. IPS products vary in their management philosophy, from virtually no continuing management to very high management. Making the wrong choice can lead to catastrophic failure of your IPS deployment. The worst thing you can possibly do is select a "high management" product and put it into a "no management" environment.
IPS management systems are unlike any other application or management system in the network. This difference, and the accompanying complexity, is an important factor, especially if you don't have the luxury of a dedicated IPS/IDS team. Keep in mind who will be responsible for day-to-day management of the IPS, what their level of expertise is, what more they can be expected to learn and how many hours a day you've budgeted for IPS management.
Some of the other factors that will affect your management requirements include:
- Forensics. Many IPS products also have IDS capabilities, offering intensive logging, IDS signatures in addition to IPS signatures, and packet capture facilities. This type of product is a great addition to any network, but only if you have the appropriate staff and expertise.
- Network visibility. Because IPSes see so much traffic, they can give managers insight into what is happening on the network. IPS management systems that present this information graphically offer great benefits and can highlight problems and trends at a glance.
- Event alerting and correlation. Security event management (SEM) tools gather and correlate data from multiple sources. Some IPS management systems have SEM capabilities.
- Performance of the management system. If you plan to keep old data for investigative, trend-matching or regulatory reasons, you should make an effort to estimate the amount of data to help IPS vendors properly size the management system.
Testing on your own network and traffic is the best way to determine whether the IPS product will meet your requirements. Make sure you have a good understanding of your network topology and security policy, so the testing will accurately determine if the product meets your requirements.
Run the IPS in alert-only mode for several weeks, so you can build up a collection of events to help determine whether the product can handle the load.
Once you have some confidence that the IPS isn't going to melt down your network, enable blocking or prevention. Make sure you plan sufficient time each day--typically a half day or more if your network is large or has many Internet-accessible servers--to investigate every alert and hunt down the false positives. Even if you don't have a full security policy as part of your evaluation, you should be investigating most alerts. It's critical to get a feel for whether or not the IPS will work in your own network.
Expect some false positives. These are natural--an IPS that does not throw any false positives is probably not actually doing you any good. You should be able to fine-tune the security policy before you start blocking, but still there may be false positives once you begin. Be prepared to react quickly as they pop up. Also, remember that while some problems will show up at your help desk in a few seconds, occasional failures may take a week or more before they begin to percolate up into support channels. Allow time so these "low and slow" problems will surface.
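The alert-only tuning step described above, as an added example that is not from the article: a tally over constructed alert lines carrying the analyst's verdict after investigation, which sorts signatures into those ready for blocking and those to keep alert-only until tuned. The line format, signature IDs and the 25% false-positive threshold are assumptions.

```python
"""Alert-only evaluation tally over constructed IPS alert lines (added example)."""
import re
from collections import defaultdict

# Constructed alert lines in a syslog-like form. The final field is the
# verdict recorded after investigation: tp = real attack, fp = benign traffic flagged.
ALERTS = """\
2024-01-08T09:12:01 sig=1001 src=203.0.113.7 dst=192.0.2.10 verdict=tp
2024-01-08T09:13:44 sig=1001 src=203.0.113.9 dst=192.0.2.10 verdict=tp
2024-01-08T09:20:10 sig=2045 src=192.0.2.55 dst=192.0.2.20 verdict=fp
2024-01-08T09:21:02 sig=2045 src=192.0.2.56 dst=192.0.2.20 verdict=fp
2024-01-08T09:25:30 sig=2045 src=203.0.113.7 dst=192.0.2.20 verdict=tp
2024-01-08T10:02:11 sig=3310 src=192.0.2.60 dst=192.0.2.30 verdict=fp
""".splitlines()

LINE_RE = re.compile(r"sig=(?P<sig>\d+) .* verdict=(?P<verdict>tp|fp)$")


def tally(lines):
    """Count true and false positives per signature ID."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines that are not investigated alerts are ignored
            counts[m["sig"]][m["verdict"]] += 1
    return dict(counts)


def blocking_policy(counts, max_fp_rate=0.25):
    """Split signatures into (block, alert_only) by their false-positive share."""
    block, alert_only = [], []
    for sig, c in sorted(counts.items()):
        fp_rate = c["fp"] / (c["tp"] + c["fp"])
        (block if fp_rate <= max_fp_rate else alert_only).append(sig)
    return block, alert_only
```

Running the tally over weeks of alert-only data in this way gives a concrete list of signatures to disable or tune before blocking is switched on.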
With blocking enabled, it is also useful to try to "stress test" the IPS. If you don't have commercial testing tools to inject additional load, you can use open-source tools that will increase the load of both attack and benign traffic.
Now, Take a Step Back
Finally, even though you may be far along an expensive evaluation cycle, it's important to step back and ask yourself if the increased security justifies the cost of the IPS product and its associated capital and operational expenses.
The investment in an IPS will range from simply checking a box on a firewall to enable the IPS, to installing devices and management consoles at critical points in your network. While IPS can offer significant value in improving security, measuring that value just before you dive into deployment can help cement the requirements and value for IPS, as well as provide a realistic set of expectations within your organization.
Compare host and network IPSes at searchsecurity.com/ismag.