Intrusion Prevention System Basics

Intrusion prevention systems (IPS) were among the first security tools deployed alongside the firewall. An IPS inspects network traffic and, based on signatures written by the IPS vendor, triggers a reaction to a matching connection. Deployed inline, an IPS will actually block or terminate the connection, preventing the attack from reaching its target. If the system runs in detection-only mode, otherwise known as an intrusion detection system (IDS), it raises an alert from which you can take further investigation steps and react accordingly, but reacting to that malicious traffic is then an entirely manual process. Those are the basics of an IPS. I want to go further into how you should implement and maintain these systems so that you get the most out of them.
The first topic is placement. Your network will have multiple paths, for reasons ranging from customer requirements to redundancy. The key to getting the most out of your IPS is capturing traffic at a central location. The paths you tap should be where the majority of the traffic crosses. The reason is cost: one IPS at a central routing point can cover the same areas that would otherwise need several units, which improves your return on investment and keeps maintenance costs lower. You might still need multiple IPS units, but fewer than if you captured close to the servers, where there can be multiple routes to and from those devices. Two caveats apply. An IPS can only block traffic it sits inline on; a passive tap or SPAN port gives you detection only. And a sensor at a choke point only sees what crosses it, so traffic between hosts on the same segment, or on an asymmetric path that bypasses the sensor, is never inspected.
IPS policy review is my next area of concern. Too many times I have seen companies check the box of "IPS installed" and then leave the device sitting with default policies and no caretaker to review and customize the policy for their environment. You should first know your environment. Do you run an e-commerce site on Windows or on Linux? Do you provide an application service that customers connect to, and what does that application depend on? You need to know your corporation's footprint before you can apply a policy successfully: which applications and web servers you run and what they are built upon, so that you can add and remove the appropriate signatures and streamline the IPS so it functions properly. Another great source of information here is a vulnerability scan of your environment. IPS vendors often ship signatures for vulnerabilities that the application developers have not yet patched, which lets you mitigate the exposure until the patch arrives (sometimes called virtual patching); a vulnerability scan catches the majority of these problems and helps you map your footprint as well.
After placing the IPS properly and discovering your footprint and the vulnerabilities you need to remediate, train your people to review the IPS policy elements appropriately and add them to the policy in the right places. You would not want to enable a web server's vulnerability signature on a back-end IPS that will never see that type of traffic. The more finely tuned the IPS policy, the smoother it runs and the fewer performance issues you should have. You will also have fewer false positives, because you are well informed about your corporate footprint and about where each signature belongs.
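To make the two points above concrete (the alert-versus-drop difference between IDS and IPS mode, and trimming a policy to the footprint a sensor actually protects), here is a toy signature engine. It is an added example written for this page, not code from the article or from any IPS product; the signature IDs, patterns, platform tags and sample requests are all constructed for illustration, loosely modelled on the style of Snort/Suricata rules.

```python
"""Toy signature engine: IDS/IPS mode and footprint-based policy tuning.

Added example, not from the original article. All SIDs, patterns and
sample traffic below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                 # hypothetical signature ID
    name: str
    pattern: re.Pattern      # matched against the raw request bytes
    target: str              # platform the signature protects: "any", "iis", "apache", "windows"


@dataclass
class Verdict:
    action: str              # "pass", "alert" (IDS) or "drop" (IPS)
    sid: Optional[int] = None
    name: str = ""


# Constructed vendor-style signature set with hypothetical SIDs.
SIGNATURES: List[Signature] = [
    Signature(1000001, "Directory traversal in URI", re.compile(rb"\.\./"), "any"),
    Signature(1000002, "IIS unicode traversal", re.compile(rb"%c0%af"), "iis"),
    Signature(1000003, "Apache .htaccess request", re.compile(rb"/\.htaccess"), "apache"),
    Signature(1000004, "cmd.exe in URI", re.compile(rb"cmd\.exe"), "windows"),
]

# Constructed sample requests as seen by a sensor in front of a Linux/Apache segment.
SAMPLE_TRAFFIC: List[bytes] = [
    b"GET /index.html HTTP/1.1",
    b"GET /../../etc/passwd HTTP/1.1",                      # real traversal attempt
    b"GET /kb/how-to-use-cmd.exe-on-windows.html HTTP/1.1",  # benign doc page; noise for a Windows-only signature
    b"GET /.htaccess HTTP/1.1",                              # relevant to Apache
]


def build_policy(signatures: Iterable[Signature], footprint: Set[str]) -> List[Signature]:
    """Keep only signatures that protect something in this sensor's footprint.

    Generic signatures ("any") always stay; platform-specific ones are kept only
    when the platform is actually deployed behind this sensor.
    """
    return [s for s in signatures if s.target == "any" or s.target in footprint]


def inspect(payload: bytes, policy: List[Signature], mode: str) -> Verdict:
    """Evaluate one request against the policy.

    mode == "ids": first matching signature produces an alert, traffic still flows.
    mode == "ips": first matching signature produces a drop.
    """
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode: {mode!r}")
    for sig in policy:
        if sig.pattern.search(payload):
            return Verdict("drop" if mode == "ips" else "alert", sig.sid, sig.name)
    return Verdict("pass")


def run(traffic: List[bytes], policy: List[Signature], mode: str) -> Tuple[List[bytes], List[Verdict]]:
    """Inspect each request; return (requests forwarded to the server, verdicts).

    In IDS mode everything is forwarded, so prevention is left to a human
    reading the alerts. In IPS mode dropped requests never reach the server.
    """
    forwarded, verdicts = [], []
    for payload in traffic:
        verdict = inspect(payload, policy, mode)
        verdicts.append(verdict)
        if verdict.action != "drop":
            forwarded.append(payload)
    return forwarded, verdicts


if __name__ == "__main__":
    tuned = build_policy(SIGNATURES, {"linux", "apache"})
    for label, policy, mode in (("default/IDS", SIGNATURES, "ids"), ("tuned/IPS", tuned, "ips")):
        forwarded, verdicts = run(SAMPLE_TRAFFIC, policy, mode)
        print(f"{label}: {len(policy)} signatures loaded, {len(forwarded)}/{len(SAMPLE_TRAFFIC)} requests forwarded")
        for payload, v in zip(SAMPLE_TRAFFIC, verdicts):
            print(f"  {v.action:5} {v.sid or '':8} {payload.decode()}")
```

With the untuned default policy in IDS mode all four requests reach the server and three alerts fire, one of them (SID 1000004) on a harmless documentation URL because a Windows-only signature is running in front of a Linux segment. After trimming the policy to the Apache footprint and switching to IPS mode, only the traversal and the .htaccess probe are dropped, the doc page passes without an alert, and the sensor evaluates half as many signatures per request.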
Following these steps will allow you to run a successful IPS installation. These are wonderful tools that let you review network traffic and stop an attack in its tracks before it reaches your applications. But if you do not manage an IPS appropriately, it is just another point in your network that adds latency and problems.