10 tips for implementing IPS securely

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

An intrusion prevention system (IPS) includes all the features of an intrusion detection system but also has the ability to act upon malicious traffic. Since the IPS usually sits in line with network traffic it can shut down attacks, typically by blocking access from the attacker or blocking access to the target. In some cases, the IPS can talk to the firewall to block an attack.

ANALYSIS: Can IPS appliances remain useful in a virtual-machine world?

Here are 10 issues that every IPS should address in order to ensure your network as safe as it can be:

1) IDS, IPS and hybrid modes. Your IPS should be multifunctional so you can deploy it depending on your exact need. In the IDS mode, the device is passively monitoring network traffic. In the IPS mode, the device is configured in the traffic path. IDS and IPS should both be able to restrict traffic by sending resets or requesting a firewall or inline IPS to isolate the segment from other networks using blacklisting. The IPS mode is also effective in blocking attacks if you can identify a clear threat path -- for example, traffic from the Internet to a DMZ segment. In the hybrid mode, the same device is configured to function in both modes and using the same device in both modes is an efficient and cost-effective solution for smaller implementations.

2) AET protection. Advanced evasion techniques (AETs) are real and are currently used by NSS Labs and other organizations to test security vendor products. In its latest report, Verizon said that in 31% of attacks against large organizations, an attack vector remained unknown. Analyzing AETs requires inspecting and normaling all data streams, but 95% of organizations are not doing that. Most current security devices cannot flag or log AETs separately. At best, they may report anomalies or suspicious traffic.

It's important not to confuse an exploit with the method. Stuxnet becomes visible when it hits the target; it stays there and is easy to investigate once the code is isolated and recognized. AETs can be analyzed if your IPS records all traffic, not just what is logged by the security devices. Ask your IPS vendor what its strategy is for dealing with AETs.

3) Event correlation. Event correlation helps to reduce false positive events and provide accurate protection for network services and intranet users. Event correlation looks at log data from one or more sensor engines, searching for malicious event sequences, preferably in real-time. Event compression cleans repeating log events and minimizes the bandwidth requirements from remote offices back to the data center. A good event correlation engine can alert the IPS to isolate an attacker or network worm on all firewall and IPS engines simultaneously, minimizing the damage to network services and clients.

4) Web filtering. A great enhancement for your IPS is Web filtering, which provides multiple benefits such as increased security by preventing access to known malware and phishing sites, as well as improved work efficiency and bandwidth usage by blocking access to unwanted websites. Advanced Web filtering systems can offer plenty of options, such as blacklists and whitelists where you can set rules for the entire network. You should also be able to produce reports of Web browsing habits and activities.

5) SSL inspection. SSL inspection is vital in ensuring that no attacks, viruses or other unwanted content can enter or exit the organization's network by disguising itself inside the encrypted HTTPS channel. SSL inspection gives administrators the ability to monitor traffic inside the TLS/SSL encryption and detect and react to any unwanted content. Your IPS should have a controlled way to open the encryption in the network and to submit the encrypted traffic for the same inspection as the clear-text HTTP data, eliminating this important blind spot in network protection. In addition, SSL inspection is important for meeting the PCI DSS requirements.

6) Denial-of-service protection. Your IPS should provide protection against illegal input and traffic flood DoS (denial of service) attacks without disturbing legitimate network traffic. Connection flood or Web service starvation attacks are typical examples of distributed DoS (DDoS) attacks. TCP SYN flood attacks are stopped by blocking the incoming connection attempts from spoofed address sources under an attack and preventing them from reaching the target system. Your IPS must quickly identify the spoofed connection sources and block them, while allowing valid user connections to pass through. UDP flood DoS attacks are controlled by rate limiting the incoming UDP datagrams against the protected Web service. [Also see: "How cybercriminals and hactivists use DDoS tools to attack"]

By using correlation techniques in detecting suspicious behavioral patterns in Web service communication when the botnet host has been identified, the IPS blocks the malicious host communication for the Web service.

7) Central management capabilities. Central management is essential for IPS security because it allows you to manipulate your system without having to manually touch every single remote location to make a change. Central management typically lets you monitor and manage appliances and components with options that may include alerts, security content updates, appliance updates, firewall and intrusion prevention settings. As a result, there is less administrative time devoted to network security, incident and log management operations and the integration with other security components to enforce immediate threat mitigation policies or software updates.

8) Performance. Your IPS could affect your network if it is not implemented properly or if the IPS product is poorly architected. Look for the ability to use clustering to share processing connections, thus enhancing performance and reducing downtime. The deployment of the components of your IPS could also minimize the risk of performance degradation. The IPS should capture and analyze traffic, so it is best to separate the analysis component onto a dedicated system. Ask your IPS vendor how to best deploy your IPS with the least impact on your network performance. Also, ask about how signatures and other context information are analyzed to see if performance is an issue.

9) IPv6 ready. Major operating systems and core networking components offer IPv6 support. For example, Windows Vista uses IPv6 addresses by default, which may be a potential security threat without properly implemented access control and deep inspection. In addition, malicious traffic may be hidden inside IPv6 and IP-in-IP tunnels, which many security solutions still fail to protect.

Make sure your IPS provides stateful access control and full deep inspection capabilities for IPv6 network traffic, including IPv6 encapsulation, IP-in-IP and GRE tunneling protocols. [Also see: "The Dual Stack Dilemma"]

10) Integration with your firewall. The essence of a next-generation firewall is the ability to interact with an intrusion prevention system. The integration of these capabilities can either be within a single system or separate, but be aware of issues that can arise around reporting, throughput and management.

Stonesoft provides mid- and large-size organizations software-based network security solutions, which include the industry's first evasion prevention system (EPS), the industry's first transformable Security Engine as well as stand-alone next generation firewalls, intrusion prevention systems and SLL VPN solutions.

Read more about wide area network in Network World's Wide Area Network section.

Tags next-generation firewalloperating systemsipv6softwareweb filteringddosdistributed denial-of-servicedosIPSIDSNGFWcentral managementadvanced evasion techniquesintrusion prevention systemevent compressionTCP SYN flooddenial-of-serviceintrusion detection systemevent correlationUDPSSL inspectionAET protection

Show Comments