Securing the Corporate Network - Selecting and implementing an Intrusion Prevention System
Defining the Problem – be clear about what you’re trying to achieve…
So you have an intrusion prevention system (IPS) project... It stands to reason that unless you really understand what an IPS can do for you, you may struggle to extract maximum value from it. Therefore, the first question that you should ask yourself is “What am I trying to achieve?” Is the IPS being bought for better security of the organisation or better visibility of the network? Or is it being procured in order for the company to satisfy an internal or external audit requirement?
It is important that you can demonstrate to your auditors that you are taking due care of the data under your control. Unless you understand what is on your network, i.e. how an intruder could gain access and how you would tell if they had, you cannot set about proving this.
Large amounts of money can be spent on security, as it can be a field with ever-moving goal posts. It’s important to understand that in today’s dynamic and fast changing threat environment, it is simply not possible – nor necessary – to provide 100% protection, 100% of the time. An integral component of successful business management is about understanding, managing and taking risks.
From the perspective of corporate security, the art is to buy and deploy sufficient security to mitigate the potential risks to the business, i.e. secure the areas at greatest risk first of all before gradually working back to other, less critical areas of risk within the business. It is important to understand the consequences of a compromise and to identify which areas of the business are most at risk. Risk management involves analysing your systems for vulnerabilities and characterising their nature and potential impact. Risk analysis attempts to identify, prioritise and plan appropriate mitigation for the risks facing a system. You may take the view that a risk to a non-critical part of the network is worth taking, and that is fine as long as you understand the consequences and the full impact of the risk.
In order to undertake a risk analysis, you really need to ask yourself the following question:
‘What are the consequences of not having full availability of the service that you are trying to protect?’
It’s important to understand how you may lose availability of these services. How can an attacker disable them? There are many ways an attacker can do such a thing, but we will consider only two types of attack here: a denial of service attack that stops people using the system, and a ‘buffer overflow’ attack (the classic form of remote code execution) where attackers gain access to and compromise your systems. Or, to use more prosaic terms, one can be viewed as vandalism and the other as burglary.
Denial of service (‘vandalism’) is often accompanied by extortion threats. An attacker will send copious amounts of network traffic to your servers in an attempt to overwhelm them. Once they are down, the attacker will make contact with a demand such as ‘Pay me or I’ll do this for a week’. Some organisations simply do the math: they look at the consequences of being without their systems and decide it’s cheaper to pay the extortion.
Buffer overflow (‘burglary’) is where the attacker sends specific requests to your servers that exploit software vulnerabilities in order to gain control of them. Once in, the attackers often install back doors to make it easier to regain access later. A machine compromised in this way is said to be ‘owned’ (sometimes spelt ‘pwned’). From such a foothold, attackers frequently gain access (often with elevated privileges) to internal machines and go on to compromise them as well. The goals of such attackers may be political or financial and the methods simple or sophisticated. The risk can be huge, as the financial loss if assets are stolen may vastly exceed the loss of revenue caused by lack of service availability.
And remember, attacks don’t have to come from outside. It may be a disgruntled employee who is performing the denial of service or a dishonest contractor who is mounting a buffer overflow attack in order to defraud you. It may not be an attack at all that is the real threat – it may be leakage of sensitive information from your network that causes the crisis.
So how do you protect against these things? Enter IPS.
A brief review of intrusion systems
There are four basic types of intrusion systems:
- An Intrusion Detection System (IDS) is a network security device that inspects inbound and outbound network activity, identifying suspicious patterns that may indicate an attempt to compromise a network or system. In essence, an IDS identifies activity that the organisation’s device policy defines as ‘bad’ and raises an alert; it does not itself stop the traffic.
- An Intrusion Prevention System (IPS) is a network security device that monitors network activity for malicious or unwanted behaviour and can react, in real-time, to prevent those activities. Network-based IPS, for example, may operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.
- Network Behaviour Analysis (NBA) is a method of intrusion detection that can be thought of as effect-driven, not rules-driven. It provides a way to enhance the security of the network by monitoring traffic and noting unusual actions or departures from normal operation. Conventional IPS systems are typically used to defend the network perimeter by using packet inspection, signature detection and real-time blocking. NBA solutions monitor what's happening inside the network, sampling data over time and performing statistical analysis to support an inference of threat. Neither a signature-based IPS nor NBA identifies a zero-day attack as such: the IPS has no signature for it, while NBA can at least tell you that something out of the ordinary has happened, which is frequently the only early sign of one.
- Host Intrusion Detection System (HIDS) is software that is configured to run on a host to perform the task of intrusion detection. HIDS looks for aberrant behaviour in application and systems processes, e.g. a client application that tries to change system passwords. HIDS has an advantage that it can ‘see’ attacks mounted on the machine by local users. In some ways, HIDS and anti-virus / anti-spyware software are very similar.
- Host-Based Intrusion Prevention System (HIPS) is a HIDS that can block local accesses to a host as well as alert on them.
IPS is in many ways an extension of IDS. However, it is not really the case that an IPS is ‘better’ than an IDS. An in-line IPS only sees the traffic that passes through it, and every place you put one is a place where a false positive blocks legitimate traffic and where the device itself becomes a potential point of failure. An IDS fed from a mirror (SPAN) port or a network tap is out of band: it can be attached wherever the network can be made to copy traffic to it, including places where blocking is impractical or too risky to the business, and a misfire there costs an alert rather than an outage. Most organisations find they want or need both. Most vendors offer systems that can perform both functions with a simple policy change: the same rules either alert or drop, depending on the mode.
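As an added illustration (example code written for this page, not any vendor’s or product’s engine), the following Python sketch shows the three network-side approaches in the list above in working form: one signature rule set that alerts (IDS) or drops (IPS) depending on a single mode switch, which is the ‘policy change’ just mentioned, and a behavioural baseline that flags a host whose traffic volume departs from the norm without consulting any signature (NBA). The packets, signature patterns, addresses, byte counts and the z-score threshold are all constructed for the example.

```python
"""Signature detection in alert vs. block mode, beside a behavioural baseline.

Everything here is constructed for illustration: the signatures are toy
patterns, not real vendor rules, and the addresses and byte counts are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int          # bytes on the wire
    payload: bytes


# (rule name, destination port or None for any, byte pattern): constructed rules.
SIGNATURES = [
    ("HTTP path traversal", 80, b"../../"),
    ("SMB oversized field (toy pattern)", 445, b"A" * 64),
]


def match_signatures(pkt):
    """Names of every signature the packet matches: the 'rules' part of IDS/IPS."""
    return [name for name, port, pattern in SIGNATURES
            if (port is None or pkt.dport == port) and pattern in pkt.payload]


def process_inline(packets, mode="detect"):
    """Run the signature engine over a packet stream and return (forwarded, alerts).

    mode="detect"  -> IDS behaviour: every packet is forwarded, hits are alerted.
    mode="prevent" -> IPS behaviour: a matching packet is dropped, all else passes.
    The rules are identical in both modes; only the verdict changes.
    """
    forwarded, alerts = [], []
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt.src, pkt.dst, hits))
            if mode == "prevent":
                continue          # drop only the offending packet
        forwarded.append(pkt)
    return forwarded, alerts


def bytes_per_src(packets):
    """Total bytes sent by each source host over a window (the NBA input)."""
    totals = defaultdict(int)
    for pkt in packets:
        totals[pkt.src] += pkt.size
    return dict(totals)


def behaviour_anomalies(baseline, observed, z_threshold=3.0):
    """Hosts whose observed volume sits far above the baseline population.

    A z-score against the mean and standard deviation of the baseline totals.
    No signature is consulted, so traffic from an unknown (zero-day) attack is
    still surfaced, but only as 'this host is behaving unusually'.
    """
    values = list(baseline.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        sigma = 1.0   # perfectly uniform baseline: avoid division by zero
    return {host: round((total - mu) / sigma, 2)
            for host, total in observed.items()
            if (total - mu) / sigma > z_threshold}


def constructed_window(totals):
    """Packet list whose per-source byte totals equal `totals` (two equal
    packets per host; constructed data, port 443 chosen arbitrarily)."""
    return [Packet(src, "10.0.0.10", 443, size // 2, b"")
            for src, size in totals.items() for _ in range(2)]


# Constructed sample traffic for the signature engine.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.0.10", 80, 312, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.5", "10.0.0.10", 80, 340, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.20", 445, 512, b"\x00" * 4 + b"A" * 64),
    Packet("10.0.0.3", "10.0.0.10", 443, 1500, b"\x17\x03\x03\x05\xdc"),
]

# Constructed per-host byte totals: a quiet baseline hour, then an hour in
# which 10.0.0.3 sends roughly fifty times its usual volume.
BASELINE_WINDOW = constructed_window(
    {"10.0.0.1": 1000, "10.0.0.2": 1200, "10.0.0.3": 900, "10.0.0.4": 1100, "10.0.0.5": 800})
OBSERVED_WINDOW = constructed_window(
    {"10.0.0.1": 1050, "10.0.0.2": 1150, "10.0.0.3": 50000, "10.0.0.4": 1100, "10.0.0.5": 850})


def main():
    for mode in ("detect", "prevent"):
        fwd, alerts = process_inline(SAMPLE_PACKETS, mode)
        print(f"{mode}: forwarded {len(fwd)}/{len(SAMPLE_PACKETS)}, alerts {alerts}")
    anomalies = behaviour_anomalies(bytes_per_src(BASELINE_WINDOW), bytes_per_src(OBSERVED_WINDOW))
    print("NBA anomalies (host: z-score):", anomalies)


if __name__ == "__main__":
    main()
```

Run as a script, the same four packets produce two alerts in both modes, but ‘detect’ forwards all four while ‘prevent’ forwards only the two clean ones, which is the whole difference between the IDS and IPS rows above. The NBA section never looks at a payload: 10.0.0.3 is reported purely because its byte count is hundreds of standard deviations above the baseline population, which is exactly the ‘something out of the ordinary has happened’ signal and nothing more specific.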
A review of the ‘state of the art’ of intrusion technologies is recommended as part of planning your intrusion security strategy, as are reviews of case studies, collateral and anecdotal evidence from other organisations that you may know.
Implementing an IPS is a vital part of any organisation’s network awareness strategy. Only in seeing what is actually happening on your network can you get a handle on your real level of security.
Without an IPS, your organisation will have limited visibility of the threat landscape. Sources of information such as switches, routers and firewall logs provide fragments of the big picture but have no coherence and no context. Not knowing the full picture, it’s easy to jump to the wrong conclusions, or worse still, not know there’s an issue in the first place. Mistakes cost time and money and misses can be catastrophic.