COVER STORY From the July 2006 issue of Communications News
Fine-tune your IDS/IPS

by Mitchell Ashley

Intrusion detection and prevention systems (IDS and IPS) are quickly becoming a staple of any enterprise security architecture. The use of prevention features in IPS is on the rise because of the inherent benefits of actually blocking attacks and suspicious traffic. Some fundamentals still apply to successfully rolling out and using IDS/IPS.

Signature-, anomaly- and behavior-based technologies present a confusing mix of technology choices, benefits and disadvantages. The reality is that the lines have become blurred: products are often presented as one type of technology but actually use a blend of signature, anomaly and behavior techniques.

IDS/IPS projects can run into their first issues just getting into production. Most often, the issue is accurately configuring and tuning the IDS/IPS so that it presents the right depth of information and security alarms without overwhelming staff with additional workload and false positives. Planning and tuning are essential. Out of the box, IDS/IPS products take the most “cautious” approach and flag any traffic that is a potential threat. Several techniques can help you quickly tune the IDS/IPS to your environment:

Accurate network information. IDS/IPS rely on some essential configuration settings to tell the system about the network(s) they are monitoring. This also includes hosts and applications that should be ignored because specific traffic in these situations is allowable or should not be alerted on. If this information is not correct, a lot of time can be spent chasing down inaccurate information.
Baselines and wizards. The IDS/IPS will need a baseline of what is considered normal or expected types of traffic and accepted applications. The manual portion of this effort is for the security administrator to tune the IDS/IPS to identify when traffic is out of bounds. Take time-of-day information into account, as this can affect what is considered normal behavior. IDS/IPS can also create a baseline, but this will usually require additional tuning and configuration by the security administrator. Tuning wizards can assist by allowing the security administrator to define what is relevant traffic and what is not. If the organization is a Windows-only shop, then Unix or Macintosh types of attacks can be deprioritized.

Alerts and notifications. The usual mistake is to set the alert thresholds too low, which overwhelms staff with too many IDS/IPS alarms. During the tuning period, spend time identifying what conditions would prompt a situation where operations or security staff would get involved. A denial-of-service attack typically requires intervention, but attacks commonly blocked by the IPS do not. Spending time here will help ensure that everyone does not get desensitized to IDS/IPS alerts.

Many IDS/IPS deployments involve placing sensors at multiple locations throughout the network. Perimeter firewalls, core routers, network interconnections and remote sites are all prime locations. This adds an additional set of requirements for managing and operating an IDS/IPS infrastructure. Aggregating all monitoring into one console is an obvious requirement, but the implications of managing a network of several IDS/IPS products require more. Many of the configuration settings of each sensor are common. Profiling which attacks are relevant, which should be blocked and when alerts should be sent can be shared across more than one sensor. Automatic signature or rule updates are also important so that the staff time needed to keep the sensors up to date is minimized.
Understanding what is relevant in all of the data an IDS/IPS can generate, and what should be done about that data, is one of the greatest challenges. Correlating outside information with IDS/IPS data can add meaningful context about what is happening and whether those attacks can actually do any harm. Correlation is a process that typically happens outside of the IDS/IPS system. Data from the IDS/IPS is merged with logs from other devices, such as firewalls. It can also be correlated with vulnerability data to better understand which attacks could have, or may actually have, compromised a system or network device.

New advancements in IDS/IPS have moved much of this correlation into the IDS/IPS itself. Vulnerability data is combined with network inventory data to identify which attacks are directed at devices and ports actually in use, and further, which attacks actually attempt to exploit vulnerabilities present on those devices. Advanced IDS/IPS can be configured to take action, block traffic and alert when these conditions occur.

Reporting is more than just searching, extracting attack data from a database and putting it into a presentable format. Security professionals have come to realize that they must communicate and demonstrate that the investment in security technologies and resources actually makes an impact. IDS/IPS reports should serve many targeted uses. Forensic data is needed to analyze events after the fact. Drill-down reporting details are required to provide the in-depth information needed to analyze attacks, patterns, and points of origin and destination. When multiple IDS/IPS sensors are involved, centralized reporting is required, but retaining the ability to analyze and break out data by sensor network location is important. The most important report of an IPS shows which attacks have been blocked and which potentially got through.
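The correlation described above (alerts matched against network inventory and vulnerability data) together with the "hosts that should be ignored" tuning step, as an added Python illustration that is not code from the article or from any IDS/IPS product. All hosts, ports, signature names and weakness identifiers are constructed, and the four handling tiers are an assumed policy, not one the article prescribes.

```python
# Added illustration of alert/asset/vulnerability correlation (not code from
# the article or any product). Every host, port, signature name and
# vulnerability identifier below is constructed.
from dataclasses import dataclass

# Constructed inventory: which ports are actually in use on each host.
INVENTORY = {"10.0.1.10": {80, 443}, "10.0.1.20": {22}}

# Constructed scan results: placeholder weakness identifiers per host.
VULNS = {"10.0.1.10": {"WEB-VULN-A"}, "10.0.1.20": set()}

# Constructed signature metadata: the weakness each signature exploits.
SIG_TARGETS = {
    "web_path_traversal": "WEB-VULN-A",
    "ssh_bruteforce": "SSH-VULN-B",
    "smb_overflow": "SMB-VULN-C",
}

# Sources whose traffic is known-good and should not alert (e.g. the
# authorized vulnerability scanner); the "accurate network information" step.
IGNORED_SOURCES = {"10.0.9.5"}


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    signature: str


def triage(alert: Alert) -> str:
    """Return 'suppress', 'low', 'medium' or 'high' for one alert."""
    if alert.src in IGNORED_SOURCES:
        return "suppress"  # allowlisted source: tuning noise, not a threat
    if alert.dport not in INVENTORY.get(alert.dst, set()):
        return "low"  # port not in use on the target: nothing to hit
    if SIG_TARGETS.get(alert.signature) in VULNS.get(alert.dst, set()):
        return "high"  # service in use AND vulnerable: block and notify
    return "medium"  # service in use but not vulnerable: log for reporting


def summarize(alerts) -> dict:
    """Count alerts per tier, the breakdown a tuned sensor report would show."""
    counts = {}
    for alert in alerts:
        tier = triage(alert)
        counts[tier] = counts.get(tier, 0) + 1
    return counts
```

Only the "high" tier reaches an on-call person; the rest feed the drill-down and trend reports the article calls for, which is how the thresholds stay high enough to avoid desensitizing staff.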
Correlation of attacks with vulnerability data and device inventory data provides more intelligence about what is happening within the network.

Whenever examining new IDS/IPS technology, do not get caught up in the lure of bigger and faster boxes. While multigigabit support might be required on large internal core routers and switches, most network locations require less bandwidth. While the IDS/IPS should be able to support the needed bandwidth, do not overlook the underlying attack-detection, analysis and blocking capabilities. If the IDS/IPS is not accurately identifying and blocking the correct attacks, doing this faster does not accomplish the end goal.

Spending the time to accurately baseline and profile the network can lead to a much more successful IDS/IPS implementation. Managing a network of multiple IDS/IPS sensors requires enterprise management capabilities. Internal IDS/IPS correlation can significantly increase the value of IDS/IPS. Understanding what data can best help communicate the value of IDS/IPS security investments makes the job of the security staff easier and more appreciated.
Mitchell Ashley is the CTO and vice president of customer experience at StillSecure, Superior, Colo.