An intrusion prevention system (IPS) has become an integral part of the basic information security hygiene at most Indian organizations. For many organizations, this has been a natural progression from their initial dabble with intrusion detection systems (IDSes) some years back. While many still have gruesome experiences to share from the IDS management days, the general consensus is that the present crop of IPS solutions is easier to live with.
Why do organizations adopt an IPS, and how does it differ from an IDS? As Dinesh Chandra Gupta, the deputy general manager of information systems for Godrej Sara Lee Ltd., explains, an IPS is now considered an important part of overall network security. Because threats keep evolving (blended threats, for instance), an IPS adds a layer of proactive defense to an organization's information security infrastructure. "An IPS has become a key component for perimeter, network, segment and host-level security. IPS reacts proactively against anomaly and behavioral attacks," Gupta says. Godrej Sara Lee uses a wireless intrusion prevention system to protect its wireless network.
Yet another factor behind IPS adoption in India is regulatory compliance guidelines. As K K Mookhey, the director of Network Intelligence India Pvt. Ltd., points out, most Indian businesses adopt an IPS from the compliance point of view, since most regulations mandate use of an IDS. "Nowadays, you don't get pure IDS as such, since they are all actually IPS solutions. So while a lot of companies procure or plan to procure an IPS, many of them end up being run in sensor-only mode," Mookhey says.
The increased number of cheaper and simpler-to-manage unified threat management (UTM) devices has also driven IPS adoption in the Indian enterprise. Yet another driver has been the increase in the number of firewalls that offer integrated IPS capabilities. While both options present significant advantages (as well as disadvantages, such as a single point of failure) to small and medium-sized enterprises, this buyer's guide will focus exclusively on the standalone network IPS product to protect against external and internal threats for a more focused scope of evaluation.
The IDS to IPS evolution
Running an IPS in "monitor only" mode does not turn it into an IDS: the two have radically different operating methodologies. Keep these differences in mind during evaluation, since there are unscrupulous vendors that will try to sell you "spruced up IDS" solutions under the IPS label.
The biggest difference between an IDS and an IPS is that the latter is proactive. An IDS only monitors and raises alerts, so you need skilled personnel watching its logs around the clock, and even then a human response takes minutes at best; an IPS takes corrective action instantly. That matters because most automated attacks are over in the blink of an eye, well before an analyst could act. An IDS falls short in such situations.
As John Kindervag, a senior analyst from Forrester Research Inc. points out, IDS devices didn't stop anything in real life. "Shuns and TCP (transmission control protocol) resets don't count. Early on, attackers learned that they could force IDS to create an internal denial-of-service condition on routers and firewalls by using shuns -- the creation of temporary dynamic access control lists (ACLs) or firewall rules. More than one company brought its own network down through the reliance on shuns," Kindervag says.
The placement of an IPS also distinguishes it from an IDS. As of now, there's no such thing as an "out of band" IPS. If a vendor tries to sell you an IPS that is not in-line, look at other options (unless you need to plug in a cheap IDS for reasons other than security). Since the device exists to prevent threats, its sensors must sit in line with the traffic. This in-line placement lets an IPS act as an additional security layer on top of a strong firewall and antivirus defense strategy.
Flavors of IPS
While IPS products from different vendors describe their detection methods in different terms (each sounding unlike the other's), most of them use a mix of three approaches: signature-based, rate-based (often called flow-based) and behavior-based detection. The exact mix varies by product, but most solutions lean primarily on one of them.
Your selection of an IPS product should take the primary detection method into account. If an IPS uses only signature-based detection, you are very likely looking at an IDS disguised as an IPS. Do not confuse such pretenders with the IPS solutions that combine signature-based detection with anomaly-based methods; even those, however, remain dependent on signatures, so they will produce false negatives whenever an exploit's signature is not present in the IPS (a trivially re-encoded variant of a known attack is enough). So it's better to skip an IPS that primarily depends on signature-based detection (even if it has rate-based and behavior-based detection as secondary mechanisms).
Rate-based detection counts connections or requests per source, destination or service over a time window and declares a system under attack when a threshold is exceeded. This approach is effective at the network perimeter against flood-style denial-of-service attempts, brute-force attempts and scanning; it cannot recognise a single well-formed request that exploits an application vulnerability, so it is typically used alongside the firewall and the other detection methods.
A behavior-based IPS monitors network traffic to detect and block abnormal behavior that resembles attacks or malware infections, typically by comparing activity against a baseline learned from normal traffic. This technology is less mature than rate-based detection.
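The three detection families above, as an added example that is not code from the article or from any IPS vendor: a toy in-line engine that applies a signature check, a per-source sliding-window rate check and a learned behavior baseline to constructed sample packets. The signatures, thresholds, addresses and payloads are all assumptions chosen to show the failure modes the text describes: the URL-encoded variant of a known exploit passes the signature check (a false negative), the flood is caught by the rate check only once it crosses the threshold, and an internal host using a port it never used during the learning phase trips the behavior check. The engine's mode decides whether a hit is merely alerted on (monitor mode) or dropped (block mode).

```python
"""Toy in-line detection engine: signature-, rate- and behavior-based checks.
Added example with constructed traffic; not an IPS product's real logic."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature-based: byte patterns for known attacks (assumed, illustrative).
SIGNATURES = {
    "dir-traversal": b"../../",
    "sql-union": b"UNION SELECT",
}


def signature_match(pkt):
    """Return the name of the first signature found in the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


class RateTracker:
    """Rate-based: count packets per source inside a sliding time window."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def exceeds(self, pkt):
        q = self.hits[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit


class BehaviorBaseline:
    """Behavior-based: learn (internal source, destination port) pairs, flag new ones."""

    def __init__(self):
        self.seen = set()
        self.learning = True     # True during the monitor/learning phase

    def check(self, pkt):
        if not pkt.src.startswith("10."):          # assumption: 10/8 is the internal LAN
            return None
        key = (pkt.src, pkt.dport)
        if self.learning:
            self.seen.add(key)
            return None
        return None if key in self.seen else f"new-port {pkt.src}->{pkt.dport}"


class Engine:
    def __init__(self, mode="monitor", rate_limit=20, window=1.0):
        self.mode = mode                           # "monitor" = alert only, "block" = drop
        self.rate = RateTracker(rate_limit, window)
        self.baseline = BehaviorBaseline()

    def inspect(self, pkt):
        """Return (action, reasons) for one packet; action is pass/alert/drop."""
        reasons = []
        sig = signature_match(pkt)
        if sig:
            reasons.append(f"sig:{sig}")
        if self.rate.exceeds(pkt):
            reasons.append("rate")
        beh = self.baseline.check(pkt)
        if beh:
            reasons.append(f"behavior:{beh}")
        if not reasons:
            return "pass", reasons
        return ("drop" if self.mode == "block" else "alert"), reasons


def run_demo(mode="block"):
    """Replay constructed traffic through the engine and summarise the verdicts."""
    eng = Engine(mode=mode)
    # Learning phase: an internal host talking HTTPS to an internal server (constructed).
    for i in range(5):
        eng.inspect(Packet(i, "10.0.0.5", "10.0.1.8", 443, b"GET / HTTP/1.1"))
    eng.baseline.learning = False
    results = {}
    results["known_exploit"] = eng.inspect(Packet(
        10, "198.51.100.7", "10.0.1.8", 80, b"GET /../../etc/passwd HTTP/1.1"))[0]
    # Same attack with the traversal URL-encoded: no signature for it -> false negative.
    results["encoded_variant"] = eng.inspect(Packet(
        11, "198.51.100.7", "10.0.1.8", 80, b"GET /..%2f..%2fetc/passwd HTTP/1.1"))[0]
    # 30 connection attempts in 0.3 s from one source; limit is 20 per second.
    flood = [eng.inspect(Packet(20 + 0.01 * i, "203.0.113.9", "10.0.1.8", 80, b""))[0]
             for i in range(30)]
    results["flood_dropped"] = flood.count("drop")
    # Internal host opening RDP, a port it never used while the baseline was learned.
    results["lateral_rdp"] = eng.inspect(Packet(30, "10.0.0.5", "10.0.1.9", 3389, b""))[0]
    return results


if __name__ == "__main__":
    print(run_demo("block"))
```

In block mode the plain traversal request and the lateral RDP attempt are dropped, the flood is dropped from the 21st packet onward (10 of 30), and the encoded variant passes untouched, which is exactly the dependence on signatures that the text warns about. In monitor mode the same hits are only alerted on.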
Desired IPS traits
According to Gupta, throughput and the intended deployment mode (IPS or just detection mode) are the most critical factors to be kept in mind during evaluation. "Also consider the planned location of deployment. Will you deploy it at the perimeter, network or at the host? Last, but not the least, is the number of network segments (or number of ports) that you have to monitor or protect," Gupta says.
Due to the in-line nature of IPS placement, every packet passes through the device, so stability and performance are decisive: a slow sensor adds latency to all traffic and a crashed one takes the segment down with it. This is why it's essential to opt for a stable, high-performance, hardware-based IPS solution. Through the use of methods like application-specific integrated circuits, hardware-based IPS products provide much more throughput and stability than comparable software-based IPS solutions. Whichever you choose, confirm how the device behaves when it fails or is overloaded (a fail-open bypass keeps traffic flowing but unprotected; fail-closed stops it) and pick the behavior that the segment can tolerate.
It's essential to factor in insider threats. "By placing IPS devices on the internal LAN, enterprise security teams can anticipate, see and stop insider attacks. Look at the reporting capability of the tool and ensure that it has the ability to provide custom reports for C-level executives, auditors and security analysts. Also, internal IPS deployments require greater port density," Kindervag says.
When it comes to performance testing of an IPS, nothing matches an actual live network placement. Be skeptical of vendor throughput claims, since those figures are usually measured under ideal network conditions with minimal detection enabled. Performance testing of an IPS is largely specific to your requirements, so be ready for a fair bit of tuning during this process. All applications and protocols will have to be accounted for and the IPS policy adjusted accordingly before you take the final call on this front. Also ascertain IPS performance on high-bandwidth, latency-sensitive traffic such as voice and video.
It's also essential to factor in IPS performance after enabling features such as forensics and reporting, since these take a toll on resources. "As networks become faster and more distributed, solid proactive controls such as IPS make your network a less attractive target to cybercriminals. This requires an IPS that can scale to at least 10 Gbps," Kindervag explains.
Once the IPS has stabilized, it's essential that it deliver a minimal number of false positives. It might also be a good idea to conduct intrusion simulation through means such as penetration tests to determine the presence of false negatives. "Besides the cost, you should check your security team's skill sets, the amount of research being put in by the IPS vendor, as well as the support you are likely to get after sales," Mookhey says.
Kindervag advises IPS evaluators to look closely at the IPS' management interface. The management of a security product is a long-term cost that is often overlooked in the evaluation process. "IPS management interfaces should provide centralized management of multiple devices throughout a geographically dispersed network. The interface should be intuitive and understandable; leverage new GUI technologies such as personalized dashboards. Stay away from older, antiquated devices that require command-line interfaces since they will be less agile and prone to misconfiguration," Kindervag explains.
The general consensus is that IPS sensor placement is largely a matter of the internal team's skill set. If your organization has a full-fledged team to monitor and respond to alerts 24/7, it's best to place an IPS sensor in front of the firewall as well. Since this placement is completely exposed to the Internet, it will generate voluminous logs that need in-depth analysis.
On the other hand, for a smaller team with limited resources, it's best if IPS sensors are placed behind the firewall. This makes life easier for the team since the IPS detects only the attempts that breach the firewall. "Ideally, all incoming connections (whether it is the Internet or wide area network links) should be monitored. It's even better if you can also monitor outgoing traffic," Mookhey says.
Best practices after the IPS rollout
The initial days of an IPS deployment will produce plenty of false positives, even with the best of solutions. Hence it's important to ensure that the IPS does not bring down your entire network during its "teething" phase. Run the IPS in "monitor" mode first so that you can thoroughly acquaint it with your network's dynamics.
It's also a good idea to run the IPS with fewer "block" mode rules until the number of false positives is reduced. Once this is through, Mookhey recommends that you build in the right filters and exceptions, and test the IPS with internal and external penetration tests (both announced and unannounced).
It's essential to devote the right processes, personnel and training to an effective IPS implementation. Monitoring the IPS can become a dull job, which leads to ignored security alarms. Avoid this by informing the IPS team that unannounced penetration tests may occur at any time. Train other members of your network operations center or network administration team as security analysts, so that you can rotate the personnel who monitor the IPS.
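The staged rollout described above (monitor first, add exceptions, then promote rules to block), as an added example that is not code from the article or from any IPS product: it takes the alerts a rule produced during the monitor phase, together with the analysts' true/false-positive triage, suggests per-source suppressions for sources that generate repeated false positives, and promotes a rule to block mode only once it has enough evidence and its false-positive rate is below a threshold. The alert records, rule IDs (sid), addresses and thresholds are constructed for the example; the internal scanner address and the triage verdicts are assumptions.

```python
"""Staged monitor-to-block promotion for IPS rules.
Added example on constructed alert data; not any vendor's tuning logic."""
from collections import defaultdict

# Constructed monitor-phase alerts with analyst verdicts ("tp" or "fp").
# sid 1001: exploit signature, always right.  sid 1002: broad heuristic that
# also fires on the internal vulnerability scanner 10.0.0.50 (assumed address).
# sid 1003: correct so far, but seen too rarely to trust in block mode.
ALERTS = (
    [{"sid": 1001, "src": "198.51.100.7", "verdict": "tp"}] * 12
    + [{"sid": 1002, "src": "10.0.0.50", "verdict": "fp"}] * 8
    + [{"sid": 1002, "src": "203.0.113.9", "verdict": "tp"}] * 12
    + [{"sid": 1003, "src": "192.0.2.4", "verdict": "tp"}] * 3
)


def suggest_suppressions(alerts, min_fp=5):
    """Propose (sid, src) exceptions for sources that repeatedly cause false positives."""
    fp_count = defaultdict(int)
    for a in alerts:
        if a["verdict"] == "fp":
            fp_count[(a["sid"], a["src"])] += 1
    return [{"sid": sid, "src": src} for (sid, src), n in fp_count.items() if n >= min_fp]


def suppressed(alert, suppressions):
    return any(s["sid"] == alert["sid"] and s["src"] == alert["src"] for s in suppressions)


def plan_rollout(alerts, suppressions=(), min_events=10, max_fp_rate=0.05):
    """Return {sid: (action, fp_rate, events)}: 'drop' only when the rule has
    fired at least min_events times (after suppressions) with fp_rate <= max_fp_rate."""
    stats = defaultdict(lambda: {"total": 0, "fp": 0})
    for a in alerts:
        if suppressed(a, suppressions):
            continue                       # exception: do not count toward the rule
        s = stats[a["sid"]]
        s["total"] += 1
        s["fp"] += a["verdict"] == "fp"
    plan = {}
    for sid, s in stats.items():
        fp_rate = s["fp"] / s["total"]
        ready = s["total"] >= min_events and fp_rate <= max_fp_rate
        plan[sid] = ("drop" if ready else "alert", round(fp_rate, 3), s["total"])
    return plan


if __name__ == "__main__":
    print("without exceptions:", plan_rollout(ALERTS))
    exceptions = suggest_suppressions(ALERTS)
    print("suppress:", exceptions)
    print("with exceptions:   ", plan_rollout(ALERTS, exceptions))
```

Without exceptions only sid 1001 is promoted; sid 1002 stays in alert mode with a 40% false-positive rate. After suppressing the scanner source for sid 1002 its remaining alerts are all true positives and it is promoted too, while sid 1003 stays in alert mode for lack of evidence. Re-run the same evaluation after each penetration test so that rules which missed the test traffic (false negatives) are also caught before they are trusted.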
This was first published in September 2009