
Intrusion Detection and Prevention Done Right

Adequate attention to intrusion detection and prevention is necessary to keep information safe.
This story appears in the June 2011 issue of BizTech Magazine.
Maximize your security investment in IDS/IPS technologies.

Do you ever wonder if your organization is running its intrusion detection and prevention system to its fullest potential? If so, you’re not alone. Many security professionals share the feeling that intrusion detection technology is widely deployed, yet underutilized.

Intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) play a valuable role in any security infrastructure. These systems monitor networks, look for signs of malicious activity and then take appropriate actions. For an IDS, this means alerting security administrators to the suspicious activity. IPSes go a step further and take proactive measures to neutralize the threat by blocking unwanted packets, resetting suspicious connections or even modifying firewall rules.

Fortunately, there are steps that IT departments can take to maximize the investment in an IDS/IPS and use it to bolster enterprise security defenses.

Start with IDS Mode

Behind every IPS is an IDS. In fact, an IPS can be converted to an IDS by simply setting the action for every rule to alert the administrator. While this might sound like a weak way to use a very powerful tool, it’s actually a very solid best practice. Why run a powerful proactive tool in a manner that reduces it to passive response?

The bottom line is that an IPS has the ability to cause major problems on a network by unintentionally blocking normal network traffic. It can even cause the types of disruptions that can result in the abrupt end to a security professional’s career.

Instead, always set up a new IPS in alert-only mode. Over time, as the IT staff becomes more confident in the accuracy of alerts generated by the system, it can convert rules to block mode, protecting the network against those types of attacks. This piecemeal approach lets the IT staff slowly become comfortable with the types of traffic being blocked, and it builds institutional knowledge of the rule set.

Use IPS Mode Sparingly

When deciding whether to activate the advanced blocking features of an IPS, be extremely careful. It’s fine to have a rule set divided so that 80 percent of the rules simply notify an administrator of suspicious activity and only 20 percent take active countermeasures. The exact mix of block/alert rules appropriate for an organization will depend upon the company’s specific risk appetite.

It’s a fact of life that many IPS rules generate false-positive alerts. The composition of a network and specific protocols in use might conflict with the signatures of known attacks, causing regular false alarms. If the staff can modify the rules to screen out these false positives, that’s great. Go ahead and activate the rule in IPS mode. However, if the company is running the risk of blocking legitimate activity, it is much better off keeping that rule in detect mode until the staff is more comfortable.

Always consider the rulebase as a dynamic, evolving organism. Changes in the network environment might require altering the action on long-standing rules.
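The staged move from alert-only to block mode described in the two sections above can be driven by triage data rather than by feel. The following is an added example, not part of the original article: it assumes Suricata-style rule syntax (the article names no product), and the rules, triage figures and thresholds are constructed for illustration.

```python
import re

# Constructed rule set in Suricata-style syntax (assumed; the article names no product).
RULES = """\
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE SMB anomaly"; sid:1000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"EXAMPLE suspicious URI"; sid:1000002; rev:3;)
alert dns any any -> any 53 (msg:"EXAMPLE long DNS label"; sid:1000003; rev:1;)
# alert tcp any any -> any 23 (msg:"EXAMPLE disabled rule"; sid:1000004; rev:1;)
"""

# Constructed analyst triage per signature ID:
# sid -> (confirmed true positives, false positives, days run in alert-only mode)
TRIAGE = {1000001: (42, 0, 45), 1000002: (30, 6, 60), 1000003: (3, 0, 90)}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def promote(rules, triage, min_days=30, min_alerts=20, max_fp_rate=0.0):
    """Switch alert -> drop only for rules with enough clean history.

    Thresholds are hypothetical defaults; set them from your own risk appetite.
    Returns (new rule text, list of promoted sids).
    """
    out, promoted = [], []
    for line in rules.splitlines():
        m = SID_RE.search(line)
        if m and line.startswith("alert "):
            tp, fp, days = triage.get(int(m.group(1)), (0, 0, 0))
            total = tp + fp
            # Untriaged or rarely firing rules stay in alert mode: no evidence yet.
            if total and total >= min_alerts and days >= min_days and fp / total <= max_fp_rate:
                line = "drop " + line[len("alert "):]
                promoted.append(int(m.group(1)))
        out.append(line)
    return "\n".join(out) + "\n", promoted

def block_share(rules):
    """Fraction of active (uncommented) rules that take a blocking action."""
    actions = [l.split()[0] for l in rules.splitlines() if l.startswith(("alert ", "drop "))]
    return actions.count("drop") / len(actions) if actions else 0.0

if __name__ == "__main__":
    new_rules, promoted = promote(RULES, TRIAGE)
    print(new_rules)
    print("promoted:", promoted, "block share: %.0f%%" % (100 * block_share(new_rules)))
```

Only the rule with a long, false-positive-free alert history is converted; the noisy rule and the rarely firing rule stay in detect mode until they are tuned or gather more evidence.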

Fail Open for Increased Availability

One of the greatest fears of any network administrator is the failure of a device that occupies a bottleneck position on a network. While IDSes can sit off to the side of a network and simply monitor traffic that passes by, many IPS deployments call for an in-line deployment in which, similar to a firewall, the IPS appliance intercepts all network traffic, scans it for suspicious activity and then relays it down the wire.

This model creates the possibility that a failed IPS can completely disrupt network traffic. It’s a good practice to purchase fail-open IPS hardware that lets the IPS continue passing traffic when the device itself fails. It’s the functional equivalent of making a powered-off IPS box look like a piece of wire, and it will help preserve the reliability of the network infrastructure. Fail-open technology is usually an option that can be specified when purchasing IPS appliances.

Update Signatures Regularly

There isn’t a security team in the world that doesn’t advise users that they need to regularly update the signatures for their antivirus software. Any user who hasn’t received this guidance likely has been hiding under a rock. But very often, security professionals don’t practice what they preach when it comes to maintaining the security infrastructure. Evolving attacks appear on a constant basis, and it’s important to update the signatures driving the company’s IDS/IPS on a routine basis — at least daily.

In addition, regularly verify that the device is actually receiving and applying those intrusion signature updates. It’s not unheard of for a process or service to fail, causing an intrusion sensor to stop receiving updates. Regular monitoring is essential to ensure that the company is maintaining its security controls.

Create Your Own Update Server

This is important for larger environments that have multiple IDS/IPS sensors monitoring different locations on a large network. Creating an update server for the company offers two key benefits.

First, it reduces the network bandwidth consumed by the intrusion detection infrastructure. Instead of each device connecting to a vendor’s update server and retrieving new signatures, the IT staff can reduce the use of the company’s Internet bandwidth to a single connection.

Second, it allows the IT staff a greater degree of control over the signatures deployed to the company’s sensors. If the security staff wishes to block the deployment of a particular signature or customize a signature for the company’s environment, the staff only needs to do it in one place and allow the updates to propagate throughout the enterprise.
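Verifying that sensors actually apply updates, as the previous two sections advise, comes down to comparing each sensor with the internal update server and checking the server itself. The following is an added example, not from the original article: the sensor names, version strings and timestamps are constructed, and the 24-hour limit follows the article's "at least daily" guidance while the two-hour grace period is an assumption.

```python
from datetime import datetime, timedelta

# Constructed data: the signature set the internal update server publishes and
# what each sensor reports as applied. Names and version strings are hypothetical.
SERVER = {"version": "sigs-0614", "published": "2011-06-14T06:00:00+00:00"}
SENSORS = [
    {"name": "sensor-hq",     "version": "sigs-0614", "applied": "2011-06-14T06:20:00+00:00"},
    {"name": "sensor-branch", "version": "sigs-0613", "applied": "2011-06-13T18:00:00+00:00"},
    {"name": "sensor-dmz",    "version": "sigs-0609", "applied": "2011-06-09T06:10:00+00:00"},
    {"name": "sensor-lab",    "version": None,        "applied": None},
]

def audit(server, sensors, now, max_age=timedelta(hours=24), grace=timedelta(hours=2)):
    """Return {name: status}; the key "update-server" covers the server itself."""
    published = datetime.fromisoformat(server["published"])
    # If the server stops pulling from the vendor, every sensor still matches it,
    # so the server's own freshness has to be checked separately.
    report = {"update-server": "stale" if now - published > max_age else "ok"}
    for s in sensors:
        if not s["applied"]:
            status = "never-updated"      # sensor has never reported an update
        elif now - datetime.fromisoformat(s["applied"]) > max_age:
            status = "stale"              # update process has stopped on this sensor
        elif s["version"] != server["version"] and now - published > grace:
            status = "behind"             # updating, but not to the current set
        else:
            status = "ok"
        report[s["name"]] = status
    return report

# Constructed "current time" so the example is reproducible.
NOW = datetime.fromisoformat("2011-06-14T12:00:00+00:00")

if __name__ == "__main__":
    for name, status in audit(SERVER, SENSORS, NOW).items():
        print(f"{name:15} {status}")
```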

Perform Detailed, Centralized Logging

Let’s face it: Logging consumes a lot of disk space, it creates boring administrative tasks and it delivers no immediate business value.

Despite these drawbacks, logging is vital when running intrusion detection and prevention systems for two reasons. First, it provides the information about intrusion activity that needs to be reviewed in the event of a security incident. An analysis of IDS/IPS logs can offer important information about attempted and successful attacks.

Second, without logs it’s difficult to troubleshoot rule-set configuration issues. Security devices commonly take the blame for otherwise unexplained network issues. Logs can quickly help identify whether the IDS/IPS is truly at fault, or whether the investigation should continue elsewhere.

Intrusion prevention and detection systems play an important role in the layered defenses of many organizations. Whether the staff is installing its first IDS sensor or tuning a rule set that has been in place for several years, applying these best practices can help improve the effectiveness of the company’s controls and reduce the time that security administrators spend actively managing the devices.


About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.
