Tuesday, April 15, 2008

IPS/IDS Buyer - Deployment recommendations

The goal of CSOs and security professionals is to secure their business networks and resources without any interruption to business operations. IPS/IDS devices address one of these network security problems: intrusion detection and prevention. Selecting an IPS/IDS device is complex. In this post I address the deployment considerations that should guide the selection of IPS/IDS devices for your network.

Network Deployment modes:

Tap mode (IDS mode): In this mode the device is used mainly to detect intrusions and attacks; it does not block attack traffic. The IPS/IDS device is typically connected to a hub or to a SPAN (mirror) port on a managed switch so that it receives a copy of all traffic on that network segment. Since the traffic does not pass through the device, network performance is not affected.

Although tap mode is the least intrusive, since it never sits in the path of normal traffic, it may miss attacks when it does not receive all of the traffic, either because the SPAN port is congested or because the device cannot keep up. Many recent IDS/IPS devices are stateful. If packets are lost or not processed, the subsequent packets of that session arrive out of state; the device then either fails to process them or generates false positives. Inline IDS deployment addresses some of these problems.

Inline IDS mode: In this mode all packets pass through the device, but the device does not drop packets or terminate sessions when it detects an attack. The device is installed behind the enterprise core routers or perimeter routers. Because it sits in the traffic path, it sees all traffic before forwarding it; no traffic is forwarded until it has been analyzed.

Since every packet passing through the device is analyzed, the detection rate is limited only by the functional capability of the IPS/IDS device. If traffic arrives faster than the device can process it, the excess traffic is dropped.

Although the detection rate will be high, there is some impact on traffic:
  • Traffic may be dropped when the processing capacity of the IDS/IPS device is exceeded.
  • Packet latency increases.
  • Packet jitter may also be affected.

Inline IPS mode: This is similar to inline IDS mode, except that the device can be configured to selectively block attack traffic. This mode inherits all the advantages and disadvantages of inline IDS mode.

As long as only attack traffic is dropped, this is perfectly acceptable to security professionals. IPS/IDS technology, though it has come a long way, still suffers from false positives and false negatives. Much of the technology in IPS/IDS devices depends on signatures or rules, which are of two types: signatures developed by IPS vendors to stop known attacks, and signatures that detect protocol, data and traffic violations. As attacks grow more sophisticated, signatures written to detect them sometimes produce false positives. One of the hardest problems in the IDS/IPS world is detecting client-side attacks without any false positives. Look for IPS/IDS functional capabilities that detect attacks with few or zero false positives.

Based on your requirements, determine which deployment modes you need and look for devices that support them.

If you decide on an inline mode, look for the following capabilities when deploying the IDS/IPS device.
  • Granularity of blocking action: Look for the ability to select blocking per protocol category and also per rule (signature).
  • Ensure that the inline IPS/IDS modes work transparently, without any changes to the addressing of the existing network.
  • Traffic continuity when session resources are exhausted: Many IPS/IDS devices are stateful; they maintain a session entry for each connection, and these entries are removed only on inactivity or on TCP RST/FIN. A session-exhaustion DDoS attack aimed at the IPS/IDS device could therefore stop legitimate traffic and disrupt business operations.
    • Look for traffic throttling, so that the IPS/IDS device does not exhaust its own resources.
    • Look for configurable session timeouts, so that you can set different timeouts for different applications.
    • Look for a configurable timeout during session establishment (pre-connection timeout).
    • Also look for control over how new traffic is handled when the session table is actually exhausted. Fail open and fail close on resource exhaustion are the two options to check for: fail open lets new traffic pass through without inspection, while fail close drops the packets.
  • Mode change capability: Look for a provision to change the mode from inline IDS to inline IPS. Each network is different, with different types of traffic, servers, desktops and mobile devices. Security professionals first need to gain confidence in the effectiveness of the IPS/IDS device in their own network. Although the ultimate purpose of an IPS device is to stop attacks immediately, you may prefer to deploy it in inline IDS mode first, to gain that confidence and understand its behaviour, and then switch it to inline IPS mode.
  • Control over CPU utilization: In inline modes, traffic is dropped when CPU is not available. Look for controls that limit CPU utilization; in particular, check for the following capabilities.
    • Signature selection: The more rules are enabled, the more CPU is consumed. Look for facilities to disable specific signatures, both by deselecting whole signature families and by deselecting individual signatures.
    • Control over the amount of data inspected: Some detections, such as malware detection, are very expensive. Since these are not protocol-level vulnerabilities, detection requires inspecting the payload data, and the signatures involved typically have very complex patterns that take a significant number of CPU cycles. It appears that many attacks can be detected within the first 16K bytes of a connection. This observation can be used to limit traffic inspection and save CPU cycles. Look for the capability to control the amount of data inspected, both per protocol and across protocols. One word of advice: start by inspecting all data, then analyze and tune this setting based on the types of applications and traffic in your network.
  • Latency, jitter and throughput: Identify the types of applications your business runs on the network, note your requirements for throughput, latency and jitter tolerance, and ensure that the IPS/IDS deployment does not push these parameters beyond the limits you set.
  • Behavior of the IDS/IPS device on unrecognized traffic: IDS/IPS devices may not be able to inspect every kind of traffic; many limit themselves to IP traffic. If your network carries traffic such as multicast, IPv6, IPX, AppleTalk or proprietary protocols, check how the IPS/IDS device handles it. At a minimum, you should expect the device to pass this traffic even though it does not inspect it.
  • Network monitoring: Many enterprises use common SNMP-based monitoring tools, and the IDS/IPS device becomes one more network element. If this matters to you, ensure that the IDS/IPS device you select supports an SNMPv3 agent with MIB-II.
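The behaviours asked for in the list above (a verdict that depends on the deployment mode and on per-signature selection, a bounded session table with fail-open and fail-close handling, pre-connection and per-protocol session timeouts, a cap on how many bytes of each flow are inspected, and the out-of-state packets mentioned in the tap-mode discussion) can be seen together in the following toy sensor model. This is an added example written for this post, not code from any IPS/IDS product; the Packet, SensorConfig and Sensor classes, the single constructed signature, the 16384-byte default inspection cap and the timeout values are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    sid: str              # flow identifier (stand-in for the 5-tuple)
    proto: str            # application protocol as classified by the sensor
    t: float              # arrival time in seconds
    payload: bytes = b""
    syn: bool = False     # first packet of the flow

# Constructed signature: name -> (protocol, byte pattern, block in IPS mode?)
SIGNATURES = {"http-sqli": ("http", b"' OR 1=1", True)}

@dataclass
class SensorConfig:
    mode: str = "inline-ips"        # "tap" | "inline-ids" | "inline-ips"
    max_sessions: int = 1000        # session-table capacity
    fail_open: bool = True          # table full: pass uninspected (True) or drop (False)
    pre_conn_timeout: float = 10.0  # flow opened but no payload seen yet
    timeouts: dict = field(default_factory=lambda: {"http": 300.0, "dns": 30.0})
    inspect_bytes: dict = field(default_factory=lambda: {"http": 16384, "dns": 16384})
    disabled: set = field(default_factory=set)   # signature names switched off

class Sensor:
    def __init__(self, cfg):
        self.cfg = cfg
        self.sessions = {}   # sid -> {"proto", "last", "established", "seen"}
        self.alerts = []     # (signature name or condition, sid)

    def _expire(self, now):
        """Remove idle sessions using the pre-connection or per-protocol timeout."""
        for sid, s in list(self.sessions.items()):
            limit = (self.cfg.timeouts.get(s["proto"], 60.0) if s["established"]
                     else self.cfg.pre_conn_timeout)
            if now - s["last"] > limit:
                del self.sessions[sid]

    def handle(self, pkt):
        """Return the network-side verdict: 'pass', 'drop' or 'uninspected'."""
        self._expire(pkt.t)
        s = self.sessions.get(pkt.sid)
        if s is None:
            if not pkt.syn:   # out of state: session never seen or already timed out
                self.alerts.append(("out-of-state", pkt.sid))
                return "uninspected"
            if len(self.sessions) >= self.cfg.max_sessions:
                self.alerts.append(("session-table-full", pkt.sid))
                if self.cfg.mode != "tap" and not self.cfg.fail_open:
                    return "drop"        # fail close
                return "uninspected"     # fail open (a tap can only ever pass)
            s = self.sessions[pkt.sid] = {"proto": pkt.proto, "last": pkt.t,
                                          "established": False, "seen": 0}
        s["last"] = pkt.t
        verdict = "pass"
        if pkt.payload:
            s["established"] = True
            # Only the first inspect_bytes of each flow are matched against signatures.
            budget = self.cfg.inspect_bytes.get(pkt.proto, 16384) - s["seen"]
            s["seen"] += len(pkt.payload)
            for name, (proto, pattern, block) in SIGNATURES.items():
                if name in self.cfg.disabled or proto != pkt.proto or budget <= 0:
                    continue
                if pattern in pkt.payload[:budget]:
                    self.alerts.append((name, pkt.sid))
                    if block and self.cfg.mode == "inline-ips":
                        verdict = "drop"
        return verdict

def run(cfg, packets):
    """Feed a constructed packet sequence through one sensor; return (verdicts, alerts)."""
    sensor = Sensor(cfg)
    return [sensor.handle(p) for p in packets], sensor.alerts

def demo():
    """Exercise each behaviour with constructed traffic; keys name the scenario."""
    out = {}
    sqli = [Packet("c1", "http", 0.0, syn=True),
            Packet("c1", "http", 0.1, b"GET /?id=' OR 1=1 HTTP/1.0")]
    for mode in ("tap", "inline-ids", "inline-ips"):   # same request, three modes
        out[mode] = run(SensorConfig(mode=mode), sqli)[0][1]
    out["disabled"] = run(SensorConfig(disabled={"http-sqli"}), sqli)[0][1]
    floods = [Packet(f"f{i}", "http", 0.0, syn=True) for i in range(3)]
    out["fail_open"] = run(SensorConfig(max_sessions=2, fail_open=True), floods)[0][2]
    out["fail_close"] = run(SensorConfig(max_sessions=2, fail_open=False), floods)[0][2]
    def idle(proto):   # 40 s gap: beyond the 30 s DNS timeout, within the 300 s HTTP one
        return [Packet("s", proto, 0.0, syn=True), Packet("s", proto, 1.0, b"q"),
                Packet("s", proto, 41.0, b"q")]
    out["dns_idle"] = run(SensorConfig(), idle("dns"))[0][2]
    out["http_idle"] = run(SensorConfig(), idle("http"))[0][2]
    out["pre_conn"] = run(SensorConfig(), [Packet("p", "http", 0.0, syn=True),
                                           Packet("p", "http", 15.0, b"x")])[0][1]
    deep = [Packet("d", "http", 0.0, syn=True), Packet("d", "http", 0.1, b"A" * 16384),
            Packet("d", "http", 0.2, b"' OR 1=1")]   # pattern lies past the 16 KB cap
    out["deep_default"] = run(SensorConfig(), deep)[0][2]
    out["deep_raised"] = run(SensorConfig(inspect_bytes={"http": 1 << 20}), deep)[0][2]
    return out
```

Calling demo() returns one verdict per scenario: the same request is passed (with an alert) in tap and inline IDS modes and dropped in inline IPS mode, and passed again once its signature is deselected; the third concurrent flow against a two-entry session table is passed uninspected under fail open and dropped under fail close; the DNS flow that idles past its 30 s timeout and the flow that sends no payload within the pre-connection timeout both come back as out-of-state, uninspected packets; and the pattern sitting beyond the 16 KB cap is only caught after the per-protocol cap is raised. The last case is the reason the advice above says to start with full inspection and tune the cap afterwards.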
High Availability:

Availability of the IPS/IDS device is very important in inline modes, because the device can become a single point of failure in your network. Ensure that the IDS/IPS device supports high availability.

LAN bypass: This function short-circuits the Ethernet ports, essentially turning the device into an Ethernet hub, when there is a failure in the software or hardware of the IPS/IDS device. It is typically implemented in hardware; more recently it can also be implemented using virtualization (see http://network-virtualization.blogspot.com/2008/03/lan-bypass-using-xenvmware-kind-of.html). Consider this function if it is adequate for your network.

Redundant devices: The LAN bypass function ensures that connectivity is not lost, but it bypasses security inspection, which may not be acceptable in some business environments. In those cases, look for IDS/IPS devices that support redundancy: two or more devices (two are typically enough) are installed in parallel, and when one device goes down the other starts processing packets. Optionally, some IDS/IPS devices also support takeover of existing sessions, so that existing connections continue to work after the other device takes over. In addition, the administrator should look for:
  • The time it takes the backup device to become active; it should be in the single-digit seconds.
  • The time it takes the central management system to recognize the switchover.
  • Assurance that the central management system pushes signatures to all backup devices before they become active.

Disaster Recovery:

High availability will not help in a major disaster, which may require procuring new devices. Security professionals will have spent significant effort over time tuning the IPS/IDS devices; if that work is lost, re-tuning takes significant time. This is why the disaster recovery functionality provided by IPS/IDS devices is very important.

Security professionals should look for a facility in IDS/IPS devices to back up the configuration and restore it whenever required.

Central Administration:

Large enterprises require more than one IDS/IPS sensor, placed at different points in the network. Central management reduces the configuration burden and also provides correlation of events and logs. If your network requires many sensors, look for a central management system. Typical features to look for:
  • Multiple administrator accounts.
  • Role-based management.
  • Multiple UI consoles.
  • Correlation of logs and events.
  • Traffic reports.
  • Attack reports.
  • Alerts.
  • Audit reports.

There are many IDS/IPS devices on the market. Selecting one depends not only on functionality and detection accuracy but also on how easy it is for you to deploy and monitor. I have tried to address some of the common items to consider in your buying decision.
