Expert Tips for a Successful IDS & IPS Deployment

This expert E-Guide takes an in-depth look at some intrusion detection and intrusion prevention system best practices and details recommendations for a successful deployment. Check out this E-Guide today and find out if your company should implement network IPS and learn how to integrate social engineering into your organizational security assessment.

Sponsored By:

Table of Contents:
Intrusion detection system deployment recommendations
Testing for client-side vulnerabilities
Network intrusion prevention systems: Should enterprises deploy now?
How to integrate social engineering into an information security assessment
Resources from Sourcefire

Intrusion detection system deployment recommendations
By Edward Yakabovicz

Selection, placement and maintenance of intrusion detection systems (IDS) are based on the requirements and current infrastructure of a company. One product may work well for one company and fail for the next. Selection is typically the most difficult decision, for products MUST meet business requirements, function correctly within the intended network infrastructure and be supportable by current personnel.

Industry standards for most intrusion detection systems mandate the use of both a network- and host-based IDS. A network-based IDS provides an umbrella to the network by monitoring all traffic on specific segments that may contain malicious traffic or have mal-intent. The sole function of a network-based IDS is to monitor the traffic of the network. A host-based IDS is deployed on devices that have other primary functions such as Web servers, database servers and other host devices. A host-based IDS provides information such as user authentication, file modifications/deletions and other host-based information, thus designated as secondary protection to devices on the network.

Initial Industry Standard IDS deployment dictates use of network-based IDS, then host-based IDS. This ensures the network, and then host devices, are protected. The core foundation of any company is the network infrastructure, then devices within those networks. IDS should be deployed in the same fashion.

A host-based IDS should be deployed as a secondary task in a three-tier approach, after a network-based IDS. Tier one deployment includes highly critical host devices located on the external perimeter of the network. These include critical Web, mail and other devices located in the DMZ or extranet (Internet facing network segments within or outside the DMZ). Tier two consists of other non-critical DMZ devices that can include most DMZ devices. Lastly, tier three would consist of all other devices located within the protected-private network inside the DMZ that are critical or contain confidential data such as client, financial and databases. As stated above, individual devices comprise the network and should be protected, but only after the network is first secure.

Network-based IDS recommendations
A network-based IDS should be deployed on the external demilitarized zone (DMZ) segment, then the DMZ segment. This will allow monitoring of all external and DMZ malicious activity. All external network segments should be monitored to include inbound and outbound traffic. This will ensure all devices connected to external hostile networks are monitored and checked. These recommendations are industry standards that are used to track malicious activity at both the extranet, Intranet and DMZ environments. Extra protection with the use of a network-based IDS at all entry points should be accomplished first to ensure monitoring of all malicious attempts on company resources, not only the well known network connections, but all known external connections.

Policy and tool recommendations
Additional recommendations beyond IDS deployment should include development of incident response manuals, procedures and tools. An IDS functions as a burglar alarm, thus human intervention is necessary after the alarm sounds. Possessing and using good incident response techniques enhances the value of data gathered from an IDS by providing the next steps to forensic examination. Software tools for incident investigation should also be pursued to ensure tools are available to research, evaluate and report findings. If at any time the company would be forced to take legal action due to malicious activity, these tools would be necessary, along with the established policy and standards, to provide evidence. Without the tools or policy, the company may not be able to pursue legal action or stop a perpetrator.

Product deployment
Deployment of a network-based IDS should be immediate at the external Internet facing network segments, then DMZ segments. A host-based IDS should then be deployed on all critical DMZ host devices. Finally, any other major host device should also have a host-based IDS applied to ensure those systems are protected, as well.

Project tasks for IDS
The project tasks identified below are generic in nature, but typically the industry standard for IDS deployment.

• Develop management system: This should entail selection and number of network- and host-based devices to deploy, placement of management consoles and the overall infrastructure.

• Develop logging systems: Since an IDS can generate large amounts of data, logging systems should be chosen that allow gathering of large amounts of data, backup and recovery procedures and storage facilities. Hardware and software may need to be ordered during this phase.

• Develop audit policy: This comes after the first two phases, for at this point the number of sensors and logging procedures should be chosen. An IDS without an audit policy for IDS logging is like having no IDS at all. Logs should be checked daily for critical incidents and weekly for all others. Severity levels should be developed to track and handle all incidents. These levels would include detailed descriptions of actions to accomplish, people to call and data to gather in case of true malicious activity or break-in of critical systems.

• Deployment of network-based IDS: This should be done ASAP to start gathering data. Again, a network-based IDS should be deployed first as an industry and recommended standard. The approach should be three tiers, to start at the furthest extension of the security perimeter, then DMZ and other devices.

• Deployment of host-based IDS: Host-based IDS deployment should be after network-based, as an industry standard. This could actually be done at the same time as network-based, but the emphasis should be placed on network-based first.

• Refine IDS policies: This step should be done through the entire IDS deployment process and afterwards. Policies change according to the business need or threat, thus this is an ever changing piece of the project.

• Refine written standards: As with any system, there must be company standards in place to ensure compliance. IDS standards should be started at the beginning of the project and continue through completion. These should include configurations, policies to use, logging, auditing and reporting.


Project tasks beyond IDS
As identified, a valid IDS must contain support beyond that of hardware and software. Written procedures for incident response must be developed and approved for a time when there is a valid malicious attempt against company systems. The following are recommended steps to go beyond an IDS.

• Incident response: An incident response procedure must be developed to ensure a standard is in place once a malicious attempt is made on company systems. This should include a written procedure, actual next steps, who to call, when to call, how to call and a notification chain. An IDS is only as good as the incident response behind the system. When the alert is sounded, the company needs to have a fully tested response procedure in place to ensure there is no loss, or to record if there was a loss, of critical information. A good incident response procedure will ensure data integrity is assured for historical chain of evidence in forensics investigation.

• Forensic toolkits: Many products exist to accomplish the examination of data once an incident occurs. Tools should be researched that meet the company requirements and onsite personnel trained on their use.

Gramm-Leach-Bliley Act
Sections 501 and 505(b) outline the guidelines for all banks to establish standards for safeguarding customer information. If your company is not a financial institution, you should still consider the general recommendations listed below as standard information security practices.

• Scanning and vulnerability testing: Scanning and vulnerability testing should be accomplished by third parties to ensure compliance with an IDS and other security recommendations.

• Policy review: Information security policy must be maintained and reviewed to ensure accuracy and compliance with Federal standards.

• Firewall and router review: Firewall and router reviews should be accomplished quarterly, at a minimum, to ensure that accurate and complete security configurations are used.

About the author: Edward P. Yakabovicz has 19 years of experience in computers with a focus in security and engineering. He holds certifications in CISSP, MCSE, CCNA and CNA.


Testing for client-side vulnerabilities
By Lenny Zeltser, Contributor

Believe it or not, organizations are getting better at protecting network perimeters. Companies with mature security programs, such as financial institutions, usually make a point of allowing only certain ports through the firewall and hardening Internet-accessible servers to minimize attack surface. As a result, when searching for low-hanging fruit, attackers are paying closer attention to client-side vulnerabilities on internal workstations. So should you, when performing security assessments.

A client-side vulnerability often takes the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially-crafted email attachment or by convincing the user to visit a malicious Web site. Web browsers are common targets. Other attractive targets include Adobe Acrobat, Macromedia Flash, QuickTime and Java Runtime Environment.

Modeling real-world attacks
When assessing your organization’s exposure to such threats via client-side penetration testing, you should mimic two common scenarios:

• Attackers targeting specific employees with messages carrying a malicious payload or by pointing the victim to a malicious Web site.

• Large-scale client-side infection campaigns that rely on victims visiting compromised Web sites that deliver client-side exploits, possibly through malicious banner ads.

A related attack tactic involves relying on social engineering to convince the user to install a backdoor program without bothering to exploit a software vulnerability. The attacker may initiate contact through an email or an instant message, enticing the victim to launch an attachment or to download and run some program.

The mechanics of client-side testing
Here are three methods for testing your organization’s exposure to client-side attacks during a security penetration test, listed in increasing degree of intrusiveness:

1. Track the clicks (low impact). Craft an official-looking email to entice the recipient to click on a link. Set up a Web site to which you will direct the individuals. The Web site won’t try to exploit a vulnerability or attempt to install software on the workstation. It will merely keep track of the number of people who clicked on the link. This helps estimate the scope of the incident the organization would face had this been a real attack. A variation on this technique uses instant messaging, instead of email. If you’d like to know who visited the Web site, provide a unique link to each recipient.

2. Plant a back door without exploitation (medium impact). Employ the social engineering tactics described in the click-tracking method above. This time, instead of simply counting its visitors, the Web site should present the person with a request to download a program of your choice. An unfortunate number of people will install the program from a third-party Web site given the right explanation, and that’s where your social engineering skills will come into play. Depending on the scope of your testing, your program can do nothing, or it could open a back door to the compromised system. You can track the number of downloads and program installations to collect metrics.

3. Exploit a client-side vulnerability (high impact). Follow the methodology outlined in the previous methods to bring the person to your Web site. In this case, exploit a client-side vulnerability to plant the backdoor on the workstation. The biggest benefit of this scenario is that it offers high shock value to an organization that may otherwise disregard the assessment’s findings. The biggest disadvantage is that unless you target just the right vulnerability, you may fail to exploit any flaws and have to revert to the simplest click-tracking scenario.

If you are looking to install software on the client system in the last two scenarios, penetration testing tools such as Metasploit, CANVAS, and CORE IMPACT can be beneficial. Each offers a mechanism for targeting client-side vulnerabilities, and may also assist in generating a backdoor program for the medium-impact scenario described above.

If nothing else, identify client-side vulnerabilities
Assessing an organization’s exposure to client-side threats via penetration testing is not for everyone. If you cannot justify a penetration test that employs the methods described earlier, at least examine the workstations to identify missing patches. Such a vulnerability assessment may lack the pizzazz of attempting to plant a backdoor; however, it will highlight the type of vulnerabilities an attacker may target via client-side techniques. Your examination should include both mainstream software from Microsoft, as well as applications from vendors such as Adobe, Apple and Sun.

As attackers shift their tactics to targeting client-side vulnerabilities, organizations must keep up by assessing their exposure to such threats. By incorporating client-side testing into your security assessments, you will be able to collect metrics that will help you prioritize your security-improvement efforts.

About the author: Lenny Zeltser is the New York security consulting leader at SAVVIS, Inc. He is also a senior faculty member at SANS Institute, where he teaches a course on reverse-engineering malware.


Network intrusion prevention systems: Should enterprises deploy now?
By Mike Chapple

A little more than three years ago, I witnessed a pilot deployment of an intrusion prevention system (IPS) on a large academic network. The technology in question was a highly touted product from a top-tier vendor (one that’s still around today). The product came complete with tons of sales hype, promising to eliminate all network threats and allow security analysts to sleep soundly for the first time in years.

So what happened when it was turned on? As you may have predicted, it crashed within 15 minutes, overwhelmed by an attempt to implement the vendor’s “best practice” IPS signatures on an unfiltered Internet connection. After the failed implementation as well as conversations with colleagues from other organizations, it became clear that the organization simply wasn’t ready for an IPS (or, better put, IPS technology wasn’t ready!).

Three years and a few sales reps later, those same vendors are pounding on doors and making phone calls, promising that the IPS market has “matured” and that it’s time to give the technology a second chance. While today’s IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I’m not sure that the technology itself has matured; in fact, it hasn’t really changed much at all.

Intrusion prevention systems are a basic extension of intrusion detection systems; they watch the network for an attack and, when one is detected, actually prevent it from reaching its destination. This is in contrast to an IDS, which allows it to pass by and then alerts administrators to its presence. Sure, different vendors have added some bells and whistles, like the ability of the IPS to interact with network devices (firewalls, switches, etc.) to implement access control decisions at different points in the network. Over the years vendors have also added the ability to detect emerging technology attacks, such as those against VoIP systems or IPv6 networks.

A successful IPS product, however, boils down to a quality detection engine and smooth user interface. The core technology bears a striking resemblance to the first version of Snort, a popular open-source intrusion detection system that renowned Sourcefire Inc. founder Martin Roesch introduced to the world 10 years ago.

That said, I do believe that the use and adoption of intrusion prevention systems has changed significantly during the past three years. The dramatic changes, however, lie not in the added features, but in the best practices adopted by vendors and security professionals for the deployment and maintenance of IPSes.

Here’s a quick run-down of some of those best practices that you should follow to achieve IPS implementation success:

• Run the IPS in “monitor” mode until it’s clear that the system is properly tuned. Deploying an IPS by simply turning it loose on an enterprise network with the vendor’s default policy enabled is a huge mistake. (If you don’t remember why, reread the first two paragraphs of this article!) It is far safer to deploy the device in monitoring mode, where it functions in a manner identical to an IDS. Keep a careful eye on it until you’re comfortable that it’s properly enforcing your organization’s security policy. Watch any alerts carefully for signs of false positive detections, and remember that those connections will indeed be blocked once you enable active responses on any of those rules. The key step here is to invest a significant amount of time during the tuning period in analyzing IPS alerts. It’s not sufficient to simply count false positives. Dig into them: what if two of those false positives would have blocked the connection from your e-commerce application to the sales database? Save yourself from a career-ending mistake.

• Keep the number of “block” mode rules to a small, finely tuned set. The most successful IPS deployments use a hybrid IDS/IPS approach. Only rules associated with extremely high confidence rates should be set to prevent traffic from traversing the network. For example, if the IPS detects an off-network system systematically sweeping your address space with SSH probes, you’d definitely want to block that traffic. Over the past few years, vendors have picked up on this advice as well. Most now recommend a small core group of “block” rules and leave the remainder in typical IDS alert mode. This is a prudent approach that dramatically increases the likelihood of success for your IPS deployment.

• Consider using a fail-open device. Another downside to IPSes is that the devices must be physically in-line in order to function in “block” mode. As any network engineer will tell you, it’s best to have as few in-line devices as possible. Adding single points of failure to a network is problematic and provides everyone else with the opportunity to point at the security team when undiagnosed problems arise. One way to prevent such issues is to use fail-open technology on an IPS. That way, if the device fails, it acts like a straight copper wire and doesn’t cause a complete network outage. If the budget allows, also consider redundant IPS devices configured in high-availability mode.
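The first two practices above amount to a review of monitor-mode alerts that goes beyond counting false positives. The following Python script is an added example, not code from the article or from any IPS vendor: it reads a constructed alert log in which an analyst has marked each alert as a true or false positive, and recommends “block” only for rules that have enough samples, an extremely high confidence rate, and no false positive that would have cut a protected flow such as the e-commerce-to-sales-database connection. The log format, rule IDs (the one for the SSH sweep is constructed, not a real signature), addresses, protected flow and thresholds are all assumptions of the example.

```python
"""Decide which monitor-mode IPS rules may be promoted to "block" mode.

Each alert was logged while the IPS ran as an IDS and was dispositioned by an
analyst as TP (true positive) or FP (false positive). A rule is promoted only if
no false positive would have severed a protected flow, it has enough samples and
its confidence rate is high enough. Log format, rule IDs, addresses and
thresholds are constructed for this example; no vendor's real format is implied.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed alert log: timestamp | rule id | src -> dst | analyst disposition
ALERT_LOG = """\
2008-03-01T10:00:01 | sid=2001219 | 203.0.113.7:51000 -> 192.0.2.10:22 | TP
2008-03-01T10:00:02 | sid=2001219 | 203.0.113.7:51001 -> 192.0.2.11:22 | TP
2008-03-01T10:00:03 | sid=2001219 | 203.0.113.7:51002 -> 192.0.2.12:22 | TP
2008-03-01T10:00:04 | sid=2001219 | 203.0.113.7:51003 -> 192.0.2.13:22 | TP
2008-03-01T10:00:05 | sid=2001219 | 203.0.113.7:51004 -> 192.0.2.14:22 | TP
2008-03-01T11:15:40 | sid=1000042 | 10.1.5.20:44120 -> 10.2.9.5:1433 | FP
2008-03-01T11:16:02 | sid=1000042 | 198.51.100.9:3320 -> 192.0.2.30:80 | TP
2008-03-01T11:17:11 | sid=1000042 | 198.51.100.9:3321 -> 192.0.2.30:80 | TP
2008-03-01T11:18:30 | sid=1000042 | 198.51.100.9:3322 -> 192.0.2.30:80 | TP
2008-03-01T11:19:55 | sid=1000042 | 198.51.100.9:3323 -> 192.0.2.30:80 | TP
2008-03-01T12:00:00 | sid=1000077 | 10.1.5.21:40001 -> 192.0.2.40:443 | FP
2008-03-01T12:00:09 | sid=1000077 | 10.1.5.22:40002 -> 192.0.2.40:443 | FP
2008-03-01T12:01:00 | sid=1000077 | 198.51.100.77:1111 -> 192.0.2.40:443 | TP
2008-03-01T12:01:05 | sid=1000077 | 198.51.100.77:1112 -> 192.0.2.40:443 | TP
2008-03-01T12:01:10 | sid=1000077 | 198.51.100.77:1113 -> 192.0.2.40:443 | TP
2008-03-01T12:01:15 | sid=1000077 | 198.51.100.77:1114 -> 192.0.2.40:443 | TP
2008-03-01T13:00:00 | sid=1000099 | 198.51.100.5:2222 -> 192.0.2.50:25 | TP
"""

# Business-critical flows a false positive must never cut (constructed): the
# e-commerce application subnet talking to the sales database on 1433/tcp.
PROTECTED_FLOWS = [(ip_network("10.1.5.0/24"), ip_network("10.2.9.0/24"), 1433)]

MIN_SAMPLES = 5        # below this, a confidence rate is not meaningful
MIN_CONFIDENCE = 0.95  # "extremely high confidence" threshold for block mode

def parse_alert(line):
    """Return (sid, src_ip, dst_ip, dst_port, disposition) for one log line."""
    _ts, sid_field, flow, disposition = [p.strip() for p in line.split("|")]
    sid = int(sid_field.split("=", 1)[1])
    src, dst = [p.strip() for p in flow.split("->")]
    dst_host, dst_port = dst.rsplit(":", 1)
    return sid, ip_address(src.rsplit(":", 1)[0]), ip_address(dst_host), int(dst_port), disposition

def hits_protected_flow(src_ip, dst_ip, dst_port):
    return any(src_ip in s and dst_ip in d and dst_port == p for s, d, p in PROTECTED_FLOWS)

def summarize(log_text):
    """Per rule: true positives, false positives and the FPs that hit a protected flow."""
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "protected_fp": []})
    for line in filter(str.strip, log_text.splitlines()):
        sid, src_ip, dst_ip, dst_port, disposition = parse_alert(line)
        if disposition == "TP":
            stats[sid]["tp"] += 1
            continue
        stats[sid]["fp"] += 1
        if hits_protected_flow(src_ip, dst_ip, dst_port):
            stats[sid]["protected_fp"].append(f"{src_ip} -> {dst_ip}:{dst_port}")
    return dict(stats)

def recommend_actions(stats):
    """Map sid -> (action, reason) following the hybrid IDS/IPS approach."""
    actions = {}
    for sid, st in stats.items():
        total = st["tp"] + st["fp"]
        confidence = st["tp"] / total
        if st["protected_fp"]:  # most severe: would have cut a critical connection
            actions[sid] = ("alert", f"false positive on protected flow {st['protected_fp'][0]}")
        elif total < MIN_SAMPLES:
            actions[sid] = ("alert", f"only {total} alert(s), need {MIN_SAMPLES}")
        elif confidence < MIN_CONFIDENCE:
            actions[sid] = ("alert", f"confidence {confidence:.2f} below {MIN_CONFIDENCE}")
        else:
            actions[sid] = ("block", f"confidence {confidence:.2f} over {total} alerts")
    return actions

if __name__ == "__main__":
    for sid, (action, reason) in sorted(recommend_actions(summarize(ALERT_LOG)).items()):
        print(f"sid {sid}: {action:5s} ({reason})")
```

Only the constructed SSH-sweep rule ends up in block mode; the rule whose single false positive landed on the protected database flow stays in alert mode even though four of its five alerts were genuine.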

In summary, yes, the IPS market has matured during the past three years. Those changes aren’t so much in the technology itself, but in the way it is deployed and operated. Properly managed, IPS devices now have a significant role in the enterprise security architecture.

About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.


How to integrate social engineering into an information security assessment
By Lenny Zeltser, Contributor

Rare is the case when a determined penetration tester or attacker fails to trick his targets into releasing sensitive information. The usefulness of the information and the difficulty of obtaining it depend on the organization’s security controls. If you are not incorporating social engineering into your assessment arsenal, you are ignoring a threat vector that may dramatically affect your company’s risk exposure.

Plan carefully—too much is at stake
It is easy to overstep your bounds during a social engineering test: pushing the targeted employee too far during a phone conversation, asking an overly personal question in a phishing campaign, walking into an area that is off-limits during a physical security examination. That is why careful planning is critical to the project’s success.

What are you testing?
Clearly defined objectives are a must for a useful social engineering test. “Obtain sensitive information” is usually too vague, and presents opportunities for blame, hurt feelings and lawsuits. Consider tying your goals to the controls the organization defined in its security program. For example:

• The security awareness presentation explains how to identify phishing scams. Test what percentage of targeted employees will click on a link in a phishing-like email you send out.

• Help desk training materials outline procedures for resetting a caller’s forgotten password. Test whether help desk personnel follow protocol when you call impersonating a colleague who cannot log in.

• The security policy warns employees against strangers walking into the building behind an employee who swiped his badge at the entrance. Test how employees will react when you try to follow them through the door they opened.

Without specific goals, the social engineering test might conjure some war stories, but it will not produce actionable recommendations for improving the organization’s security posture.

Research and design a scenario
You can get creative with scenarios that help achieve your goals, whether performing the test via email, phone, postal mail, instant messenger or in person. You will need to research the organization if you do not already understand its business, jargon, corporate hierarchy and social structure.

Next, you will need to think like an attacker, exploiting people’s psychological inclinations such as:

• People want something for nothing: “You won the office raffle! Click here to claim your gift.”

• People empathize with those in trouble: “Please reset my password. My boss will kill me if I don’t submit the time sheet in time!”

• People reciprocate a favor: You picked up the papers the person dropped; he holds the door to let you in.

Your scenario should specify the individuals or groups designated for social engineering, timing of the test, location, and persuasion tactics. Account for laws, contractual commitments, policies, and the company’s culture. Also consider the possibility of something going wrong, and define back-out and escalation procedures.

A word of caution
Consider how targeted individuals will react to being deceived. If you have to work with them afterward, the good will you may lose could cost you. For this reason, companies tend to err on the side of caution, often selecting impersonal email-based scenarios in place of confrontations by phone or in person.

You can easily get in trouble without a written approval for the scenario from your manager or client, and preferably from their manager as well. If you are a consultant, you will be wise to seek a lawyer’s perspective before accepting the project.

Conduct the test and analyze the results
Take notes during tests. You might get lost when communicating with multiple people. In particular, pay attention to the indicators that affect the controls you are testing. This may involve monitoring the data collected by a phishing-style form, maintaining a journal of your phone conversations, or photographing the physical space around you.

With the right metrics at hand, you can gauge the effectiveness of people-centric controls that are difficult to test via traditional assessment approaches.

About the author: Lenny Zeltser is the New York security consulting leader at SAVVIS, Inc. He is also a senior faculty member at SANS Institute, where he teaches a course on reverse-engineering malware.


Resources from Sourcefire

Gartner Magic Quadrant—IPS Appliances
Sourcefire 3D System
Sourcefire RNA
Sourcefire Press Releases

About Sourcefire
Sourcefire, Inc. (Nasdaq: FIRE), SNORT® creator and open source innovator, is a world leader in Enterprise Threat Management (ETM) solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks with its 3D Approach—Discover, Determine, Defend—to securing real networks. The Sourcefire 3D System is the first to unify IPS, NBA, NAC and Vulnerability Assessment technologies under the same management console. This ETM approach equips customers with an efficient and effective layered security defense—providing protection before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership—with more than 30 awards and accolades.

For more information about Sourcefire, please visit our website.
