Solutions for an Intrusion Prevention System

Evaluating RFP Submissions for
an Intrusion Prevention System

Infrastructure/Networks “Hot Topics”
Doug Carson
Mike Peterson

CANHEIT 2006 – Halifax, NS
University of Toronto Network
• Approximately 30,000 computers in 300
• Gateway consists of
  – 1 Gbps link from gateway routers to core network
  – 1 Gbps connection to R & E networks (GTAnet /
    ORION / CA*net)
  – 300 Mbps connection to general Internet (Cogent),
    likely increasing in the Fall to 400 Mbps

IPS Implementation Objectives
• Inspect and manage network traffic at
  multi-gigabit speeds.
• Eliminate malformed packets and protocol
• Detect and manage hostile traffic at OSI
  Layers 3, 4 and 7.
• Filter and remove hostile activities directed
  against internal or external hosts.
• Detect and manage compromised internal

RFP Evaluation Criteria
• Technical Strengths (45%)
  – General Functionality (ability to detect and
    manage traffic, ease of deployment/upgrade/etc.,
    overall ease of use, availability)
  – Flexibility (ability to modify/tune detection and
    mitigation actions)
  – Management interface (ease of use,
    performance, etc., policy management)
  – Reporting and Analysis (flexibility, ease of use,
    event aggregation and correlation capabilities, alert
    handling, etc.)

RFP Evaluation Criteria (cont.)
• Product Support (25%). Elements relating to
  signature updates, warranty, software maintenance
  practices, defect reporting and tracking, parts sparing,
  locality of support are evaluated.
• Pricing (20%). This includes purchase price, ongoing
  support pricing, optional feature pricing, and
  educational discounts.
• Company Profile (10%). Aspects here include history
  of IPS product delivery, financial health, reputation as
  expressed by references, distribution channels.

Project History
• Summer 2004
   – IPS technology first proposed to protect the University’s
     Internet gateway.
• November 2004
   – IPS Project approved for funding.
• February 2005
   – Project funding available.
• May 18, 2005
   – RFP Issued to seven vendors.
• June 8, 2005
   – Submissions received from six of the seven vendors invited.

Project History (cont.)
• August 2005
   – RFP technical review completed.
   – Two vendors selected for in-house evaluation notified and
   – Each unit was to be tested sequentially in-house for 30 days.
• September 2005 to June 2006
   – Ended up testing three IPS platforms.
   – Various issues resulted in this timeframe being significantly
• Also evaluated SNORT-based IPS technologies.
   – Could not meet performance requirements.
   – Reactive solution, not proactive.

Evaluation Issues
• Getting past general software bugs: rule
  compiler errors, database corruption, poor
  management station performance, etc.
• Unable to differentiate internal and external
  traffic sources and destinations.
• Reconfiguring overly restrictive default rules
  and threshold limits.
• Handling of DDoS, host sweeps, port sweeps.
• Reporting.
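Three of the issues above (telling internal from external endpoints, handling host and port sweeps, and default thresholds that are too tight) can be made concrete with a small rate-based detector. The following Python is an added example written for this page, not code from the talk or from any of the evaluated products; the internal address ranges, the 60-second window, the thresholds and the flow records are constructed stand-ins, not University of Toronto data.

```python
"""Sweep detection with internal/external tagging over constructed flow records.

Added example for this page. The campus prefixes, thresholds and flows below
are assumptions chosen to show the behaviour, not values from the talk.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical campus (internal) prefixes; stand-ins, not a real allocation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """Tag a flow by where its endpoints sit relative to the gateway.

    Without this tag an IPS cannot distinguish an inbound scan
    (external -> internal) from a compromised internal host scanning out.
    """
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    if src_in and dst_in:
        return "internal"
    return "transit"


def detect_sweeps(flows, window=60, host_threshold=20, port_threshold=15):
    """Return sorted (direction, kind, src, count) alerts.

    host_sweep: one source reaches >= host_threshold distinct destinations
                in the same direction within one window.
    port_sweep: one source reaches >= port_threshold distinct ports on a
                single destination within one window.
    Flows are bucketed into fixed windows (ts // window), the usual way a
    rate-based rule is written; a sliding window would fire earlier.
    """
    hosts = defaultdict(set)   # (bucket, src, direction) -> {dst}
    ports = defaultdict(set)   # (bucket, src, dst) -> {dport}
    for f in flows:
        bucket = f.ts // window
        hosts[(bucket, f.src, direction(f))].add(f.dst)
        ports[(bucket, f.src, f.dst)].add(f.dport)

    alerts = set()
    for (_, src, dirn), dsts in hosts.items():
        if len(dsts) >= host_threshold:
            alerts.add((dirn, "host_sweep", src, len(dsts)))
    for (_, src, dst), dports in ports.items():
        if len(dports) >= port_threshold:
            alerts.add((direction(Flow(0, src, dst, 0)), "port_sweep", src, len(dports)))
    return sorted(alerts)


# Constructed sample traffic, all inside the first 60-second window.
SAMPLE_FLOWS = (
    # external host sweeping a campus /24 for SMB (25 destinations)
    [Flow(t, "203.0.113.7", f"10.1.0.{t + 1}", 445) for t in range(25)]
    # internal host walking 20 ports on one external server (looks compromised)
    + [Flow(30 + p, "10.2.3.4", "198.51.100.10", p + 1) for p in range(20)]
    # legitimate internal SNMP poller touching 8 servers: benign, but noisy
    + [Flow(40 + i, "10.9.9.9", f"10.5.0.{i + 10}", 161) for i in range(8)]
)


def compare_thresholds():
    """Show how an over-restrictive default threshold flags the SNMP poller."""
    default = detect_sweeps(SAMPLE_FLOWS, host_threshold=5, port_threshold=15)
    tuned = detect_sweeps(SAMPLE_FLOWS, host_threshold=20, port_threshold=15)
    return default, tuned


if __name__ == "__main__":
    default, tuned = compare_thresholds()
    print("host_threshold=5 :", default)
    print("host_threshold=20:", tuned)
```

With the default threshold of 5 the internal SNMP poller is reported as an internal host sweep alongside the two real events; raising the host threshold to 20 keeps the inbound sweep and the outbound port sweep and drops the false positive, which is the tuning exercise the slide describes. The direction tag is what lets the outbound alert be routed as a suspected compromised internal host rather than as an attack from outside.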

• Each IPS manufacturer had a slightly different
  focus – rate/signature-based detection,
  combination firewall/anti-virus/VPN, etc.
  – testing helped determine what problems we really
    wanted/needed to address.
• No single platform we tested addressed all
  our requirements.
• IPS is just another tool, not a complete
  security solution.