
Network World

Jimmy Ray Purser

How to Keep Intrusion Detection From Sucking

By JimmyRay on Tue, 04/28/09 - 11:32am.

I have never been a fan of fishing with plastic worms. Not because of some real-worm-vs-fake-worm purist argument; heck, I've fished with TNT as a kid. Now that's a real hoot! It's because I have never, ever caught a single thing with them. To me they are ineffective and a waste of time and money.

That is how I feel about Intrusion Detection/Prevention. IDS is the plastic worm of network security devices in today's more advanced, botnet-oriented world. The marketing for plastic worms and for IDS is close to the same:
- Looks Lifelike::Real World Based Signatures
- 400x Scent dispersion::Lower False Positives
- Recommended by Top Anglers::*** Certified and Tested
- Money Back if not satisfied::......
I use an IDS node cluster for research and it works great for that. But what use is that data on a campus LAN? I use it to increase my knowledge and help the fight against bots worldwide. I do not see Enis the accountant or Hank the server admin pumping out C code for a fix. Although, I admit it is great to feed this data into Nebula to pump out Snort sigs. But that is IDS. Now, if a device is a TRUE IPS that will take action, either shunting an attack or reconfiguring a firewall, then we have a tool that is useful on the campus LAN. The difference here is active vs. passive.

The single biggest mistake I see in IPS deployment is traffic flow engineering. Many folks get these shiny new IPS devices in and they either:
- Config them like servers
or
- Config them like switches/routers
An IPS is configured differently than any other piece of gear on the network. It is not just another 1U appliance to make mid-level managers happy. An IPS needs to be placed inline in the traffic flow. Now any engineer worth their salt is going to design a network to withstand a failure of inline gear. Most inline appliances have hard drives that are prone to failure; heck, I have replaced three in my laptop already. An inline failure stops traffic flow and increases résumé flow. Not cool at all.

So normally, we install two of these devices with channelized links to withstand multiple failures.

That is the problem.

Traffic MUST flow symmetrically through an IPS, NOT asymmetrically: an IPS has to see both sides of a conversation to be effective. If the channel hash sends the client-to-server half of a session through one IPS and the server-to-client half through the other, neither box has enough of the session to match its signatures correctly. Truthfully, many folks install an IPS and never touch it again because of the high false positive rate. They hate it, think it sucks, and classify it as the plastic worm in the network. Recently I have visited many customer sites that classified Conficker as a false positive because their asymmetric traffic flow meant the IPS missed the command-and-control connection to the bot.

An IPS must be looked at from the traffic's point of view to be an effective piece of equipment. If not, you are just wasting your time and money putzing around with it.

When I install an IPS cluster I normally do the following:
- Break the network up into two VRF instances per IPS (assuming this is a switch-block-designed L3 network): half of the network on one side and half on the other, per IPS. This lets me group my VLANs into a single manageable unit for traffic flow engineering.
- I use a separate switch to connect my multiple IPS links into. In a channelized link, the member link a frame goes down is chosen by hashing source/destination information (an XOR-type algorithm over the addresses), and that choice is made independently at each end of the channel. Putting one switch in the middle means both directions of a conversation are hashed by the same box, with the same algorithm and the same hash-to-member mapping, so the result is consistent and BOTH sides of the conversation flow to the correct IPS.
- Before deployment, I double-check the switch's hash with the IOS command:

TWTVSwitch#test etherchannel load-balance interface port-channel 4 ip 172.16.2.2 172.24.3.3
Computed RBH: 0x1
Would select Gi2/22 of Po4

This lets me dry-run what my traffic flow will be before it ever hits the IPS, to ensure I am seeing both sides of a conversation between hosts. Run it for both directions (swap the source and destination addresses) on every switch that feeds the channel; if the two runs pick different members, the IPS pair will only ever see half the session. I have been doing this little design trick for quite some time now and it has decreased the false positive rate and increased IPS accuracy big time. Also, I need to give a huge shout-out to the Cisco SAFE team, which has published this and other great ideas in the brand new and minty fresh SAFE v2 documentation at http://www.cisco.com/go/safe This will certainly turn any IPS from a plastic worm into a Rapala X-Rap in no time flat!
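The symmetry check above can be modelled offline to see why it matters. The Python below is an added example; it is not from the original post and not Cisco's code. It uses a deliberately simplified model of the EtherChannel hash (the low-order bits of the XOR of the two IP addresses, one bit for a 2-link bundle, two bits for 4, three for 8), which is not the exact per-platform ASIC algorithm, which is exactly why the post dry-runs it with test etherchannel load-balance on the real switch. The member names Gi2/21 and Gi2/22, the 10.x hosts and the per-side member ordering are constructed for the example. It shows why src-dst-ip hashing puts both halves of a conversation on the same member, and two ways a deployment still ends up asymmetric: a src-ip or dst-ip load-balance mode, and two switches that map the same hash bucket to different IPS units.

```python
import ipaddress
from itertools import combinations

# Constructed (assumed) two-member bundle, one member per inline IPS,
# mirroring the two-device cluster in the post. Ordering is a modelling assumption.
MEMBERS_PO4 = ["Gi2/21", "Gi2/22"]


def _bucket(value: int, n_links: int) -> int:
    """Keep the low-order bits a bundle of n_links consumes (2 links: 1 bit, 4: 2 bits, 8: 3 bits)."""
    if n_links & (n_links - 1):
        raise ValueError("this simplified model only covers power-of-two bundles")
    return value & (n_links - 1)


def rbh(src: str, dst: str, n_links: int, mode: str = "src-dst-ip") -> int:
    """Simplified result-bundle-hash for one packet src->dst under a load-balance mode.

    src-dst-ip XORs the two addresses, so swapping src and dst yields the same bucket;
    src-ip and dst-ip key on one address only, so the reply can land in a different bucket.
    """
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    keyed = {"src-dst-ip": s ^ d, "src-ip": s, "dst-ip": d}
    if mode not in keyed:
        raise ValueError(f"unknown load-balance mode {mode!r}")
    return _bucket(keyed[mode], n_links)


def select_member(src: str, dst: str, members: list, mode: str = "src-dst-ip") -> str:
    """Physical member a switch would pick for src->dst (the model's 'Would select Gi2/22 of Po4')."""
    return members[rbh(src, dst, len(members), mode)]


def conversation_paths(a: str, b: str, members_a_side: list, members_b_side: list,
                       mode_a_side: str = "src-dst-ip", mode_b_side: str = "src-dst-ip"):
    """The a->b half is placed on the bundle by the switch on a's side, the b->a reply by the
    switch on b's side. Returns (forward_member, reverse_member, symmetric)."""
    fwd = select_member(a, b, members_a_side, mode_a_side)
    rev = select_member(b, a, members_b_side, mode_b_side)
    return fwd, rev, fwd == rev


def audit(hosts: list, members_a_side: list, members_b_side: list,
          mode_a_side: str = "src-dst-ip", mode_b_side: str = "src-dst-ip") -> list:
    """Every host pair whose two directions would reach different IPS units."""
    bad = []
    for a, b in combinations(hosts, 2):
        fwd, rev, ok = conversation_paths(a, b, members_a_side, members_b_side,
                                          mode_a_side, mode_b_side)
        if not ok:
            bad.append((a, b, fwd, rev))
    return bad


if __name__ == "__main__":
    # The post's own test pair: both directions land on the same member with src-dst-ip.
    print(conversation_paths("172.16.2.2", "172.24.3.3", MEMBERS_PO4, MEMBERS_PO4))
    # Same pair, src-ip hashing on both switches: each half keyed on a different address.
    print(conversation_paths("172.16.2.2", "172.24.3.3", MEMBERS_PO4, MEMBERS_PO4,
                             "src-ip", "src-ip"))
    # Correct hash mode, but the far-side switch maps bucket 1 to the other IPS.
    print(conversation_paths("172.16.2.2", "172.24.3.3", MEMBERS_PO4,
                             list(reversed(MEMBERS_PO4))))
    # Constructed campus hosts (assumed addresses), audited under both modes.
    hosts = ["10.1.1.10", "10.1.1.11", "10.2.2.20", "10.2.2.21"]
    print(audit(hosts, MEMBERS_PO4, MEMBERS_PO4))
    print(audit(hosts, MEMBERS_PO4, MEMBERS_PO4, "src-ip", "src-ip"))
```

On the real gear the mode is set globally with port-channel load-balance src-dst-ip and confirmed with show etherchannel load-balance; the model's third case is the one those commands do not catch, because each switch's hash is correct in isolation and the split only appears when the two switches' bucket-to-member mappings are compared, which is what the single middle switch in the design avoids.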

Jimmy Ray Purser

Trivia File Transfer Protocol
Dr. Seuss' editor Bennett Cerf challenged him to write a book using 50 words or fewer. Seuss took that challenge and wrote the book "Green Eggs and Ham", which uses exactly 50 words: a, am, and, anywhere, are, be, boat, box, car, could, dark, do, eat, eggs, fox, goat, good, green, ham, here, house, I, if, in, let, like, may, me, mouse, not, on, or, rain, Sam, say, see, so, thank, that, the, them, there, they, train, tree, try, will, with, would, you.

How many firms even use IPS


How many firms even use IPS these days?

Awesome Benett Cerf reference


Bennett Cerf, awesomest humorist of all time, FTW!

Plastic Worms


You are really missing out if you don't take advantage of plastics. They don't guarantee success, but I recently started using them rigged "wacky style" and was very successful. Though I'm not a 150-days-a-year guy, I get out fairly regularly and had never experienced much luck with Texas or other rigs. Last season I tried a wacky rig and it really made a difference (read: I caught a lot of bass). Try a senko-type worm (salted works great) in a watermelon color.

Oh yeah, this was about IDS. Much less interesting.

Plastic worms and IPS


Anytime you are in the DC area I'd be glad to take you out on the Potomac and show you the power of the plastic worm.

Now about IPS, I still just don't feel them. I fear they can be taken advantage of to block legit traffic.

Just my $0.02

IPS at the workstation


Hi Jimmy Ray,

Although you are referencing choke point, inline, as the solution, this could have limited vision depending on the deployment architecture.

What do you think of endpoint solutions that deploy IPS at the workstation?

Sincerely,

Brad Reese
BradReese.Com Cisco Refurbished

Reply to Brad Reese


Here's the thing, Brad: I have noticed that client-based IPS seems to be more of a Help Desk Call Generator than an Intrusion Prevention System. Plus, the centralized management of these types of solutions, coupled with the Patch Tuesday problems they cause, is just not worth it to me. Clients tend to do a lot of odd things on their desktops, and as an IT Dude I want to give folks the freedom to experiment and innovate with their machines. Kinda the same ideology as folks purchasing a 450HP car when the speed limit is 65MPH. Every now and again, having the freedom to kick it up to 130MPH just because you can makes a person feel more alive and love the car even more.

Of course, like everything, there are limits. While 130MPH is cool on a back country road, driving that same car drunk at 30MPH is not cool and cannot be tolerated. That is why I like a behavioral-based solution that maps acceptable client-side launch processes and can be centrally managed, so I can deploy a custom-written policy fast. For example, what if some HR goober accidentally sent out an email that had info that could be used for insider trading? Client-side IPS cannot help me there. The Outlook recall feature is as useless as a lightsaber at a Star Trek convention. Heck, a sure-fire way to get me to read an email is to send a recall message after it. But a behavioral-based solution could easily grab the message ID of the email and push out a policy that would prevent folks from opening the message. Now that is helpful and much more practical in today's compute space.

I hate to sound like a knob marketing chumbly, but truthfully, that is why my hands-down network administrator must-have tool is Cisco CSA. I recommended CSA even when I worked at HP because it solved so many client-side issues in today's more client-side processing environment and left network admins more time to drive fast down back country roads...

Jimmy Ray

Unified Compliance Framework (UCF)


Hi Jimmy Ray,

According to the Unified Compliance Framework (UCF), it appears an organization would truly need to be at level 4 to take full advantage of IPS:

4. Managed (quantified)

Process management and measurement takes place. Through the monitoring and measurement of compliance with organizational policies, standards, and procedures the organization is able to intervene and take actions where processes are not effective.

Awareness and communication - Management is able to maturely use techniques and tools to communicate their understanding of their full requirements.

Policies, standards, and procedures - All aspects of the process are documented and repeatable. Policies are approved by management and documented. Standards for developing policies and procedures are adopted and followed.

Tools and automation - Tools are implemented according to a standardized plan and some have been integrated with other related tools. Tools are being used in main areas to automate management of processes, as well as monitor critical activities and controls.

Skills and expertise - Skill requirements are routinely updated for all areas with proficiency being ensured for all critical areas. Mature training techniques are applied according to a training plan with knowledge sharing being encouraged. Internal domain experts are involved in training. Effectiveness of the training plan is routinely assessed.

Responsibility and accountability - Process owners have full authority to exercise their initiatives with accountability and responsibility fully accepted by management. A reward culture has been put into place.

Measurement - Metrics are now statistically valid with an increase in their breadth and interconnectedness.

Goal setting - Effectiveness and efficiency are linked to business goals and the overall IT strategy. Root cause analysis is being standardized through institutionalizing a quantitatively managed process by:

Stabilizing sub-process performance.
Establishing quantitative objectives for procedures and processes.

--------------------------------------------

Sincerely,

Brad Reese
BradReese.Com Cisco Refurbished

About Networking Geek to Geek

Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.

Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a master of science degree in electrical engineering.