Skip Links

10 tips for implementing IPS securely

By Phil Lerner, VP technology, Stonesoft Americas, special to Network World
November 26, 2012 01:31 PM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

An intrusion prevention system (IPS) includes all the features of an intrusion detection system but also has the ability to act upon malicious traffic. Since the IPS usually sits in line with network traffic it can shut down attacks, typically by blocking access from the attacker or blocking access to the target. In some cases, the IPS can talk to the firewall to block an attack.

ANALYSIS: Can IPS appliances remain useful in a virtual-machine world?

Here are 10 issues that every IPS should address in order to ensure your network as safe as it can be:

1) IDS, IPS and hybrid modes. Your IPS should be multifunctional so you can deploy it depending on your exact need. In the IDS mode, the device is passively monitoring network traffic. In the IPS mode, the device is configured in the traffic path. IDS and IPS should both be able to restrict traffic by sending resets or requesting a firewall or inline IPS to isolate the segment from other networks using blacklisting. The IPS mode is also effective in blocking attacks if you can identify a clear threat path -- for example, traffic from the Internet to a DMZ segment. In the hybrid mode, the same device is configured to function in both modes and using the same device in both modes is an efficient and cost-effective solution for smaller implementations.

2) AET protection. Advanced evasion techniques (AETs) are real and are currently used by NSS Labs and other organizations to test security vendor products. In its latest report, Verizon said that in 31% of attacks against large organizations, an attack vector remained unknown. Analyzing AETs requires inspecting and normaling all data streams, but 95% of organizations are not doing that. Most current security devices cannot flag or log AETs separately. At best, they may report anomalies or suspicious traffic.

It's important not to confuse an exploit with the method. Stuxnet becomes visible when it hits the target; it stays there and is easy to investigate once the code is isolated and recognized. AETs can be analyzed if your IPS records all traffic, not just what is logged by the security devices. Ask your IPS vendor what its strategy is for dealing with AETs.

3) Event correlation. Event correlation helps to reduce false positive events and provide accurate protection for network services and intranet users. Event correlation looks at log data from one or more sensor engines, searching for malicious event sequences, preferably in real-time. Event compression cleans repeating log events and minimizes the bandwidth requirements from remote offices back to the data center. A good event correlation engine can alert the IPS to isolate an attacker or network worm on all firewall and IPS engines simultaneously, minimizing the damage to network services and clients.

4) Web filtering. A great enhancement for your IPS is Web filtering, which provides multiple benefits such as increased security by preventing access to known malware and phishing sites, as well as improved work efficiency and bandwidth usage by blocking access to unwanted websites. Advanced Web filtering systems can offer plenty of options, such as blacklists and whitelists where you can set rules for the entire network. You should also be able to produce reports of Web browsing habits and activities.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News