Building an IDPS without big iron

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Companies seeking to deploy intrusion detection and prevention systems (IDPS) for network security have traditionally had to rely on proprietary appliances that cost from $15,000 to $50,000. That puts IDPS out of reach for many small to midsize companies, but SaaS-based alternatives might fit the bill.

In fact, SaaS solutions address some of the key limitations of hardware-based network security products, including:

* Excessive amounts of false positives and the lack of support for analyzing the large volumes of security events they generate. Because networks and networked applications continuously change and evolve, it is practically impossible to devise an expert system that can effectively distinguish legitimate vs. malicious intent. To exemplify how difficult this is (relating it to a more familiar context), imagine a medical diagnosis expert system that would need to continuously learn new diseases every week, each of which mutates and develops new symptoms every few days. This is why event correlation is hard and why IDPS today are mostly relegated to logging data for forensic analysis.

STUDY: IT pros believe data breach harm assessment is more valuable than victim notification

* Difficult to configure, provision, and tune. Network security devices need to be adapted to a wide range of accepted network usage policies and network reconfigurations. For example, music file-sharing applications might be acceptable within a university network but not acceptable in a law office. Many network security devices require continuous updates to heuristic and topological information to be effective, thus making their management a huge burden.

* Inability to detect and prevent attacks which originate from within the organization. It is reported that the most damaging intellectual property loss and fraud results from internal employees' malicious activity. Unfortunately, current network security systems are limited in their scope and only look at traffic coming in and out of the gateways to the Internet while they leave internal security completely open. [Also see: "Security quiz: How well do you know the insider threat?"]

* High cost. A typical network security device costs $15,000-$50,000 per Gigabit per second in capital expenditure. The hardware quickly becomes obsolete as the bandwidth to analyze increases exponentially, thus requiring costly equipment refresh cycles. In addition, many businesses are priced out of this market because of the high cost of hardware and software maintenance updates.

New, SaaS-based models for delivering IDPS functionality provide the ability to run IDPS software on off-the-shelf hardware or cloud instances. Under this model, the software is purchased by monthly or annual subscription, thus eliminating the high capital cost of a dedicated appliance.

A SaaS-based system consists of a downloadable sensor that tracks internal security traffic on the network, a cloud-based correlation engine that analyzes and correlates security events, and a secure Web browser where the security information is viewed and analyzed by the security administrator.

The sensor software is downloaded from the SaaS vendor's cloud. It can be installed anywhere from a single cloud instance or low-end server to multi-processor, off-the-shelf hardware. At the low end, installing the sensor on a cloud instance allows IT professionals to monitor cloud-based corporate traffic as if it was part of the real network -- something not possible with appliance-based IDPS. At the high-end the sensor allows users to load balance IDPS applications on commodity multi-core processors like the Intel Xeon series, delivering multi-gigabit performance while slashing the cost of network security hardware by at least an order of magnitude.


For example, Figure 1 shows the sustained Snort performance of 4 different configurations using a varying number of Emerging Threats Pro rules on an Intel Xeon 5670-based server. As expected, the number of rules has a dramatic effect on performance for all configurations (the more rules, the lower the performance).

Look for sensor software that is based on proven and robust open source components such as:

• Snort with Emerging Threats or Sourcefire VRT signatures (Detects generic misuses)

BotHunter (Detects malware)

• Intrusion prevention (Filter bad packets and disrupt flows to remediate)

• Passive OS fingerprinting and Layer-7 service discovery (Detects network services)

• Flow monitoring (Analyzes communication patterns)

Log management (Store/browse/correlate all logs and OSSEC alerts for compliance)

• Packet logging (Complete accountability and aids in forensic analysis)

• Customizable Honeypots (Uncovers internal threats)

The sensor software should be centrally managed and configured through a browser.

Ideally, the cloud-based IDPS will perform three levels of correlation: session-level, intra-session and intra-domain.

Session-level -- Basic IDPS events are generated by reconstructing a single session between two endpoints and finding known patterns that indicate a security violation. Most IDPS systems stop here and ask the user to analyze and correlate different session-level events using their own expertise. In many cases, multiple session-level events need to be reconciled in a larger context to become actionable, thus overwhelming operators who must employ their expertise with thousands of events per day.

Intra-session -- Look for IDPS systems that offer a second level of analysis (also called dialog-based correlation) that generates better network security intelligence. During this phase alerts from multiple sessions belonging to a single home machine are combined and scored to identify typical infection behavior. By using two or more events corresponding to the typical phases of a bot infection, this automatic reconciliation process brings actionable security events to the forefront of session-level events, thus improving security.

Intra-domain -- The final type of correlation to look for in a SaaS-based system is intra-domain correlation. In this phase, event scores are autonomously obtained from a global network of virtual machines that masquerade as victims. The security event information that triggers false positives are ranked negatively, thus providing insight into events that should be routinely ignored or turned off. Security event information that triggers true positives is ranked positively, thus improving its visibility. This information is then propagated in real time to each individual sensor in the system to augment the session-level and intra-session-level analysis described above.

This intelligence information is automatically fed back to the correlation engine, which uses a mathematical model to fuse this information with customers' networked assets data.

In addition to highlighting imminent threats, the correlation engine should also provide negative feedback to de-prioritize and eventually mask/remove false positives. The recommendations should be generated for each security device individually by (1) anonymously establishing a similarity score of a given device to all other known devices in the system (based on what events they generate) and (2) propagating positive or negative event scores according to that similarity score.

In conclusion, a SaaS-based model for IDPS overcomes the drawbacks of appliance-based systems while offering several unique advantages. The SaaS-based system detects and prevents attacks that originate from within the organization thanks to the use of internal decoys to root out bad internal actors, improves security event analysis by anonymously correlating network intelligence across administrative domains, and prioritizes security events with a threat-ranking algorithm to help reduce false positives. What's more, SaaS IDPS tools can secure cloud instances when IDPS software is installed in the cloud and enable multiple analysts to log in and review the same information for collaborative action. And finally, SaaS IDPS can reduce the costs through a pay-as-you-go model.

Livio Ricciulli is president and chief scientist at MetaFlows Inc. He has over 15 years of experience in network/computer security, including posts as chief security scientist at Force10 Networks, CTO of Reactive Network Solutions, and principal investigator at SRI International, where he led a number of research contracts for U.S. government agencies including DARPA, NSA, NSF and ONR.,

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

More about Cisco SecurityCisco SecurityetworkInc.IntelIntrusionIPSLANNSASECSRI International

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Livio Ricciulli, president and chief scientist at MetaFlows Inc.

Latest Videos

More videos

Blog Posts

Market Place