10 tips for implementing IPS securely

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

An intrusion prevention system (IPS) includes all the features of an intrusion detection system but also has the ability to act upon malicious traffic. Since the IPS usually sits in line with network traffic it can shut down attacks, typically by blocking access from the attacker or blocking access to the target. In some cases, the IPS can talk to the firewall to block an attack.


Here are 10 issues that every IPS should address in order to ensure your network is as safe as it can be:

1) IDS, IPS and hybrid modes. Your IPS should be multifunctional so you can deploy it depending on your exact need. In the IDS mode, the device passively monitors network traffic. In the IPS mode, the device is configured in the traffic path. IDS and IPS should both be able to restrict traffic by sending resets or by requesting a firewall or inline IPS to isolate the segment from other networks using blacklisting. The IPS mode is also effective in blocking attacks if you can identify a clear threat path -- for example, traffic from the Internet to a DMZ segment. In the hybrid mode, the same device is configured to function in both modes at once, which is an efficient and cost-effective solution for smaller implementations.

2) AET protection. Advanced evasion techniques (AETs) are real and are currently used by NSS Labs and other organizations to test security vendor products. In its latest report, Verizon said that in 31% of attacks against large organizations, an attack vector remained unknown. Analyzing AETs requires inspecting and normalizing all data streams, but 95% of organizations are not doing that. Most current security devices cannot flag or log AETs separately. At best, they may report anomalies or suspicious traffic.

It's important not to confuse an exploit with the method. Stuxnet becomes visible when it hits the target; it stays there and is easy to investigate once the code is isolated and recognized. AETs can be analyzed if your IPS records all traffic, not just what is logged by the security devices. Ask your IPS vendor what its strategy is for dealing with AETs.
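The normalization point above is easiest to see in code. The following is an added example, not code from the article or from any vendor: it assumes a signature is a plain byte pattern and that the sensor receives a constructed list of TCP segments (relative sequence number, payload) that may arrive out of order, split at arbitrary boundaries, or overlap. Inspecting each segment on its own misses a pattern that straddles a split; reassembling the stream first does not, and a stream with a gap is reported as incomplete rather than declared clean.

```python
"""Stream normalization before signature matching (added example, constructed input)."""
from typing import Iterable, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload bytes)

# Constructed test pattern standing in for a real signature.
SIGNATURE = b"MALWARE-TEST-PATTERN"


def match_per_packet(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive inspection: look at each segment's payload in isolation."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Order segments by sequence number and join them into one byte stream.

    Overlap policy (fixed here for illustration): bytes already in the stream win and
    only the new tail of a later segment is appended. A real normalizer must mirror
    the overlap policy of the protected host, since that mismatch is what evasions rely on.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            # A gap: the stream cannot be normalized until the missing bytes arrive.
            raise ValueError(f"missing bytes at offset {len(stream)}, next segment at {seq}")
        if seq < len(stream):
            payload = payload[len(stream) - seq:]  # drop the overlapping prefix
        stream += payload
    return bytes(stream)


def match_normalized(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Inspect the reassembled stream instead of individual segments."""
    return signature in reassemble(segments)


def inspect(segments: List[Segment], signature: bytes = SIGNATURE) -> dict:
    """Report both verdicts side by side so the blind spot is visible in the logs."""
    note = ""
    try:
        normalized = match_normalized(segments, signature)
    except ValueError as exc:
        normalized = None  # incomplete stream: log and hold, do not report "clean"
        note = str(exc)
    return {"per_packet": match_per_packet(segments, signature),
            "normalized": normalized, "note": note}


# Constructed sample: the pattern is split across two segments delivered out of order,
# plus a retransmission that overlaps the first segment by three bytes.
SAMPLE_SEGMENTS: List[Segment] = [
    (16, b"ST-PATTERN here"),
    (0, b"hello MALWARE-TE"),
    (13, b"-TEST-PATTERN here"),
]

if __name__ == "__main__":
    print(inspect(SAMPLE_SEGMENTS))          # per_packet False, normalized True
    print(inspect([(0, b"hello "), (10, b"world")]))  # gap: normalized None
```

The per-packet verdict is a false negative, the normalized verdict is a hit, and the gap case is surfaced as a distinct state; that third outcome is the kind of separate flagging the text says most devices lack.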

3) Event correlation. Event correlation helps to reduce false positive events and provide accurate protection for network services and intranet users. Event correlation looks at log data from one or more sensor engines, searching for malicious event sequences, preferably in real-time. Event compression cleans repeating log events and minimizes the bandwidth requirements from remote offices back to the data center. A good event correlation engine can alert the IPS to isolate an attacker or network worm on all firewall and IPS engines simultaneously, minimizing the damage to network services and clients.
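To make the correlation and compression steps concrete, here is an added example that is not the article's or any vendor's code. It assumes a constructed line-oriented sensor log with fields `sensor`, `src` and `event`, a compression window that collapses identical repeats into one record with a count, and one hypothetical cross-sensor rule: a `PORT_SCAN` followed within two minutes by an `EXPLOIT_ATTEMPT` from the same source yields an isolate action that would be pushed to every firewall and IPS engine.

```python
"""Event compression and cross-sensor correlation over constructed sensor log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")


def parse_log(lines: List[str]) -> List[Dict]:
    """Parse one record per line; malformed lines are skipped rather than stopping the pipeline."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def compress(events: List[Dict], window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Collapse consecutive repeats of the same (sensor, src, event) inside `window` into one record.

    This is what cuts the branch-to-data-center log bandwidth: N identical alerts become one with count=N.
    """
    out: List[Dict] = []
    for e in events:
        last = out[-1] if out else None
        same = last is not None and (last["sensor"], last["src"], last["event"]) == (e["sensor"], e["src"], e["event"])
        if same and e["ts"] - last["first_ts"] <= window:
            last["count"] += 1
            last["ts"] = e["ts"]  # keep the latest timestamp for downstream rules
        else:
            out.append({**e, "first_ts": e["ts"], "count": 1})
    return out


def correlate(events: List[Dict], window: timedelta = timedelta(seconds=120)) -> List[Dict]:
    """Hypothetical rule: PORT_SCAN on any sensor, then EXPLOIT_ATTEMPT from the same source within `window`."""
    scans = defaultdict(list)  # src -> timestamps of scans seen on any sensor
    actions = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "PORT_SCAN":
            scans[e["src"]].append(e["ts"])
        elif e["event"] == "EXPLOIT_ATTEMPT" and any(e["ts"] - t <= window for t in scans[e["src"]]):
            # One action, to be applied on all firewall and IPS engines at once.
            actions.append({"action": "isolate", "src": e["src"], "at": e["ts"].isoformat()})
    return actions


def run_pipeline(lines: List[str]) -> Dict:
    compressed = compress(parse_log(lines))
    return {"compressed": compressed, "actions": correlate(compressed)}


# Constructed sample log: three repeated scans from a DMZ sensor, an exploit attempt seen at a
# branch sensor 81s later from the same source, an unrelated exploit attempt, and a late one
# outside the correlation window.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sensor=dmz src=198.51.100.7 event=PORT_SCAN
2024-05-01T10:00:05 sensor=dmz src=198.51.100.7 event=PORT_SCAN
2024-05-01T10:00:09 sensor=dmz src=198.51.100.7 event=PORT_SCAN
2024-05-01T10:01:30 sensor=branch1 src=198.51.100.7 event=EXPLOIT_ATTEMPT
2024-05-01T10:02:00 sensor=branch2 src=203.0.113.9 event=EXPLOIT_ATTEMPT
this line is deliberately malformed
2024-05-01T10:05:00 sensor=branch2 src=198.51.100.7 event=EXPLOIT_ATTEMPT
""".splitlines()

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOG)
    for rec in result["compressed"]:
        print(rec["ts"], rec["sensor"], rec["src"], rec["event"], "x", rec["count"])
    print(result["actions"])
```

The lone exploit attempt from the second source produces no action because nothing preceded it, and the attempt at 10:05 falls outside the window; only the scan-then-exploit sequence from one source is escalated.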

4) Web filtering. A great enhancement for your IPS is Web filtering, which provides multiple benefits such as increased security by preventing access to known malware and phishing sites, as well as improved work efficiency and bandwidth usage by blocking access to unwanted websites. Advanced Web filtering systems can offer plenty of options, such as blacklists and whitelists where you can set rules for the entire network. You should also be able to produce reports of Web browsing habits and activities.

5) SSL inspection. SSL inspection is vital in ensuring that no attacks, viruses or other unwanted content can enter or exit the organization's network by disguising itself inside the encrypted HTTPS channel. SSL inspection gives administrators the ability to monitor traffic inside the TLS/SSL encryption and detect and react to any unwanted content. Your IPS should have a controlled way to open the encryption in the network and to submit the encrypted traffic for the same inspection as the clear-text HTTP data, eliminating this important blind spot in network protection. In addition, SSL inspection is important for meeting the PCI DSS requirements.

6) Denial-of-service protection. Your IPS should provide protection against illegal input and traffic flood DoS (denial of service) attacks without disturbing legitimate network traffic. Connection flood or Web service starvation attacks are typical examples of distributed DoS (DDoS) attacks. TCP SYN flood attacks are stopped by blocking the incoming connection attempts from spoofed address sources under an attack and preventing them from reaching the target system. Your IPS must quickly identify the spoofed connection sources and block them, while allowing valid user connections to pass through. UDP flood DoS attacks are controlled by rate limiting the incoming UDP datagrams against the protected Web service. [Also see: "How cybercriminals and hacktivists use DDoS tools to attack"]

Once correlation of suspicious behavioral patterns in Web service communication has identified a botnet host, the IPS blocks that host's communication with the Web service.
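Two of the mechanisms described in item 6, as an added example that is not the article's or any vendor's code. It assumes the IPS sits inline and answers SYNs on the protected server's behalf using a stateless cookie (an HMAC over the connection 4-tuple serves as the initial sequence number, so no memory is spent per half-open attempt); only a source that returns the matching ACK is real and gets forwarded, which is how spoofed SYN sources are kept away from the target. UDP flood control is a per-service token bucket. Packets are constructed dicts, the secret is a constructed placeholder, and the traffic in `simulate()` is constructed.

```python
"""SYN proxy with stateless cookies plus per-service UDP rate limiting (added example)."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed secret; a real deployment rotates it so cookies cannot be precomputed.
COOKIE_SECRET = b"constructed-secret-rotate-periodically"
MASK32 = 0xFFFFFFFF


def syn_cookie(src: str, sport: int, dst: str, dport: int, secret: bytes = COOKIE_SECRET) -> int:
    """Initial sequence number derived from the 4-tuple: verifiable later without stored state."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    def __init__(self) -> None:
        self.established = set()  # only 4-tuples proven by a valid cookie ACK

    def handle(self, pkt: Dict) -> Dict:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            # Reply ourselves; nothing reaches the server, so spoofed SYNs cost it nothing.
            return {"action": "reply_synack", "isn": syn_cookie(*key)}
        if key in self.established:
            return {"action": "forward"}
        if pkt["flags"] == "ACK" and pkt.get("ack") == (syn_cookie(*key) + 1) & MASK32:
            # The source received our SYN-ACK, so its address is real; admit the flow.
            self.established.add(key)
            return {"action": "forward"}
        return {"action": "drop"}  # ACK without a valid cookie, or data before any handshake


class UdpRateLimiter:
    """Token bucket per protected service (dst, dport): `rate` datagrams/second, burst `capacity`."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate, self.capacity = rate, capacity
        self.buckets: Dict[Tuple[str, int], Tuple[float, float]] = {}  # service -> (tokens, last_time)

    def allow(self, service: Tuple[str, int], now: float) -> bool:
        tokens, last = self.buckets.get(service, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[service] = (tokens - 1.0, now)
            return True
        self.buckets[service] = (tokens, now)
        return False


def simulate() -> Dict:
    """Constructed traffic: 500 spoofed SYNs that never ACK, one real client, one UDP burst."""
    proxy = SynProxy()
    server = {"dst": "192.0.2.10", "dport": 443}
    spoofed_forwarded = 0
    for i in range(500):
        r = proxy.handle({"src": f"198.51.100.{i % 250}", "sport": 1024 + i, "flags": "SYN", **server})
        if r["action"] == "forward":
            spoofed_forwarded += 1
    # Real client: SYN, then ACK carrying cookie + 1, then data on the established flow.
    client = {"src": "203.0.113.5", "sport": 40000, **server}
    isn = proxy.handle({**client, "flags": "SYN"})["isn"]
    ack = proxy.handle({**client, "flags": "ACK", "ack": (isn + 1) & MASK32})["action"]
    data = proxy.handle({**client, "flags": "PSH"})["action"]
    bogus = proxy.handle({**client, "sport": 40001, "flags": "ACK", "ack": 12345})["action"]

    limiter = UdpRateLimiter(rate=100.0, capacity=20)
    passed = sum(limiter.allow(("192.0.2.10", 53), now=0.0) for _ in range(1000))  # burst at t=0
    return {"spoofed_forwarded": spoofed_forwarded, "proxy_state_entries": len(proxy.established),
            "client_ack": ack == "forward", "client_data": data == "forward",
            "bogus_ack_dropped": bogus == "drop", "udp_passed_in_burst": passed}


if __name__ == "__main__":
    print(simulate())
```

Two things worth noticing: the proxy holds state only for the one handshake that completed, regardless of how many SYNs arrived, and the rate limiter passes exactly the configured burst at a single instant and then refills at `rate`, so legitimate datagrams keep flowing during a flood at a bounded cost to the service.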

7) Central management capabilities. Central management is essential for IPS security because it allows you to manipulate your system without having to manually touch every single remote location to make a change. Central management typically lets you monitor and manage appliances and components with options that may include alerts, security content updates, appliance updates, firewall and intrusion prevention settings. As a result, there is less administrative time devoted to network security, incident and log management operations and the integration with other security components to enforce immediate threat mitigation policies or software updates.

8) Performance. Your IPS could affect your network if it is not implemented properly or if the IPS product is poorly architected. Look for the ability to use clustering to share processing connections, thus enhancing performance and reducing downtime. The deployment of the components of your IPS could also minimize the risk of performance degradation. The IPS should capture and analyze traffic, so it is best to separate the analysis component onto a dedicated system. Ask your IPS vendor how to best deploy your IPS with the least impact on your network performance. Also, ask about how signatures and other context information are analyzed to see if performance is an issue.

9) IPv6 ready. Major operating systems and core networking components offer IPv6 support. For example, Windows Vista uses IPv6 addresses by default, which may be a potential security threat without properly implemented access control and deep inspection. In addition, malicious traffic may be hidden inside IPv6 and IP-in-IP tunnels, which many security solutions still fail to protect against.

Make sure your IPS provides stateful access control and full deep inspection capabilities for IPv6 network traffic, including IPv6 encapsulation, IP-in-IP and GRE tunneling protocols. [Also see: "The Dual Stack Dilemma"]
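What "deep inspection of encapsulated traffic" has to do in practice is peel the tunnel headers and evaluate policy against the inner packet. The following is an added example, not the article's or any vendor's code. It assumes raw IP packets as bytes with no link layer, GRE headers without optional fields, and IPv6 packets without extension headers; anything else is reported as unsupported instead of being silently passed, which is the failure mode the text warns about. The packets are constructed in the block using documentation address ranges.

```python
"""Peeling 6in4, IP-in-IP and GRE encapsulation to find the inner packet (added example)."""
import ipaddress
import struct
from typing import List, Tuple

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_GRE = 4, 6, 17, 41, 47
ETH_P_IP, ETH_P_IPV6 = 0x0800, 0x86DD
Layer = Tuple  # ("ipv4", src, dst) | ("ipv6", src, dst) | ("gre", ptype) | ("tcp"/"udp", sport, dport) | ...


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero; this parser does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def gre(proto_type: int, payload: bytes) -> bytes:
    return struct.pack("!HH", 0, proto_type) + payload  # flags/version 0: no checksum, key or sequence


def walk(packet: bytes, max_layers: int = 8) -> List[Layer]:
    """Walk encapsulation layers outermost to innermost; stops at the first layer it cannot parse."""
    layers: List[Layer] = []
    data, expect = packet, "ip"
    while data and len(layers) < max_layers:
        if expect == "ip":
            version = data[0] >> 4
            if version == 4 and len(data) >= 20:
                ihl = (data[0] & 0x0F) * 4
                layers.append(("ipv4", str(ipaddress.IPv4Address(data[12:16])), str(ipaddress.IPv4Address(data[16:20]))))
                data, expect = data[ihl:], data[9]
            elif version == 6 and len(data) >= 40:
                layers.append(("ipv6", str(ipaddress.IPv6Address(data[8:24])), str(ipaddress.IPv6Address(data[24:40]))))
                data, expect = data[40:], data[6]
            else:
                layers.append(("malformed", len(data)))
                break
        elif expect in (IPPROTO_IPIP, IPPROTO_IPV6):
            expect = "ip"  # IP-in-IP or 6in4: another IP header follows directly
        elif expect == IPPROTO_GRE:
            if len(data) < 4:
                layers.append(("malformed", len(data)))
                break
            flags, ptype = struct.unpack("!HH", data[:4])
            if flags & 0xF000 or ptype not in (ETH_P_IP, ETH_P_IPV6):
                layers.append(("gre-unsupported", hex(ptype)))  # optional fields or a non-IP payload
                break
            layers.append(("gre", hex(ptype)))
            data, expect = data[4:], "ip"
        elif expect in (IPPROTO_TCP, IPPROTO_UDP) and len(data) >= 4:
            sport, dport = struct.unpack("!HH", data[:4])
            layers.append(("tcp" if expect == IPPROTO_TCP else "udp", sport, dport))
            break
        else:
            layers.append(("proto", expect))  # includes IPv6 extension headers, not walked here
            break
    return layers


def innermost_ip(layers: List[Layer]) -> Layer:
    """The addresses an access-control rule must actually be evaluated against."""
    return [layer for layer in layers if layer[0] in ("ipv4", "ipv6")][-1]


# Constructed samples: a 6in4 tunnel carrying TCP, GRE carrying IPv6/UDP, and plain IP-in-IP.
TCP_STUB = struct.pack("!HH", 51000, 443) + bytes(16)  # 20-byte TCP header; only ports matter here
UDP_STUB = struct.pack("!HHHH", 5353, 53, 8, 0)
SAMPLE_6IN4 = ipv4("203.0.113.1", "203.0.113.2", IPPROTO_IPV6,
                   ipv6("2001:db8::1", "2001:db8::2", IPPROTO_TCP, TCP_STUB))
SAMPLE_GRE = ipv4("203.0.113.1", "203.0.113.2", IPPROTO_GRE,
                  gre(ETH_P_IPV6, ipv6("2001:db8::1", "2001:db8::2", IPPROTO_UDP, UDP_STUB)))
SAMPLE_IPIP = ipv4("203.0.113.1", "203.0.113.2", IPPROTO_IPIP,
                   ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, TCP_STUB))

if __name__ == "__main__":
    for name, pkt in (("6in4", SAMPLE_6IN4), ("gre", SAMPLE_GRE), ("ipip", SAMPLE_IPIP)):
        print(name, walk(pkt), "->", innermost_ip(walk(pkt)))
```

A device that only looks at the outer IPv4 header would apply its rules to the tunnel endpoints; `innermost_ip` returns the addresses the rule should be checked against, and the `gre-unsupported`, `malformed` and `proto` outcomes are the cases a deployment should alert on rather than forward.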

10) Integration with your firewall. The essence of a next-generation firewall is the ability to interact with an intrusion prevention system. The integration of these capabilities can either be within a single system or separate, but be aware of issues that can arise around reporting, throughput and management.

Stonesoft provides mid- and large-size organizations software-based network security solutions, which include the industry's first evasion prevention system (EPS), the industry's first transformable Security Engine as well as stand-alone next generation firewalls, intrusion prevention systems and SSL VPN solutions.


Stories by Phil Lerner, VP technology, Stonesoft Americas
