Maximize your security investment in IDS/IPS technologies.
May 31 2011

Intrusion Detection and Prevention Done Right

Adequate attention to intrusion detection and prevention is necessary to keep information safe.

Do you ever wonder if your organization is running its intrusion detection and prevention system to its fullest potential? If so, you're not alone. Many security professionals share the feeling that intrusion detection technology is widely deployed, yet underutilized.

Intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) play a valuable role in any security infrastructure. These systems monitor networks, look for signs of malicious activity and then take appropriate actions. For an IDS, this means alerting security administrators to the suspicious activity. IPSes go a step further and take proactive measures to neutralize the threat by blocking unwanted packets, resetting suspicious connections or even modifying firewall rules.

Fortunately, there are steps that IT departments can take to maximize the investment in an IDS/IPS and use it to bolster enterprise security defenses.

Start with IDS Mode

Behind every IPS is an IDS. In fact, an IPS can be converted to an IDS by simply setting the action for every rule to alert the administrator. While this might sound like a weak way to use a very powerful tool, it's actually a very solid best practice. Why run a powerful proactive tool in a manner that reduces it to passive response?

The bottom line is that an IPS has the ability to cause major problems on a network by unintentionally blocking normal network traffic. It can even cause the types of disruptions that can result in the abrupt end to a security professional's career.

Instead, always set up a new IPS in alert-only mode. Over time, as the IT staff becomes more confident in the accuracy of alerts generated by the system, it can convert rules to block mode, protecting the network against those types of attacks. This piecemeal approach lets the IT staff slowly become comfortable with the types of traffic being blocked, and it builds institutional knowledge of the rule set.

Use IPS Mode Sparingly

When deciding whether to activate the advanced blocking features of an IPS, be extremely careful. It's fine to have a rule set divided so that 80 percent of the rules simply notify an administrator of suspicious activity and only 20 percent take active countermeasures. The exact mix of block/alert rules appropriate for an organization will depend upon the company's specific risk appetite.

It's a fact of life that many IPS rules generate false-positive alerts. The composition of a network and specific protocols in use might conflict with the signatures of known attacks, causing regular false alarms. If the staff can modify the rules to screen out these false positives, that's great. Go ahead and activate the rule in IPS mode. However, if the company is running the risk of blocking legitimate activity, it is much better off keeping that rule in detect mode until the staff is more comfortable.

Always consider the rulebase as a dynamic, evolving organism. Changes in the network environment might require altering the action on long-standing rules.

Fail Open for Increased Availability

One of the greatest fears of any network administrator is the failure of a device that occupies a bottleneck position on a network. While IDSes can sit off to the side of a network and simply monitor traffic that passes by, many IPS deployments call for an in-line deployment in which, similar to a firewall, the IPS appliance intercepts all network traffic, scans it for suspicious activity and then relays it down the wire.

This model creates the possibility that a failed IPS can completely disrupt network traffic. It's a good practice to purchase fail-open IPS hardware that lets the IPS continue passing traffic when the device itself fails. It's the functional equivalent of making a powered-off IPS box look like a piece of wire, and it will help preserve the reliability of the network infrastructure. Fail-open technology is usually an option that can be specified when purchasing IPS appliances.

Update Signatures Regularly

There isn't a security team in the world that doesn't advise users that they need to regularly update the signatures for their antivirus software. Any user who hasn't received this guidance likely has been hiding under a rock. But very often, security professionals don't practice what they preach when it comes to maintaining the security infrastructure. Evolving attacks appear on a constant basis, and it's important to update the signatures driving the company's IDS/IPS on a routine basis – at least daily.

In addition, regularly verify that the device is actually receiving and applying those intrusion signature updates. It's not unheard of for a process or service to fail, causing an intrusion sensor to stop receiving updates. Regular monitoring is essential to ensure that the company is maintaining its security controls.

Create Your Own Update Server

This is important for larger environments that have multiple IDS/IPS sensors monitoring different locations on a large network. Creating an update server for the company offers two key benefits.

First, it reduces the network bandwidth consumed by the intrusion detection infrastructure. Instead of each device connecting to a vendor's update server and retrieving new signatures, the IT staff can reduce the use of the company's Internet bandwidth to a single connection.

Second, it allows the IT staff a greater degree of control over the signatures deployed to the company's sensors. If the security staff wishes to block the deployment of a particular signature or customize a signature for the company's environment, the staff only needs to do it in one place and allow the updates to propagate throughout the enterprise.

Perform Detailed, Centralized Logging

Let's face it: Logging consumes a lot of disk space, it creates boring administrative tasks and it delivers no immediate business value.

Despite these drawbacks, logging is vital when running intrusion detection and prevention systems for two reasons. First, it provides the information about intrusion activity that needs to be reviewed in the event of a security incident. An analysis of IDS/IPS logs can offer important information about attempted and successful attacks.

Second, without logs it's difficult to troubleshoot rule-set configuration issues. Security devices commonly take the blame for otherwise unexplained network issues. Logs can quickly help identify whether the IDS/IPS is truly at fault, or whether the investigation should continue elsewhere.

Intrusion prevention and detection systems play an important role in the layered defenses of many organizations. Whether the staff is installing its first IDS sensor or tuning a rule set that has been in place for several years, applying these best practices can help improve the effectiveness of the company's controls and reduce the time that security administrators spend actively managing the devices.