It used to be that in the dim and distant past (okay, last year) everyone said you needed an Intrusion Detection System (IDS) to monitor attempted attacks on your network. This year, though, the IPS (Intrusion Protection System) is all the rage. In many cases, it’s the same piece of kit, that’s just been re-categorised by the vendors - protection seems an awful lot more marketable than just detection (especially if a detection system just writes an alert to a log file that you only get a chance to look at once a week).

To be fair, products have developed so that most of them do take constructive action to try to identify and block dangerous traffic, and also tell you what they’ve done. The days of installing something that only acts as an IDS are gone forever.

IPS types
There are two types of IPS - network-based and host-based. Host-based IPSs reside on your servers themselves, while the network ones sit on your network looking at packets as they whiz past and try to spot the ones that can cause trouble. It’s these that we’ll talk about here. We’ll look at how to actually deploy your IPSs in a later article (how many you need, where to install them etc), but first, what do you need to take into account when considering which one is best for your environment?

Some IPSs are software (e.g. those from Computer Associates, McAfee, Snort) that you run on your own servers (which may be Windows and/or Linux-based), while others are dedicated appliances (including SonicWALL, McAfee, Juniper and Cisco). Your company may have a policy that limits you to one type or the other.

What do you need?
When assessing which system to buy, there are the obvious things like performance and scalability: there’s little point installing a system that can’t keep up with the traffic rate on your network, and if your utilisation’s likely to grow, you need a smooth upgrade path. At the same time, you don’t want to pay for performance you don’t yet need, so make sure there’s a range of systems suitable for your small remote offices as well as your central site, if you need dedicated protection there too.

You need to understand how the system identifies threats; does it look at signatures, detect anomalous behaviour, or a mixture of both? How quickly do new signatures come out, and how easy is it to update the IPS with them? Can you create your own, and to what depth can the IPS study a packet and still maintain reasonable performance? How much work will be required to ‘teach’ your IPS about acceptable and unacceptable behaviour patterns and tune it for your particular environment and level of paranoia? IPSs are not plug and play systems, regardless of what the vendor tells you, and if they’re not set up properly, they’ll either block legitimate traffic, potentially losing you business, or allow dangerous traffic to spread undetected through your network.

Ease of use and configuration options are therefore important factors, since it’s unlikely that once installed and initially configured, you’ll be able to leave them in the corner and forget about them. Management has to be straightforward and clear, and you’ll probably want different user access levels for configuration, administration and report generation tasks.

You’ll get a wealth of information from logs and alerts produced; are you planning to investigate these and run reports on the IPS itself, or do you have a centralised management platform that this information needs to integrate with? In a large network, you may have a correlation engine ( see feature ) that takes logs from IPSs, firewalls and routers and if so, your new IPS needs to provide data in an understandable format. You might also have centralised reporting, or need to archive logs for future use. Again make sure that everything can be exported in a standard format if this is the case.

In terms of the actual prevention, find out what options you have when the IPS detects a problem. When you first install it, you’ll probably want to set it to do nothing except send alerts, as you’ll need to create baselines to see what sort of behaviour is normal for your network. Decide if you need a system that does TCP resets, for instance, or if you want real-time filtering and on-the-fly firewall reconfiguration. If this is the case, you’ll need to check for interoperability between your firewall and the IPSs you’re investigating.

Intrusion Prevention Systems offer a level of security over and above what your firewalls can do, particularly when it comes to looking at the traffic generated by your internal users. But you need to be clear what they can and can’t detect and prevent. The amount of configuration work required isn’t trivial, and you should always plan a fairly detailed pilot phase to get the system tuned to suit your environment. And even though they should be stopping attacks automatically in most cases, remember to look at the logs to find out who’s trying to do what on your network.

See Intrusion prevention without the pain for the second part in this series on IPS.