In Warning: IPS is not a quick-fix solution, we looked at some of the things you need to take into account when you choose an IPS for your network. But once you’ve figured out what you need it to do, how do you go about installing and running it to make it actually useful?
Inline or not?
Depending on the model, IPSs can be installed either directly inline, so that they intercept all the traffic going through a particular part of your network, or connected such that they sniff traffic off the network, but don’t form part of the forwarding path. There are a couple of obvious implications to the different approaches:
• If all traffic has to pass through an IPS, then it can, in theory at any rate, look at and discard any potentially dangerous packets before they get anywhere. An IPS that copies packets to look at as they go past can issue TCP resets and reconfigure firewalls to close sessions and block subsequent traffic, but that initial packet will have already got to its destination, and may have already caused damage (hence host-based IPSs).
• However, if an IPS doesn’t have the performance to cope with your network traffic levels, an inline one can cause real havoc if it starts dropping packets randomly, while the failure of a ‘sniffing’ IPS won’t cause the same disruption. If it can’t process all your traffic, it won’t provide as much security, but at least it won’t trash legitimate connections.
Where to install your IPS depends on what you’re trying to protect, and, to some extent, whether you’re more concerned about external or internal threats. On your server farm LAN segments or just inside your firewall seem obvious places to install IPSs, but there are other places that might give you useful information too.
If you’re worried about your users running dodgy peer-to-peer networking software, an IPS on user segments will let you keep track, while putting an IPS on the outside of your firewall tells you if you’re being targeted by any serious attacks. In this instance, it’s not worth getting the IPS to actually block anything, since, presumably, your firewall will catch it, but it can be useful to find out just what the outside world is trying to do to your network.
Of course in a switched environment, monitoring and capturing data is always a challenge, compared to the good old days of shared media. Most switches let you mirror data to a monitoring port that you can connect an IPS to, but it’s obviously important to ensure that you’re not trying to mirror multiple GigE ports out of another Gig port, or you’ll drop traffic within the switch and your IPS won’t get all the information it needs.
Watch also for asymmetric routing topologies, where the two flows making up a session take different paths through your network; if your IPS can’t see both sides of a flow, it will have problems figuring out what’s going on. Your firewalls won’t like this sort of thing, either.
Once installed, your best option is to run for at least a couple of weeks in a more or less default configuration mode, and just monitor the alerts generated, without having your IPS actually do any prevention. This lets you see the sort of normal traffic that you’ll need to tell the IPS to ignore. For example, it’ll probably set all sorts of alarm bells ringing if it sees a ping sweep, as that’s typically regarded as a reconnaissance in preparation for some sort of attack. However, it’s also the sort of thing your network management station will do as part of its discovery process, so you’ll need to tell the IPS not to worry about that particular instance.
IPSs that use anomalous traffic patterns to identify threats need to ‘learn’ about your network - suspiciously high traffic levels in the night may signal an intruder - or it may be the month-end batch jobs doing what they always do. Set yourself enough time to configure your system before letting it go live.
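As an added illustration of the monitor-only tuning step described above (not code from the original article or from any particular IPS product), the following Python ranks the alerts from a baseline run and applies a suppression that is scoped to a specific source, so the management station’s scheduled ping sweep is ignored while the same signature from any other host still fires. All alerts, addresses and signature names are constructed sample data; 10.0.0.5 is assumed to be the network management station.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    when: str       # ISO timestamp of the alert
    signature: str  # IPS signature name
    src: str        # source IP address
    dst: str        # destination IP address or range


# Constructed sample: alerts collected during a monitor-only run.
# 10.0.0.5 is assumed to be the network management station, which
# sweeps the server segments every night as part of discovery.
BASELINE = [
    Alert("2024-01-02T02:00:01", "ICMP ping sweep", "10.0.0.5", "10.0.1.0/24"),
    Alert("2024-01-03T02:00:02", "ICMP ping sweep", "10.0.0.5", "10.0.1.0/24"),
    Alert("2024-01-04T02:00:01", "ICMP ping sweep", "10.0.0.5", "10.0.2.0/24"),
    Alert("2024-01-04T13:21:45", "ICMP ping sweep", "192.0.2.77", "10.0.1.0/24"),
    Alert("2024-01-05T09:12:03", "SMB null session", "10.0.3.14", "10.0.1.20"),
]

Rule = Tuple[str, str]  # (signature, source IP) pair to suppress


def rank_alerts(alerts: Iterable[Alert]) -> List[Tuple[Rule, int]]:
    """Most frequent (signature, src) pairs first. The top entries are the
    tuning candidates, once a human confirms the source is legitimate."""
    return Counter((a.signature, a.src) for a in alerts).most_common()


def apply_suppressions(alerts: Iterable[Alert], rules: Set[Rule]) -> List[Alert]:
    """Drop alerts matching a (signature, src) suppression. Suppressing by
    source rather than by signature keeps the same signature alive for
    hosts that have no business sweeping the network."""
    return [a for a in alerts if (a.signature, a.src) not in rules]


if __name__ == "__main__":
    for (sig, src), count in rank_alerts(BASELINE):
        print(f"{count:4d}  {sig}  from {src}")
    # Suppress only the management station's ping sweep.
    remaining = apply_suppressions(BASELINE, {("ICMP ping sweep", "10.0.0.5")})
    for alert in remaining:
        print("still alerting:", alert)
```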
You also need to decide what you want the IPS to do in response to different threat types. The more drastic action you want it to take, the more you’d better be sure that it’s configured accurately, so it doesn’t start to block legitimate traffic. An IPS with mistaken delusions of power could ruin your e-commerce business pretty quickly, for instance.
Oh, and remember - if you encrypt your user traffic over the LAN as well as over remote access links, as more companies are starting to do these days, don’t expect your IPS to be much use. It can only protect you from what it can see.