Monitoring IPS Activities


Monitoring the security-related events happening on your network is also a crucial aspect of protecting your network from attack. Although your IPS can prevent numerous attacks against your network, understanding which attacks are being launched against it enables you to assess how strong your current protections are and how you might need to enhance them as your network grows. Only by monitoring the security events on your network can you accurately identify the attacks and security policy violations that are occurring.

When planning your monitoring strategy, you need to consider the following factors:

  • Management method

  • Event correlation

  • Security staff

  • Incident response plan

Management Method

You usually can choose from one of the following two management methods:

  • Individual

  • Centralized

Configuring each of your IPS devices individually is the simplest approach if you have only a couple of sensors. As the number of sensors grows, managing them individually becomes impractical. If you deploy a large number of sensors on your network, you also need to deploy a centralized management system that enables you to configure and manage all of your IPS devices from a single central system. Using the centralized management approach for large sensor deployments reduces the manpower required and provides greater visibility into all the events occurring on your network.

Note

Although you can use an individual or centralized approach to configure your IPS device(s), you probably always want to use centralized reporting, which enables more accurate event correlation.


Event Correlation

Event correlation refers to the process of relating attacks and other events that are observed at different points across your network, as well as multiple attacks happening at the same time. Using Network Time Protocol (NTP) and having your devices derive their time from an NTP server enables all the alerts generated by your IPS to be accurately time stamped. A correlation tool can then correlate the alerts based on their time stamps.

Network Time Protocol

NTP (refer to RFC 1305) defines a network protocol that enables client systems to synchronize their system clocks by contacting a server system. Running NTP on your network devices enables each of them to time stamp events with a common system time. These time stamps can then be used to accurately assess when specific events happened, both in relation to actual time and in relation to other events on the network, regardless of which device observed an event.


Besides ensuring that all events are marked with a consistent time stamp, another factor that facilitates event correlation is deploying a centralized monitoring facility on your network. By monitoring all of your IPS events at a single location, you greatly improve the accuracy of your event correlation.
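As an added illustration (not from the book), the following Python sketch of a central correlator normalizes the time stamps reported by several sensors to UTC and groups alerts from the same source address into incidents across sensors. The sensor names, addresses, signatures and times are constructed; skew_clock shows what happens to the grouping when one sensor's clock is not synchronized to the NTP server.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alerts, as a central collector would receive them from three
# sensors at different points in the network; each carries its own UTC offset.
ALERTS = [
    {"sensor": "ips-dmz", "ts": "2008-03-10T14:02:05-05:00",
     "src": "198.51.100.7", "sig": "TCP SYN port sweep"},
    {"sensor": "ips-core", "ts": "2008-03-10T19:02:40+00:00",
     "src": "198.51.100.7", "sig": "HTTP directory traversal"},
    {"sensor": "ips-dc", "ts": "2008-03-10T19:03:10+00:00",
     "src": "198.51.100.7", "sig": "SMB login brute force"},
    {"sensor": "ips-core", "ts": "2008-03-10T21:30:00+00:00",
     "src": "203.0.113.9", "sig": "ICMP flood"},
]

def parse_ts(ts):
    """Normalize an ISO 8601 time stamp with offset to an aware UTC datetime."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def correlate(alerts, window=timedelta(minutes=5)):
    """Group alerts from the same source into incidents: consecutive alerts (in UTC
    order) less than `window` apart join one incident, whichever sensor saw them."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append((parse_ts(a["ts"]), a))
    incidents = []
    for src, items in by_src.items():
        items.sort(key=lambda x: x[0])
        current, last = [], None
        for t, a in items:
            if last is not None and t - last > window:
                incidents.append({"src": src, "alerts": current})
                current = []
            current.append(a)
            last = t
        incidents.append({"src": src, "alerts": current})
    return incidents

def skew_clock(alerts, sensor, minutes):
    """Copy of `alerts` with `sensor`'s clock running `minutes` fast (unsynchronized)."""
    return [dict(a, ts=(parse_ts(a["ts"]) + timedelta(minutes=minutes)).isoformat())
            if a["sensor"] == sensor else a for a in alerts]

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["src"], [(a["sensor"], a["sig"]) for a in inc["alerts"]])
    print(len(correlate(skew_clock(ALERTS, "ips-dc", 20))), "incidents with a skewed clock")
```

With synchronized clocks the three alerts from 198.51.100.7 form one incident spanning all three sensors; with ips-dc twenty minutes fast, the same activity is split into two incidents.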

Note

Another factor to consider when performing event correlation is deploying a product that enables you to correlate not only IPS events but also other events on your network (such as syslog messages and NetFlow data). One product that provides this level of correlation is the Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) product (see http://www.cisco.com/en/US/products/ps6241/products_data_sheet0900aecd80272e64.html).


Security Staff

Your IPS generates numerous alerts and other events during the processing of your network traffic. Someone needs to analyze this activity and determine how well your IPS is protecting your network. Examining these alerts also enables your security operators to tune your IPS and optimize its operation for your unique network requirements.

Incident Response Plan

If a system on your network is compromised, you need to have a plan for how to respond. The compromised system needs to be restored to the clean state it was in before it was attacked. Furthermore, you need to determine whether the compromised system led to a loss of intellectual property or to the compromise of other systems on your network. You might decide that after any compromise, you replace the hard drive on the affected system and rebuild it to its pre-attack state. You can then perform a thorough forensic analysis on the compromised hard drive.




Intrusion Prevention Fundamentals
ISBN: 1587052393