Step 2: Predeployment Planning


Good planning is a critical factor in the success of any deployment. Planning should start well before the implementation begins, and the plan should be continually reviewed and updated during the entire project. ACME invites the relevant stakeholders to a series of HIPS project planning meetings. During the meetings, it intends to address the following:

  • Review the security policy

  • Define project goals

  • Select and classify target hosts

  • Plan for ongoing management

  • Choose the appropriate management architecture

Review the Security Policy

Chapter 4, "Security in Depth," goes into some depth about corporate security policies. Your security policy guides all of your major decisions during a CSA deployment. If you don't have a security policy, you should strongly consider creating one. Without it, your deployment is likely to take much longer and be far more difficult.

Luckily, ACME has a well-documented and up-to-date security policy. It started its planning session with a review of the security policy in light of CSA's components and capabilities. The intent of this review session was to begin thinking about the following:

  • The items in the security policy CSA might be able to address

  • How the guidelines relevant to product implementations might impact the CSA deployment

  • If the security policy needs to be updated to reflect CSA capabilities

  • The policy changes that will govern the operation of CSA at ACME

Define Project Goals

It is important to have a concrete set of measurable goals before the implementation begins. Goals give the stakeholders something to actively work toward and a way to measure the progress of the project. You also use them to restrict the scope of the project. Any decision or product functionality that does not contribute to the achievement of one of the goals should not be a part of the implementation.

Most of the goals you define for the project, such as deadlines, budgets, and so forth, are the same for any project. However, two goals are related specifically to CSA deployments:

  • Balance

  • Problems to solve

Balance

The first goal you should define is, in a general sense, where you want to fall in the security versus manageability spectrum. This spectrum refers to the idea that, for the most part, as security increases, the resources needed to manage the security increase as well. Also, increased security can have an undesirable impact on the user experience. Try to characterize your organization's overall philosophical approach to security. To make this characterization, think about the following:

  • What people, time, and dollar resources your organization can expend for security efforts

  • The expectations users have of their computing experience

  • The organization's overall vulnerability level

  • The value of the information the security tools protect

  • The likelihood of attack

Classify your organization as restrictive, balanced, or permissive. Here are some firewall implementation examples to further illustrate this process:

  • A restrictive organization implements tight ingress and egress controls. Users are able to establish outbound connections through the firewall only on specific ports using specific protocols. Inbound connections from the Internet are limited by port, protocol, and destination IP address. Restrictive organizations have the resources to make frequent changes to the firewall configuration in response to new needs. Users are accustomed to having their change requests declined and having to wait for approved changes to occur. The information protected by the firewall is so critical and at such high risk that the restrictive approach is necessary.

    Example organizations include banks, government intelligence agencies, and utility companies.

  • Balanced organizations allow any outbound connection through the firewall except for connections that are known to be dangerous or against acceptable use policy. Inbound connections are also filtered, but only to the extent that inbound connections are permitted into the demilitarized zone (DMZ) on specific ports and using specific protocols. All other inbound connections are denied. A balanced organization has a limited set of resources to expend managing the firewall, so the configuration is designed to require few changes over time. Users are not accustomed to making change requests, and the few they do make are approved and implemented rapidly. The information protected by the firewall is important and at risk, but not enough to require a restrictive approach.

    Example organizations include manufacturing, consulting companies, and retail.

  • Finally, permissive organizations allow all outbound connections through the firewall. Virtually all inbound connections are also permitted, except for those that are known to be dangerous. Permissive organizations have extremely limited resources to expend managing the firewall, so the configuration is designed to require almost no changes over time. Users never need to make change requests because almost everything is permitted. The information protected by the firewall is not particularly important, and the risk of attack is low.

    Example organizations include portions of educational institutions and volunteer groups.

When ACME started to characterize its organization, it quickly realized that it fits the classic profile of a balanced organization. At ACME, all the following were true:

  • It allows almost any outbound connection through the firewall, except for certain types such as common peer-to-peer file sharing connections.

  • All inbound connections through the firewall are blocked, except for a small number of DMZ applications.

  • Each member of the information security staff is trained to manage multiple technologies and projects because there aren't enough of them to dedicate resources to any one technology.

  • A procedure to request changes to the firewall configuration is in place, but it is fairly simple. Most of the time, the requestor just sends an e-mail to the security staff requesting the change.

  • Most of the information behind the firewall is not confidential. ACME does have trade secrets, financial information, and employee personal information that should be protected, but that's all the highly confidential material.

Furthermore, ACME's review of the corporate security policy supported this characterization.

Problems to Solve

The second goal you should define clearly is the purpose of the implementation. Start by identifying the problems CSA should solve. Maybe the only problem you want CSA to address is the threat of new and unknown malicious code. Perhaps your corporate security policy includes some restrictions that CSA could enforce. Try to make as thorough and detailed a list as possible. As you make the list, identify which problems are immediate and urgent and which problems can be solved over the long term.

Here are some sample problems:

  • Prevent mobile users from attaching infected machines to the corporate network

  • Control the flow of confidential data out of the organization

  • Control the internal propagation of new and unknown viruses, worms, and Trojans

  • Conserve network bandwidth by preventing the use of peer-to-peer (P2P) file-sharing applications

  • Protect employee personal data

  • Maintain host performance characteristics by controlling spyware and adware

  • Enforce relevant corporate acceptable use policies

At ACME, the list of security-related problems to solve never seems to shrink. Every time one problem is solved, another is added to the list. At a stakeholders' meeting, ACME put its list of 30 or so potential security initiatives on the whiteboard and eliminated the ones that CSA could not help with. It ended up with seven problems that CSA could solve.

After some discussion, the stakeholders decided that as a balanced organization with limited resources, they should not try to tackle all seven problems at once. Instead, they put the seven in order of importance and eliminated the bottom four. That left three goals for the implementation:

  1. ACME got hit badly with the last major worm. It had to restore many of its systems from backup, which cost the company a lot of money, not to mention the downtime during the incident! Most of all, ACME wants to protect its hosts against infection by new malicious code.

  2. P2P file-sharing applications are becoming a real nuisance because they are using a significant percentage of ACME's available Internet bandwidth. Also, some of the downloaded files are copyrighted, which is a liability for the company. ACME tried to block the connections using its firewall, but it wasn't successful because the P2P programs can use any port. ACME would like to prevent users from downloading music from the Internet using P2P file-sharing applications.

  3. Over the last few years, ACME has had to take its e-commerce servers down to be patched much more frequently. The final goal is to reduce the frequency with which it has to update the e-commerce servers with security-related patches.

Select and Classify Target Hosts

Now that you have established your goals for the project, move on to the next predeployment tasks, which are as follows:

  • Select target hosts

  • Classify selected hosts

Select Target Hosts

Before you can start installing the agent, you must decide which hosts should be protected by it. If you purchased enough agent licenses to cover all of your hosts, the decision is easy. Your decision is more difficult if you bought a smaller number of licenses, but it's likely you had a group of target hosts in mind when you made the purchase. In either case, you should start your deployment with hosts where you think the deployment has a high likelihood of success and that provide benefit to your organization.

Ultimately, ACME plans to install CSA on all 10,000 desktops and 300 servers. However, ACME decided to buy an initial 1500 desktop and 20 server licenses to prove the concept before buying the rest. It was tough to decide which hosts to protect first with CSA.

ACME consulted its goals to select the hosts that, if protected, would contribute the most to the achievement of the goals. It started with the server licenses, and decided to put the agent on 20 of its Microsoft IIS web servers. Its B2B e-commerce site is hosted by those servers. Having CSA on them would reduce the number of times they need to be patched.

Selecting only 1500 desktops out of 10,000 was more of a challenge. ACME earmarked 1000 licenses for the mobile laptops because they are so vulnerable when they are remote and not protected by the corporate security countermeasures. Infected laptops were the source of 8 of the last 10 virus incidents at ACME. If those laptops could be protected while they are remote, it would dramatically increase ACME's protection against malicious code.

The remaining 500 licenses were reserved for the desktops in the manufacturing areas. Each desktop is used by several employees who work in manufacturing. They are supposed to be used only for e-mail and a few other programs, but almost every one has P2P software installed. They generate lots of file-sharing traffic and should be locked down so that they can be used only for legitimate purposes.

Classify Selected Hosts

After you've selected your target hosts, you should loosely classify them by placing them in restrictive, balanced, or permissive groups. These groups are used later to help you decide which CSA security policies should be applied. They also help you know how much effort is required to deploy and subsequently manage the policies you choose.

To classify a host or set of hosts, answer three questions:

  • Does the company lose money when this host is unavailable?

  • How much control does the user have over the system configuration?

  • Are new software packages installed on the system frequently?

Note

Don't confuse host classification with the balance goal you set when you defined project goals. The organizational classification you chose there should influence how you classify hosts only when a group of hosts is hard to place. If you have a situation where you think a group of hosts falls somewhere between restrictive and balanced, apply your organizational classification to help you decide. Think of the organizational classification as a "rounding rule": if the organization as a whole is permissive, round downward; if it's restrictive, round upward.


Here are some samples:

  • When restrictive systems are unavailable, the company loses a great deal of money. The user has virtually no control over the system configuration. New software packages are rarely installed. When they are, the installation happens only during scheduled maintenance windows and only after thorough testing.

    Examples include call center desktops, kiosks, point of sale, and manufacturing automation systems.

    Protection and Ongoing Management: Restrictive hosts are rigorously protected, but require a fair amount of ongoing management, especially when new software is deployed on them.

  • When balanced systems are unavailable, the loss of productivity indirectly costs the company money. Users have some control over their system configuration, but they are not allowed to install their own applications. Software is installed using a software distribution system such as SMS, Altiris, Radia, or ZENworks. New software is deployed on a fairly regular basis.

    Examples include standard corporate desktops and servers.

    Protection and Ongoing Management: Good protection against new and unknown attacks, with some amount of ongoing management as new applications are deployed or updated.

  • When permissive systems are unavailable, the company might lose some money because of some loss in productivity. Users have complete control over their system configuration, and they are allowed to install whatever applications they want.

    Examples include field laptops and IT desktops.

    Protection and Ongoing Management: Reasonable expectation of protection, with very little ongoing management as new applications are deployed or updated.

ACME had an easy time classifying its hosts. When the e-commerce servers are down, it costs the company lots of money. New software is rarely installed on them, and they should be meticulously protected. They are externally accessible. Therefore, ACME classified its e-commerce servers as restrictive systems.

The manufacturing desktops don't cost the company much money when they are down, users are permitted to install software whenever they want, and they are protected by other ACME security countermeasures such as firewalls and Network Intrusion Detection Systems (NIDS). ACME classified the desktops as permissive, with the caveat that they should not be allowed to download music from the Internet.

Finally, the field laptops were put in the balanced group. The laptops need good protection against attacks because they are often unprotected by corporate security. At the same time, the users need to have some control over their system configuration when they are in the field.
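The three classification questions and the "rounding rule" from the note above can be written down as a small decision procedure, so that the tie-breaking case is applied the same way to every host group. The following is an added example; it is not code from the book and has nothing to do with CSA itself. The 0/1/2 answer scale, the averaging of the three answers, and the behaviour for a balanced organization (round to the nearest class) are assumptions of this example; the book only states what restrictive and permissive organizations do. ACME's three host groups are taken from this section; the fourth, mixed-profile host is constructed to show a case where the organizational posture changes the outcome.

```python
"""Host classification helper for HIPS deployment planning.

Added, illustrative example; not code from the book or from Cisco Security
Agent. It encodes the section's three classification questions and the
organizational "rounding rule" as a decision procedure.
"""
from dataclasses import dataclass
from enum import IntEnum
import math


class Posture(IntEnum):
    """Ordered so that a higher value means a more restrictive posture."""
    PERMISSIVE = 0
    BALANCED = 1
    RESTRICTIVE = 2


@dataclass(frozen=True)
class HostProfile:
    """Answers to the three classification questions, each mapped to the
    posture that answer points toward (assumed scale, not from the book):

    outage_cost        Does the company lose money when the host is down?
                       large direct loss -> RESTRICTIVE, minor -> PERMISSIVE
    user_control       How much control does the user have over the configuration?
                       none -> RESTRICTIVE, complete -> PERMISSIVE
    install_frequency  Are new software packages installed frequently?
                       rarely, in maintenance windows -> RESTRICTIVE,
                       whenever the user wants -> PERMISSIVE
    """
    name: str
    outage_cost: Posture
    user_control: Posture
    install_frequency: Posture


def classify_host(host: HostProfile, org_posture: Posture) -> Posture:
    """Classify a host; the organizational posture is only a tie-breaker.

    The three answers are averaged. If the average lands exactly on a class
    (all answers agree, or they balance out), that class wins and the
    organizational posture is ignored. If the average falls between two
    classes, the rounding rule applies: a restrictive organization rounds
    up, a permissive one rounds down. The book does not say what a balanced
    organization does; this example assumes it rounds to the nearest class.
    """
    answers = (host.outage_cost, host.user_control, host.install_frequency)
    mean = sum(int(a) for a in answers) / len(answers)
    lower, upper = math.floor(mean), math.ceil(mean)
    if lower == upper:                        # no ambiguity: org posture not consulted
        return Posture(lower)
    if org_posture == Posture.RESTRICTIVE:    # "If it's restrictive, round upward."
        return Posture(upper)
    if org_posture == Posture.PERMISSIVE:     # "If the organization ... is permissive, round downward."
        return Posture(lower)
    return Posture(round(mean))               # assumption: balanced org rounds to nearest


def classify_all(hosts, org_posture: Posture) -> dict:
    """Return {host name: posture} for a set of target hosts."""
    return {h.name: classify_host(h, org_posture) for h in hosts}


# ACME's three target groups, as described in this section. ACME is a balanced
# organization, so Posture.BALANCED is the rounding rule it would apply.
ACME_HOSTS = (
    HostProfile("e-commerce IIS servers", Posture.RESTRICTIVE, Posture.RESTRICTIVE, Posture.RESTRICTIVE),
    HostProfile("manufacturing desktops", Posture.PERMISSIVE, Posture.PERMISSIVE, Posture.PERMISSIVE),
    HostProfile("field laptops", Posture.BALANCED, Posture.BALANCED, Posture.BALANCED),
)

# Constructed host whose answers disagree (average 1.33): costly when down,
# but users have some control and software changes at a normal pace.
MIXED_HOST = HostProfile("shared engineering workstation (constructed)",
                         Posture.RESTRICTIVE, Posture.BALANCED, Posture.BALANCED)

if __name__ == "__main__":
    for name, posture in classify_all(ACME_HOSTS, Posture.BALANCED).items():
        print(f"{name:40s} -> {posture.name}")
    for org in Posture:
        result = classify_host(MIXED_HOST, org)
        print(f"{MIXED_HOST.name:40s} in a {org.name.lower():11s} organization -> {result.name}")
```

Running it reproduces ACME's own classification for its three groups regardless of the rounding rule, and shows that the constructed mixed host lands in the balanced group for a balanced or permissive organization but in the restrictive group for a restrictive one, which is exactly the situation the note describes.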

Plan for Ongoing Management

It is a good idea to think about the ongoing management of CSA after it has been implemented. You should try to decide who takes over CSA administration when the project is finished. Also decide where the administrators are to be physically located, and who has responsibility for what types of administration. You should plan for ongoing management at this stage in the project so that you can involve the future administrators in the deployment early on. That way, they are prepared when it is finished.

ACME decided that two members of the corporate security team are to be responsible for CSA policy administration, event handling, and incident response. The servers, the operating system, the server agent software, and the software that make up the CSA Management Center (MC) are to be under the control of the server team. The desktop team is expected to install and troubleshoot the agent software on the desktops and laptops after the project is finished. All of the personnel who manage CSA post-deployment are located at ACME headquarters.

Choose the Appropriate Management Architecture

The final predeployment planning task is to architect the solution that manages the HIPS agents. You should be careful and take your time finishing this task. If you don't plan well and realize later that your management should be different, it is usually difficult to change after agents are deployed and actively managed. At least five factors affect your choice of management architecture:

  • Number of agents: The number of agents the management solution should support. Make sure to plan for future needs when you select the number. For example, if you want this solution to be in place for at least 3 years, the number of agents it should support is the number of agents you expect to have deployed in 3 years. You might want to deploy only 10,000 agents right now, but in 3 years you might have 40,000.

    Remember that the CSA MC can be implemented in a single-server or tiered manner. A single server supports up to 20,000 agents. You have two ways to support more than that. One is to deploy several single-server CSA MCs. The other is to tier the management. The choice you make depends on the following factors.

  • Geographical distribution: Your company might have only one location, it might have several offices within one country, or it could have hundreds of branches across the globe. Also consider how many employees are at each branch, how much network bandwidth each location has, and how many mobile employees you have.

    If your company is widely distributed and the branches have limited network connections, single-server management centers at each location might be your only option. It is a costly option from a budgeting and administrative perspective. You have to buy hardware for each location, make sure that security policies are synchronized between sites, and CSA administrators have to treat each location as a separate entity, which increases the management burden.

    If the company is not distributed, or is distributed but has respectable network connections between the branches and headquarters, a single or tiered CSA MC at headquarters makes more sense. Large organizations can have a number of network operation centers (NOCs) that would be suitable for single or tiered MCs, as needed for the number of agents each NOC is expected to support.

  • Administrative model: In the prior section of this chapter, "Plan for Ongoing Management," you identified the people managing the HIPS after the implementation is finished. The location of the people who manage the solution and what agents they are responsible for can impact your management architectural choices.

    For example, if you choose to have headquarters personnel manage CSA, it is logical to locate the management solution at headquarters. If you have multiple branches and choose to have personnel at each branch administer their own location, a CSA MC at each branch is more appropriate. Time zones and international locations might also influence your decision.

  • Budget: The amount of money you have earmarked for the management solution.

  • Uptime requirements: Your organization might have a policy that requires all management solutions to meet certain availability requirements. To achieve the requirements, you might need to consider management architectures that are more suited to high availability and fail more gracefully than others. Tiered management with a database cluster is the best choice for high availability.

Although ACME has licenses for only 1520 hosts, it would eventually like to put CSA on all 10,300. It decided to start with a server big enough to handle that many agents, even though it wouldn't be managing that many at first. The documentation indicates that a single-server CSA MC supports up to 20,000, so the single-server architecture seemed like the best choice.

Before ACME made a final decision, it consulted with the server team. Together, they decided that a single-server CSA MC will work. The budget is limited, the administrative model fits, and the bandwidth between most ACME sites is respectable.




Intrusion Prevention Fundamentals
ISBN: 1587052393