In 1974, Premium Airways transported its first passengers in two propeller-driven airplanes. Since then, Premium has grown to become a national carrier with hundreds of jets in service. Most of the company's 40,000 computers are located on the headquarters campus in Tulsa, Oklahoma. The other 10,000 hosts are scattered at airports all over the United States. Some of the systems are kiosk-type machines that passengers use to check in. Others are used by the airline operations staff at each airport. Also, each gate has a computer that is used to scan boarding passes before the passenger gets on the plane. All of Premium's airport computers, whatever their function, connect back to the data center in Tulsa. They use a site-to-site virtual private network (VPN) to communicate with a large Microsoft SQL database cluster. Each airport has its own VLAN. Aside from that, the administrative and airport computers are not separated. This lack of separation proved to be a problem six months ago during a very severe virus incident. Somehow, a system at headquarters was infected by the Slammer worm. The worm propagated rapidly to almost all of the SQL database servers, including the cluster that supports the airport systems.
As a result, Premium had to delay and even cancel some flights because the database that supports boarding pass scanners, check-in kiosks, and gate personnel was down. Not only that, but the worm generated so much traffic that the overall network performance was significantly reduced. Remediation was difficult because many of the network links were saturated. Premium lost a great deal of money that day. Refunds had to be paid to passengers, the whole schedule had to be changed because planes weren't where they were supposed to be, and airplanes cost money to operate even if they aren't flying. Premium's reputation also suffered a blow when the reason for the delayed and cancelled flights made front-page news. To make sure this wouldn't happen again, Premium re-evaluated its entire security strategy. One of the projects that came out of the re-evaluation was to implement IPS. Premium started off its IPS deployment with a meeting where the stakeholders:
Limiting Factors

The stakeholders at the meeting recognized two company practices that would limit the way IPS could be deployed:
Security Policy Goals

During the security re-evaluation in the wake of the Slammer worm, Premium's security policy was revised. The revision included three provisions that were in direct response to what it learned during the Slammer incident:
HIPS Implementation

Premium used the limiting factors and goals it had established to start HIPS implementation planning. It was too early to get into the details, but it wanted to define:
Target Hosts

The team immediately excluded airport hosts from the HIPS implementation for three reasons:
All of the 30,000 hosts at headquarters are perfect candidates for a HIPS product. The first hosts to get protection will be any system that connects to the airports so that they are less likely to be infected by malware. After that, the agent will be deployed to desktops because that is where the Slammer infection originated. Finally, the rest of the hosts are covered.
Management Architecture

Premium Airlines has a good-sized team of computer security experts. A portion of the security team has only one duty: to "clean up" after virus incidents. When the IPS project is finished, Premium Airlines should have fewer virus incidents, so some of the cleanup team can take over HIPS management. The team also decided that the management architecture should have the following characteristics:
Agent Configuration

The IPS project has three goals: prevent headquarters virus infections, isolate airport systems, and provide a way to identify a virus' origin. The team talked about each goal and identified agent configuration settings for each.

To stop headquarters viruses, the agent configuration has to be fairly restrictive. Also, one of the problems the team had during the Slammer incident was that the network was so saturated that they couldn't push antivirus updates out to their hosts. They had an update that would stop Slammer, but couldn't deploy it. Thus, the agent should be configured so that it can stop viruses without needing updates. One concern with the restrictive configuration approach is that false positives could be an issue. The group decided that if they had to err, they would prefer false positives over another major virus incident. One team member suggested that one way to handle false positives would be to allow users to turn the agent off. It was a good idea, but the corporate security policy prohibited that.

To isolate airport systems, the agent is to be configured to prohibit network access to the airport systems for any hosts that do not absolutely require it. The hosts that do require access are to have their access restricted to required services. For example, databases that the airport hosts use accept connections only on database ports.

Finally, the HIPS is to be configured to log permitted but unusual network connections between hosts. Ordinarily, network connections that are permitted are not logged. The team decided that if unusual connections were logged, they could use the logs to help them identify the origin of a virus.

NIPS Implementation

Premium deployed NIPS at the headquarters location more than a year ago. This deployment consisted mainly of several sensors to monitor traffic between various operational VLANs on the Premium network (see Figure 11-1).
It also deployed sensors to monitor its inbound Internet connections.

Figure 11-1. Initial Premium Airways Network Configuration

That initial deployment worked well, but Premium did not fully utilize the NIPS functionality because it used its sensors mainly to monitor attacks to the internal server VLAN. Only the sensors protecting the Internet connections were configured for in-line functionality. During this upgrade to the IPS solution, it plans to enhance the NIPS deployment through the following measures:
Sensor Deployment

Premium decides to take advantage of its existing NIPS deployment at the headquarters facility. Initially, it monitored only Internet connections and traffic destined to the server VLAN. With this upgrade, it plans to deploy in-line sensors monitoring all airport VLANs. This new NIPS functionality adds 40 sensors to the Premium NIPS deployment. To increase the separation between the airport systems and other hosts on the Premium network, the in-line sensors are to have custom signatures developed that restrict the connections allowed to access the airport computers. Furthermore, all connections between the headquarters site and any airport site are logged by the NIPS using informational custom signatures (see Figure 11-2).

Figure 11-2. Final Premium Airways Network Configuration

NIPS Management

Premium already has NIPS deployed at its headquarters location. Presently, it is managing these five sensors using a centralized management application via an out-of-band management network. The upgrade adds 40 sensors that need to be managed. The current management infrastructure, however, can support approximately 150 sensors, so it can easily handle the extra sensors. To improve configuration and monitoring of the NIPS deployment, Premium also decides to add three more people to the current NIPS security staff of one person.
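The isolation and logging decisions described for the HIPS agent configuration (deny airport access to hosts that do not need it, restrict the hosts that do to required services such as the database port, and log permitted but unusual connections) and for the in-line NIPS custom signatures (restrict connections allowed into the airport VLANs and log every headquarters-to-airport connection) are the same first-match policy seen from two vantage points. The following Python model, added here as an example and not taken from the book or from any IPS product, shows that policy evaluated on a headquarters host. The address ranges, host roles and the treatment of udp/1434 as an example of a non-database port are constructed for the scenario; only the Microsoft SQL Server port (tcp/1433) is a real default.

```python
"""Connection policy modelled on the Premium Airways HIPS decisions.

Added example; not code from the book or from any IPS product. Address
ranges, host roles and port numbers are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan: every airport VLAN sits inside one aggregate,
# and the SQL cluster that serves the airports sits in a headquarters VLAN.
AIRPORT_NET = ip_network("10.100.0.0/16")   # assumed airport aggregate
HQ_NET = ip_network("10.1.0.0/16")          # assumed headquarters aggregate
SQL_PORT = 1433                             # Microsoft SQL Server TCP port


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the agent on a headquarters host."""
    direction: str          # "in": peer connects to this host; "out": reverse
    peer: str               # remote address
    port: int               # service port on the server side of the flow
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str
    peer_net: IPv4Network
    port: Optional[int]     # None matches any port
    proto: Optional[str]    # None matches any protocol
    action: str             # "allow" or "deny"
    baseline: bool = False  # True: routine flow, permitted without logging

    def matches(self, flow: Flow) -> bool:
        return (self.direction == flow.direction
                and ip_address(flow.peer) in self.peer_net
                and (self.port is None or self.port == flow.port)
                and (self.proto is None or self.proto == flow.proto))


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    logged: bool


def build_policy(role: str) -> List[Rule]:
    """Per-role rule list, evaluated first-match.

    Only the SQL cluster may exchange traffic with airport address space,
    and only on the database port; every other host and service is denied.
    Headquarters-internal traffic stays permitted, but only the flows a
    role is expected to use are baseline; other permitted flows are logged
    so the trail can later show where an infection started.
    """
    rules: List[Rule] = []
    if role == "sql-cluster":
        rules.append(Rule("in", AIRPORT_NET, SQL_PORT, "tcp", "allow", baseline=True))
    rules.append(Rule("in", AIRPORT_NET, None, None, "deny"))
    rules.append(Rule("out", AIRPORT_NET, None, None, "deny"))
    if role == "desktop":
        rules.append(Rule("out", HQ_NET, 443, "tcp", "allow", baseline=True))
    rules.append(Rule("in", HQ_NET, None, None, "allow"))
    rules.append(Rule("out", HQ_NET, None, None, "allow"))
    return rules


class HostAgent:
    """Evaluates flows and keeps the audit trail the team asked for: every
    denied flow plus every permitted flow that is not on the baseline."""

    def __init__(self, role: str):
        self.role = role
        self.rules = build_policy(role)
        self.audit: List[Tuple[str, Flow]] = []   # (reason, flow)

    def evaluate(self, flow: Flow) -> Decision:
        for rule in self.rules:
            if not rule.matches(flow):
                continue
            if rule.action == "deny":
                self.audit.append(("blocked", flow))
                return Decision("deny", "matched deny rule", True)
            if rule.baseline:
                return Decision("allow", "baseline flow", False)
            self.audit.append(("unusual-permitted", flow))
            return Decision("allow", "permitted, not on baseline", True)
        # Peers outside both aggregates (for example the Internet) fall
        # through to an implicit deny that is always logged.
        self.audit.append(("no-rule", flow))
        return Decision("deny", "no matching rule", True)


if __name__ == "__main__":
    sql = HostAgent("sql-cluster")
    # Constructed kiosk address reaching the database: routine, not logged.
    print(sql.evaluate(Flow("in", "10.100.7.21", SQL_PORT)))
    # Same kiosk on udp/1434: not a required service, so it is blocked
    # without any signature update and recorded in the audit trail.
    print(sql.evaluate(Flow("in", "10.100.7.21", 1434, "udp")))
    desktop = HostAgent("desktop")
    print(desktop.evaluate(Flow("out", "10.100.3.4", SQL_PORT)))  # denied
    print(desktop.evaluate(Flow("out", "10.1.20.5", 445)))        # allowed, logged
    for reason, flow in desktop.audit:
        print(reason, flow)
```

The `baseline` flag is what separates the two kinds of logging in the text: a permitted baseline flow produces nothing, while a permitted flow that matches only the broad headquarters allow rule is written to the audit list with the reason `unusual-permitted`. On the in-line sensor the same rule list would be expressed as custom signatures, with the deny rules as blocking signatures and the non-baseline allows as informational ones.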