Summary

Every IPS deployment is different, and the characteristics of the company doing the deployment account for many of the differences. This chapter examined IPS deployments at six different types of company:

  • Large enterprise

  • Branch office

  • Medium financial enterprise

  • Medium educational institution

  • Small office

  • Home office

Each section covered five deployment-related topics:

  • The company background and recent computer security incidents

  • The factors that limit the IPS project

  • The goals for the project that are derived from the problems to solve and the corporate security policy

  • High-level HIPS implementation planning

  • High-level NIPS implementation planning

Large Enterprise

  • Company background: Premium Airlines had a hard time with the Slammer worm. It initially infected a computer at headquarters and then spread to the airports. The damage was extensive. Premium decided to implement IPS in an effort to prevent another incident like the Slammer worm.

  • Limiting factors: Premium classifies HIPS as an emerging technology because it has not been running at the airline for more than a year. Premium's policy does not allow emerging technologies to be deployed at airports. Also, the security policy does not allow users to disable host security countermeasures.

  • Security policy goals: Premium wanted to increase malware protection on headquarters hosts, isolate airport systems from headquarters hosts, and implement an easier way to identify the source of a host-based attack.

  • HIPS implementation: Premium Airlines decided to put HIPS on all of the headquarters hosts, starting with any that connect to airports. The tiered management server is to be located in the Tulsa office. The HIPS agents are to be configured to meet the goals for the project.

  • NIPS implementation: Premium decided to take full advantage of its NIPS capabilities to perform in-line monitoring of traffic entering the major network segments at the headquarters facility. It also added in-line monitoring (at the headquarters facility) for all of the airport locations. IPS management is performed at the headquarters facility using the existing out-of-band management network, but it required the addition of three new security analysts.

Branch Office

  • Company background: The SafetyNet Insurance branch office in Charlotte, North Carolina, decided to invest in IPS for several reasons. First, whenever the office gets infected by a virus, SafetyNet headquarters drops the VPN connection the office uses to process paperwork. Also, employees accidentally install spyware and adware on the office computers. Finally, an agent left to work for another company and took the office client list with her; the office would like to make it harder for employees to steal the client list.

  • Limiting factors: All of the office computers must run virus protection at all times, and the virus protection must be kept up to date. The branch office is not allowed to modify the Internet router or VPN configuration.

  • Security policy goals: Make it harder for employees to steal valuable information. Reduce the costs associated with removing spyware and adware. Cut down on the number of times headquarters drops the VPN because of a virus-infected host.

  • HIPS implementation: HIPS is installed on all hosts and managed by a managed security service provider (MSSP). The agents are configured to protect the hosts from malware and to protect the customer database.

  • NIPS implementation: An in-line sensor is installed in line with the router that provides the VPN connection to SafetyNet headquarters. The branch anticipates minimal management of its single sensor, so it hires a consultant to configure the NIPS initially and to update the configuration quarterly. It plans to use an MSSP to monitor its IPS deployment instead of performing that function itself.

Medium Financial Enterprise

  • Company background: BLI Bank is a regional bank with 25 branches and an investment group. BLI must comply with several new sets of government computer security regulations. The staff believes that IPS can help fulfill the requirements in the regulations.

  • Limiting factors: The bank has limited IT resources. Also, the investment and branch operations are regulated differently.

  • Security policy goals: Employ a neutral company to conduct tests to make sure that BLI's security countermeasures are working. All login failures and successes must be logged. All access to the mainframe and SQL databases must be tracked. Transactional network traffic must be kept separate from employee traffic.

  • HIPS implementation: All hosts have HIPS installed, and they are managed by a single management server. The agents are configured to log login failures and successes. They also keep track of which IP addresses connect to the SQL database.

  • NIPS implementation: BLI Bank's main concern is the mixing of traffic between the bank's branch operations and its investment operations. It installs an in-line sensor at the boundary of the investment group's network and configures it to prevent cross traffic between the branch operation transactions and the investment group. It also installs an in-line sensor to monitor traffic at its Internet perimeter. Initially, a consultant configures the IPS, with the regular IT staff maintaining it after that.

Medium Educational Institution

  • Company background: Davis State is a liberal arts school in Pittsburgh, Pennsylvania. The school has two problems. The first is that major donors and alumni are concerned that Davis State is not adequately protecting the students' confidential information. The second is that widespread unauthorized applications are using too much of the school's Internet bandwidth.

  • Limiting factors: The school takes a permissive approach to computer security. It believes that computer security should, for the most part, not curtail information exchange. The students and faculty have complete control over their systems.

  • Security policy goals: The school does not have a policy per se, but it does have a list of guidelines. The guidelines were modified to encourage security for student data and to allow restricting the use of certain types of applications.

  • HIPS implementation: The Davis State IT department cannot force students or faculty to install HIPS, so it is installed only on the hosts that IT controls. The agents are managed by a single management server and configured to secure student data.

  • NIPS implementation: Davis State deploys in-line IPS to protect the administration VLAN (which includes the faculty) and the server VLAN. The student network is monitored promiscuously, only to watch for attack traffic. Davis State's IT department configures its few IPS sensors individually and monitors them for attacks.

Small Office

  • Company background: Jones Hardware of San Antonio, Texas, is a family-owned chain of hardware stores. The company has a few desktops at each store and a headquarters with ten desktops and one Windows server. The store computers are very important because they are used for point of sale, inventory schedules, and payroll. Unfortunately, the store computers are frequently down because of malware.

  • Limiting factors: The IPS has to operate without supervision of any kind, because Jones Hardware cannot afford to hire IT personnel.

  • Security policy goals: Jones Hardware does not have a security policy. It did set a goal to reduce malware infections by 99 percent.

  • HIPS implementation: HIPS agents go on all of the company's machines. The agents are to be unmanaged and configured to implement a balanced security policy.

  • NIPS implementation: Because the IPS must operate without supervision, Jones Hardware did not consider deploying a NIPS solution.

Home Office

  • Company background: Alice Smith is a freelance marketing consultant who works from home. The Internet is one of the primary ways she communicates with her clients. Lately, she has had some trouble with her connection because her kids accidentally infect the computer with malware. When the system is infected, it sometimes tries to infect her clients and causes her ISP to disconnect her Internet connection.

  • Limiting factors: Alice wants to make sure her children can use the computer at night.

  • Security policy goals: Alice's goals for the project were to prevent the kids from accidentally deleting client data, harming any of the programs she uses for work, and installing malware.

  • HIPS implementation: Alice installed an unmanaged HIPS agent on her computer. The agent is configured to hide the HIPS interface and protect client data when the kids are logged on to the computer.

  • NIPS implementation: Alice did not even consider NIPS, because the website that the technician pointed her to focused solely on HIPS. Given the limited size of her network, however, NIPS would not be practical anyway.


Intrusion Prevention Fundamentals
ISBN: 1587052393