Deploying IPS Devices and Applications


Each IPS deployment is fairly unique depending on your network configuration. Regardless of your network configuration, topology, and traffic patterns, you need to analyze your deployment from the following two perspectives:

  • Deploying Host IPS

  • Deploying Network IPS

Besides the initial deployment, you also need to continually evaluate your IPS and modify your deployment based on network threats and your ever-changing network.

Deploying Host IPS

The optimum Host IPS deployment involves deploying Host IPS on every host on your network. In many situations, however, you are not able to deploy Host IPS on every system. Sometimes, you cannot cover all of your systems because your Host IPS product does not support certain operating systems that you use on your network. Most of the time, however, the limiting factor is cost. If your budget does not allow you to protect all of your systems with Host IPS, then you need to decide which systems to protect and which systems are left unprotected.

Deciding which systems to protect can be a tricky task. For example, you must decide whether it is better to protect end user laptops (a more accessible target when on unprotected networks) or focus on servers, which are more critical to the operation of your network. Some of the factors to consider when conducting a partial Host IPS deployment include the following:

  • Threat posed by known exploits

  • Criticality of the systems

  • Accessibility of the systems

  • Security policy requirements

After your initial deployment, you also need to identify unprotected systems. If your Host IPS deployment does not include every system, then identifying unprotected systems becomes even more difficult. Chapter 9, "Cisco Security Agent Deployment," provides a detailed analysis of the issues that you must consider when deploying Host IPS using the Cisco products as an example.

Threat Posed by Known Exploits

One of the factors to consider when deciding whether to deploy Host IPS on a system is the number of known exploits for the operating system and applications used on the system. For example, if the operating system or applications used have a large number of known exploits, protecting the system with a Host IPS becomes more critical because a large number of exploits increases the ways in which an attacker can compromise the system. Furthermore, a large number of exploits might indicate a higher likelihood that new exploits for the system will be discovered in the future.

Criticality of the Systems

If a system is vital to the operation of your network, then protecting it with a Host IPS is paramount. By protecting the system, you decrease the chances that the system can become compromised. More importantly, the vital components of your network remain operational, reliably providing service to the various client systems on your network.

Accessibility of the Systems

Another factor that increases the chances that a system will be attacked is the accessibility of the system. A server that is in a fixed location protected by a firewall and Network IPS has limited accessibility. A laptop that moves from the company network to the user's home broadband network (as well as various broadband networks utilized for remote access when traveling, like public wireless networks) is very accessible to many different attackers. If this laptop is compromised while off the company network, it can wreak havoc when the system is again connected to the internal company network.

Security Policy Requirements

The underlying framework for all of your security decisions is your security policy. It defines requirements that must be met by systems on your network. Before considering other factors that impact your IPS deployment, you need to carefully analyze your security policy to identify requirements that must be met or add requirements to accommodate IPS. These requirements can then be used as a foundation upon which you can consider the other deployment factors.

Identifying Unprotected Systems

An ongoing task in any Host IPS deployment is the verification that all the targeted systems have your Host IPS software installed and operating on them. You need a mechanism to identify systems that you want to protect but that are not protected. You can then compare this list of unprotected systems to your policy on which systems should be protected to verify whether you have systems that need to have the Host IPS software installed on them.

Deploying Network IPS

As is the case with Host IPS, the optimum protection is provided by deploying Network IPS across your network to inspect all of your network traffic. Complete protection with Network IPS, however, is difficult to ensure. One of the main factors impacting Network IPS deployment is the traffic volume on your network. Figure 3-1 illustrates a sample Network IPS deployment for a small network. In this example, the maximum traffic volume is 100 Mbps, so a single IPS sensor can monitor all the traffic entering the network at a single location. Because the IPS sensor bridges all traffic into and out of the protected network, it can examine that traffic for attacks and other traffic that violates the defined security policy.

Figure 3-1. Small IPS Network Deployment


Even in this small deployment, you must decide whether to deploy the sensor outside your firewall (as shown in Figure 3-1) or behind your perimeter firewall. Placing the sensor outside the firewall enables you to observe all the attacks that are being launched against the network. Analyzing these attacks, however, can be manpower intensive because all traffic can reach the sensor. Furthermore, many of these attacks are going to be blocked by your firewall anyway before they reach the internal network. By deploying the sensor behind the firewall, you observe only attacks that make it through your firewall or attacks that originate from the internal network.

When deploying Network IPS on a large network, such as an enterprise network, you have to consider many factors. Some of the more important considerations include the following:

  • Security policy requirements

  • Maximum traffic volume

  • Number and placement of sensors

  • Business partner links (extranet connections)

  • Remote access

  • Identification of unprotected segments

You must consider these factors not only during your initial Network IPS deployment, but also as your network grows and changes. On an ongoing basis, you must reevaluate these factors to determine if your Network IPS deployment needs to be enhanced or revised to maintain optimum protection.

Security Policy Requirements

Your security policy might require that an IPS be in place to protect your network. The security policy might also contain other policies that your IPS sensors can be used to enforce. Identifying the security policy requirements that your Network IPS can enforce is one of the first steps that you should perform when planning your Network IPS deployment.

Maximum Traffic Volume

Whenever you deploy an IPS sensor at a location in your network, you must consider the maximum bandwidth, the rate of new connections, and the maximum number of concurrent connections that the sensor can support. At first, you might think that you would never deploy a sensor that could not handle the amount of traffic on the network. The traffic volume becomes an issue mainly because of the following two factors:

  • Network segments are not fully utilized.

  • Sensors can be costly.

If you have three 100 Mbps network segments that you want to monitor, you can guarantee that all the traffic is processed by using one or more sensors that are capable of handling 300 Mbps. With Cisco IPS sensors, you can use a single Cisco IPS 4255 that supports 600 Mbps. The Cisco IPS 4255 can easily process the 300 Mbps with extra processing power for future network growth. (For more information on specific Cisco IPS devices and capabilities, refer to Chapter 8, "NIPS Components.")

The cost of an IPS sensor usually varies based on the amount of traffic that it can process. So to save costs, you might want to deploy sensors that support the typical traffic volume on your network, because most network segments are not usually fully utilized. For example, suppose that we examine our three network segments and discover that their maximum bandwidth almost never exceeds 80 percent of their capacity. Now the maximum amount of traffic that we need to examine is 240 Mbps. Instead of using a Cisco IPS 4255, we can now use a Cisco IPS 4240, because it can examine up to 250 Mbps.

Deploying your sensors based on the typical traffic volume enables you to save money on your IPS deployment. However, it does have a couple of drawbacks. First, you do not have any excess capacity to handle network growth. Second, you need to verify that the actual amount of traffic on your network is not exceeding the sensor's capacity. If the traffic does exceed the sensor's capacity, some of the network traffic will not be analyzed by your sensor.
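The sizing trade-off described above, worked through in code. This is an added example, not from the book: the two sensor capacities are the figures the chapter quotes, while the 80 percent utilization figure and the post-deployment traffic samples are constructed for illustration.

```python
# Added example (not from the book): size a sensor from segment bandwidth and
# typical utilization, then check measured traffic against the chosen sensor.
# Capacities in Mbps are the figures the chapter quotes for these two models.
SENSOR_CAPACITY_MBPS = {"Cisco IPS 4240": 250, "Cisco IPS 4255": 600}


def required_mbps(segment_mbps, utilization=1.0):
    """Aggregate bandwidth the sensor must inspect.

    utilization=1.0 sizes for the worst case (every segment saturated);
    a lower value sizes for the typical load, as the chapter describes.
    """
    return sum(segment_mbps) * utilization


def choose_sensor(needed_mbps, capacities=SENSOR_CAPACITY_MBPS):
    """Smallest adequate sensor (cost rises with capacity, as the text states).

    Returns (model, headroom_mbps), or None if no listed sensor is adequate.
    """
    adequate = [(cap, name) for name, cap in capacities.items() if cap >= needed_mbps]
    if not adequate:
        return None
    cap, name = min(adequate)
    return name, cap - needed_mbps  # headroom left for future growth


def oversubscribed_samples(samples_mbps, capacity_mbps):
    """Measured samples above capacity: traffic the sensor could not fully analyze."""
    return [s for s in samples_mbps if s > capacity_mbps]


if __name__ == "__main__":
    segments = [100, 100, 100]              # the chapter's three 100 Mbps segments
    peak = required_mbps(segments)          # 300 Mbps, sized for saturation
    typical = required_mbps(segments, 0.8)  # 240 Mbps, sized for 80 percent
    print(choose_sensor(peak))     # ('Cisco IPS 4255', 300)
    print(choose_sensor(typical))  # ('Cisco IPS 4240', 10): almost no headroom
    # Constructed utilization samples (Mbps) observed after deploying the 4240.
    samples = [180, 210, 245, 262, 230]
    print(oversubscribed_samples(samples, 250))  # [262]: that interval was not fully inspected
```

Running the oversubscription check periodically against real utilization data is the verification step the second drawback calls for.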

Number and Placement of Sensors

The maximum traffic volume is one of the factors that impact the number of sensors that you need to deploy. Besides deciding on the number of sensors and where you want to deploy them on your network, you also need to plan how you can manage the devices.

Most IPS products enable you to deploy IPS functionality in various locations throughout your network. Some of these locations include the following:

  • Standalone appliances

  • Specialized hardware blades

  • Integrated into the operating system on infrastructure devices such as routers and switches

Examining the unique characteristics of your network helps you decide which of these options works best for your network topology. Chapter 10, "Deploying Cisco Network IPS," provides a detailed analysis of the issues that you must consider when deploying Network IPS using the Cisco products as an example.

Business Partner Links

Any link between your network and your business partners (known as extranets) needs to be monitored. Your business partner usually has a different security policy than you. Furthermore, you might run into legal liability issues if your business partner is attacked from a compromised system on your network. Therefore, deploying Network IPS to protect all of your extranets is very important.

Note

It is also beneficial to have a high degree of coordination between the technical security team for your company and the technical security teams of your business partners. Through coordination, each team can proactively keep the other informed of potential attacks and other security concerns.


Remote Access

Most networks provide some type of remote access functionality to enable workers to access the corporate network from home and while traveling. Because this capability enables remote access into your network, it is also a prime target for attack. Monitoring any remote network access is vital to deploying an effective Network IPS solution.

Identifying Unprotected Segments

As your network grows, you need to continually verify that all the network segments are being monitored by your Network IPS sensors. Again, your security policy might help define your requirements. For example, deploying Network IPS at the edge of your network identifies attacks launched against your network from the Internet as well as attacks launched against hosts on the Internet from your network. If you examine only the edge of your network, however, you are not able to identify attacks from one host on your network to another host on your network.

When you try to identify unprotected segments, identifying the source and destination for intrusive traffic that you are trying to monitor is beneficial. Table 3-1 shows some common source and destination segments.

Table 3-1. Common Attack Sources and Targets

Attack Source               Attack Target
Internet                    Any internal system
Any internal system         Internet
Internal data network       Internal data network
Internal data network       Internal voice network
Internal voice network      Internal voice network
Internal data network       External voice network
Internal voice network      External voice network
Server network              Any internal system
Any internal system         Server network
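A way to turn Table 3-1 into a coverage check for a proposed sensor placement. This is an added example, not from the book; the placement model is a simplifying assumption (a sensor inspects traffic crossing the link it sits on, between the zones on its two sides), and the sensor placements are constructed.

```python
# Added example (not from the book): check which Table 3-1 source/target pairs a
# Network IPS placement monitors. Model (a simplifying assumption): a sensor sits
# on a link with a set of zones on each side and inspects traffic crossing it;
# intra-segment traffic is seen only by a sensor whose two sides both contain
# that segment (for example a blade in that segment's switch).
TABLE_3_1 = [
    ("Internet", "Any internal system"),
    ("Any internal system", "Internet"),
    ("Internal data network", "Internal data network"),
    ("Internal data network", "Internal voice network"),
    ("Internal voice network", "Internal voice network"),
    ("Internal data network", "External voice network"),
    ("Internal voice network", "External voice network"),
    ("Server network", "Any internal system"),
    ("Any internal system", "Server network"),
]
INTERNAL = {"Internal data network", "Internal voice network", "Server network"}


def expand(zone):
    """'Any internal system' stands for every internal zone named in the table."""
    return INTERNAL if zone == "Any internal system" else {zone}


def pair_monitored(src, dst, sensors):
    """True if every concrete zone pair behind (src, dst) crosses some sensor."""
    return all(
        any((s in a and d in b) or (s in b and d in a) for _, a, b in sensors)
        for s in expand(src)
        for d in expand(dst)
    )


def unmonitored_pairs(sensors, pairs=TABLE_3_1):
    """Table 3-1 rows this placement leaves uninspected."""
    return [(s, d) for s, d in pairs if not pair_monitored(s, d, sensors)]


# Constructed placements: (name, zones on side A, zones on side B).
EDGE_ONLY = [("edge", {"Internet"}, INTERNAL)]
EDGE_PLUS_INTERNAL = EDGE_ONLY + [
    ("voice-gateway", {"External voice network"}, {"Internal voice network"}),
    ("data-voice", {"Internal data network"}, {"Internal voice network"}),
    ("server-farm", {"Server network"}, INTERNAL),  # modeled as a blade that also sees server-to-server
]

if __name__ == "__main__":
    for name, placement in (("edge only", EDGE_ONLY), ("edge + internal", EDGE_PLUS_INTERNAL)):
        print(name, "leaves unmonitored:", unmonitored_pairs(placement))
```

With the edge-only placement, only the two Internet rows are covered; the second placement still leaves intra-segment data and voice traffic, and data-to-external-voice traffic, unmonitored, which is exactly the gap the text warns about.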





Intrusion Prevention Fundamentals
ISBN: 1587052393