For both Network and Host IPS, the configuration of your IPS is crucial for providing a strong defense against attack. Some of the major factors to consider with respect to IPS configuration include the following:
Signature Tuning

Most IPS devices and applications ship with one or more default configurations. Using one of these default configurations is an ideal starting point for your IPS deployment, but it is only a starting point: as you run your IPS, you need to tune the specific signatures that generate false positives on your network, and to keep tuning them as the network changes.
Besides false positives and false negatives, alarms are also described using the terms true positives and true negatives: a true positive is an alarm on genuine attack traffic, a false positive is an alarm on benign traffic, a false negative is attack traffic that raises no alarm, and a true negative is benign traffic that correctly raises none. Table 3-2 highlights the differences between these terms.
Event Response

Whenever your Network IPS sensor identifies potentially malicious traffic, it must respond to the traffic by performing some type of action. You can usually configure each signature to generate one or more of the following actions:
Deny: If a signature identifies a serious threat against your network, you might want your IPS sensor to stop the traffic. Operating in inline mode, your IPS sensor can selectively drop any traffic that it analyzes, thus preventing intrusive traffic from reaching the target system.

Alert: An alert or alarm is an indication that your IPS has detected an attack. Your security operators use the alerts generated by your IPS devices to understand the attacks and other traffic that traverse your network.

Block: Besides denying traffic with inline IPS devices, most IPS devices also enable you to initiate access control lists (ACLs) on other infrastructure devices to block network traffic. These ACLs, however, are applied only after the malicious traffic has been detected, so the packets that triggered the signature have already passed through; a block stops subsequent traffic from the offending host, not the packets that were detected.

Log: The final IPS response is to log traffic. Logging traffic enables your security operators to analyze what an attacker sent to the network and, by examining the captured traffic, to understand more precisely what the attacker is doing. Logging is usually initiated when a signature triggers and continues for a specified amount of time, during which all traffic from the attacking system (or, alternatively, all traffic involving the target system) is captured.

Note: Many intrusion systems provide filtering capabilities that enable you to limit the hosts or conditions under which signatures actually trigger (that is, perform their configured actions). For example, if a signature is prone to false positives, you might configure it to trigger only on traffic that involves at least one external system, thus preventing false positives on traffic between two internal systems.

Software Updates

Every IPS is continually being enhanced to identify new attacks against your network. Furthermore, many existing signatures (see Chapter 2, "Signatures and Actions") are revised to make them more effective.
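The following Python is an added worked example for the Signature Tuning and Event Response passages above; it is illustrative code written for this page, not code from the book or from any Cisco product. It models a small inline sensor with two constructed signatures, the "at least one external host" filter, the four response actions, and a post-trigger logging window, then tallies each flow into the four Table 3-2 categories before and after tuning. The 10.0.0.0/8 internal range, the signature IDs 1001 and 1002, the byte patterns and every flow are constructed assumptions.

```python
"""Toy inline IPS: per-signature filters, response actions, a post-trigger
logging window, and a Table 3-2 tally. Added example for this page, not code
from the book or Cisco IPS; every network, signature and flow is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = (ip_network("10.0.0.0/8"),)   # assumption: the protected site


def is_internal(host: str) -> bool:
    return any(ip_address(host) in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    t: float         # seconds since the start of the sample
    src: str
    dst: str
    payload: bytes
    malicious: bool  # ground-truth label, used only by the tally


@dataclass(frozen=True)
class Signature:
    sig_id: int
    pattern: bytes
    actions: frozenset               # any of "alert", "deny", "block", "log"
    require_external: bool = False   # filter: ignore internal-to-internal traffic
    log_window: float = 60.0         # seconds of capture after a trigger

    def triggers(self, f: Flow) -> bool:
        if self.pattern not in f.payload:
            return False
        # The filter suppresses the signature, and so all its actions, when both
        # endpoints are internal: the usual source of false positives.
        return not (self.require_external and is_internal(f.src) and is_internal(f.dst))


class Sensor:
    def __init__(self, signatures):
        self.signatures = signatures
        self.alerts = []      # (sig_id, flow) sent to the management console
        self.acls = set()     # hosts to block on upstream devices, after detection
        self.captures = []    # (host, t) of packets logged for later analysis
        self.log_until = {}   # attacker host -> time at which logging stops

    def process(self, f: Flow) -> str:
        """Inline verdict for one flow: 'forward' or 'drop'."""
        verdict = "forward"
        for sig in self.signatures:
            if not sig.triggers(f):
                continue
            if "alert" in sig.actions:
                self.alerts.append((sig.sig_id, f))
            if "deny" in sig.actions:   # inline only: the packet itself is dropped
                verdict = "drop"
            if "block" in sig.actions:  # ACL on a router: this packet already got through
                self.acls.add(f.src)
            if "log" in sig.actions:    # start, or extend, the logging window
                self.log_until[f.src] = max(self.log_until.get(f.src, 0.0),
                                            f.t + sig.log_window)
        # Logging continues for every packet to or from the attacker in the window.
        for host in (f.src, f.dst):
            if f.t <= self.log_until.get(host, -1.0):
                self.captures.append((host, f.t))
                break
        return verdict


def tally(flows, alerted) -> dict:
    """Table 3-2: did the sensor alert on the flow, and was it really an attack?"""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for f in flows:
        fired = f in alerted
        counts[("TP" if f.malicious else "FP") if fired else
               ("FN" if f.malicious else "TN")] += 1
    return counts


# Constructed traffic: internal admin hits on /cgi-bin/, an external traversal
# attempt plus attacker follow-up, and an outbound fetch from a compromised host.
FLOWS = [
    Flow(0.0, "10.0.0.5", "10.0.0.9", b"GET /cgi-bin/backup.sh", False),
    Flow(1.0, "203.0.113.7", "10.0.0.9", b"GET /cgi-bin/../../etc/passwd", True),
    Flow(2.0, "203.0.113.7", "10.0.0.9", b"GET /index.html", False),
    Flow(3.0, "10.0.0.6", "10.0.0.9", b"GET /cgi-bin/status", False),
    Flow(4.0, "10.0.0.7", "198.51.100.2", b"GET /cgi-bin/dropper", True),
    Flow(100.0, "203.0.113.7", "10.0.0.9", b"GET /about", False),
]


def run(tuned: bool) -> dict:
    """Run the sample traffic through an untuned or a tuned sensor."""
    sigs = [  # hypothetical signature IDs; tuning adds the filter to the noisy one
        Signature(1001, b"/cgi-bin/", frozenset({"alert"}), require_external=tuned),
        Signature(1002, b"/etc/passwd", frozenset({"alert", "deny", "block", "log"})),
    ]
    sensor = Sensor(sigs)
    verdicts = {f.t: sensor.process(f) for f in FLOWS}
    return {"tally": tally(FLOWS, {f for _, f in sensor.alerts}),
            "alerts": len(sensor.alerts), "verdicts": verdicts,
            "acls": sensor.acls, "captures": sensor.captures}
```

Running `run(False)` and `run(True)` shows the effect of tuning: the untuned sensor alerts on both internal admin requests (two false positives), while the tuned sensor suppresses them and still catches the external traversal and the outbound download from the compromised host. Independently of tuning, the traversal flow is dropped inline by the deny action, the attacker's address lands in the ACL set only after that packet has been processed, and the log action captures the attacker's follow-up request at t=2 but not the one at t=100, which falls outside the 60-second window.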
Applying software updates to your IPS devices and applications is vital to maintain the optimum operation of your IPS. By keeping your IPS software current, you ensure that your network is being protected as effectively as possible. Applying IPS software updates involves the following tasks:
Configuration Updates

Besides software updates, you also need to define the process by which you plan to deploy configuration updates to your IPS devices. Configuration updates are the changes you make to the configuration of the IPS software to match the unique characteristics of your network, such as which signatures are enabled and which actions are configured for each signature. As your network grows and changes, or when your security policy changes, you need to update the configurations on your IPS devices.
Device Failure

When your IPS devices have problems, you need to understand what the impact is going to be on your security posture. You need to know how your IPS reacts to the following two failure situations:
Inline Sensor Failure

If the software on your IPS sensor fails, you need to understand how the sensor handles network traffic. If the sensor software is not functioning, you need to know whether network traffic is passed without inspection or whether all traffic is dropped while the analysis software is not operating.
Software bypass is the configuration that defines how the sensor processes network traffic when the sensor's analysis software is not operating. With Cisco IPS, you have the following three options with respect to software bypass:

Auto (also known as Fail Open): A sensor running in inline mode continues to forward traffic even if the sensor's analysis engine stops processing traffic. Although this traffic is not inspected by the sensor, the network is still operational, so any attack that arrives during the outage passes through unexamined. Auto mode is useful on networks where operation of the network takes the highest priority.

Off (also known as Fail Closed): A sensor running in inline mode stops forwarding traffic if the sensor's analysis engine software fails or stops. Because the sensor stops forwarding traffic, none of the traffic is allowed to pass the sensor without inspection, at the cost of an outage for everything behind the sensor. Off mode is useful on networks where the security of the network takes the highest priority.

On: A sensor running in inline mode always forwards traffic without inspecting it. This mode is useful in debugging situations when you want to configure the sensor to forward traffic without performing any inspection on the traffic.

Note: With Cisco IPS devices, you can also configure multiple sensors using an EtherChannel group. In this configuration, if any of the individual sensors loses power or stops operating, the traffic is automatically load balanced across the remaining sensors that are members of the EtherChannel group.
Management Console Failure

Your management console provides a mechanism for your security operators to view the events that are occurring on your network. The management console needs to retrieve alerts or alarms from your IPS devices or applications (such as the Cisco Security Agent [CSA]). Your management software uses one of the following models to retrieve events from your IPS devices:
Push: The IPS devices push events to your management console as they happen. If the management console is unreachable, the events pushed during the outage are lost. A failure of the management console therefore directly affects the visibility, and so the security, of your network.

Pull: The management console itself retrieves events from the IPS devices when it is ready to receive them. The IPS devices buffer a certain amount of alert information while waiting for the management console to retrieve it. Short failures of your management console do not cause any alerts to be lost, as long as your management console retrieves the buffered events before the sensor's buffer wraps around and overwrites them.

Note: The Cisco IPS solution uses the Pull model for both its network and host products. Therefore, a temporary failure of the management console should not result in a loss of event information, because the sensor stores the events in a local circular buffer until they are retrieved by the management console. If the management console fails to retrieve the event information before the buffer starts overwriting unread events, event information can be lost during a management console failure. On a normal network, however, the circular buffer can easily hold a couple of days' worth of events before it starts overwriting unread events.

Note: When managing the devices on your network, you will find it beneficial to have a separate management VLAN or out-of-band management network. Besides minimizing management access to your crucial network devices and thus enhancing your network's security, a separate management network (or VLAN) also prevents you from losing connectivity to your devices if an IPS sensor protecting those devices fails closed.
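The following Python is an added example that simulates both failure situations discussed above, the inline sensor failure with each software-bypass setting and the management console failure under the Push and Pull models; it is illustrative code written for this page, not Cisco code, and the EtherChannel group is not modelled. The buffer sizes, the outage length and the toy "ATTACK" substring that stands in for real analysis are constructed assumptions.

```python
"""Failure-mode simulation: an inline sensor with a software-bypass setting and a
circular event buffer, and a management console that either receives pushed
events or pulls them. Added example for this page, not Cisco code; buffer sizes,
outage lengths and the toy "ATTACK" match are constructed assumptions."""
from collections import deque


class InlineSensor:
    def __init__(self, bypass: str, buffer_size: int):
        assert bypass in ("auto", "off", "on")
        self.bypass = bypass        # auto = fail open, off = fail closed, on = never inspect
        self.engine_up = True       # state of the analysis software
        self.events = deque(maxlen=buffer_size)  # circular: oldest event is overwritten
        self.next_id = 1
        self.overwritten = 0

    def forward(self, packet: bytes) -> tuple:
        """Return (disposition, inspected) for one packet crossing the inline pair."""
        if self.bypass == "on":     # debugging mode: pass everything, inspect nothing
            return "forwarded", False
        if not self.engine_up:
            # auto keeps the network up but uninspected; off keeps it secure but down
            return ("forwarded", False) if self.bypass == "auto" else ("dropped", False)
        if b"ATTACK" in packet:     # toy signature standing in for real analysis
            self._record("deny %r" % packet)
            return "dropped", True
        return "forwarded", True

    def _record(self, text: str) -> tuple:
        if len(self.events) == self.events.maxlen:
            self.overwritten += 1   # an unread event may be lost at this point
        event = (self.next_id, text)
        self.events.append(event)
        self.next_id += 1
        return event

    def pull(self, last_seen: int) -> list:
        """Pull model: hand over every buffered event newer than the console's last id."""
        return [ev for ev in self.events if ev[0] > last_seen]


class Console:
    def __init__(self):
        self.up = True
        self.received = []


def bypass_behaviour(bypass: str, engine_up: bool) -> list:
    """Fate of a benign packet and an attack packet under one bypass setting."""
    sensor = InlineSensor(bypass, buffer_size=8)
    sensor.engine_up = engine_up
    return [sensor.forward(p) for p in (b"GET / HTTP/1.0", b"ATTACK")]


def outage_run(model: str, buffer_size: int, events_during_outage: int) -> dict:
    """Generate one event, take the console down for N events, then bring it back."""
    sensor, console, last_seen = InlineSensor("auto", buffer_size), Console(), 0

    def attack(i):
        sensor.forward(b"ATTACK-%d" % i)
        if model == "push" and console.up:   # sensor sends at once; no console, no event
            console.received.append(sensor.events[-1])

    def sync():                              # pull: the console fetches when it is ready
        nonlocal last_seen
        if model == "pull" and console.up:
            for ev in sensor.pull(last_seen):
                console.received.append(ev)
                last_seen = ev[0]

    attack(0)
    sync()
    console.up = False
    for i in range(1, events_during_outage + 1):
        attack(i)
    console.up = True
    sync()
    generated = sensor.next_id - 1
    return {"generated": generated, "delivered": len(console.received),
            "lost": generated - len(console.received),
            "overwritten": sensor.overwritten}
```

`bypass_behaviour("auto", False)` forwards both packets uninspected, `bypass_behaviour("off", False)` drops both, and `bypass_behaviour("on", True)` forwards both without inspection even though the engine is healthy. For the console, `outage_run("push", 100, 50)` delivers only the single event that preceded the outage, `outage_run("pull", 100, 50)` delivers all 51 because the buffer outlasts the outage, and `outage_run("pull", 10, 50)` loses 40 events because the 10-slot buffer wrapped before the console polled again: the pull model protects you only while the buffer is larger than the number of events generated during the longest console outage.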