Step 2: Predeployment Planning


Good planning is a critical factor in the success of any IPS deployment. Planning must start well before the implementation begins, and the plan needs to be continually reviewed and updated during the entire project. ACME invites the relevant stakeholders to a series of NIPS project planning meetings. During the meetings, they take care of the following:

  • Review the security policy

  • Define deployment goals

  • Select and classify sensor deployment locations

  • Plan for ongoing management

  • Choose the appropriate management architecture

Review the Security Policy

Chapter 4, "Security in Depth," describes corporate security policies. Your security policy guides all of your major decisions during a NIPS deployment. If you don't have a security policy, strongly consider creating one. Without it, your deployment is likely to take much longer and be far more difficult. Additionally, if you need to take corrective actions with an employee, a written policy describing what is considered acceptable use might also be required.

Luckily, ACME has a well-documented and up-to-date security policy. It started its planning session with a review of the security policy in light of Cisco NIPS components and capabilities. The intent of this review session was to begin thinking about the following:

  • Which items in the security policy Cisco NIPS might be able to address

  • Whether the security policy needs to be updated to reflect NIPS capabilities

  • Which policy changes govern the operation of Cisco NIPS at ACME

Define Deployment Goals

It is important to have a well-defined set of measurable goals before the implementation begins. Goals give the stakeholders something to actively work toward and a way to measure the progress of the project. You also use them to restrict the scope of the project. Any decision or product functionality that does not contribute to the achievement of one of the goals should not be a part of the implementation (unless you decide to add a goal that it does address).

Most of the goals you define for the project, such as deadlines, budgets, and so forth, are the same for any project. However, two goals are related specifically to NIPS deployments:

  • Security posture

  • Problems to solve

Security Posture

The first goal you should define is, in a general sense, where you want to fall in the security versus operability spectrum. This spectrum refers to the idea that, for the most part, as security increases, the ease of operability decreases, which can result in an undesirable impact on the users of your network. Try to characterize your organization's overall philosophical approach to security (commonly known as your security posture). To characterize your security posture, think about the following:

  • What people, time, and dollar resources your organization can expend for security efforts

  • The functionality that users need to perform their jobs

  • The organization's overall vulnerability level

  • The value of the information the security tools protect

  • The likelihood of attack

A NIPS typically operates so that all traffic is permitted by default and only malicious traffic is denied, whereas a firewall typically operates the opposite way: it permits only traffic that has been specifically allowed and denies everything else. A NIPS can certainly be configured to operate more like a deep-inspection firewall, just as a firewall can be configured to be more permissive. Using the following implementation examples to illustrate the process, try to classify your organization as default deny or default allow:

  • A default deny organization starts by denying everything. Then, necessary applications and their traffic are permitted only after they have been approved. The approval process determines that specific applications are both vital to business operation and do not adversely impact the overall security of the network. Users are only able to establish outbound connections through the IPS on specific ports using specific protocols. Inbound connections from the Internet are limited by port, protocol, and destination IP address (if allowed at all). Default deny organizations have the resources to make frequent changes to the IPS configuration in response to changing needs. Users are accustomed to having their change requests declined and having to wait for approved changes to occur. The information protected by the IPS is so critical and at such high risk that the default deny approach is necessary.

    Example organizations include banks, government intelligence agencies, and utility companies.

  • Default allow organizations start by allowing everything. Then, when traffic is determined to be a significant security risk, it is denied on the network. Virtually all inbound connections are also permitted, except for those that are known to be dangerous. Default allow organizations have extremely limited resources to expend managing the IPS, so the configuration is designed to require almost no changes over time. Users never need to make change requests because almost everything is permitted. The information protected by the IPS is not particularly important, and the risk of attack is low.

    Example organizations include portions of educational institutions and some volunteer groups.

Note

Many attacks, such as worms, indiscriminately attack IP addresses on the Internet. These IP addresses might belong to a wide range of organizations, making any organization the potential target of an attack.


When ACME started to characterize its organization, it quickly realized that it more closely matches the profile of a default allow organization. At ACME, the following statements are true:

  • It currently allows almost any outbound connection through the firewall, except for certain types such as common peer-to-peer (P2P) file-sharing connections, and anticipates using the IPS in the same mode.

  • All inbound connections through the firewall are blocked except for a small number of demilitarized zone (DMZ) applications.

  • Each member of the information security staff is trained to manage multiple technologies and projects because there aren't enough of them to dedicate resources to any one technology.

  • A procedure is in place to request changes to the firewall configuration, but it is fairly simple. Most of the time, the requestor just sends an e-mail to the security staff requesting the change. This same procedure is expected to work with IPS.

  • Most of the information behind the firewall is not confidential. ACME does have trade secrets, financial information, and employee personal information that should be protected, but that's about it.

  • ACME is not subject to any specific regulatory requirements.

Problems to Solve

The second goal you need to define clearly is the purpose of the implementation. Start by identifying the problems NIPS should solve. Maybe the only problem you want NIPS to address is to identify if internal ACME users are launching attacks against fellow employees or other systems on the Internet. Perhaps your corporate security policy includes some restrictions that NIPS could enforce (such as preventing peer-to-peer applications from sending traffic through your firewall using port 80). Try to make as thorough and detailed a list as possible.

The following list indicates some sample problems that can be solved using either a host-based IPS or a NIPS:

  • Prevent mobile users from infecting other machines when they attach their system to the corporate network

  • Control the flow of confidential data out of the organization

  • Control the internal and external propagation of viruses, worms, and Trojans

  • Conserve network bandwidth by preventing the use of P2P file-sharing applications

  • Enforce corporate acceptable use policies

At ACME, the list of security-related problems that need to be solved never seems to shrink. Every time one problem is solved, another is added to the list. At a stakeholders' meeting, they put their list of 20 or so potential security initiatives on the whiteboard and eliminated the ones that NIPS could not help with. They ended up with eight problems that NIPS could solve.

After some discussion, they decided that as a default allow organization with limited resources, they should not try to tackle all eight problems at once. Instead, they put the eight problems in order of importance and eliminated the bottom four. The following goals were left for the implementation:

  1. ACME went through a lengthy legal battle in which one of its employees attacked various Internet servers from the ACME network. ACME barely managed to avoid serious monetary damages. It would like to detect and stop attacks launched from its internal network toward other systems on the Internet.

  2. P2P file-sharing applications are becoming a nuisance because they are using a significant percentage of ACME's available Internet bandwidth. ACME tried to block the connections using its firewall, but it wasn't successful because the P2P programs can use any port. It wants to prevent users from downloading music and movies from the Internet using P2P file-sharing applications.

  3. ACME just deployed Voice over IP (VoIP) to the headquarters facility and the large sales offices. ACME is afraid that the VoIP network might be attacked from internal or external users. It wants to detect and stop common attacks launched from the data VLAN (which houses the users' computers) to either the voice VLAN or the server VLAN.

  4. ACME wants to prevent the spread of network worms and viruses both on the internal networks and from the Internet. This protection supplements the Host Intrusion Prevention Systems (HIPS) and antivirus software already installed on many of the hosts throughout ACME's network.

Select and Classify Sensor Deployment Locations

After having established your goals for the project, move on to the next predeployment task, which is to determine where and which type of IPS sensors to deploy on the network. ACME decides to break down the sensor deployment into the following four types of sites:

  • Austin headquarters site

  • Large sales office sites (New York, Atlanta, Chicago, Portland, and San Diego)

  • Manufacturing sites (DeKalb, Midland, Gary, Huntsville)

  • Small sales office sites

Austin Headquarters Site

The headquarters site is a major component of the ACME network. All the other sites communicate with each other via the headquarters network. The core of the headquarters network is a Catalyst 6500 switch. ACME decides to deploy two IDSM-2s in this switch to monitor the internal VLANs at the headquarters facility. It also decides to deploy a Cisco IPS 4255 sensor to monitor the public servers and attacks outside the perimeter firewall, because many of these attacks are not seen on the internal network (they are blocked by the perimeter firewall). Because the number of attacks directed toward the outside of the firewall is likely to be high, ACME decides to initially focus only on virus and worm detection. Gradually, ACME plans to add other important signatures as well.

Note

ACME's security policy clearly outlines which traffic is allowed to its publicly accessible servers, such as its web server and mail server. ACME plans to utilize IPS to provide analysis on this allowed traffic to gain an extra measure of protection against attacks that use these easily accessible traffic channels. The Cisco IPS 4255 sensor running in in-line mode prevents many attacks directed to the corporate web server.


The IDSM-2 sensors can detect attacks launched from the data VLAN to either the server VLAN or the voice VLAN. Cisco IPS also supports signatures that detect P2P traffic. These signatures can identify and stop traffic for common P2P applications. The Cisco IPS 4255 sensor can monitor all the attacks being launched against the ACME network.

Large Sales Office Sites

ACME has five large sales office sites in the following locations:

  • New York, New York

  • Chicago, Illinois

  • Portland, Oregon

  • San Diego, California

  • Atlanta, Georgia

ACME decides to use a single Cisco IPS 4255 at each large sales office. Each of these sensors is deployed with four monitoring interfaces. This enables each sensor to operate in in-line mode at the following locations:

  • Access to data VLAN

  • Access to voice VLAN

When the Cisco IPS 4255 supports eight monitoring interfaces, ACME plans to add four more interfaces and use one of the new interfaces to promiscuously monitor attacks detected outside the perimeter firewall and two more to provide in-line monitoring for the server VLAN.

Manufacturing Sites

ACME has four manufacturing facilities located in the following cities:

  • DeKalb, Illinois

  • Midland, Texas

  • Gary, Indiana

  • Huntsville, Alabama

At each manufacturing site, ACME decides to deploy a Cisco IPS 4240. Each sensor uses two interfaces to operate in in-line mode at the inside of the perimeter firewall. Another interface operates in promiscuous mode to monitor attacks outside the perimeter firewall.

Small Sales Office Sites

ACME has approximately 20 small sales offices spread across the United States. Each of these sites is connected to the headquarters facility over an IPsec tunnel. ACME decides to implement IOS-IPS in the perimeter router at each small sales office.

Plan for Ongoing Management

It is crucial to think about the ongoing management of your NIPS after it has been implemented. Try to decide who is going to take over sensor administration when the project is finished. Also, decide where the administrators are to be physically located and who has responsibility for what types of administration. If you can plan for ongoing management at this stage in the project, you can involve the future administrators in the deployment early on, so that they are ready to go when it is finished.

ACME decided that four members of the corporate security team are to be responsible for sensor administration, event monitoring, and incident response. All NIPS devices are to be managed and monitored from the ACME headquarters. All the personnel who are to manage the sensors post-deployment are located at ACME headquarters. Using CS-MARS, the security personnel are able to correlate all of their security-related events, such as NetFlow data and syslog messages as well as IPS alerts.

Choose the Appropriate Management Architecture

The final predeployment planning task is to architect the solution that is going to manage the NIPS sensors. Be careful and take your time finishing this task. If you don't plan well and realize later that your management should be different, it can be difficult to change after sensors are deployed and actively managed. At least five factors affect your choice of management architecture:

  • Number of sensors: The number of sensors the management solution should support. Make sure to plan for future needs when you select the number. For example, if you want this solution to be in place for at least three years, the number of sensors it should support is the number of sensors you expect to have deployed in three years.

    Remember that the IPS MC can be implemented in a single-server manner. A single server supports up to 300 sensors. To support more sensors than that, you must deploy several IPS MCs.

  • Geographical distribution: Your company might have only one location, it might have several offices within one country, or it could have hundreds of branches across the globe. Consider how many sensors are at each branch and how much network bandwidth each location has.

    If your company is widely distributed and the branches have limited network connections, you might decide to manage the branch sensors individually (instead of centrally from your headquarters location). Managing and monitoring each branch individually increases the burden of correlating events across your entire network.

    If the company is not distributed, or is distributed but has reliable network connections between the branches and headquarters, a single IPS MC probably makes more sense. Large organizations might have a number of network operation centers (NOC), each of which would be a suitable location for its own IPS MC, as needed for the number of sensors each NOC is expected to support.

  • Administrative model: In the prior section of this chapter, called "Plan for Ongoing Management," you identified which people manage the NIPS after the implementation is finished. The location of the people who manage the solution and what sensors they are responsible for can impact your management architectural choices.

    For example, if you choose to have headquarters personnel manage branch sensors, it is logical to locate the management solution at headquarters. If you have multiple branches and choose to have personnel at each branch administer their own location, branch sensor management can be handled on an individual sensor basis unless the number of sensors requires the deployment of an IPS MC at the larger branch locations.

  • Budget: The amount of money you have earmarked for the management solution. The budget also includes the number of people that you plan to use to configure and monitor your IPS solution.

  • Uptime requirements: Your organization might have a policy requiring all management solutions to meet certain availability requirements. To achieve the requirements, you might need to consider management architectures that are more suited to high availability and fail more gracefully than others.

The entire ACME NIPS solution involves the following sensors (see Figure 10-2):

  • Two IDSM-2 (headquarters)

  • One IPS 4255 (headquarters)

  • Five IPS 4255 (large sales offices)

  • Four IPS 4240 (manufacturing sites)

  • Twenty IOS-IPS Sensors (small sales offices)

Figure 10-2. ACME IPS Network Configuration


These sensors can easily be managed by a single IPS MC system.
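The interface budgeting from the sensor-placement sections (in-line pairs versus promiscuous spans on the IPS 4255 and 4240) and the IPS MC sizing rule from this section (300 sensors per server, sized for the three-year footprint), worked through as an added example. This is not the book's code; the IPS 4240 port count and the growth rate are assumptions, and the HQ sensors are counted for fleet size only because the chapter does not itemise their interface layout.

```python
"""Added planning model for the ACME NIPS case study (example code, not the
book's). It checks (1) that a site's in-line pairs and promiscuous spans fit
the sensor's monitoring interfaces and (2) how many IPS MC servers the fleet
needs (one IPS MC manages at most 300 sensors; size for the 3-year footprint)."""
from dataclasses import dataclass
import math

IPS_MC_MAX_SENSORS = 300          # single-server IPS MC limit from the chapter

@dataclass
class SensorPlan:
    platform: str
    monitoring_interfaces: int    # interfaces physically available
    inline_pairs: int = 0         # each in-line segment consumes 2 interfaces
    promiscuous: int = 0          # each promiscuous span consumes 1 interface

    def interfaces_needed(self) -> int:
        return 2 * self.inline_pairs + self.promiscuous

    def fits(self) -> bool:
        return self.interfaces_needed() <= self.monitoring_interfaces

@dataclass
class Site:
    name: str
    sensors: list        # SensorPlan objects at one site of this type
    count: int = 1       # number of identical sites

def fleet_size(sites: list) -> int:
    return sum(s.count * len(s.sensors) for s in sites)

def plans_that_do_not_fit(sites: list) -> list:
    """(site, platform) pairs whose layout needs more interfaces than exist."""
    return [(s.name, p.platform) for s in sites for p in s.sensors if not p.fits()]

def ips_mcs_required(sensor_count: int, years: int = 3, annual_growth: float = 0.0):
    """Return (IPS MCs needed, projected sensor count) after `years` of growth."""
    projected = math.ceil(sensor_count * (1 + annual_growth) ** years)
    return math.ceil(projected / IPS_MC_MAX_SENSORS), projected

# ACME's plan from the chapter: the large-sales-office IPS 4255 has four ports
# today (in-line on data and voice VLANs); the future layout adds a promiscuous
# span outside the firewall plus an in-line pair for the server VLAN.
SALES_4255_TODAY = SensorPlan("IPS 4255", 4, inline_pairs=2)
SALES_4255_FUTURE = SensorPlan("IPS 4255", 4, inline_pairs=3, promiscuous=1)
MFG_4240 = SensorPlan("IPS 4240", 4, inline_pairs=1, promiscuous=1)   # 4 ports assumed
ACME_SITES = [
    Site("Austin HQ", [SensorPlan("IDSM-2", 0), SensorPlan("IDSM-2", 0),
                       SensorPlan("IPS 4255", 0)]),   # layout not itemised; count only
    Site("Large sales office", [SALES_4255_TODAY], count=5),
    Site("Manufacturing", [MFG_4240], count=4),
    Site("Small sales office", [SensorPlan("IOS-IPS router", 0)], count=20),
]
if __name__ == "__main__":
    print(fleet_size(ACME_SITES), SALES_4255_FUTURE.fits(), ips_mcs_required(32))
```

The future 4255 layout needs seven interfaces, so `SALES_4255_FUTURE.fits()` is False on today's four-port sensor and becomes True once eight are available, which is the constraint ACME is waiting on.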




Intrusion Prevention Fundamentals
ISBN: 1587052393