Good planning is a critical factor in the success of any IPS deployment. Planning must start well before the implementation begins, and the plan needs to be continually reviewed and updated during the entire project. ACME invites the relevant stakeholders to a series of NIPS project planning meetings. During the meetings, they take care of the following:
Review the Security Policy

Chapter 4, "Security in Depth," describes corporate security policies. Your security policy guides all of your major decisions during a NIPS deployment. If you don't have a security policy, strongly consider creating one. Without it, your deployment is likely to take much longer and be far more difficult. Additionally, if you need to take corrective actions with an employee, a written policy describing what is considered acceptable use might also be required. Luckily, ACME has a well-documented and up-to-date security policy. It started its planning session with a review of the security policy in light of Cisco NIPS components and capabilities. The intent of this review session was to begin thinking about the following:
Define Deployment Goals

It is important to have a well-defined set of measurable goals before the implementation begins. Goals give the stakeholders something to actively work toward and a way to measure the progress of the project. You also use them to restrict the scope of the project. Any decision or product functionality that does not contribute to the achievement of one of the goals should not be a part of the implementation (unless you decide to add a goal that it does address). Most of the goals you define for the project, such as deadlines, budgets, and so forth, are the same for any project. However, two goals are related specifically to NIPS deployments:
Security Posture

The first goal you should define is, in a general sense, where you want to fall in the security versus operability spectrum. This spectrum refers to the idea that, for the most part, as security increases, the ease of operability decreases, which can result in an undesirable impact on the users of your network. Try to characterize your organization's overall philosophical approach to security (commonly known as your security posture). To characterize your security posture, think about the following:
A NIPS typically operates so that all traffic is permitted by default and only malicious traffic is denied, whereas a firewall typically operates the opposite way: it permits only traffic that has been specifically allowed and denies everything else. A NIPS can certainly be configured to operate more like a deep-inspection firewall, just as a firewall can be configured to be more permissive. Using the following implementation examples to illustrate the process, try to classify your organization as default deny or default allow:
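The two policy models just described, placed side by side in code, as an added example that is not from the book: a firewall that permits only flows matching an explicit allow entry (default deny), an inline NIPS that forwards everything unless a signature matches (default allow), and the two layered so that the sensor inspects only the traffic the firewall policy leaves open. The allow entries, the two signatures, the action names and the sample flows are all constructed for this illustration and are not Cisco IPS signatures or actions.

```python
"""Default deny (firewall) versus default allow (inline NIPS), layered.

Added example, not from the book. Allow entries, signatures, action names
and sample flows are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    payload: bytes = b""


# --- Firewall: default deny -------------------------------------------
# Constructed allow list: only web and mail to the public servers.
FIREWALL_ALLOW = [
    ("192.0.2.10", 80, "tcp"),    # public web server, HTTP
    ("192.0.2.10", 443, "tcp"),   # public web server, HTTPS
    ("192.0.2.25", 25, "tcp"),    # mail server, SMTP
]


def firewall_decision(flow: Flow) -> str:
    """Permit only flows that match an explicit allow entry; deny the rest."""
    for dst, dport, proto in FIREWALL_ALLOW:
        if (flow.dst, flow.dport, flow.proto) == (dst, dport, proto):
            return "permit"
    return "deny"   # nothing matched: default deny


# --- Inline NIPS: default allow ---------------------------------------
# Constructed signatures: (id, byte pattern, action). Real IPS signatures
# are far richer; these only stand in for the idea of "match, then deny".
SIGNATURES = [
    ("constructed-sig-1", b"../../", "drop-packet"),            # path traversal in an HTTP request
    ("constructed-sig-2", b"BitTorrent protocol", "drop-flow"),  # P2P handshake tunnelled over port 80
]


def nips_decision(flow: Flow) -> tuple:
    """Forward everything unless a signature matches; return (action, sig_id)."""
    for sig_id, pattern, action in SIGNATURES:
        if pattern in flow.payload:
            return (action, sig_id)
    return ("forward", None)    # nothing matched: default allow


def layered_decision(flow: Flow) -> tuple:
    """Firewall first; the inline sensor then sees only permitted traffic.

    Returns (action, deciding_device, sig_id). This is how the sensor adds
    protection on exactly the channels the firewall policy leaves open.
    """
    if firewall_decision(flow) == "deny":
        return ("deny", "firewall", None)
    action, sig_id = nips_decision(flow)
    return (action, "nips", sig_id)


# Constructed sample flows: a normal request, a traversal attempt, a P2P
# handshake on the allowed web port, and a port the firewall never opened.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Flow("203.0.113.5", "192.0.2.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Flow("203.0.113.9", "192.0.2.10", 80, "tcp", b"\x13BitTorrent protocol"),
    Flow("203.0.113.9", "192.0.2.10", 445, "tcp", b""),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {layered_decision(f)}")
```

The third flow is the case the text's P2P goal is about: the firewall permits it because it is TCP port 80 to the web server, and only the inline sensor, operating default allow but matching a signature, stops it.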
Note: Many attacks, such as worms, indiscriminately attack IP addresses on the Internet. These IP addresses might belong to a wide range of organizations, making any organization the potential target of an attack.

When ACME started to characterize its organization, it quickly realized that it more closely matches the profile of a default allow organization. At ACME, the following statements are true:
Problems to Solve

The second goal you need to define clearly is the purpose of the implementation. Start by identifying the problems NIPS should solve. Maybe the only problem you want NIPS to address is to identify whether internal ACME users are launching attacks against fellow employees or other systems on the Internet. Perhaps your corporate security policy includes some restrictions that NIPS could enforce (such as preventing peer-to-peer applications from sending traffic through your firewall using port 80). Try to make as thorough and detailed a list as possible. The following list indicates some sample problems that can be solved using either host IPS or NIPS:
At ACME, the list of security-related problems that need to be solved never seems to shrink. Every time one problem is solved, another is added to the list. At a stakeholders' meeting, they put their list of 20 or so potential security initiatives on the whiteboard and eliminated the ones that NIPS could not help with. They ended up with eight problems that NIPS could solve. After some discussion, they decided that as a default allow organization with limited resources, they should not try to tackle all eight problems at once. Instead, they put the eight problems in order of importance and eliminated the bottom four. The following goals were left for the implementation:
Select and Classify Sensor Deployment Locations

After having established your goals for the project, move on to the next predeployment task, which is to determine where and which type of IPS sensors to deploy on the network. ACME decides to break down the sensor deployment into the following four types of sites:
Austin Headquarters Site

The headquarters site is a major component of the ACME network. All the other sites communicate with each other via the headquarters network. The core of the headquarters network is a Catalyst 6500 switch. ACME decides to deploy two IDSM-2s in this switch to monitor the internal VLANs at the headquarters facility. It also decides to deploy a Cisco IPS 4255 sensor to monitor the public servers and attacks outside the perimeter firewall, because many of these attacks are not seen on the internal network (they are blocked by the perimeter firewall). Because the number of attacks directed toward the outside of the firewall is likely to be high, ACME decides to initially focus only on virus and worm detection. Gradually, ACME plans to add other important signatures as well.

Note: ACME's security policy clearly outlines which traffic is allowed to its publicly accessible servers, such as its web server and mail server. ACME plans to utilize IPS to provide analysis on this allowed traffic to gain an extra measure of protection against attacks that use these easily accessible traffic channels.

The Cisco IPS 4255 sensor running in in-line mode prevents many attacks directed to the corporate web server. The IDSM-2 sensors can detect attacks launched from the data VLAN to either the server VLAN or the voice VLAN. Cisco IPS also supports signatures that detect P2P traffic. These signatures can identify and stop traffic for common P2P applications. The Cisco IPS 4255 sensor can monitor all the attacks being launched against the ACME network.

Large Sales Office Sites

ACME has five large sales office sites in the following locations:
ACME decides to use a single Cisco IPS 4255 at each large sales office. Each of these sensors is deployed with four monitoring interfaces. This enables each sensor to operate in in-line mode at the following locations:
When the Cisco IPS 4255 supports eight monitoring interfaces, ACME plans to add four more interfaces and use one of the new interfaces to promiscuously monitor attacks detected outside the perimeter firewall and two more to provide in-line monitoring for the server VLAN.

Manufacturing Sites

ACME has four manufacturing facilities located in the following cities:
At each manufacturing site, ACME decides to deploy a Cisco IPS 4240. Each sensor uses two interfaces to operate in in-line mode on the inside of the perimeter firewall. Another interface operates in promiscuous mode to monitor attacks outside the perimeter firewall.

Small Sales Office Sites

ACME has approximately 20 small sales offices spread across the United States. Each of these sites is connected to the headquarters facility over an IPsec tunnel. ACME decides to implement IOS-IPS in the perimeter router at each small sales office.

Plan for Ongoing Management

It is crucial to think about the ongoing management of your NIPS after it has been implemented. Try to decide who is going to take over sensor administration when the project is finished. Also, decide where the administrators are to be physically located and who has responsibility for what types of administration. If you can plan for ongoing management at this stage in the project, you can involve the future administrators in the deployment early on, so that they are ready to go when it is finished.

ACME decided that four members of the corporate security team are to be responsible for sensor administration, event monitoring, and incident response. All NIPS devices are to be managed and monitored from the ACME headquarters. All the personnel who are to manage the sensors post-deployment are located at ACME headquarters. Using CS-MARS, the security personnel are able to correlate all of their security-related events, such as NetFlow data and syslog messages as well as IPS alerts.

Choose the Appropriate Management Architecture

The final predeployment planning task is to architect the solution that is going to manage the NIPS sensors. Be careful and take your time finishing this task. If you don't plan well and realize later that your management should be different, it can be difficult to change after sensors are deployed and actively managed. At least five factors affect your choice of management architecture:
The entire ACME NIPS solution involves the following sensors (see Figure 10-2):
Figure 10-2. ACME IPS Network Configuration

These sensors can easily be managed by a single IPS MC system.
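The ongoing-management section above says the ACME security team uses CS-MARS to correlate NetFlow data, syslog messages and IPS alerts. The following is an added example, not from the book and not CS-MARS code, of the simplest form of that correlation: each IPS alert is joined with firewall syslog and NetFlow records from the same source address within a time window, and the result is grouped into one incident per source, destination and signature. The three record layouts, the sensor and signature names, the sample events and the 60-second window are all constructed for this illustration.

```python
"""Correlating IPS alerts with syslog and NetFlow by source address and time.

Added example, not from the book and not CS-MARS code. The "timestamp
key=value ..." record layout, the event names and the sample data are
constructed stand-ins, not real sensor, IOS syslog or NetFlow formats.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real log output).
IPS_ALERTS = [
    "2023-06-01T10:00:05 sensor=hq-4255 sig=constructed-1001 src=203.0.113.7 dst=192.0.2.10 sev=high",
    "2023-06-01T10:00:40 sensor=hq-4255 sig=constructed-1001 src=203.0.113.7 dst=192.0.2.10 sev=high",
    "2023-06-01T10:20:00 sensor=hq-idsm2-a sig=constructed-2201 src=10.1.5.33 dst=10.1.8.20 sev=medium",
    "2023-06-01T11:00:00 sensor=mfg-4240 sig=constructed-3300 src=10.2.7.14 dst=10.2.7.1 sev=low",
]
SYSLOG = [
    "2023-06-01T10:00:07 host=fw-hq event=conn-built src=203.0.113.7 dst=192.0.2.10 dport=80",
    "2023-06-01T10:00:41 host=fw-hq event=conn-denied src=203.0.113.7 dst=192.0.2.25 dport=25",
    "2023-06-01T10:45:00 host=fw-hq event=conn-built src=203.0.113.7 dst=192.0.2.10 dport=80",
]
NETFLOW = [
    "2023-06-01T10:00:06 src=203.0.113.7 dst=192.0.2.10 dport=80 bytes=512",
    "2023-06-01T10:00:44 src=203.0.113.7 dst=192.0.2.10 dport=443 bytes=2048",
    "2023-06-01T10:19:58 src=10.1.5.33 dst=10.1.8.20 dport=445 bytes=90000",
]

WINDOW = timedelta(seconds=60)       # assumption: events within a minute of an alert belong to it
BYTES_THRESHOLD = 50_000             # assumption: transfer size that warrants a look on its own
KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split one constructed 'timestamp key=value ...' record into a dict."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(alerts, syslog, netflow, window=WINDOW) -> list:
    """Group alerts by (src, dst, sig) and attach same-source syslog and
    NetFlow records that fall inside the window around any alert in the group.
    Record indices are kept in sets so overlapping windows count each record once."""
    sys_recs = [parse(l) for l in syslog]
    nf_recs = [parse(l) for l in netflow]
    groups = {}
    for line in alerts:
        a = parse(line)
        g = groups.setdefault((a["src"], a["dst"], a["sig"]), {
            "src": a["src"], "dst": a["dst"], "sig": a["sig"], "sev": a["sev"],
            "alerts": 0, "syslog": set(), "netflow": set(),
            "first": a["ts"], "last": a["ts"],
        })
        g["alerts"] += 1
        g["first"] = min(g["first"], a["ts"])
        g["last"] = max(g["last"], a["ts"])
        for i, s in enumerate(sys_recs):
            if s.get("src") == a["src"] and abs(s["ts"] - a["ts"]) <= window:
                g["syslog"].add(i)
        for i, n in enumerate(nf_recs):
            if n.get("src") == a["src"] and abs(n["ts"] - a["ts"]) <= window:
                g["netflow"].add(i)
    incidents = []
    for g in groups.values():
        incidents.append({
            "src": g["src"], "dst": g["dst"], "sig": g["sig"], "sev": g["sev"],
            "alerts": g["alerts"],
            "firewall_events": sorted(sys_recs[i]["event"] for i in g["syslog"]),
            "bytes": sum(int(nf_recs[i]["bytes"]) for i in g["netflow"]),
            "first": g["first"], "last": g["last"],
        })
    return sorted(incidents, key=lambda r: r["first"])


def needs_attention(incident: dict) -> bool:
    """Constructed triage rule: high severity, or a large transfer alongside the alert."""
    return incident["sev"] == "high" or incident["bytes"] > BYTES_THRESHOLD


if __name__ == "__main__":
    for inc in correlate(IPS_ALERTS, SYSLOG, NETFLOW):
        print(inc["first"].isoformat(), inc["src"], "->", inc["dst"], inc["sig"],
              f"alerts={inc['alerts']} fw={inc['firewall_events']} bytes={inc['bytes']}",
              "ATTENTION" if needs_attention(inc) else "")
```

The second incident shows why the correlation is worth doing: a medium-severity IDSM-2 alert on its own might wait, but the NetFlow record two seconds earlier shows 90 kB from the same internal host to the same server, which lifts it above the triage threshold.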