Large Enterprise


In 1974, Premium Airways transported its first passengers in two propeller-driven airplanes. Since then, Premium has grown to become a national carrier with hundreds of jets in service. Most of the company's 40,000 computers are located on the headquarters campus in Tulsa, Oklahoma.

The other 10,000 hosts are scattered at airports all over the United States. Some of the systems are kiosk-type machines that passengers use to check in. Others are used by the airline operations staff at each airport. Also, each gate has a computer that is used to scan boarding passes before the passenger gets on the plane.

All of Premium's airport computers, whatever their function, connect back to the data center in Tulsa. They use a site-to-site virtual private network (VPN) to communicate with a large Microsoft SQL database cluster. Each airport has its own VLAN. Aside from that, the administrative and airport computers are not separated.

This lack of separation proved to be a problem six months ago during a very severe virus incident. Somehow, a system at headquarters was infected by the Slammer worm. The worm propagated rapidly to almost all of the SQL database servers, including the cluster that supports the airport systems.

Slammer Worm

The SQL Slammer worm attacked Microsoft database servers with unprecedented speed. It infected most of its estimated 75,000 victims within the first 10 minutes. For more information on the SQL Slammer worm, refer to Chapter 1, "Intrusion Prevention Overview."


As a result, Premium had to delay and even cancel some flights because the database that supports boarding pass scanners, check-in kiosks, and gate personnel was down. Not only that, but the worm generated so much traffic that the overall network performance was significantly reduced. Remediation was difficult because many of the network links were saturated.

Premium lost a great deal of money that day. Refunds had to be paid to passengers, the whole schedule had to be changed because planes weren't where they were supposed to be, and airplanes cost money to operate even if they aren't flying. Premium's reputation also suffered a blow when the reason for the delayed and cancelled flights made front-page news.

To make sure this wouldn't happen again, Premium re-evaluated its entire security strategy. One of the projects that came out of the re-evaluation was to implement IPS. Premium started off its IPS deployment with a meeting where the stakeholders:

  • Identified limiting factors that would impact the IPS project

  • Used the corporate security policy to identify goals for the project

  • Started high-level HIPS implementation planning

  • Started high-level NIPS implementation planning

Limiting Factors

The stakeholders at the meeting recognized two company practices that would limit the way IPS could be deployed:

  • Premium Airlines classifies technology products as either "emerging" or "standard." Emerging technology is any product that has not been running in production at headquarters for at least a year. Even if the technology has been publicly available for over a year, Premium classifies it as emerging until it has run at Premium for a year and become a standard. Emerging technology cannot be deployed at the airports for fear of implementing an unproven product on mission critical systems.

    In this case, HIPS is categorized as emerging technology, so it cannot be used at the airports. NIPS is a standard because it has been in production at headquarters for a little over a year.

  • The corporate security policy doesn't allow users to disable host security countermeasures such as antivirus software.

Security Policy Goals

During the security re-evaluation in the wake of the Slammer worm, Premium's security policy was revised. The revision included three provisions that were in direct response to what it learned during the Slammer incident:

  • Greater effort must be made to prevent viruses from infecting headquarters hosts. Antivirus software is not a sufficient countermeasure for this task.

  • The airport systems must, wherever possible, be isolated from headquarters systems. If isolation is not possible, rigorous controls must be in place to prevent headquarters security incidents from affecting airport systems.

  • The IT security team had a difficult time identifying the origin of the Slammer worm. It took several days to determine that the attack came from an internal host rather than the Internet. The security policy was modified to require that a tool be in place to help IT security quickly determine whether an attack came through the Internet connections or from an internal source.

HIPS Implementation

Premium used the limiting factors and goals it had established to start HIPS implementation planning. It was too early to get into the details, but it wanted to define:

  • Target hosts

  • Management architecture

  • Agent configuration

Target Hosts

The team immediately excluded airport hosts from the HIPS implementation for three reasons:

  • Airport hosts are not particularly vulnerable to attack because they run only an operating system and one or two applications and are kept in locked cases.

  • As part of the overall project, they will be isolated from headquarters. If the headquarters systems are infected by something, isolation should reduce the risk that the infection spills over into the airports, or vice versa.

  • HIPS is an emerging technology that can't be installed at the airports for a year anyway.

All of the 30,000 hosts at headquarters are perfect candidates for a HIPS product. The first hosts to get protection will be any systems that connect to the airports, so that they are less likely to be infected by malware. After that, the agent will be deployed to desktops, because that is where the Slammer infection originated. Finally, the rest of the hosts are covered.

Malware

Basically, malware refers to any form of malicious software. Common examples include viruses, Trojans, worms, spyware, and adware.


Management Architecture

Premium Airlines has a good-sized team of computer security experts. A portion of the security team has only one duty: to "clean up" after virus incidents. When the IPS project is finished, Premium Airlines should have fewer virus incidents, so some of the cleanup team can take over HIPS management.

The team also decided that the management architecture should have the following characteristics:

  • The management server is to be located in the Tulsa data center. Most of the agents are to be in that office, and the data center is staffed 24 hours per day.

  • They need a tiered management server to support 30,000 agents.

  • Premium has an out-of-band management network. The HIPS management server should reside on that network. Some network configuration changes will probably be required, both to secure the server and to allow the management server to connect to the agents.

Agent Configuration

The IPS project has three goals: prevent headquarters virus infections, isolate airport systems, and provide a way to identify a virus's origin. The team talked about each goal and identified agent configuration settings for each.

To stop headquarters viruses, the agent configuration has to be fairly restrictive. Also, one of the problems the team had during the Slammer incident was that the network was so saturated that they couldn't push antivirus updates out to their hosts. They had an update that would stop Slammer, but couldn't deploy it. Thus, the agent should be configured so that it can stop viruses without needing updates.

One concern with the restrictive configuration approach is that false positives could be an issue. The group decided that if they had to err, they would prefer false positives over another major virus incident. One team member suggested that one way to handle false positives would be to allow users to turn the agent off. It was a good idea, but the corporate security policy prohibited that.

To isolate airport systems, the agent is to be configured to prohibit network access to the airport systems for any hosts that do not absolutely require it. The hosts that do require access are to have their access restricted to required services. For example, databases that the airport hosts use accept connections only on database ports.

Finally, the HIPS is to be configured to log permitted but unusual network connections between hosts. Ordinarily, network connections that are permitted are not logged. The team decided that if unusual connections were logged, they could use the logs to help them identify the origin of a virus.
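The logging goal described above, together with the policy requirement to tell an internal source from an Internet one, can be put to work on the resulting logs. The following is an added example, not code from the book or from any IPS product: it assumes a constructed connection-log format, a constructed 10.0.0.0/8 internal range, and looks for the earliest host that fans out to many destinations on one service, here UDP/1434, the SQL Server port Slammer used.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample (not real traffic). Assumed line format:
#   <ISO timestamp> <src_ip> <dst_ip> <proto>/<dst_port> <sensor>
# <sensor> is "internet" for Internet-edge sensors, "core" for inter-VLAN
# sensors. A desktop fans out to UDP/1434 first, an infected server follows,
# and an outside host appears only after the internal outbreak has begun.
SAMPLE_LOG = """\
2003-01-25T05:29:00 10.1.20.55 10.1.10.5 udp/1434 core
2003-01-25T05:29:00 10.1.20.55 10.1.10.6 udp/1434 core
2003-01-25T05:29:01 10.1.20.55 10.1.10.7 udp/1434 core
2003-01-25T05:29:01 10.1.20.55 10.1.10.8 udp/1434 core
2003-01-25T05:29:02 10.1.20.55 10.1.10.9 udp/1434 core
2003-01-25T05:29:05 10.1.10.5 10.2.1.10 udp/1434 core
2003-01-25T05:29:05 10.1.10.5 10.2.2.10 udp/1434 core
2003-01-25T05:29:06 10.1.10.5 10.2.3.10 udp/1434 core
2003-01-25T05:29:06 10.1.10.5 10.2.4.10 udp/1434 core
2003-01-25T05:29:07 10.1.10.5 10.2.5.10 udp/1434 core
2003-01-25T05:31:00 203.0.113.9 10.1.10.5 udp/1434 internet
2003-01-25T05:31:01 203.0.113.9 10.1.10.6 udp/1434 internet
"""
INTERNAL = ip_network("10.0.0.0/8")  # assumed: Premium's private address space

def parse(log):
    for line in log.splitlines():
        ts, src, dst, service, sensor = line.split()
        yield datetime.fromisoformat(ts), src, dst, service, sensor

def find_origin(log, service, min_targets=5, window=timedelta(seconds=60)):
    # A host is a scanner once it reaches min_targets distinct destinations
    # on the service within window. The earliest scanner is the suspected
    # origin; it is internal if its address is in INTERNAL and an inter-VLAN
    # (not Internet-edge) sensor saw it cross the threshold.
    history = defaultdict(list)  # src -> [(timestamp, dst), ...]
    scanners = {}                # src -> (time threshold crossed, sensor)
    for ts, src, dst, svc, sensor in sorted(parse(log)):
        if svc != service:
            continue
        history[src].append((ts, dst))
        recent = {d for t, d in history[src] if ts - t <= window}
        if len(recent) >= min_targets and src not in scanners:
            scanners[src] = (ts, sensor)
    if not scanners:
        return None
    src, (_, sensor) = min(scanners.items(), key=lambda kv: kv[1][0])
    internal = ip_address(src) in INTERNAL and sensor != "internet"
    return src, "internal" if internal else "external"
```

Run against the sample, `find_origin(SAMPLE_LOG, "udp/1434")` names the headquarters desktop as the internal origin even though an outside host also probed the servers later; the threshold and window are tuning knobs, since a legitimate backup or monitoring host can also touch many servers quickly.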

NIPS Implementation

Premium deployed NIPS at the headquarters location a little over a year ago. This deployment consisted mainly of several sensors to monitor traffic between various operational VLANs on the Premium network (see Figure 11-1). It also deployed sensors to monitor its inbound Internet connections.

Figure 11-1. Initial Premium Airways Network Configuration


That initial deployment worked well, but Premium did not fully utilize the NIPS functionality because it used its sensors mainly to monitor attacks to the internal server VLAN. Only the sensors protecting the Internet connections were configured for in-line functionality. During this upgrade to the IPS solution, it plans to enhance the NIPS deployment through the following measures:

  • Deploy more sensors at the network core in Tulsa to provide in-line monitoring to all airport VLANs

  • Utilize in-line functionality to more closely regulate inter-VLAN traffic at the headquarters facility and traffic destined for airport VLANs

Sensor Deployment

Premium decides to take advantage of its existing NIPS deployment at the headquarters facility. Initially, it monitored only Internet connections and traffic destined for the server VLAN. With this upgrade, it plans to deploy in-line sensors monitoring all airport VLANs. This new NIPS functionality adds 40 sensors to the Premium NIPS deployment.

To increase the separation between the airport systems and other hosts on the Premium network, the in-line sensors are to have custom signatures developed that restrict the connections allowed to access the airport computers. Furthermore, all connections between the headquarters site and any airport site are logged by the NIPS using informational custom signatures (see Figure 11-2).

Figure 11-2. Final Premium Airways Network Configuration


NIPS Management

Premium already has NIPS deployed at its headquarters location. Presently, it is managing these five sensors using a centralized management application via an out-of-band management network. The upgrade adds 40 sensors that need to be managed. The current management infrastructure, however, can support approximately 150 sensors, so it can easily handle the extra sensors.

To improve configuration and monitoring of the NIPS deployment, Premium also decides to add three more people to the current NIPS security staff of one person.

Intrusion Prevention Fundamentals
ISBN: 1587052393