
Best Practices for Deploying Intrusion Prevention Systems

A better approach to securing networks

Contents
Introduction
Understanding deployment needs
Selecting placement points
Choosing the right IPS to meet your needs
Tuning and configuring
Ready for prevention
Other useful tips and practices
  External notification
  IPS authorized privileges
  Retention considerations
Summary


Introduction
Interest in intrusion prevention has been gaining ground since late 2006. There
are a number of reasons for this, not least of which is the thinking that a
defense-in-depth strategy is essential in any enterprise network environment.
Regulatory compliance reports and other requirements are also leading many to
consider implementing intrusion prevention systems (IPSs) as a next-generation
security technology. Whatever the reason, it is important not only to select the
right technology but to deploy it correctly. To help accomplish both objectives,
this white paper outlines the criteria for a successful IPS deployment.

First, it is important to remember that IPS can refer to network- and host-based
IPS, firewalls, and modified networking equipment like routers and switches.
Because of the limitations of certain network equipment and host-based IPS
solutions, this white paper focuses only on the best practices related to
deploying a dedicated network IPS.

Understanding deployment needs


Before deploying an IPS, there has to be an understanding of what is going to be
protected. It would be easy to say everything. However, what does everything
mean? It certainly refers to applications and servers. But it could also mean
printers, desktops, routers, switches, or IP infrastructure like mail, DHCP and
DNS servers, and other network-attached devices. The problem is that when
everything is protected by IPS, it can set up unrealistic expectations. The key is
not to plan aggressively when initially deploying IPS.

Additional rules, or more granular control, can always be implemented as
security management skill sets and understanding of network and application
functionality rise. With IPS, it is best to concentrate on the perimeter and on
externally facing services such as FTP, email, and Web services. The protected
services and resources should be the most business-critical processes, where
relying on a single mode of protection is impractical or insufficient, especially in
consideration of regulatory compliance mandates like the Sarbanes-Oxley Act, the
European Union Directive 95/46/EC and the Gramm-Leach-Bliley Act.

Once you know what you want to protect, you can then think about the things
you want to protect them from. As an example, you may already have two types
of protection against protocol-based vulnerability exploits and Trojans in the form
of a firewall and antivirus software. But you may not have the means to protect
your critical processes from brute-force attacks, application-based attacks, or
insider attacks, which could represent a targeted internal threat.

Successful IPS deployments include being able to define the threats you wish
to protect the enterprise from. Don't discount this seemingly simple notion.
Understanding the threats you want to protect your environment from has a
tremendous impact on your deployment requirements. There are classifications
for most exploits, spyware, and malware that could find their way into your
environment. It is important to classify threats so that they can be dealt with
effectively as a group whenever possible. Managing threats individually can be
daunting. However, at many levels there are often commonalities between threats
in how they act, infect, and spread.


A subset of the threat classification may include:

- Authentication and authoritative issues. This could include:
  - Privileged access: acquiring administrative credentials (such as root)
    without proper authorization
  - User access: acquiring the credentials of a user without proper authorization
- Malware. This could include:
  - Worms: matching known service exploits or perhaps acting similar to a
    known exploit
  - Code execution: the execution of arbitrary exploit code on a targeted
    system that may install unwanted components such as keyboard loggers
- Denial of Service (DoS): denies service to legitimate users. This could include:
  - Ping of death
  - SYN flood
- Best practices violations: not malicious activity, but something that violates
  best security practices, such as a username with no password or a banner that
  indicates a vulnerable software version. This could also include:
  - Security policy violations: this could be characterized by instant
    messaging, streaming video, or logging into a system or application from an
    unauthorized subnet. This could be expanded to seeing traffic that indicates
    a firewall or other security policy enforcement point has not been configured
    correctly or has been compromised
  - Password lengths and the proper mix of letters and numbers
  - Information gathering as a prelude to an attack
  - Accessing data or attempting to move restricted files, directories, or data
- Application-based attacks: attempts to exploit vulnerabilities in certain kinds
  of servers by means of buffer-overflow and injection-attack attempts, including:
  - Web-based injection attacks that try to gain access to information or
    privileges outside the domain of the application
  - Buffer-overflow attacks aimed at general applications or services
  - DNS usurping and spoofing
A method classified above is often preceded by a discovery or reconnaissance
effort by the threat. These efforts determine for a potential attacker whether
some part of your infrastructure is vulnerable. They could also allow the
tailoring of exploits to your specific type of system. Many discovery efforts are
so elaborate that they can even determine whether your vulnerable component is
capable of spreading infection, influence, or control to other systems and
components.

You will need to invest time tuning your IPS to your specific environment. Of the
aforementioned classifications, authentication, malware, and DoS are relatively
easy to implement. Keep in mind that establishing best practices by changing user
behavior will require some education and is best accomplished in modest
segments. Best practices violations and application-level attacks are far more
insidious and are very important to catch early. Remember that every time you
patch those applications or make a change to your policies, you may need to
retune.


Selecting placement points


Placement of sensors is vitally important for a successful IPS deployment. Where
should you put IPS devices to maximize their effectiveness? Anywhere your
infrastructure or applications are unjustifiably at risk; these areas would be likely
targets. Typically, IPS devices are deployed:
1. Behind firewalls and WAN routers
2. In front of server farms or similar collections of resources
3. At other network access points

By concentrating on these critical points, you will reap greater rewards from your
initial deployment. The reason for this is that most compliance requirements focus
on the ingress and egress points to the network core. Also, deploying IPS at these
choke points in the network provides maximum protection opportunities because
they carry the most network traffic. WAN router points are excellent candidates
for IPS deployment as they are often the ingress points for exploits from remote
sites, where you have little direct control and perhaps no authoritative control. If
a remote site or business partner site is compromised, you are often defenseless
against an infection already running rampant at that location. If extranet or
trading partner VPNs are a recurring source of vulnerability, you should review
the advantages of a firewall-integrated IPS function like VPN-1 with SmartDefense
protections.

In addition to server farms and other hardened access points, a connection from
a wireless warehouse application is another type of access area. BlackBerry
servers or handheld wireless barcode readers are examples of this. These areas
are especially vulnerable points within any infrastructure. They often mark
boundaries within your network and may represent services and devices that
cannot be protected by other methods. These boundaries also represent additional
logical and physical responsibilities. These access points signify hard-to-secure
applications or services. However, they must be protected.

Choosing the right IPS to meet your needs


Not all network IPS systems are created equal. With the myriad of vendor claims,
confusion can arise from the process of selecting the right IPS for your needs. The
following points are key criteria to consider when choosing an IPS:

- Detection accuracy: when considering IPS, it's easy to overlook the fact that
  to do prevention right, you need accurate, granular detection. Pay attention
  to on-the-wire detection capabilities and detection-test-accuracy scores,
  because unlike intrusion detection systems (IDS), where a false positive is
  merely frustrating, an IPS false positive can have a direct impact on business.
- Bandwidth requirements: instead of getting caught up in speeds and feeds,
  consider the bandwidth requirements of your network. If the link to your remote
  site is a T3 line, it does not make sense to place a multi-gigabit-capable device
  at that point. However, regardless of advertised bandwidth, always validate that
  the device meets your need in active inline mode rather than simply in passive
  monitoring mode.
- Management platform: often when evaluating IPS, the focus is on appliances
  and sensors with no consideration of the overall management platform. The
  situational visibility necessary to effectively manage network-wide intrusion
  prevention, provide automated signature updates, deploy upgrades, and
  configure policies should all be accounted for as part of your evaluation.
- Tuning flexibility: it is important that you have power and flexibility when
  tuning IPS, particularly the ability to tune prevention/blocking to a qualitative
  or confidence score that will help mitigate concerns regarding false positives.
  Review your architectural decision: will your selected architecture be able to
  meet the detection and processing requirements of evolving threats?
- High availability: in the IPS model, ensuring appliance high availability is a must.
  The appliance should have the requisite zero-power fail-open options. However, in
  organizations where security is business critical, you should also give attention
  to the need for high availability throughout your overall IPS architecture. For
  instance, the server components should offer failover capability.
- Scalability: weigh scalability based on the size of your environment and your
  plans for expansion. If you are running more than a nominal number of sensors,
  or if you have plans to grow your deployment substantially, ensure the overall
  architecture scales to meet your needs.
- Reporting: in view of regulatory compliance requirements, the ability to
  report on the state of known attacks, protection coverage, remediation, and
  vulnerabilities has become a critical need.

If you consider these seven key criteria, you will be able to make the right selection
for initial deployment.

Tuning and configuring


Once your system is installed, you may be tempted to turn on every available
inspection method. However, this is not the ideal way to configure your system.
Remember the business objectives and the earlier classifications. Enable just
one group at a time, starting with the ones that you know are most likely to impact
business operations. Then examine the sensor alerts, watching for just those
classification exploits. You will likely gain insight into your network that you
never had before, even if you regularly run vulnerability scans or penetration
tests.

Explore these alerts and verify whether they are true positives or false positives.
If they are false positives, tune the entire system or just the specific systems
involved with the false positive. Typically, this can be done by using the IP
addresses of the source and destination systems involved in the alert. You may
choose to configure your IPS to ignore the traffic entirely (whitelist it) or to
record the event but not report it to the console. You can also directly modify
the applications causing the event and thus eliminate the alerts at the source.
Once you complete this for one alert classification, enable more groups and
repeat the process.


This process should also account for the confidence score that a particular
detected event is actually malicious. Some products have this capability built in
and offer a more granular level of tuning. This can be tremendously beneficial
because it allows you to configure the level of prevention based on the
confidence score associated with a given security event. An attack with a known
signature match should get a high confidence score, while suspicious activity that
is ambiguous in nature will be given a lower confidence score. As the user, you
could set the IPS to block attacks that score 90 percent or higher. This ensures
that you can prevent serious attacks while not risking the possibility of
inadvertently blocking legitimate traffic.
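As an added illustration of the tuning loop described in this section (this is not code from the paper or from any Check Point product), the Python below enables one classification group at a time, suppresses confirmed false positives by the source/destination pair involved, either ignoring the traffic or recording it without reporting to the console, and applies the 90 percent confidence threshold for blocking. The alert fields, classification labels and sample alerts are assumptions constructed for the example.

```python
"""Incremental IPS tuning (added example, not a vendor schema): enable one
threat classification at a time, triage the alerts it produces, and suppress
confirmed false positives by the (source, destination) pair involved.
Alerts below are constructed; the field names and the 0-100 confidence
score are assumptions about what a sensor exports."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Alert:
    classification: str   # e.g. "malware", "dos", "authentication"
    signature: str
    src: str
    dst: str
    confidence: int       # sensor's confidence that the event is malicious, 0-100

@dataclass
class TuningPolicy:
    enabled_groups: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)     # pairs ignored entirely
    record_only: set = field(default_factory=set)   # pairs logged, not sent to console
    block_threshold: int = 90                       # block at 90 percent or higher

    def enable_group(self, group):
        self.enabled_groups.add(group)

    def decide(self, alert):
        """Return one of: 'ignore', 'record', 'alert', 'block'."""
        if alert.classification not in self.enabled_groups:
            return "ignore"          # group not yet under review
        pair = (alert.src, alert.dst)
        if pair in self.whitelist:
            return "ignore"          # confirmed false positive, tuned out
        if pair in self.record_only:
            return "record"          # keep the evidence, spare the console
        if alert.confidence >= self.block_threshold:
            return "block"           # known signature match, high confidence
        return "alert"               # ambiguous: surface it, do not block

def triage(policy, alerts):
    """Apply the policy to a batch of alerts and tally the decisions."""
    counts = {"ignore": 0, "record": 0, "alert": 0, "block": 0}
    for a in alerts:
        counts[policy.decide(a)] += 1
    return counts

# Constructed sample alerts (not real sensor output).
SAMPLE_ALERTS = [
    Alert("malware", "Worm.SMB.KnownExploit", "198.51.100.7", "10.0.1.20", 97),
    Alert("malware", "Suspicious.Exec.Pattern", "10.0.3.14", "10.0.1.21", 62),
    Alert("dos", "SYN.Flood", "203.0.113.9", "10.0.1.20", 95),
    Alert("authentication", "Root.Login.Ext", "10.0.3.99", "10.0.1.5", 80),
    # A nightly backup job that trips a generic signature: a false positive.
    Alert("malware", "Generic.Shellcode", "10.0.2.50", "10.0.1.30", 91),
]

if __name__ == "__main__":
    policy = TuningPolicy()
    policy.enable_group("malware")                        # first group only
    print("malware enabled:", triage(policy, SAMPLE_ALERTS))
    policy.whitelist.add(("10.0.2.50", "10.0.1.30"))      # backup host verified benign
    print("after whitelist:", triage(policy, SAMPLE_ALERTS))
    policy.enable_group("dos")                            # next group, repeat
    print("dos enabled:   ", triage(policy, SAMPLE_ALERTS))
```

The whitelist and record-only entries are keyed on the exact source/destination pair rather than on the source alone, so tuning out a backup job does not also hide that host if it later starts talking to a system it has no business reaching.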
Once you have done your initial tuning and any necessary remediation, you may
think you are ready for the next step. But many applications do not run all the
time, where they would be seen early and often by an IPS. Many, like backups, run
only at night or on odd days. Financial and payroll applications may only run
weekly or monthly. Accounting packages may only run at month-, quarter-, or
year-end. So, although the bulk of the tuning can be done at the beginning, you
will most likely have to revisit this process over the course of the next few days,
weeks, or months. A common approach is to tune initially, and then tune again one
weekend and one month- or quarter-end later.

An easy place to start is with inspection for known malware and/or malicious code
execution. This offers immediate benefits because the IPS will begin mitigating
worms and viruses at the point of deployment. It is also important to bear in mind
that systems already infected with malware can be carried into your network from
the outside. Some consideration should be given to identifying internally infected
resources. Once you have conducted your advanced tuning regarding external
threats, you can then create rules and policies for your IPS to address internal
compromised resources. Laptops are prime targets since they are often used
outside the protective corporate environment for extended periods. The backdoor
communications of these infected systems are what give them away. Certain
malware and spyware have a replication and reporting component where the
infected system tries to communicate with a master system while it tries to spread
its infection. For example, an exploit may launch its own email server and then
email its infection to every person listed in your address book. This can be
detected by looking for outgoing email traffic coming from a host not identified as
a corporate mail server. It may even be sending over a nonstandard mail port
number.
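The detection just described, as an added example that is not part of the paper or of any Check Point product: it flags internal hosts that send SMTP directly to the outside when they are not on the list of sanctioned corporate mail servers, and it recognizes SMTP on a nonstandard port from the client greeting rather than from the port number. The flow record layout, the network ranges and the sample flows are constructed assumptions.

```python
"""Detect infected internal hosts acting as their own mail servers (added
example). Outbound SMTP from any internal host that is not a sanctioned
corporate mail relay is reported, including SMTP spoken on a nonstandard
port, which is recognised from the HELO/EHLO greeting rather than the port.
Flow records and address ranges below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal range
CORPORATE_MAIL_SERVERS = {"10.0.1.25"}                       # assumed sanctioned relays
SMTP_PORTS = {25, 465, 587}
# Client side of an SMTP session opens with "HELO <host>" or "EHLO <host>".
SMTP_GREETING = re.compile(rb"^(?:EHLO|HELO)\s+\S+", re.IGNORECASE)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def looks_like_smtp(dport, payload):
    """True on a standard mail port or when the first bytes are an SMTP greeting."""
    return dport in SMTP_PORTS or bool(SMTP_GREETING.match(payload))

def find_rogue_mailers(flows, min_destinations=1):
    """Return {src: sorted external destinations} for internal, non-sanctioned
    hosts that send SMTP outbound. min_destinations lets you require fan-out
    (a worm working through an address book) before raising an alert."""
    suspects = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                                  # only internal -> external
        if f["src"] in CORPORATE_MAIL_SERVERS:
            continue                                  # the relay is allowed to do this
        if looks_like_smtp(f["dport"], f["payload"]):
            suspects[f["src"]].add(f["dst"])
    return {src: sorted(d) for src, d in suspects.items() if len(d) >= min_destinations}

# Constructed flow records: first payload bytes of each outbound connection.
SAMPLE_FLOWS = [
    {"src": "10.0.1.25",   "dst": "192.0.2.10", "dport": 25,   "payload": b"EHLO mail.example.test\r\n"},
    {"src": "10.0.5.77",   "dst": "192.0.2.11", "dport": 25,   "payload": b"HELO laptop-77\r\n"},
    {"src": "10.0.5.77",   "dst": "192.0.2.12", "dport": 25,   "payload": b"HELO laptop-77\r\n"},
    {"src": "10.0.5.77",   "dst": "192.0.2.13", "dport": 2525, "payload": b"EHLO laptop-77\r\n"},
    {"src": "10.0.5.78",   "dst": "192.0.2.20", "dport": 443,  "payload": b"\x16\x03\x01"},
    {"src": "203.0.113.5", "dst": "10.0.1.25",  "dport": 25,   "payload": b"EHLO outside\r\n"},
]

if __name__ == "__main__":
    for host, dests in find_rogue_mailers(SAMPLE_FLOWS, min_destinations=2).items():
        print(f"{host} sent mail directly to {len(dests)} external hosts: {dests}")
```

Keying on the greeting rather than the port is what catches the third laptop flow on port 2525; keying on the sanctioned-relay list rather than on "port 25 is allowed" is what keeps the genuine relay out of the report.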


Ready for prevention


Up to this point, you might think you are in good shape, having deployed an IPS
and tuned it to a high degree of confidence. You should be comfortable that the
received alerts are real attacks. As such, you can now take action. It is time to
determine how you want to eliminate the offending traffic. Examine and then make
your choices for stopping attempts before configuring a preventive response. Your
choices usually break down into three approaches:

- Drop the traffic: the packet is dropped and there is no protocol-based
  handshake with the participating parties to notify them of the event. This can
  be good news since it makes it harder for an attacker to figure out what is
  thwarting his or her efforts, and therefore harder to decide how to proceed.
- Blacklist the attacker: once an attacking source is identified, it is added to a
  list that is examined first when a packet shows up for inspection. If the packet
  matches a previous entry, no further inspection is required, and the packet can
  simply be dropped. The benefit here is less overhead for the IPS. This capability
  is an important layer in your defense against a DoS attack.
- Reset: sends TCP resets to the attacker and the intended victim so they both
  know the connection has been closed. This is the gentlest method and is often
  used for policy violations. It allows both parties' applications to recover
  gracefully.
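To make the ordering concrete, here is an added example (not from the paper and not any product's API) that models the three responses: a blacklist consulted before inspection, so repeat packets from a known source are dropped without further work; then inspection; then drop, blacklist, or a TCP reset to both ends. The signature "patterns" are constructed placeholder tokens standing in for real signatures, and the packet layout is an assumption.

```python
"""Preventive response pipeline (added example, not a product API). The
blacklist of known attacking sources is checked before any inspection, so
repeat packets from those sources cost almost nothing; other packets are
inspected and answered with drop, blacklist, or a TCP reset to both ends.
Signature tokens below are constructed placeholders, not exploit content."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    payload: bytes

# Constructed token -> (signature name, response). In a real sensor the
# response comes from the tuned policy, not from a fixed table.
SIGNATURES = {
    b"[EXPLOIT-MARKER]":   ("known-exploit", "blacklist"),
    b"[TRAVERSAL-MARKER]": ("path-traversal", "drop"),
    b"[IM-CHAT-MARKER]":   ("im-policy-violation", "reset"),
}

@dataclass
class Enforcer:
    blacklist: set = field(default_factory=set)
    inspected: int = 0                                  # packets that reached inspection
    resets_sent: list = field(default_factory=list)     # (src, dst) pairs that were reset

    def inspect(self, pkt):
        """Stand-in for deep inspection: token match on the payload."""
        self.inspected += 1
        for token, (name, response) in SIGNATURES.items():
            if token in pkt.payload:
                return name, response
        return None, "forward"

    def process(self, pkt):
        """Return the response applied: forward, drop, blacklist or reset."""
        if pkt.src in self.blacklist:
            return "drop"                  # on the list: silent drop, no inspection
        name, response = self.inspect(pkt)
        if response == "blacklist":
            self.blacklist.add(pkt.src)    # later packets from this source skip inspection
        elif response == "reset":
            if pkt.proto != "tcp":
                return "drop"              # nothing to reset on a connectionless flow
            self.resets_sent.append((pkt.src, pkt.dst))   # RST to attacker and victim
        return response

if __name__ == "__main__":
    e = Enforcer()
    attacker = Packet("203.0.113.9", "10.0.1.20", "tcp", b"GET /x [EXPLOIT-MARKER]")
    print(e.process(attacker), e.process(attacker), "inspected:", e.inspected)
    print(e.process(Packet("10.0.3.14", "10.0.1.8", "tcp", b"[IM-CHAT-MARKER] hi")),
          e.resets_sent)
```

The second packet from the blacklisted source returns "drop" with the inspection counter unchanged; that skipped work is the overhead saving the paper describes, and it is why the blacklist belongs in front of inspection rather than behind it.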

Other useful tips and practices


Here are some helpful tips and practices to keep in mind.

External notification

The first involves automatically externalizing notification. In many small- to
medium-size companies, it is impractical to dedicate a single person to
continuously watch the console. If a designated security person is available,
duties are often widespread and the console may not be kept in constant view.
Therefore, you can choose to have critical notifications externalized to a mobile
device like a wireless PDA or cell phone. The choice of what should be externalized
is based on the severity of the attack. To add to that line of thinking, you could
also categorize each event into groups based on severity:

- Attacks of opportunity: an attacker, usually an automated process, suspects
  one of your systems has a vulnerability. This is usually a random shotgun
  attempt to infect or exploit as many systems and networks as possible, like a
  worm or Trojan. These can also include the difficult-to-detect blended threats,
  where more than one type of discovery, attack, or threat replication is combined
  with others.
- Attacks of intent: an attacker has focused on a target or enterprise and will
  keep up the assault until success or the arsenal is exhausted.

If your signatures and policies are up to date, most attacks of opportunity should
be handled automatically and do not require direct notification, unless one is
targeting a specific system of high value to your business operations. Attacks of
intent are something else. Someone making a deliberate attempt to breach
corporate security or violate policies should warrant your immediate notification,
especially if the attempted breach involves a business-critical server.
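An added example of the severity grouping above (not from the paper or from any Check Point product): it sorts attacking sources into attacks of opportunity, one source spraying many distinct targets, and attacks of intent, one source hammering a single target or touching a high-value asset, and routes only the latter to a pager. The thresholds, the high-value asset list and the event sample are assumptions chosen for illustration; a real deployment would tune them to its own traffic.

```python
"""Severity-based notification routing (added example). Sources are grouped
into attacks of opportunity (one source spread across many distinct targets)
and attacks of intent (one source repeatedly hitting a single target, or any
event against a high-value asset). Only intent is paged out; opportunity is
left to automatic handling and the console log. Thresholds, the asset list
and the sample events are constructed assumptions."""
from collections import Counter, defaultdict

# Assumed inventory of business-critical systems.
HIGH_VALUE_ASSETS = {"10.0.1.5": "payroll-db", "10.0.1.20": "customer-portal"}

def classify_sources(events, intent_repeats=5, opportunity_spread=10):
    """events: (src, dst) pairs the IPS has already judged malicious.
    Returns {src: (kind, reason)} with kind in intent/opportunity/unclassified."""
    per_src = defaultdict(Counter)
    for src, dst in events:
        per_src[src][dst] += 1
    verdicts = {}
    for src, targets in per_src.items():
        hv = sorted(d for d in targets if d in HIGH_VALUE_ASSETS)
        focused = max(targets.values())            # most attempts against any one target
        if hv:
            verdicts[src] = ("intent", f"hit high-value asset {HIGH_VALUE_ASSETS[hv[0]]}")
        elif focused >= intent_repeats:
            verdicts[src] = ("intent", f"{focused} attempts against a single target")
        elif len(targets) >= opportunity_spread:
            verdicts[src] = ("opportunity", f"{len(targets)} distinct targets, sweep pattern")
        else:
            verdicts[src] = ("unclassified", "below both thresholds")
    return verdicts

def route(verdicts):
    """Attacks of intent go to the on-call pager; everything else stays in the console log."""
    routed = {"page": [], "log": []}
    for src, (kind, _reason) in sorted(verdicts.items()):
        routed["page" if kind == "intent" else "log"].append(src)
    return routed

# Constructed events: (attacking source, attacked destination).
SAMPLE_EVENTS = (
    [("198.51.100.7", f"10.0.2.{i}") for i in range(1, 13)]       # shotgun sweep of a subnet
    + [("203.0.113.9", "10.0.3.40")] * 6                           # persistent, single target
    + [("192.0.2.77", "10.0.1.5")]                                  # one hit on the payroll DB
    + [("192.0.2.78", "10.0.2.200"), ("192.0.2.78", "10.0.2.201")]  # too little to judge yet
)

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_EVENTS)
    for src, (kind, reason) in sorted(verdicts.items()):
        print(f"{src:14} {kind:12} {reason}")
    print(route(verdicts))
```

The high-value check runs before the count-based rules on purpose: the paper's exception for opportunity attacks that happen to land on a business-critical system is exactly the single event against the payroll database, which would otherwise fall below both thresholds.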


IPS authorized privileges


Another item of importance is related to privileges. An IPS is not just an appliance
that stops bad traffic: it is a point of protection and policy enforcement. As with
all critical infrastructure components and systems, each administrator should use
a separate set of credentials to gain access so that all activity and changes can be
logged and traced back to that individual, if necessary. Many IPS systems support
a hierarchical approach to managing administrative users that makes this easier.

Retention considerations

Although this is less of an issue in IPS, the last topic to consider is the retention
of alert information. To answer the retention question, start with two pieces of
information:

- Your company's policy on retaining information: look at policies that relate
  to phone records or system log files as a guide
- The recommended practices or compliance requirements that govern
  your business

Hopefully, a straightforward comparison to prevailing retention policies and
backup procedures will affirm that they align and agree. When considering how
you will retain and store this alert information, remember that some jurisdictions
will not allow IPS/IDS records to be admitted into evidence at a legal proceeding
if they have been altered in any way. If they were compressed or truncated to save
space, they may not be allowed from a forensic perspective. This may be a concern
if your organization ever has a need to use this information to prosecute or defend
an individual or organization. It is also a good idea to check with your IPS vendor
on guidelines for disk space planning.
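The following Python is added here to illustrate the retention caveat above; it is not part of the paper or of any Check Point product. It keeps a chain of SHA-256 hashes over appended alert records so that alteration of any record, or truncation of the stored history, is detectable when the archive is verified. The record fields and sample alerts are constructed, and archiving the head hash somewhere separate from the records is an assumption about how the store would be operated.

```python
"""Tamper-evident retention of IPS alert records (added example, not a
product feature). Each stored record carries a SHA-256 hash chained to the
previous record; verify_chain() detects any altered record and, given the
separately archived head hash, any truncation of the stored history.
Sample alerts and the record layout are constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64   # the hash "before" the first record

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes identically.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_record(chain, record):
    """Append a record with its chained hash; returns the stored entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry

def head_hash(chain):
    """Hash of the last entry. Archive it apart from the records (for example
    with the backup manifest) so a shortened chain can be recognised later."""
    return chain[-1]["hash"] if chain else GENESIS

def verify_chain(chain, expected_head=None):
    """Return (True, None) if intact, otherwise (False, index of the first bad
    entry); an index equal to len(chain) means the tail is missing or replaced."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

# Constructed alert records (not real sensor output).
SAMPLE_ALERTS = [
    {"ts": "2008-05-30T02:14:07Z", "sig": "Worm.SMB.KnownExploit", "src": "198.51.100.7",
     "dst": "10.0.1.20", "action": "block", "confidence": 97},
    {"ts": "2008-05-30T02:14:09Z", "sig": "SYN.Flood", "src": "203.0.113.9",
     "dst": "10.0.1.20", "action": "blacklist", "confidence": 95},
    {"ts": "2008-05-30T03:01:55Z", "sig": "IM.Policy", "src": "10.0.3.14",
     "dst": "10.0.1.8", "action": "reset", "confidence": 70},
]

def build_sample_chain():
    chain = []
    for rec in SAMPLE_ALERTS:
        append_record(chain, dict(rec))   # copy so the sample list stays pristine
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    head = head_hash(chain)
    print("intact:          ", verify_chain(chain, head))
    chain[1]["record"]["confidence"] = 10        # simulate an after-the-fact edit
    print("after alteration:", verify_chain(chain, head))
```

A hash chain does not make records admissible on its own; what it gives you is evidence that what you retained is what the sensor wrote, and a way to prove that a space-saving truncation did or did not happen. The head hash has to live somewhere the records' custodian cannot quietly rewrite, or the chain can be regenerated along with the altered record.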

Summary
Leading a successful IPS deployment will require the following steps:

- Understanding your needs for real-time threat protection
- Selecting the right IPS product for your organization
- Determining the right placement points for your IPS deployment
- Taking the time to tune your system right
- Setting up your compliance-reporting parameters
- Configuring your IPS for data retention and backup
- Periodic, but necessary, evaluation of your overall system use


About Check Point Software Technologies Ltd.


Check Point Software Technologies Ltd. (www.checkpoint.com) is a leader in securing
the Internet. The company is a market leader in the worldwide enterprise firewall, personal firewall, data security and VPN markets. Check Point's PURE focus is on IT security
with its extensive portfolio of network security, data security and security management
solutions. Through its NGX platform, Check Point delivers a unified security architecture for
a broad range of security solutions to protect business communications and resources for
corporate networks and applications, remote employees, branch offices and partner
extranets. The company also offers market leading data security solutions through the
Pointsec product line, protecting and encrypting sensitive corporate information stored
on PCs and other mobile computing devices. Check Point's award-winning ZoneAlarm
Internet Security Suite and additional consumer security solutions protect millions of consumer PCs from hackers, spyware and data theft. Extending the power of the Check Point
solution is its Open Platform for Security (OPSEC), the industry's framework and alliance
for integration and interoperability with "best-of-breed" solutions from hundreds of leading
companies. Check Point solutions are sold, integrated and serviced by a network of Check
Point partners around the world and its customers include 100 percent of Fortune 100
companies and tens of thousands of businesses and organizations of all sizes.

CHECK POINT OFFICES
Worldwide Headquarters
5 HaSolelim Street
Tel Aviv 67897, Israel
Tel: 972-3-753 4555
Fax: 972-3-624-1100
email: info@checkpoint.com
U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391 ; 650-628-2000
Fax: 650-654-4233
URL: http://www.checkpoint.com

2003-2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point
Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL,
Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance,
CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1
GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity
Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall,
Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security,
the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform
Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1,
SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard,
SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor,
SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security,
VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX,
VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence,
ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro,
ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software
Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein
are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent
No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign
patents, or pending applications.
May 30, 2008 P/N 503062
