In keeping with the theme of an earlier post about IDS/IPS, I recently attended a webinar on IDS/IPS and the best practices for implementing one in one's network. This webinar was put on by Neil Anderson, Principal Consultant, Dell SecureWorks. Here are my notes.
What is an IDS/IPS?
An IDS is passive: it monitors a copy of the network traffic for malicious activity and raises alerts, but never touches the traffic itself.
An IPS sits inline in the traffic flow of the network, which allows it to block malicious traffic as it passes through.
Characteristics of IDS/IPS
IDS
- Passive device that cannot interfere with the network.
- Generally capable of greater throughput.
- Attacks are detected, not blocked.
IPS
- Active device in the traffic path.
- Can block attacks as they happen.
- Can become a single point of failure.
- Need to be careful that legitimate traffic isn't blocked (a false positive on an inline device is an outage, not just a noisy alert).
- Sits in the middle of the network.
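To make the passive-versus-inline distinction concrete, here is a small added example (not code from the webinar or from Dell SecureWorks) that runs the same constructed signature set over the same constructed packets in IDS mode and in IPS mode. It also shows the two failure-mode choices for an inline device when its inspection engine is down: fail-open (traffic bypasses inspection) or fail-closed (traffic stops). The rules, hosts, ports and payloads are all made up for illustration.

```python
"""Toy network sensor: same signatures, passive (IDS) vs inline (IPS) handling.

Added example for illustration; rules, addresses and packets are constructed,
not real vendor signatures or captured traffic.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int          # signature id
    msg: str          # human-readable alert text
    dst_port: int     # destination port the rule applies to
    content: bytes    # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class SensorResult:
    forwarded: List[Packet] = field(default_factory=list)  # what reached the target
    alerts: List[str] = field(default_factory=list)         # what the analyst sees


# Constructed signatures (hypothetical, not a real rule set).
RULES = [
    Rule(1000001, "Web shell probe", 80, b"cmd.exe"),
    Rule(1000002, "SQL injection attempt", 80, b"UNION SELECT"),
]


def match(pkt: Packet, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule whose port and content pattern match the packet."""
    for rule in rules:
        if pkt.dst_port == rule.dst_port and rule.content in pkt.payload:
            return rule
    return None


def run_sensor(packets: List[Packet], rules: List[Rule], inline: bool,
               healthy: bool = True, fail_open: bool = True) -> SensorResult:
    """Process packets as an IDS (inline=False) or an IPS (inline=True).

    IDS: inspect a copy, always forward, only alert.
    IPS: drop any packet that matches a rule.
    If the engine is unhealthy and inline, the bypass policy decides:
    fail_open forwards everything uninspected, fail-closed drops everything.
    """
    res = SensorResult()
    if not healthy:
        if not inline or fail_open:
            res.alerts.append("sensor down: traffic passing uninspected (bypass)")
            res.forwarded.extend(packets)
        else:
            res.alerts.append("sensor down: fail-closed, all traffic dropped")
        return res

    for pkt in packets:
        hit = match(pkt, rules)
        if hit is None:
            res.forwarded.append(pkt)
            continue
        action = "DROP" if inline else "ALERT"
        res.alerts.append(
            f"[{action}] sid:{hit.sid} {hit.msg} {pkt.src} -> {pkt.dst}:{pkt.dst_port}"
        )
        if not inline:            # IDS cannot interfere, so the packet still goes through
            res.forwarded.append(pkt)
    return res


# Constructed sample traffic. The last packet is a legitimate internal upload whose
# filename happens to contain "cmd.exe": a false positive that an IDS merely flags
# but an IPS silently blocks.
SAMPLE = [
    Packet("203.0.113.5", "10.0.0.8", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.5", "10.0.0.8", 80, b"GET /scripts/..%2f..%2fcmd.exe HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.8", 80, b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("10.0.0.20", "10.0.0.8", 80, b"POST /docs/upload filename=cmd.exe.txt HTTP/1.1"),
]


if __name__ == "__main__":
    for label, kwargs in [("IDS", dict(inline=False)),
                          ("IPS", dict(inline=True)),
                          ("IPS, engine down, fail-open", dict(inline=True, healthy=False)),
                          ("IPS, engine down, fail-closed",
                           dict(inline=True, healthy=False, fail_open=False))]:
        r = run_sensor(SAMPLE, RULES, **kwargs)
        print(f"{label}: forwarded {len(r.forwarded)}/{len(SAMPLE)}")
        for a in r.alerts:
            print("  ", a)
```

Running it shows the trade-off in the bullet lists above: the IDS forwards all four packets and raises three alerts, the IPS forwards only the clean request and drops the false positive along with the two real probes, and when the engine is down the fail-open IPS lets everything through blind while the fail-closed one takes the link down. Which bypass behaviour you want depends on whether availability or inspection matters more for the segment the sensor protects.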
Why deploy an IDS or IPS
- Defense in Depth (see earlier article on definition of Defense in Depth and why it should be implemented).
- Deep packet inspection
- Audit Trail
- Inside Threats
- YOU WILL GET HACKED at some point.
Which one should I implement on my network
- Ideally you would want both on your network: one can monitor for attacks inside and out, and the other can potentially stop the attacks from happening.
Challenges to consider when implementing an IDS/IPS on your network
- Where to deploy sensors for maximum coverage.
- Where are the choke points of your network?
- Make sure that your alerts go to the right people and systems. There is no use having alerts if no one is listening.
- 24×7 monitoring will be needed.
- We are under attack: what do we do now?
- See your security policy for this. You do have one right? If not see my earlier article on why you need one and what should it cover.
Features I should be looking for in an IDS/IPS
- Look for products that can perform both functions, IDS and IPS.
- Integration with existing infrastructure: logging, SIEM integration.
- Inline bypass: what happens to traffic if the IDS/IPS goes down? Does it fail open (traffic passes uninspected) or fail closed (traffic stops)?
- Management: how easy is it to maintain and configure?
- Signature base: how often is it updated, and can custom rules be defined?
- Virtualization support.
- Consider how to deploy based on your security policy.
- What are you trying to protect?
- Where will you place the sensors: inline for high-value assets, passive monitoring for the rest.
- How will you react when your assets are attacked: Security and Incident Policy should help you here.
- Who will manage your deployments.
- Need 24×7 monitoring by a security professional.