
Intrusion Prevention Systems For Dummies® - Integrity Solutions



Making Everything Easier!

Intrusion Prevention Systems For Dummies

Learn to:
• Understand common network threats
• Select the right intrusion prevention system for your company
• Figure out how an intrusion prevention system can fit into your organization's network

Brought to you by
Steve Piper, CISSP, SFCP


These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

About Sourcefire

Sourcefire, Inc. (Nasdaq: FIRE), a world leader in intelligent cybersecurity solutions, is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. A Leader in Gartner's 2010 Network IPS Magic Quadrant and recognized by NSS Labs in 2009 and 2010 for offering best overall IPS detection, Sourcefire has received more than 60 awards and accolades. In 2011, Sourcefire was listed #15 on Forbes' annual list of America's top 25 fastest-growing technology companies — ranked highest among all IT security vendors in the United States. For more information, visit www.sourcefire.com.

Sample Sourcefire Awards & Recognitions


Intrusion Prevention Systems For Dummies

by Steve Piper, CISSP, SFCP


Intrusion Prevention Systems For Dummies®
Published by Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2011 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

ISBN: 978-1-118-00474-6

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1


Publisher's Acknowledgments

We're proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For details on licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Development Editor: Peter Gregory
Project Editor: Jennifer Bingham
Editorial Manager: Rev Mengle
Business Development Representative: Sue Blessing
Custom Publishing Project Specialist: Michael Sullivan

Composition Services
Project Coordinator: Kristie Rees
Layout and Graphics: Carrie A. Cesavice, Samantha K. Cherolis, Melanee Habig
Proofreader: Debbye Butler

Special Help from Sourcefire: Steve Kane, Richard Park, Doug Hurd, Mike Guiterman, Kimberly Connor, Chris Chon, Marc Solomon

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director

Publishing and Editorial for Consumer Dummies
Diane Graves Steele, Vice President and Publisher, Consumer Dummies

Composition Services
Debbie Stailey, Director of Composition Services

Business Development
Lisa Coleman, Director, New Market and Brand Development


Table of Contents

Introduction
    How This Book Is Organized
    Icons Used in This Book

Chapter 1: Understanding IPS
    Defining Intrusion Prevention Systems
    Passive Detection versus Inline Prevention
    Network versus Host IPS
    Common Detection Methodologies
    False Positives
    False Negatives
    Vulnerability-Based Rules versus Exploit-Based Signatures
    Open versus Closed Architectures
    Understanding IPS Components and Network Architectures

Chapter 2: IPS Attack Coverage
    Worms, Trojans, and Buffer Overflows
    Spyware, Phishing, and Botnets
    SYN Floods and Denial of Service (DoS) Attacks
    Zero-Day Attacks
    Advanced Persistent Threats (APT)

Chapter 3: Modern IPS Features
    Typical IPS versus Next-Generation IPS

Chapter 4: IPS, Virtualization, and Cloud Computing
    Benefits and Risks of Virtualization
    Securing Virtualization
    Virtualizing Security
    Securing the Cloud

Chapter 5: IPS and Regulatory Compliance
    Payment Card Industry Data Security Standard (PCI DSS)
    U.S. Health Insurance Portability and Accountability Act (HIPAA)
    U.S. Federal Information Security Management Act (FISMA)
    U.S. Sarbanes-Oxley Act (SOX)
    U.S. Gramm-Leach-Bliley Act (GLBA)
    Basel II
    SSAE16 and SAS70

Chapter 6: Selecting the Right IPS
    Common IPS Selection Criteria
    Industry-Specific Considerations
    Hardware Considerations
    Third-Party Testing

Chapter 7: Ten Ways to Lower TCO


Introduction

With this book, you get the "must have" knowledge that you need to understand how intrusion prevention systems (IPS) and emerging Next-Generation IPS (NGIPS) solutions improve the security in an organization's networks. I help you understand why they're needed and how to determine which features are most important for your organization. I also show you how to lower the total cost of ownership of an intrusion prevention system, so that it will pay for itself.

How This Book Is Organized

This book is organized so that you don't have to read it cover-to-cover, front to back. You can skip around and read just the chapters that are of interest.

✓ In Chapter 1, Understanding IPS, I explain how intrusion prevention systems work, and the ways they detect network-based attacks. I compare passive versus inline systems, and explain how they differ from firewalls.
✓ Chapter 2, IPS Attack Coverage, explains the various types of threats that IPSs are designed to detect and deflect. I explain some of the nastier threats such as zero-day and advanced persistent threats.
✓ In Chapter 3, Modern IPS Features, I explain many of the features and functions found in Next-Generation IPSs, including dashboards, reporting, management, forensics, and user identification. I also discuss nifty features such as SSL inspection, network behavior analysis, and data loss prevention.
✓ Chapter 4, IPS, Virtualization, and Cloud Computing, includes in-depth discussions of virtualization and cloud computing technologies, and the role that IPSs play to protect these new types of environments.
✓ In Chapter 5, IPS and Regulatory Compliance, I explain standards and regulations such as PCI, HIPAA, GLBA, SAS70, and FISMA, and explain how IPSs help an organization be compliant.
✓ Chapter 6, Selecting the Right IPS, is all about helping you get your IPS shopping list organized so that you can be sure to get the IPS that is right for your organization.
✓ In Chapter 7, Ten Ways to Lower TCO, I explain ten proven ways to improve your investment in an IPS.

Icons Used in This Book

This book uses the following icons to indicate special content.

You won't want to forget the information in these paragraphs.

These paragraphs provide practical advice that will help you craft a better strategy, whether you're setting up your software or planning to purchase.

Look out! When you see this icon, it's time to pay attention — you'll find important cautionary information you won't want to miss.


Chapter 1: Understanding IPS

In This Chapter
▶ Understanding today's intrusion prevention systems
▶ Comparing and contrasting IPSs and firewalls
▶ Looking at passive versus inline systems
▶ Exploring detection techniques
▶ Understanding how IPS fits into the big picture

Intrusion prevention systems (IPSs) are a critical part of an organization's overall network and systems protection strategy and a critical part of a defense-in-depth architecture. Without them, you're fighting the bad guys with one arm tied behind your back.

In this chapter, I look at the function of intrusion prevention systems and how they fit into an organization's network.

Defining Intrusion Prevention Systems

Intrusion prevention systems, or IPSs, are devices or programs that are used to detect signs of intrusions into networks or systems and take action. That action consists of generating alarms and/or actively blocking intrusions.

IPSs usually take the form of purpose-built hardware devices, software agents that run on servers, or software programs that run within virtualized environments.


Understanding the difference between IPSs and firewalls

Firewalls and IPSs are both essential tools for protecting an enterprise from intrusions. Both are needed, primarily because they're each designed to look at different things:

✓ A firewall is designed to block all network traffic except that which is explicitly allowed (a default-deny policy).
✓ An intrusion prevention system is designed to permit everything except that which is explicitly disallowed (a default-allow policy).
✓ A traditional packet-filtering firewall is designed to permit (or block) network packets based on their source, destination, and port number, regardless of the contents of each packet's payload (the contents of the message).
✓ An intrusion prevention system is designed to permit (or block) network packets based on the packet's payload.

Maybe an analogy will help here. Imagine a business building that has a lobby with a security guard, who permits personnel to enter based on who they are. The guard permits the mail carrier and the package courier to bring letters and packages into the building, but the guard doesn't examine the contents of the letters or packages. In the mailroom, a mail clerk opens all the letters and packages and examines them.

In this analogy, the guard is a firewall, permitting personnel to come and go, but doesn't examine what they're bringing in or taking out. The mailroom clerk is an IPS, because the clerk is examining the contents of each letter and package.

In the 1990s, most network-based attacks could be blocked with the combination of firewalls and anti-virus software. That isn't the case today: many new attacks are targeted directly at web applications, arriving on ports (such as TCP 80 and 443) that the firewall has to leave open for the application to work at all. These attacks can't be defended with firewalls and anti-virus software alone. Without an IPS, attacks have a significantly greater chance to succeed.
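The guard-and-mailroom split above, as an added example that is not part of the book: a toy packet-filtering firewall (default deny, header fields only) and a toy payload-inspecting IPS (default allow, pattern match on the payload) run over the same constructed packets. The packet structure, the allowlist, the two IPS rules and the sample requests are all hypothetical, chosen to show a request that the firewall must let through but the IPS stops.

```python
"""Added example (not from the book): a toy packet-filtering firewall and a
toy payload-inspecting IPS run over the same constructed packets, to show
why both are needed. Packet format, rule sets and payloads are hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    payload: bytes  # application data; the firewall never reads this


# Firewall policy: an allowlist keyed on (destination host, port).
# Anything not listed is dropped: default deny.
FIREWALL_ALLOW: Set[Tuple[str, int]] = {("203.0.113.10", 80), ("203.0.113.10", 443)}


def firewall_decision(pkt: Packet) -> str:
    """'allow' or 'drop', decided from header fields alone."""
    return "allow" if (pkt.dst, pkt.dport) in FIREWALL_ALLOW else "drop"


# IPS policy: a blocklist of payload patterns. A packet that matches no
# rule passes: default allow. Two illustrative web rules:
#   - a directory-traversal sequence in the request path
#   - a SQL tautology ("' or 1=1") in a query string
IPS_RULES = [
    ("web-path-traversal", re.compile(rb"\.\./\.\./")),
    ("web-sqli-tautology", re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]


def ips_decision(pkt: Packet) -> Tuple[str, Optional[str]]:
    """('drop', rule name) on the first matching rule, else ('allow', None)."""
    for name, pattern in IPS_RULES:
        if pattern.search(pkt.payload):
            return "drop", name
    return "allow", None


def layered_decision(pkt: Packet) -> Tuple[str, str]:
    """Firewall first, then IPS, in the order they sit on the wire.
    Returns (verdict, reason)."""
    if firewall_decision(pkt) == "drop":
        return "drop", "firewall: not in allowlist"
    verdict, rule = ips_decision(pkt)
    if verdict == "drop":
        return "drop", "ips: " + str(rule)
    return "allow", "passed firewall and ips"


# Constructed traffic. Port 23 is stopped by the firewall alone; the
# traversal and SQLi requests arrive on ports the firewall must leave
# open, so only payload inspection catches them. (The port-443 request
# is shown in the clear for illustration; in practice the IPS would need
# SSL inspection to see it.)
SAMPLE_PACKETS: List[Packet] = [
    Packet("198.51.100.7", "203.0.113.10", 23, b"login: admin\r\n"),
    Packet("198.51.100.7", "203.0.113.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", "203.0.113.10", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", "203.0.113.10", 443,
           b"GET /login?user=x' OR 1=1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.dport, pkt.payload[:32], layered_decision(pkt))
```

The order of the two checks mirrors the wire: the firewall never sees a payload, and the IPS never sees a packet the firewall already dropped. Note the opposite default policies, which is the point the bullet list makes: the firewall drops the telnet packet because nothing allowed it, while the IPS passes the plain `GET /index.html` because nothing forbade it.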


Passive Detection versus Inline Prevention

The two modes of operation used by intrusion detection and prevention systems are passive detection and inline prevention. These modes are described in Table 1-1.

Table 1-1: Comparison of Passive IDS and Inline IPS

Passive Detection                                    | Inline Prevention
-----------------------------------------------------|------------------------------------------------------
Connected to a "tap" or switch span port             | Directly inline
Receives a "copy" of traffic                         | Traffic actually flows through the system
Creates alerts                                       | Creates alerts
Can't block attacks                                  | Can block attacks
Detection errors can result in false alarms          | Detection errors can result in service disruption
Device malfunctions will cause a cessation of alarms | Device malfunctions can result in service disruption

Not your father's IDS

IDSs in the early 1990s were notorious for generating hordes of false positives. Network engineers would have to spend hours upon hours to "tune out" the false positives. This was a laborious, manual task that gave early IDSs a bad reputation. This was mostly the case because early IDSs lacked intelligence and an easy way to root out false positives. Today's IPSs are far superior in both respects, to the point that false positives are the exception rather than the rule, though every deployment still needs tuning against its own traffic before blocking is switched on.


Although IPSs can operate in a pure passive detection mode, you should understand that there are no longer any strictly passive intrusion detection systems (IDSs) offered today; instead, today's systems are IPSs that can be run in either passive detection (alerting) mode or in inline prevention (blocking) mode, or both.

Network versus Host IPS

Intrusion prevention systems come in two basic flavors: network-based and host-based. The differences and similarities between these types are described here.

Network-based IPS

Network-based intrusion prevention systems typically take the form of a rack-mounted appliance or system that is attached to a data network. The network is configured so that the IPS sees all the traffic of interest, either as a copy (passive detection) or by routing the traffic itself through the IPS (inline prevention), so that the IPS may examine it to identify possible intrusions.

IPS alphabet soup

There are four main types of IPSs, each with its own FLA (four-letter acronym). They are:

✓ HIDS (host-based intrusion detection system). This is an intrusion detection system that is installed on a host and is designed to detect attacks against the host system.
✓ HIPS (host-based intrusion prevention system). This is an intrusion prevention system that is installed on a host and is designed to block attacks against the host system.
✓ NIDS (network-based intrusion detection system). This is an IDS that monitors a network to detect attacks.
✓ NIPS (network-based intrusion prevention system). You guessed it — this is an IPS that monitors a network to block attacks.


Common Detection Methodologies

Intrusion prevention systems use different methods to detect security incidents. The makers of IPSs have learned that no one method is effective for detecting and stopping most kinds of incidents; instead, they have settled on a number of well-known ways to accomplish this.

Rule-based detection

IPSs can detect incidents by comparing observations against a list of previously defined incidents and known vulnerabilities. This type of detection is quite effective at detecting known threats and, when the rules describe the underlying vulnerability rather than one particular exploit, previously unseen variants of attacks on known vulnerabilities. Some examples of what rules (also known as signatures) detect are:

✓ Attacks targeting vulnerabilities in operating systems and applications
✓ Botnets used to perform targeted Denial of Service (DoS) attacks or steal personally identifiable information (PII)
✓ Unusually large ping packets, which may be an indication of a ping of death attack

Because new types of attacks against information systems are continually being developed, IPSs need to regularly update their rules. Rules are developed by the makers of IPSs, and in some cases a "community" of rule writers, and are distributed to running IPSs via the Internet.

Savvy intruders know how signature-based detection works, and in response they have developed a number of ways of evading detection, usually by introducing subtle variants in their attacks. For this reason, leading IPS makers usually publish vulnerability-based rules (instead of exploit-based signatures) to detect all possible variants of an attack. They may also offer anomaly-based detection techniques, discussed in the next section.


If you're familiar with the basic workings of anti-virus software, particularly in regard to its use of signatures and signature-based detection, then you'll have little trouble understanding how an IPS works. In this regard, they are quite similar. But unlike anti-virus solutions, leading IPS vendors rely on vulnerability-based rules (rather than exploit-based signatures) to detect any possible exploit variation targeting an operating system- or application-level vulnerability, which affords users protection against zero-day exploits of vulnerabilities that are already known (a rule can't describe a vulnerability nobody has discovered yet).

Anomaly-based detection

IPSs can detect incidents by comparing traffic patterns that the IPS considers "normal" with new traffic patterns, and deciding whether new traffic patterns fall within acceptable patterns or not. A distinct advantage of anomaly-based detection is the capability to detect incidents that may not be triggered by a standard IPS rule or signature. The flip side is that anything unusual but legitimate (a new backup job, a traffic spike after a product launch) can trip it, so the "normal" baseline has to be learned carefully and revisited whenever the network changes.

Stateful protocol analysis

IPSs can detect incidents by observing individual network connections, for instance, and making alerting or blocking decisions based on what's considered normal for various types of activities.

For example, an IPS may learn the sequence of events when the user of a web application logs in, and after logging in issues commands to the application to perform work. The IPS may consider a user issuing commands without logging in to be an event that should be blocked, because this may be a sign of an intruder who is attempting to perform unauthorized transactions.

False Positives

In the context of intrusion prevention, a false positive is an IPS declaring good traffic as bad, resulting in either a false alarm (if the IPS is in passive detection mode) or service disruption (if the IPS is in inline prevention mode). A false positive is usually caused by an ineffective IPS rule or signature.
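The login-then-command sequence from the stateful protocol analysis section, as an added example that is not part of the book. The application protocol (LOGIN, CMD and LOGOUT lines with numeric server replies), the session log and the verdict names are all hypothetical. The `mode` argument also ties in the passive-versus-inline distinction of Table 1-1: the same detection error is an alert in passive mode and a dropped command in inline mode.

```python
"""Added example (not from the book): stateful protocol analysis for the
login-then-command sequence described in the text. The application
protocol, the session log and the rules are hypothetical."""
from typing import Dict, List, Tuple

# Per-connection state: "unauthenticated" until the server confirms a
# login, "authenticated" afterwards. Commands are legitimate only in the
# authenticated state.
Event = Tuple[str, str, str]   # (connection id, "client"|"server", line)
Verdict = Tuple[str, str, str]  # (connection id, verdict, reason)


def analyze(events: List[Event], mode: str = "inline") -> List[Verdict]:
    """Runs the protocol state machine over a sequence of events.

    mode="inline"  -> a violation is dropped (service impact on error)
    mode="passive" -> a violation only raises an alert
    Returns one verdict per client line; server lines only update state.
    """
    assert mode in ("inline", "passive")
    state: Dict[str, str] = {}
    verdicts: List[Verdict] = []
    block = "drop" if mode == "inline" else "alert"

    for conn, direction, line in events:
        current = state.setdefault(conn, "unauthenticated")
        if direction == "server":
            # Only a successful login reply advances the state; a failed
            # login (e.g. "401 ...") leaves the connection unauthenticated.
            if line.startswith("200 LOGIN OK"):
                state[conn] = "authenticated"
            continue

        verb = line.split(" ", 1)[0]
        if verb == "LOGIN":
            # Always allowed to pass; the server's reply decides the outcome.
            verdicts.append((conn, "allow", "login attempt"))
        elif verb == "CMD":
            if current == "authenticated":
                verdicts.append((conn, "allow", "command after login"))
            else:
                # The case the text singles out: a command with no login.
                verdicts.append((conn, block, "command before login"))
        elif verb == "LOGOUT":
            state[conn] = "unauthenticated"
            verdicts.append((conn, "allow", "logout"))
        else:
            # Anything outside the protocol grammar is suspicious as well.
            verdicts.append((conn, block, "unknown verb " + repr(verb)))
    return verdicts


# Constructed session log: connection A logs in properly and later logs
# out; connection B skips straight to a command, then fails its login.
SESSION_LOG: List[Event] = [
    ("A", "client", "LOGIN alice"),
    ("A", "server", "200 LOGIN OK"),
    ("A", "client", "CMD transfer 100"),
    ("A", "client", "LOGOUT"),
    ("A", "client", "CMD transfer 100"),   # after logout: unauthenticated again
    ("B", "client", "CMD transfer 9999"),  # never logged in
    ("B", "client", "LOGIN mallory"),
    ("B", "server", "401 LOGIN FAILED"),
    ("B", "client", "CMD transfer 9999"),  # still unauthenticated
]

if __name__ == "__main__":
    for verdict in analyze(SESSION_LOG, mode="inline"):
        print(verdict)
```

The state is keyed per connection, which is what makes this stateful: the same `CMD` line is fine on connection A after its `200 LOGIN OK` and a violation on connection B, and a rule that looked at one packet at a time could not tell them apart.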


A false positive should not be confused with a "real" attack that is ineffective against the operating system or application it is targeting. For example, if Conficker attacks a Linux host, and an intrusion event is triggered, it is technically not a "false positive" but more of a "not applicable" since Conficker only affects Windows operating systems. I go into this in more detail in Chapter 3.

First-generation IDSs were legendary for creating massive quantities of alerts, overwhelming administrators who spent hours trying to tune out the noise. Learning from those painful times, IPS vendors have made their systems much better through intelligent learn modes, easier administration, and highly tuned rule sets.

False Negatives

The opposite problem is that of a false negative, where an IPS fails to recognize an intrusion or other security event. This can occur if the IPS doesn't have up-to-date rules, if the IPS vendor hasn't released a rule for a new type of attack or vulnerability, or if the attacker has varied or obfuscated the attack in a way the rule doesn't account for.

When an IPS is placed in inline blocking mode, false negatives are generally far more damaging to an organization than a false positive. A false negative permits bad traffic to enter the network, potentially leading to compromised systems and possibly stolen or lost data. A false positive blocks good traffic from entering the network, potentially leading to lost business or productivity. A common way to manage this trade-off is to run a new inline sensor in passive mode first and enable blocking rule by rule once the false-positive rate of each rule on your own traffic is known.

Vulnerability-Based Rules versus Exploit-Based Signatures

One of the main problems with a signature-based (for example, exploit-based) approach is the inability to detect zero-day attacks.

Although some zero-day attacks are exploiting a new vulnerability, many target vulnerabilities that are already known.


Given this, it makes more sense for an IPS to have its rules based on actual vulnerabilities rather than signatures based on known attacks.

Let me explain with another analogy. Consider a padlock that may have a design weakness that makes it vulnerable to picking. It would be better for an IPS to be familiar with the lock's vulnerability, so that it will be able to detect any kind of an attack upon it. However, if the IPS were instead configured to detect only known lock-picking methods (attacks), then any new methods for picking the lock would go undetected.

Open versus Closed Architectures

Open and closed architectures refer to the way that IPS providers design their products and control the publication of those designs. In an open architecture, important parts of a product's design will be openly published, permitting not only inspection but also integration with other companies' products.

Closed architectures, on the other hand, aren't open for inspection. This makes it difficult or impossible for security administrators to validate the architecture of the IPS, to inspect its rules and create custom rules, and to integrate with common third-party platforms (for example, SIEMs, vulnerability management systems, network forensics, and so on).

Selecting an IPS with an open architecture offers numerous advantages, including increased levels of security, greater flexibility for defending proprietary systems, and superior integration and intelligence-sharing with existing IT infrastructure.

With more than 300,000 registered users, open source Snort is a popular choice for intrusion detection and prevention, boasting a huge quality assurance (QA) team of both commercial and open source users. A Snort-based IPS features an open architecture, making it easy to inspect the quality of IPS rules and create custom rules for proprietary systems. More than 100 vendors have incorporated Snort into their network security devices.
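The padlock analogy and the rule-based detection section, as an added example that is not part of the book: an exploit-based signature and a vulnerability-based rule for the same flaw, run over constructed payloads. The flaw is hypothetical (a service on TCP 2121 that copies the argument of a `USER <name>` command into a 64-byte buffer), as are the public exploit, its variant and the rule names. Because the Open versus Closed Architectures section points at custom Snort rules, each detector is preceded by an illustrative equivalent in Snort rule syntax (in the local sid range, 1000000 and up); those are written here for this example and are not rules from the Snort project.

```python
"""Added example (not from the book): an exploit-based signature beside a
vulnerability-based rule for the same hypothetical flaw, run over
constructed payloads. Assumed flaw: a service on TCP 2121 copies the
argument of "USER <name>\r\n" into a 64-byte stack buffer."""
import re
from typing import Dict

BUFFER_SIZE = 64  # assumed size of the vulnerable buffer

# Exploit-based signature: bytes lifted from one public exploit, i.e. its
# NOP sled and the string its shellcode carries. Only that exploit matches.
# Illustrative Snort-syntax equivalent (custom rule, local sid range):
#   alert tcp any any -> $HOME_NET 2121 (msg:"exploit-based: public USER overflow";
#     content:"USER "; depth:5; content:"|90 90 90 90|"; content:"/bin/sh";
#     sid:1000001; rev:1;)
EXPLOIT_SIGNATURE = re.compile(rb"^USER .*\x90\x90\x90\x90.*/bin/sh", re.DOTALL)


def exploit_based_match(payload: bytes) -> bool:
    return EXPLOIT_SIGNATURE.search(payload) is not None


# Vulnerability-based rule: describes the condition that triggers the bug
# (argument longer than the buffer), whatever bytes the attacker chose.
# Illustrative Snort-syntax equivalent:
#   alert tcp any any -> $HOME_NET 2121 (msg:"vulnerability-based: USER argument > 64 bytes";
#     content:"USER "; depth:5; isdataat:65,relative; content:!"|0a|"; within:65;
#     sid:1000002; rev:1;)
def vulnerability_based_match(payload: bytes) -> bool:
    if not payload.startswith(b"USER "):
        return False
    argument = payload[5:].split(b"\n", 1)[0].rstrip(b"\r")
    return len(argument) > BUFFER_SIZE


def evaluate(payloads: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Runs both detectors over every payload; returns {name: {detector: hit}}."""
    return {
        name: {
            "exploit_based": exploit_based_match(p),
            "vulnerability_based": vulnerability_based_match(p),
        }
        for name, p in payloads.items()
    }


# Constructed payloads.
SHELLCODE_MARKER = b"/bin/sh"
PAYLOADS: Dict[str, bytes] = {
    # Normal traffic: neither detector fires.
    "benign": b"USER alice\r\n",
    # The public exploit the signature was written from: both fire.
    "public_exploit": b"USER " + b"\x90" * 40 + SHELLCODE_MARKER + b"A" * 40 + b"\r\n",
    # Same overflow, different sled and XOR-encoded shellcode: the
    # signature is evaded, the vulnerability rule still fires.
    "variant_exploit": b"USER " + b"\x41\x42" * 20
        + bytes(c ^ 0x2A for c in SHELLCODE_MARKER) + b"B" * 40 + b"\r\n",
    # An oversized but harmless username: the vulnerability rule fires.
    # Against a patched server this is the "not applicable" event the
    # False Positives section describes, not a true positive.
    "long_but_benign": b"USER " + b"x" * 80 + b"\r\n",
}

if __name__ == "__main__":
    for name, hits in evaluate(PAYLOADS).items():
        print(name.ljust(16), hits)
```

The variant payload is what the text means by "subtle variants": the attacker changed nothing about the overflow, only the bytes the signature author happened to copy. The price of the vulnerability-based rule is visible in the last payload: it fires on every oversized argument, including ones aimed at hosts that are not vulnerable, which is why modern consoles correlate events with vulnerability intelligence (the impact assessment feature listed later in this chapter).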


Understanding IPS Components and Network Architectures

To understand how an IPS protects an enterprise, it helps to look at the components of an enterprise-class IPS. Figure 1-1 shows a typical organization's Internet-network boundary along with IPS components.

IPS sensor

An IPS sensor is typically a purpose-built hardware appliance that is connected to the network. The sensor may be connected in one of three ways:

✓ Inline. Here, the IPS is placed inline behind a firewall, router, or switch so that all network traffic actually flows through it. This configuration supports both IPS (blocking) and IDS (alerting) modes.
✓ Network tap. A tap is a hardware device that provides a way to access the data flowing across a network. A bypass tap is typically used for inline IPS configurations for IPS devices that lack a fail-open capability or for organizations that may wish to disconnect their inline IPS from the network regularly for maintenance or reconfiguration. A regeneration tap is used for passive IDS configurations, typically when the span ports on monitored switch devices are already consumed.
✓ Switch span port. This is a port on a network switch where a copy of all traffic that flows through the switch can be monitored. This supports a passive IDS configuration only: a sensor on a span port sees a copy of the traffic and can't drop the original packets.

Interface sets on an inline IPS should be configurable to fail open, meaning that all network traffic should continue to flow through the IPS sensor in the event of a hardware or software failure in the IPS. This ensures high availability of the network. Be clear about what fail open trades away: while the sensor is down, the segment passes traffic uninspected, so sensor health has to be monitored and a sensor failure treated as a security event, not just an outage.


Figure 1-1: IPS components in an enterprise network. (Diagram labels: Internet, Router, Switch, Firewall, IPS Sensor with two monitoring interfaces and a management interface, Management Switch, IPS Management Console, Internal Network.)

Enterprises will typically have many IPS sensors, each located in a different part of the network. Some of the common places where an IPS sensor might be placed are:

✓ Perimeter or DMZ. Here, the IPS sensor is detecting traffic flowing from the Internet to public-facing web servers (and other hosts) placed in the Demilitarized Zone (DMZ) or hosts located near the perimeter behind the firewall.


Often, an IPS placed at the perimeter or DMZ will operate in inline IPS blocking mode to fend off potential attacks.
✓ Core or data center network. More organizations are extending protection of their perimeter IPS by installing IPS sensors (typically placed in passive IDS mode) in the core or data center. This provides an additional layer of defense and helps to detect attacks hand-carried into the office on mobile computing devices.
✓ Extranets. Larger organizations with extranet connections to partner or supplier networks may place an inline IPS device in front of associated routers to both defend against potential incoming attacks and to ensure that local malware doesn't spread to partner networks.
✓ Wireless access points. Contractors and guests commonly connect to the network through wireless access points. As these devices are typically uncontrolled by IT, many organizations place IPS sensors behind wireless access points to monitor for potential unwanted traffic.
✓ Virtualization platforms. Although virtualization provides significant cost-saving benefits, it also introduces new risks and uncertainties. A physical IPS placed in front of a virtualization network, or a virtual IPS installed on each virtualization host, can help defend against hidden attacks originating from within or targeting virtual machines.
✓ Critical network segments. These may be networks containing critical systems (such as servers containing financial or medical data, for instance), where intrusions would be especially serious.

The Payment Card Industry Data Security Standard (PCI DSS) requires intrusion-detection and/or intrusion-prevention technology (Requirement 11.4) to monitor all traffic at the perimeter of the cardholder data environment and at critical points inside it. Learn more about the role of an IPS for PCI DSS compliance in Chapter 5.

IPS sensors placed at the perimeter and strategic points inside the network serve as the organization's eyes and ears for defending against today's most sophisticated threats.


IPS management console

The IPS management console provides centralized command and control over all IPS sensors. Typical features of an IPS management console include:

✓ Security event aggregation
✓ Centralized detection policy management
✓ Downloading, importing, and applying IPS rule updates
✓ User interfaces for viewing and filtering security events
✓ Reports, alerts, and dashboards
✓ Health monitoring, to monitor health and performance of IPS sensors and the IPS management console itself

More modern IPS management consoles provide additional functionality beyond legacy IPS platforms, including:

✓ Network forensics (for example, view full packet payload)
✓ Event correlation and impact assessment
✓ User identification and tracking
✓ Application monitoring
✓ Flow (for example, NetFlow, proprietary flow) storage and analysis
✓ Advanced detection policy management (for example, policy layering)
✓ APIs to enable streaming of events to external platforms, remediation to network infrastructure devices, and importing of external network and vulnerability intelligence
✓ Granular administrative access permissions
✓ “Manager of managers” hierarchy, enabling one IPS management console to manage multiple subordinate IPS management consoles

The IPS management console is typically offered on dedicated hardware appliances, but may sometimes be offered as Windows-based software (requiring server-class hardware) or as a VMware, Xen, or other virtual machine.


Chapter 2
IPS Attack Coverage

In This Chapter
▶ Understanding common network threats
▶ Determining what constitutes a zero-day attack
▶ Coming to terms with advanced persistent threats

Intrusion prevention systems (IPSs) are designed to block many different types of attacks. It is easier to understand IPSs if you better understand the types of things they’re designed to detect and prevent.

If this were a book about law enforcement, this chapter would be about different types of criminals and the crimes they commit. Understanding the types of attacks you’re trying to prevent helps you gain perspective on the strategic role of a network IPS.

In this chapter, I look at the types of attacks that intrusion prevention systems are designed to prevent.

Worms, Trojans, and Buffer Overflows

This section is kind of a grab bag of attack types.

Worms

A worm is a program that is designed to self-propagate from one computer to the next. Typical worms are designed to discover nearby computers with specific features, particularly features with specific flaws that permit the worm to successfully attack the next computer and install itself there. Then the worm begins to scan for other nearby potential victims, and the cycle repeats itself until the worm can find no new victim computers to invade.

The primary characteristics of worms are:

✓ Self-propagation: they travel automatically with no human intervention required.
✓ Exploitation of a vulnerability to install themselves.
✓ Scanning of the network for additional potential victims.

Worms cause harm in three different ways:

✓ Network traffic. Worms have a tendency to flood networks with their probes for new victims, and with the traffic caused by their propagation.
✓ System resources. Worms consume resources on the victim system through their propagation operations. Worms can even consume resources on adequately protected systems if a worm’s attack is persistent.
✓ Harmful payload. Individual worms may be programmed to do more than just scoot around on the Internet. In addition, they may be designed to hunt for specific data on infected systems, implant other malware, or intentionally harm data.

Trojan horses

A Trojan horse is another type of malware. Like a worm, a Trojan is designed to propagate itself from system to system. But unlike a worm, a Trojan requires human intervention to keep it moving.

A Trojan horse is so-named because it is disguised as something benign. For example, a Trojan may be embedded inside a computer program purported to be a game, screen saver, or other program. But once activated, a Trojan will do whatever harmful things that it was designed to do.


When activated, a Trojan may scan nearby networks for neighboring systems that are potential victims. Or, the Trojan may scan the user’s system to look for valuable data, or install other malware that it is carrying.

Buffer overflows

A buffer overflow is a specific type of attack against a system, where the attack is designed to confuse the system into executing the attacker’s instructions.

A buffer overflow attack works like this. An attacking program establishes a communications session with a specific component on the target system, and sends a specially crafted message to the target system. The message deliberately sends too much data into the target system’s input buffer. In a program that is vulnerable to a buffer overflow attack, the excess data will overwrite program instructions in the vulnerable program, and eventually the program will execute those instructions (thinking that it is executing its original instructions). Those new instructions usually contain code to open the target system and permit a partial or complete takeover of the target system.

Sound complicated? You bet it is!

A buffer overflow attack isn’t easy to develop. It takes detailed knowledge of the target system’s internal architecture (both software and hardware), as well as detailed knowledge of the program or service being attacked. That said, hackers who develop buffer overflow exploits often build a “kit” that makes it easy for others to exploit the same vulnerability.

Worms, Trojans, viruses, and other types of malware often use buffer overflows as a way of gaining a foothold in a new victim system.

Buffer overflows account for a significant portion of the attacks against systems on the Internet.


Spyware, Phishing, and Botnets

Here is another grab bag of attacks on systems and people.

Spyware

Spyware is a term ascribed to a wide range of techniques used to covertly obtain information from computers. Spyware most often takes on the form of computer code that is installed on a user’s computer without his or her knowledge or consent, gathers specific information, and sends that information to a central source. Spyware may also alter the behavior of the victim’s computer.

The activities performed by spyware include:

✓ Tracking sites visited with a browser
✓ Recording keystrokes and mouse clicks
✓ Changing browser settings (for instance, changing home page, default search engine, and so on)

Unlike other types of malware such as viruses and Trojans, spyware doesn’t usually contain code for making copies of itself onto other computers.

Phishing

A pun on the word fishing, a phishing attack is an attack on computer users in an attempt to con them into performing an action that is intended to cause them harm. That harm may take the form of financial fraud or the installation of malware or spyware on their computer, for instance.

A typical phishing scam works like this:

✓ The bait. The scammer sends out large quantities of genuine-looking e-mail messages to intended victims in an effort to entice them to open an attachment or click a URL.
✓ The hook. Although most people ignore or don’t receive (because of anti-spam) the message, a few believe it is legitimate, or they’re just curious. They open the attachment or click on the link.
✓ The harm. The attachment installs malware or spyware on the victim’s computer, which may steal information, install a key logger, or perform some other harmful action. If the user clicks a URL, the website may trick the user into believing she is logging into a legitimate website (such as online banking). If she types in her user ID and password, the scam artist will use these credentials to log in later and steal money from the victim. Also, the website may attempt to infect the user’s computer with malware. The victim’s computer may also be made a part of a botnet, which is discussed later in this section.

Phishing scams account for a significant portion of computer security incidents and malware infections by preying on a user’s gullibility.

Botnets

A botnet is a collection of victim computers that have been commandeered into a bot army, a powerful computing resource awaiting instructions from its owner. Creators of botnets are typically financially motivated.

Here is how a botnet works. An individual or group will write a small software program — a bot — that will enable the computer it’s running on to be remotely controlled. This bot will be packaged into a worm, malware program, or loaded on a malicious website, at which time a campaign of some sort (say, a phishing scam) will ensue to get the bot installed on as many computers as possible.

The owner of these bots, usually known as a bot herder, has a centralized “command and control” program that can be used to control all the computers that are running his bots. This control program can then be used to perform work on behalf of the bot herder, such as:

✓ Spam. A bot army can be used to send millions of spam messages — which themselves may contain malware intended to grow the bot army.
✓ Denial of service attacks. The bot army can be used to remotely attack a computer or network of the bot herder’s choosing. Denial of service attacks are discussed later in this chapter.


Botnets range in size from hundreds to millions of computers. According to the BBC, as many as a quarter of all personal computers may be members of one or more botnets.

SYN Floods and Denial of Service (DoS) Attacks

The next grab bag of attacks includes two common network-based attacks.

SYN floods

A SYN flood is an attack on a target system, specifically an attack on a key design attribute of the TCP/IP networking protocol.

In a SYN flood, the attacker sends thousands of SYN packets to a target system. A SYN packet is ordinarily a message sent from another computer that wants to establish a network connection with the target. Upon receiving the SYN, the target system will reply with a SYN/ACK, at which point the conversation will begin.

An important fact to note is that the target computer will allocate resources (mainly, memory) in anticipation of the new connection. But in a SYN flood, the attacker sends thousands of SYNs and ignores all the SYN/ACKs. The purpose of this is to flood the target system until it is incapable of communicating on any legitimate channels.

A SYN flood is a special type of a denial of service attack. These attacks are discussed in the next section.

Denial of service

A denial of service (DoS) attack is an attack on a target system where the objective of the attack is to partially or completely incapacitate the target system. The purpose of a DoS attack is to render the target system unusable for legitimate purposes.


The reason that an attacker would carry out a DoS attack could include revenge, jealousy, ideology, or economics. Committing a DoS attack is akin to blocking the entrances to a business so that its customers are unable to patronize it.

There are two basic types of DoS attacks:

✓ Flooding. The most common form of DoS attack is one where the attacker sends such a high volume of messages to a target system that it either malfunctions or is otherwise unavailable for legitimate purposes.
✓ Malfunction. The other common form of DoS attack is one where a specially crafted message is sent to the target system; the message causes the target system to malfunction or crash.

Another type of DoS attack is known as the Distributed Denial of Service (DDoS) attack. In a DDoS attack, the attacker causes many different systems to flood a target system simultaneously. Such an attack can be nearly impossible to block if there are hundreds or thousands of different sources.

Botnets are often used to commit DDoS attacks.

Encryption and other detection evasion

In the malware economy, the developers of malware consider their products successful if they’re able to evade detection. Early attempts at this involved the release of several “variants” that were constructed differently from one another. However, this has proven ineffective in comparison to encryption.

Encryption is a popular way of hiding from signature-based detection systems. This is particularly effective when each computer’s copy of malware is encrypted with a different decryption key, making every copy of the malware unique. This can make detection by signature-based systems very difficult. Anomaly-based systems should have no trouble with encrypted malware, because the basic attack pattern is likely unchanged.
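The SYN flood described in the previous section is visible to a sensor as a pile-up of half-open connections: SYNs the target answered with SYN/ACK but the client never completed. The following tracker is an added example, not code from the book; it replays constructed packet tuples (src_ip, src_port, dst_ip, dst_port, tcp_flags) and counts half-open connections per client, which is the signal a flood detector keys on.

```python
"""Half-open connection tracking to spot a SYN flood.

Added example, not code from the book. Packets are constructed tuples
(src_ip, src_port, dst_ip, dst_port, tcp_flags); a real sensor would take
them from a capture or flow feed and would also age out stale entries,
which this small tracker does not do.
"""
from collections import defaultdict

TARGET = "192.0.2.10"   # constructed server address


def build_sample_packets():
    """Constructed traffic: two legitimate clients and one flooding source."""
    packets = []
    # 10.0.0.5 completes a normal three-way handshake.
    packets += [
        ("10.0.0.5", 40001, TARGET, 80, "S"),
        (TARGET, 80, "10.0.0.5", 40001, "SA"),
        ("10.0.0.5", 40001, TARGET, 80, "A"),
    ]
    # 10.0.0.6 is mid-handshake: one half-open connection, which is normal.
    packets += [
        ("10.0.0.6", 40002, TARGET, 80, "S"),
        (TARGET, 80, "10.0.0.6", 40002, "SA"),
    ]
    # 198.51.100.7 sends 200 SYNs from different ports, the server answers
    # each with SYN/ACK, and the final ACK never arrives.
    for port in range(1024, 1224):
        packets.append(("198.51.100.7", port, TARGET, 80, "S"))
        packets.append((TARGET, 80, "198.51.100.7", port, "SA"))
    return packets


def track_half_open(packets):
    """Replay packets and return {client_ip: number of half-open connections}.

    A connection is half open once the server has replied SYN/ACK and the
    client has not sent the ACK that completes the handshake. That is the
    state in which the target has allocated memory for nothing.
    """
    state = {}  # (client, client_port, server, server_port) -> "syn" | "synack"
    for src, sport, dst, dport, flags in packets:
        if flags == "S":                       # client opens
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "SA":                    # server answers; key is reversed
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":                     # client completes the handshake
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                del state[key]                 # resources now in legitimate use
    counts = defaultdict(int)
    for (client, _, _, _), st in state.items():
        if st == "synack":
            counts[client] += 1
    return dict(counts)


def syn_flood_sources(packets, threshold=100):
    """Clients holding at least `threshold` half-open connections, sorted."""
    return sorted((ip, n) for ip, n in track_half_open(packets).items()
                  if n >= threshold)


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("half-open per client:", track_half_open(pkts))
    print("flood sources:", syn_flood_sources(pkts))
```

The legitimate client that finished its handshake disappears from the count, the one still mid-handshake shows a single entry, and only the source sitting on 200 half-open connections crosses the threshold.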


Zero-Day Attacks

A zero-day attack is a brand new attack on a previously unknown vulnerability, or a new type of an attack on an existing vulnerability.

The term zero day comes from the number of days of warning between the time when the vulnerability is announced and when it is exploited. In other words, these are vulnerabilities for which no patches are available.

Zero-day attacks are significant because signature-based (exploit-based) IPS devices are generally defenseless against them. However, IPSs that also use anomaly-based detection and leverage vulnerability-based rules (as opposed to exploit-based signatures) can protect effectively against zero-day attacks.

Advanced Persistent Threats (APT)

There is presently more hype and misinformation about advanced persistent threats (APTs) than practically everything else in this book combined. In truth, there is no silver bullet or single security device for defending against APTs. But a network IPS is a strategic component of a defense-in-depth strategy that can help you get ahead in the game.

What is APT?

To understand what APT is and what it is not, start with a short definition and then delve into the details.

An advanced persistent threat is information warfare, conducted by sophisticated adversaries who are determined to control information systems and gather intelligence on persons, organizations, and governments.


Does this definition scare you? Good! It should, because the actors who are responsible for these threats are financially motivated, patient professionals with research and development resources at their disposal. They’re not looking for instant gratification, but instead are willing to go “low and slow” to patiently, systematically infiltrate the systems used by individuals and organizations.

So enough about the actors. What about the actual threats? Advanced persistent threats are malicious, and they certainly fall into the class of malware. However, for highly sophisticated threats, you won’t find signatures of this malware in anti-virus products or intrusion detection systems, because these threats are custom made for their specific targets.

Advanced persistent threats do consist of attacks that are detectable. However, these attacks may be subtle and take place over a very long period of time. Traditional defenses such as anti-virus, IPS, and firewalls may not see anything at all. The actors behind an advanced persistent threat don’t want to set off any alarms.

IPS’s role in APT

Resisting advanced persistent threats requires advanced detection systems. An IPS with an effective vulnerability-centric detection system is helpful. APT actors often try to target vulnerabilities in operating systems and applications, but often do so with custom-built tools instead of “off the shelf” malware. An IPS that knows how to spot novel, zero-day attacks against known vulnerabilities will help.

Another effective tool to combat APTs is network behavior analysis (NBA). NBA, which is incorporated into better IPSs, helps to detect changes in the composition of network traffic, which may be a sign that spies have infiltrated the network.


Network versus host-based detection

Arguably, APTs most often target systems that store, transmit, or process data. So it would make sense that host-based detection and prevention would be best, right? Well, not really.

The problem with host-based detection is that the attacker, once he has been able to compromise a system, will be able to notice the presence of HIDS or HIPS on the system. This is akin to a burglar who spots a video surveillance camera after he has broken into a home or office. Not that the NIDS, NIPS, or video camera will necessarily scare off the intruder, but it may force the intruder to change his tactics in order to make his actions less noticeable.

In order to detect attacks on systems, network-based IDSs and IPSs offer a key advantage over host-based solutions. The main reason for this is that the intruder will not be able to observe any of the detection/prevention capabilities. Done right, NIDS and NIPS are virtually undetectable. This gives the organization an advantage, because intruders, who can’t know (for certain) that they’re being watched, may be a little more lax in their tactics, and as a result they may be a little easier to detect.

Other advantages to network-based IPSs are:

✓ Network-based IPSs/IDSs don’t consume system resources
✓ Passive implementations of IPSs/IDSs don’t interrupt network traffic flow

Although I hope that I have convinced you that network-based IDSs/IPSs are the way to go, I don’t want you to throw out the baby with the bathwater. Some systems-based security tools should still be used, and may detect APTs. These tools include:

✓ Anti-virus and anti-spyware. You need this anyway to stop the cheap stuff, and these may also slow down APT attacks.
✓ Firewalls. Packet filtering at the system level may still be a good idea, particularly if outbound connections are also limited to those services that are truly required.
✓ File integrity monitoring (FIM). Another good idea for detecting unauthorized changes to operating system and application files. FIM also helps to detect other types of threats, including systems engineers who make changes to systems without going through proper procedures, such as change management.

These other security controls comprise a defense-in-depth strategy necessary to combat APT.

APTs, while more difficult to detect than ordinary malware, can often be detected, provided the organization is willing to invest in the tools required to repel them.




Chapter 3
Modern IPS Features

In This Chapter
▶ Understanding Next-Generation IPS
▶ Automating key IPS functions
▶ Removing network blind spots with SSL inspection
▶ Integrating third-party products into an IPS

Intrusion Prevention Systems have come a long way since the introduction of open source Snort in 1998. Although a “typical” IPS contains everything you need to bring the box online and start blocking attacks, a new breed of IPS technology has raised the bar in terms of what organizations should expect from their IPS investment.

In this chapter, I contrast the key features of a typical IPS against those of a Next-Generation IPS (NGIPS), with emphasis on capabilities related to security, automation, and total cost of ownership (TCO). I also discuss strategies for SSL (Secure Sockets Layer) inspection and integration with existing IT security products and infrastructure.

Typical IPS versus Next-Generation IPS

Figure 3-1 compares the key attributes of a typical IPS and a Next-Generation IPS.

In the remainder of this chapter, I describe common features found in virtually all IPS devices, but then delve deeper into the sophisticated capabilities found in today’s Next-Generation IPS solutions.


Key IPS Attributes                  Typical IPS   Next-Gen IPS
Inline IPS & Passive IDS Modes          ✓              ✓
Default Detection Policy                ✓              ✓
Reports, Alerts & Dashboards            ✓              ✓
Custom Rules                                           ✓
Vulnerability-Based Protection                         ✓
Automated Impact Assessment                            ✓
Automated Tuning                                       ✓
User Identity Tracking                                 ✓
Application Monitoring                                 ✓
Network Behavior Analysis                              ✓
Virtual IPS & Management Console                       ✓

Figure 3-1: Features of typical versus Next-Generation IPS.

Common functions

Virtually all of today’s IPS devices share the following common functions:

✓ Inline IPS and passive IDS modes. However, when an IPS device is placed inline, be sure it supports fail-open ports. Some IPS providers offer fail-open ports on only a portion of their models.
✓ Default detection policy. Every IPS vendor should provide a detection policy comprised of the most common IPS rules to help get you started. But an organization should never just rely on a default policy because it never adapts to your dynamically changing network environment. Don’t let IPS vendors fool you about this. “Tuning” is required to select the IPS rules that are most relevant for your organization. In IPS, one size does not fit all.
✓ Reports, alerts, and dashboards. Most IPS providers offer a selection of reports, alerts, and dashboards usually present in the management console. Reporting should be flexible, alerts should be offered through e-mail, syslog, and SNMP, and dashboards should be customizable based on the user’s role in the organization. The managers who paid for IPS want to see their reports and dashboards, to know that the IPS is really working and providing business value.

Advanced protection

Most of today’s IPS devices are black boxes that offer little visibility into the protection being offered. However, a Next-Generation IPS — especially one based on an open architecture — is different:

✓ Visibility. Vendors with IPS offerings based on closed architectures require you to “trust” that they have the best protection for your needs, as you have no visibility into how the detection engine works or whether their rules (or signatures) are designed to defend vulnerabilities or simply detect known threats. In contrast, a NGIPS features an open architecture with full visibility into the detection engine and rules, yielding higher quality products, increased effectiveness, and peace of mind.
✓ Custom rules. Most typical IPS vendors will tell you that you can create custom rules, but few provide the means to do it effectively. It’s best to select an IPS vendor that makes it easy to create custom IPS rules through training and an easy-to-use wizard interface.
✓ Vulnerability-based protection. Most IPS providers offer exploit-based signatures that detect a single variant of malware. A Next-Generation IPS puts in the extra effort to construct IPS rules to detect any possible variant of an exploit that targets an operating system or application vulnerability. This approach provides the best security and offers the greatest zero-day protection. It’s better to be able to detect any possible exploit of a faulty lock than it is to have to detect every possible skeleton key.

The general trend in IT products is the capability to see inside the product to view and manage detailed configuration and operation. Make sure you select an IPS that gives you the capability to view and manage detection rules.
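The "faulty lock versus skeleton key" distinction above, as an added example that is not the book's or any vendor's code: a hypothetical LOGIN service with a 64-byte username buffer (the overflow condition from Chapter 2) is watched by an exploit-based signature that knows one kit's payload, and by a vulnerability-based rule that fires on the overflow condition itself. The protocol, the limit, the marker bytes and every message are constructed for illustration.

```python
"""Exploit-based signature versus vulnerability-based rule.

Added example, not the book's or any vendor's code. The LOGIN protocol,
the 64-byte limit and every message below are constructed for illustration.
"""

# Constructed flaw: the hypothetical server copies the LOGIN username into a
# 64-byte buffer, so any longer username overflows it (Chapter 2). This
# condition is the "faulty lock".
USERNAME_LIMIT = 64

# Constructed byte pattern from one exploit "kit" for the flaw: the single
# "skeleton key" an exploit-based signature knows about.
KNOWN_EXPLOIT_MARKER = b"\x90\x90\x90\x90KIT-A-PAYLOAD"


def parse_login(message):
    """Return the username field of a 'LOGIN <username>\\n' message, or None."""
    if not message.startswith(b"LOGIN "):
        return None
    return message[len(b"LOGIN "):].split(b"\n", 1)[0]


def exploit_based_rule(message):
    """Fires only when the one known exploit payload is present."""
    return KNOWN_EXPLOIT_MARKER in message


def vulnerability_based_rule(message):
    """Fires whenever the username exceeds the vulnerable buffer, whatever
    the overflowing bytes happen to contain."""
    username = parse_login(message)
    return username is not None and len(username) > USERNAME_LIMIT


# Constructed traffic samples.
SAMPLES = {
    "benign login":     b"LOGIN alice\n",
    "benign at limit":  b"LOGIN " + b"a" * USERNAME_LIMIT + b"\n",
    "known exploit":    b"LOGIN " + b"A" * 80 + KNOWN_EXPLOIT_MARKER + b"\n",
    "repacked variant": b"LOGIN " + b"B" * 80 + b"\x41\x41\x41\x41KIT-B-PAYLOAD\n",
    "novel zero-day":   b"LOGIN " + bytes(range(32, 127)) * 2 + b"\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (exploit_rule_fired, vulnerability_rule_fired)}."""
    return {name: (exploit_based_rule(m), vulnerability_based_rule(m))
            for name, m in samples.items()}


if __name__ == "__main__":
    for name, (sig, vuln) in evaluate().items():
        print(f"{name:18s} exploit-based={sig!s:5s} vulnerability-based={vuln}")
```

The signature catches only the kit it was written for; the vulnerability rule also catches the repacked variant and a payload nobody has seen before, while leaving a username that is exactly at the limit alone.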


Lower TCO through IPS automation

Whether you work for a small, medium, or large organization, there never seem to be enough IT security resources to go around. IT security must work smarter — not harder — to defend today’s dynamic network. A Next-Generation IPS makes it easier to do more with less:

✓ Automated impact assessment. It’s not uncommon for an IPS device to generate hundreds of security events on a daily basis. When you take into account that a traditional enterprise may have a dozen IPS devices or more, sifting through thousands of security events each day is virtually impossible and can effectively render an IPS useless, because it will be ignored. A Next-Generation IPS, on the other hand, correlates threats against endpoint intelligence to reduce the quantity of “actionable” security events by 95 percent or more.
✓ Automated tuning. Every network is different. Customize your IPS detection policy with rules that are relevant for your organization. If the detection policy is too small, the IPS will offer inadequate protection. And if it’s too big, it can overburden the IPS, causing decreased network throughput and increased latency. A Next-Generation IPS can passively profile your network and automatically recommend rules to enable and disable at a user-defined interval (for instance, weekly or monthly).
✓ User identity tracking. What good is an IP address for an end-user device related to a security or compliance event if you don’t know who is being attacked or who is violating a company IT policy? Instead of sifting through DHCP and Active Directory logs to manually cross-reference users with IP addresses, a Next-Generation IPS can place usernames and user identity at your fingertips. The time it takes to tie a user to a security event can be shrunk from one hour to under a second.
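Automated impact assessment and user identity tracking from the list above, as an added example that is not the book's or any vendor's code: each event carries the OS and service its rule's vulnerability needs, is compared with a host profile to drop events the target cannot be affected by, and the survivors are tied to a user by walking DHCP leases and Active Directory logons. Events, host profiles, leases and logon records are constructed samples, and the correlation rules are a simplified stand-in for a real console's logic.

```python
"""Automated impact assessment and user identity lookup for IPS events.

Added example, not the book's or any vendor's code. Events, host profiles,
DHCP leases and Active Directory logon records are constructed samples, and
the correlation rules are a simplified stand-in for a real console's logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int
    rule: str
    target_os: str      # OS family the rule's vulnerability applies to ("any" if not OS-specific)
    target_port: int    # listening service the vulnerability needs (0 if none)
    dst_ip: str
    timestamp: int      # epoch seconds


# Constructed endpoint intelligence, as passive profiling or a vulnerability
# management import would supply it.
HOST_PROFILES = {
    "10.0.1.20": {"os": "Windows", "open_ports": {445, 3389}},
    "10.0.1.21": {"os": "Linux",   "open_ports": {22, 80}},
    "10.0.1.22": {"os": "Windows", "open_ports": {80}},
}

# Constructed DHCP leases: (ip, hostname, lease_start, lease_end).
DHCP_LEASES = [
    ("10.0.1.20", "WS-ALICE", 1000, 2000),
    ("10.0.1.20", "WS-BOB",   2000, 3000),   # same address reissued later
    ("10.0.1.22", "WS-CAROL", 1000, 3000),
]

# Constructed Active Directory logon records: (hostname, username, logon_time).
AD_LOGONS = [
    ("WS-ALICE", "alice", 1100),
    ("WS-BOB",   "bob",   2100),
    ("WS-CAROL", "carol",  900),
]

# Constructed events; the comments say why each one should or should not survive.
SAMPLE_EVENTS = [
    Event(1, "SMB remote code execution", "Windows", 445, "10.0.1.20", 1500),
    Event(2, "SMB remote code execution", "Windows", 445, "10.0.1.21", 1500),  # Linux host
    Event(3, "Apache path traversal",     "Linux",   80,  "10.0.1.22", 2500),  # Windows host
    Event(4, "SSH brute force",           "any",     22,  "10.0.1.22", 2500),  # port not open
    Event(5, "IIS buffer overflow",       "Windows", 80,  "10.0.1.22", 2500),
    Event(6, "Generic port scan",         "any",     0,   "10.0.1.99", 2500),  # no profile
]


def assess_impact(event, profiles=HOST_PROFILES):
    """Compare the rule's prerequisites with what is known about the target."""
    profile = profiles.get(event.dst_ip)
    if profile is None:
        return "unknown host"            # no intelligence, so it still needs a look
    if event.target_os != "any" and event.target_os != profile["os"]:
        return "not vulnerable"          # rule targets an OS the host does not run
    if event.target_port and event.target_port not in profile["open_ports"]:
        return "not vulnerable"          # targeted service is not listening
    return "potentially vulnerable"


def user_for(ip, at, leases=DHCP_LEASES, logons=AD_LOGONS):
    """Map an IP at a point in time to the user most recently logged on there."""
    hosts = {h for (lip, h, start, end) in leases if lip == ip and start <= at < end}
    candidates = [(t, u) for (h, u, t) in logons if h in hosts and t <= at]
    return max(candidates)[1] if candidates else None


def triage(events=SAMPLE_EVENTS):
    """Drop events the target cannot be affected by; enrich the rest with a user."""
    rows = []
    for e in events:
        impact = assess_impact(e)
        if impact == "not vulnerable":
            continue
        rows.append({"event_id": e.event_id, "impact": impact,
                     "user": user_for(e.dst_ip, e.timestamp)})
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Of the six constructed events only three remain after correlation, and the same IP resolves to different users at different times because the lease was reissued.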


Reducing TCO through IPS automation

According to a SANS Institute whitepaper entitled “Calculating TCO on Intrusion Prevention Technology,” a multi-national credit reporting organization with approximately 20,000 nodes and 7,500 employees saved more than $230,000 per year in annual TCO reductions through automated impact assessment, automated tuning, and user identification. By leveraging a Next-Generation IPS solution, organizations can recover their initial IPS investments in a matter of months by automating key IPS administrative tasks.

Protection beyond a typical IPS

Today’s Next-Generation IPS offers network security capabilities beyond just intrusion detection and prevention:

✓ Application monitoring. Most enterprises have documented acceptable use policies (AUPs) depicting operating systems and applications approved and/or restricted from use, but few organizations have the means to monitor and enforce them. A Next-Generation IPS helps IT to “reduce the surface area of attack” by alerting IT to the unauthorized use of operating systems, applications, and devices.
✓ Network Behavior Analysis. Not all attacks come through the perimeter. Many are hand-carried on mobile computing devices right through the front door, thus bypassing a perimeter IPS. Network Behavior Analysis (NBA) technologies baseline “normal” network traffic (using NetFlow or proprietary flow technology) and detect anomalies, such as the spread of malware.
✓ Virtual IPS & management console. A typical appliance-based IPS can’t inspect traffic between one virtual machine (VM) and another on a VMware or Xen server. A Next-Generation IPS provider solves this challenge by offering virtual IPS sensors and management consoles to protect virtualization environments from within and to defend cloud computing infrastructures.


These materials are the copyright of Wiley Publishing, Inc. and anydissemination, distribution, or unauthorized use is strictly prohibited.32<strong>Intrusion</strong> <strong>Prevention</strong> <strong>Systems</strong> <strong>For</strong> DummiesSSL inspectionEvery network security device is blind to SSL-encryptedtraffic, including a network IPS. This is because an SSL sessionis encrypted end-to-end, and the IPS in between seesonly encrypted data. As the use of SSL grows within anorganization — oftentimes comprising one-quarter to onethirdof traffic — the potential of an SSL-encrypted attackrises.To mitigate this risk, a Next-Generation IPS should be complementedby a dedicated SSL inspection appliance — whetherfrom the same vendor or another third party. The SSL inspectiondevice should decrypt SSL traffic, pass it to the IPS forinspection, and then re-encrypt the (clean) traffic before placingit back onto the wire — all with minimal added latency.When placed inline, the SSL inspection appliance should alsofeature fail-open ports.Beware of IPS providers that only offer on-board SSL decryption.Enabling SSL decryption on an IPS can adversely affectthe performance (for example, throughput) of the box by upto 80 percent. In most instances, organizations will want tooffload the SSL decryption process to a stand-alone appliance,which not only decrypts traffic for the IPS, but all networksecurity devices placed behind it. But regardless of whetherSSL is decrypted by the IPS or a stand-alone appliance, ensurethe SSL decryption capability also re-encrypts the original(clean) traffic before placing it back onto the wire to maintainconfidentiality of the data and to maintain compliance withPCI or other regulatory standards.Third-party integrationA best-of-breed security device should integrate with otherdevices on your network to share intelligence, coordinateresponses, and lower total cost of ownership. 
The followingare common examples of how a Next-Generation IPS can integratewith popular third-party systems:


✓ Security Information and Event Managers (SIEMs). Stream security, compliance, and health events to your SIEM of choice (for example, ArcSight, Q1 Labs) for centralized security monitoring.
✓ Vulnerability Management (VM) platforms. Import vulnerability intelligence from popular vulnerability management platforms (for example, Qualys, Rapid7) for security event impact assessment and greater network visibility. (In this list, VM means vulnerability management; elsewhere in this book it means virtual machine.)
✓ Network infrastructure devices. Send remediation actions to routers, switches, and NAC devices from leading network infrastructure providers (for example, Cisco, Juniper, Check Point) to quarantine hosts related to security and compliance events.
✓ Network forensics. Launch packet-level forensics queries directly from the IPS management console to leading network forensics devices (for example, NetWitness, Solera), saving both time and effort.

After you integrate your IPS with your SIEM and other platforms, each IPS event arrives with the context needed to judge it (is the target actually vulnerable? what else has that host been doing?) and with a way to act on it, which is a level of security your organization likely has not experienced before.
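As an added example (not code from the book, nor from any IPS or SIEM vendor), here is what the SIEM integration above looks like on the wire: IPS events encoded in ArcSight's Common Event Format (CEF) and framed as syslog lines. The vendor and product names, the signature ID and the sample event are made up. The escaping rules are the security-relevant part: an IPS copies attacker-controlled data (a URL, a user name, a rule name) into the record, and without escaping, a `|` or `=` in that data would let the attacker split the record or overwrite fields such as the source address in the SIEM.

```python
"""IPS events as ArcSight CEF records, framed for syslog.

Added example; not code from the book or from any IPS or SIEM vendor.
The vendor/product names, the signature ID and the sample event are made up.
"""
from dataclasses import dataclass, field

# CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ...
# Header fields escape '\' and '|'; extension values escape '\', '=', CR and LF.
_HEADER_UNESCAPE = {"|": "|", "\\": "\\"}
_EXT_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def escape_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(text, table):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(table.get(text[i + 1], "\\" + text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _unescaped_positions(text, char):
    """Indices of `char` that are not themselves escaped by a backslash."""
    positions, escaped = [], False
    for i, c in enumerate(text):
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == char:
            positions.append(i)
    return positions


@dataclass
class IPSEvent:
    signature_id: str
    name: str
    severity: int                        # CEF severity, 0 (low) to 10 (high)
    extension: dict = field(default_factory=dict)


def to_cef(event, vendor="ExampleVendor", product="NGIPS", version="1.0"):
    """Encode one event as a CEF:0 line. Every field is escaped, so a '|' in a
    rule name or an '=' in a captured URL cannot split or forge fields."""
    header = "|".join(escape_header(v) for v in (
        vendor, product, version, event.signature_id, event.name, event.severity))
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in event.extension.items())
    return f"CEF:0|{header}|{ext}"


def parse_cef(line):
    """Decode a CEF:0 line back into its header fields and extension dict."""
    pipes = _unescaped_positions(line, "|")
    if not line.startswith("CEF:") or len(pipes) < 7:
        raise ValueError("not a CEF:0 record")
    cuts = [-1] + pipes[:7]
    head = [_unescape(line[cuts[i] + 1:cuts[i + 1]], _HEADER_UNESCAPE) for i in range(7)]
    ext_text = line[pipes[6] + 1:]
    ext, eqs = {}, _unescaped_positions(ext_text, "=")
    for n, pos in enumerate(eqs):
        key = ext_text[ext_text.rfind(" ", 0, pos) + 1:pos]
        end = ext_text.rfind(" ", 0, eqs[n + 1]) if n + 1 < len(eqs) else len(ext_text)
        ext[key] = _unescape(ext_text[pos + 1:end], _EXT_UNESCAPE)
    return {"version": head[0].split(":", 1)[1], "vendor": head[1], "product": head[2],
            "device_version": head[3], "signature_id": head[4], "name": head[5],
            "severity": int(head[6]), "extension": ext}


def syslog_line(cef, host, timestamp, facility=20, severity=6):
    """Frame a CEF record as an RFC 3164-style syslog line (default local4.info)."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {cef}"


if __name__ == "__main__":
    event = IPSEvent("1:1000001", "Example web attack | SQLi probe", 7, {
        "src": "203.0.113.7", "spt": 51022, "dst": "10.0.0.5", "dpt": 80, "proto": "TCP",
        "request": "/index.php?id=1 UNION SELECT 1,2\n", "act": "blocked"})
    line = to_cef(event)
    print(syslog_line(line, "ips01", "Jun 14 10:01:40"))
    print(parse_cef(line))
```

Run it and the printed record round-trips through `parse_cef` with the pipe in the rule name, the `=` in the request and the embedded newline all intact; a naive `"|".join(...)` would have produced a record with eight fields and a second syslog line. Other SIEMs have their own formats, and the same discipline applies: escape every field the attacker can influence, and verify by parsing your own output.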




Chapter 4
IPS, Virtualization, and Cloud Computing

In This Chapter
▶ Considering the benefits and risks of virtualization
▶ Securing virtualization
▶ Virtualizing security
▶ Securing the cloud

Virtualization and cloud computing are revolutionizing information technology by facilitating a more efficient use of computing resources.

Virtualization is the technology that enables many separately running operating system instances to occupy a single computer. Each virtual machine (VM) instance runs as though it were occupying its own dedicated server. This can enable an organization to more easily deploy and manage servers.

Cloud computing is the term encompassing many technologies that enable an organization to enjoy a dynamically expanding and contracting computing environment. Organizations can build their own clouds, or buy services offered by external cloud computing providers.

In this chapter, I discuss virtualization and cloud computing, and the relationship that each has with intrusion prevention systems.


Benefits and Risks of Virtualization

Virtualization is the technology that permits an organization to run many separate instances of operating systems on a single server. This permits an organization to greatly enhance the efficiency of its server hardware, by grouping many separately running operating systems onto a single server. Figure 4-1 illustrates virtualization.

[Figure 4-1: Virtual servers. Four virtual machines (VM #1 through VM #4) run on top of a base OS or hypervisor, which in turn runs on the server hardware.]

Before virtualization, an organization whose environment required six servers had to purchase six separate hardware servers. With virtualization, the organization can purchase one server and install six virtual machines on that server.

The primary benefit of virtualization is that an organization can implement new virtual machines at will and with very little effort.

The primary risk of virtualization is that an organization can implement new virtual machines at will and with very little effort.

Yes, you read that right: The main benefit is also the main risk. What I'm saying here is that, without proper safeguards, virtualization can introduce risks that can negate the benefits.


The benefits of virtualization include:
✓ Agility. Virtualization allows an organization to respond more quickly to changing needs in its technical environment.
✓ Rapid deployment. With virtualization technology, you can build and deploy a new server in just a few minutes. No more running down to the local computer store for a server and loading an OS.
✓ Improved system availability. Virtualization enables an organization to implement servers that are more consistent with each other. Consistency breeds higher availability, because there are fewer differences between systems, which means systems engineers are less likely to make mistakes that cause unexpected downtime.
✓ Energy savings. Running many virtual servers on just a few physical servers means there are a lot fewer physical servers consuming energy.
✓ Space savings. The amount of space that servers consume is expensive, especially in commercial data centers that literally charge for rack space by the inch.

With these benefits, what's not to love? However, there are also risks related to virtualization, and it's important to understand these risks, so that you won't make the same mistakes that others have made.
✓ VM sprawl. Because virtualization makes it so incredibly easy to deploy a new server, it can sometimes be tempting for an engineer to deploy a server and bypass the management processes that usually accompany the deployment of a new server. The result can be many unauthorized servers that are doing who-knows-what. VMs created outside of management processes may be unmanaged and invite malware infection. For more on the topic, see the section "Controlling VM sprawl," later in the chapter.
✓ Vulnerabilities. One of the neat features of virtualization is the capability to roll back to an earlier snapshot, which is a fancy way of reverting to an earlier version of the virtual server. Doing so, however, can also result in the


removal of critical security patches that can leave servers vulnerable to attack or malfunction. A rolled-back VM also loses everything else that changed after the snapshot was taken, such as rotated passwords and local log files, so treat a restored snapshot as an unpatched system: rescan it and patch it before it goes back into service.
✓ Lack of separation of duties. In the physical server world, there is more management and team coordination required to deploy a new server: Someone has to approve the hardware purchase, and network engineers provide support by enabling the connection of a new server to the network. With virtualization, none of this coordination is necessary. A single individual can deploy a server without telling anyone.
✓ Blind spots. In the physical world, it is easier to observe the logical architecture and data flow in an environment, and control security with firewalls and IDSs where needed. With virtualization, however, servers that were once separated by firewalls or IPSs may end up on the same physical server, resulting in the loss of those network controls. Traffic between two VMs on the same host passes over the hypervisor's virtual switch and never reaches the physical wire, so a physical IPS cannot see it at all.

These risks may sound pretty scary — so is virtualization worth it? You bet it is. And IT management, aware of the cost savings realized with virtualization, will insist on it. So it's best to hang on and make your virtual systems secure.

Some IPS providers offer virtual versions that can be incorporated into virtual environments, providing greater visibility and control of VM-to-VM traffic.

There are two approaches to virtualization and security. One is the process of securing virtualization, and the other is virtualizing security. Both are discussed in the next two sections.

Securing Virtualization

Like any information technology, virtualization needs to be secured. In other words, virtualization needs to be configured and managed in a way that will result in the virtualization environment being free of vulnerabilities that could lead to compromised systems.

There are three main areas where virtualization needs security controls: with the people, the processes, and the virtualization technology itself.


Virtualization: People security

What I'm getting at here is the fact that all personnel who design, implement, manage, or operate virtualized environments can do so only when they have the knowledge required to do it properly. Not only do personnel need to understand virtualization technology, but they also need to be familiar with the organization's policies and procedures regarding virtualization.

You can have all the right virtualization technology in place, but if personnel don't understand how to use it (or are unwilling to understand), your virtual environment will not be secure.

Virtualization processes

Like personnel, a virtualized environment will not be very secure unless the right business processes are in place. Some of the processes that I feel are important include:
✓ Change management. Changes to virtual machines, as well as changes to virtualization configuration, should be done under the control of a formal change management process. Just how formal this process should be is dependent on the organization's needs. However, under no circumstances should changes be made without at least informing all affected parties!
✓ Technical standards. Configuration settings for virtualization, as well as the virtual machines themselves, should be written down. This is not a one-time exercise, but a process of establishing standards and then sticking to them. Sure, things need to change — in that case, you use Change Management to manage change.
✓ Audit. Virtualization settings and virtual machines need to be examined from time to time, to ensure that they're being deployed and operated properly, and that no unauthorized activity is going on.


Securing virtualization technology

Virtualized environments need to be properly designed and configured, so that they will be free of vulnerabilities that may expose them to threats. Virtual environments should be designed and configured according to the following principles:
✓ Least-privilege administration. Each staff member who administers virtualization should have his or her own user ID, and each person should have only the privileges required.
✓ Logging. Administrative activities within the virtualized environment should be logged. This helps to identify who is performing what administrative functions. A documented history of administrative activities makes troubleshooting a lot easier.
✓ Disable unneeded components. Just as disabling unused ports and components on a server is good for security, this same principle applies to virtualization. In particular, the hypervisor's management interfaces should be reachable only from an administrative network, never from the networks the guest VMs use.
✓ Backup. Certainly it should be obvious that all virtual machines in a virtualized environment should be backed up. But what may be less obvious is the need to back up virtualization configurations themselves if they're not contained in an OS being backed up.
✓ Placement of IPS sensors. Just as the placement of IPS sensors is critical in a traditional environment, it's also critical in a virtualized environment. This may necessitate both hardware IPSs as well as virtual IPSs that are installed within virtualized environments. This will help to protect VM-to-VM traffic even within individual hardware platforms.
✓ Configuration standards. Virtualization and virtual machines need to be configured according to a set of documented standards. There are two main benefits to standards. First, when properly circulated, reviewed, and approved, standards should represent a collective agreement on how systems should be configured. Second, standards (when enforced) help systems be more consistent with each other.


Controlling VM sprawl

VM sprawl is a result of the practice of deploying virtual machines without obtaining approval. Because engineers can unilaterally deploy VMs without obtaining approval, some enterprises are liable to experience uncontrolled growth of VMs and the chaos that results. Here I discuss some neat ways that IPSs can be used to control it.

Better IPSs can help to control VM sprawl by detecting a VM by its virtual network card's MAC address. Virtual NICs draw their MAC addresses from prefixes (OUIs) registered to the hypervisor vendor, so a MAC address the IPS has never seen before that carries one of those prefixes is almost certainly a new VM. An IPS can be configured to generate an alert whenever it sees one. This can help management to keep an eye on new VMs, so it is important that these alerts not be sent to the individuals who create VMs but to other personnel, in order to prevent engineers from creating VMs on the sly. Bear in mind that a VM's MAC address is a setting its owner can change, so this check catches VMs created carelessly rather than VMs created to evade detection; reconcile the IPS's list against the hypervisor's own inventory from time to time.

Organizations that are zealous about controlling VMs can use their IPSs to prevent new, unauthorized VMs from being able to communicate on the network. This is one important way that segregation of duties can be retained in a virtualized environment.

Virtualizing Security

Virtualization creates several new opportunities, including the capability to implement more than just operating systems in virtual environments. Besides OSs, you can also deploy network switches, firewalls, and IPSs as virtual machines, thus leveraging the cost-saving benefits that virtualization brings.

At first blush, it may appear that cost savings is the only motivator for virtualizing security devices. Sure, virtual versions of security devices may (or may not) cost less than their physical counterparts, but sometimes using a virtualized security device is the right thing to do.

For example, imagine that an Internet-facing application is deployed in a virtualized environment. The application consists of a web server, an application server, and a database server. Regulation requires an IPS protecting the web server


and a firewall protecting the database server. All these components can be incorporated into a single physical platform, with the necessary detective and preventive controls in place to protect all these virtual components with as much confidence as though they were physically separate. Configured correctly, these components are isolated from one another as effectively as separate physical hosts would be. They do still share one hypervisor, so the hypervisor (and whoever administers it) becomes the control on which all the others depend.

Virtual IPS solutions can also be deployed to small remote offices (equipped with virtualization hosts) to monitor both physical and virtual hosts for threats, without incurring the expense of physical IPS devices and the human costs to deploy them. Virtual IPS VMs can be dragged and dropped to protect virtually (no pun intended) any corner of the network with a few clicks of a mouse, saving both time and money.

Securing the Cloud

Cloud computing is all the rage these days. Whether they're providing cloud services or consuming them, enterprises are flocking to cloud environments faster than prospectors flocked to the Klondike in the gold rush of 1896.

In order to preserve the context of intrusion prevention systems, stay with the fairly general definition of cloud computing as the use of computers and networks as a general-purpose, on-demand, and dynamically scalable computing environment that hosts applications and other computer-based services.

Organizations that wish to move their applications "into the cloud" generally desire to outsource an application's infrastructure (computers and network devices), with the expectation that computing resources will expand and contract based on demand. Growing and managing a dynamic computing infrastructure is expensive and time consuming, and outsourcing this frees the organization to focus on its core competencies.

One of my favorite sayings is, "You can't outsource accountability." This means that, even if you hire an outside organization to perform work, you're still responsible for the outcome. In the context of cloud computing, an organization that outsources its infrastructure (and, possibly, applications and


other services) to the cloud needs to make sure that its systems and data are protected from security threats.

Cloud computing doesn't always mean "run by others." An organization can have its own private cloud.

The controls used to protect cloud-borne applications and data from threats are discussed in the remainder of this chapter. These controls are necessary, whether an organization is building and running its own cloud, or using the services from a cloud services provider.

Firewalls

These access control devices are used to control the communications flowing to and from networks and specific endpoints by blocking unauthorized access as well as many types of intrusion attempts.

Intrusion prevention systems (IPSs)

These systems watch for signs of malfunction, intrusion, and some types of malware attacks. IPSs detect and block the attacks that other controls (such as firewalls) are incapable of.

Strict access controls

A well-designed access controls program is necessary to effectively secure a network, a system, or a cloud environment. Some of the characteristics of an effective access control system include:
✓ Formal access request process
✓ Least privilege access
✓ No shared accounts
✓ Access logging
✓ Strong password quality standards
✓ Periodic access reviews


Logging

Significant events at every layer of the cloud infrastructure need to be logged. Preferably, logging will be centralized for ease of management and the capability to correlate individual separate events and be able to see them as incidents.

Precise time synchronization is a key ingredient for accurate logging. Computers' time-of-day clocks are notoriously inaccurate; use NTP to synchronize all computer and network device clocks to well-known standard time sources. Without it, events from different hosts cannot be put in their true order, and correlation rules that depend on timing will miss or misread incidents.

Change management

Change management is the formal process where all changes in an environment are formally requested, reviewed, scheduled, performed, and documented.

The heart of an effective change management process is a periodic change review meeting, where stakeholders discuss upcoming proposed changes. This helps ensure that changes will have the desired effect, be coordinated with the right parties, and help to reduce unscheduled downtime.

Configuration management

Developing good standards and using tools to ensure consistent configuration helps to make systems more resistant to intrusion and misuse. Configuration management tools can help to automate the settings on each virtual machine, enabling even instantaneous configuration changes across all systems in a virtualized environment.
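An added example (not code from the book) of the logging point above: a small correlator that parses log lines from three cloud hosts, groups events from the same remote address into incidents, and shows what happens to that grouping when the hosts' clocks disagree. The log lines, host names, addresses and per-host clock offsets are all constructed. In practice you fix the clocks with NTP rather than correcting for them afterwards; the offsets here stand in for what an unsynchronized fleet looks like to a SIEM.

```python
"""Correlate events from several cloud hosts into incidents, with and
without correcting for clock skew.

Added example; not code from the book. The log lines, host names, addresses
and per-host clock offsets are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOGS = [
    "2011-06-14T10:00:12 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
    "2011-06-14T10:01:40 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2011-06-14T10:01:43 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2011-06-14T10:03:21 app01 sshd[901]: Accepted password for deploy from 203.0.113.7 port 51100 ssh2",
    "2011-06-14T10:20:00 web01 sshd[2300]: Accepted publickey for ops from 10.0.0.50 port 40000 ssh2",
]

# Each host's clock minus true time, in seconds, as an NTP client would report
# before the fleet was synchronized (constructed): fw01 runs two minutes slow,
# app01 a minute and a half fast.
CLOCK_OFFSET_SECONDS = {"fw01": -120.0, "web01": 0.0, "app01": 95.0}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
REMOTE_IP_RE = re.compile(r"(?:from |SRC=)(\d{1,3}(?:\.\d{1,3}){3})")


def parse_events(lines, offsets=None):
    """Parse '<iso-timestamp> <host> <message>' lines. When `offsets` is given,
    subtract each host's offset so every timestamp is on one reference clock."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, host, msg = m.groups()
        when = datetime.fromisoformat(stamp)
        if offsets:
            when -= timedelta(seconds=offsets.get(host, 0.0))
        ip = REMOTE_IP_RE.search(msg)
        events.append({"time": when, "host": host,
                       "remote": ip.group(1) if ip else None, "msg": msg})
    return events


def correlate(events, window=timedelta(seconds=60)):
    """Group events by remote address: an event joins the open incident for
    that address if it falls within `window` of the incident's last event,
    otherwise it opens a new incident."""
    incidents, open_by_ip = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        ip = e["remote"]
        if ip is None:
            continue
        cur = open_by_ip.get(ip)
        if cur is None or e["time"] - cur["events"][-1]["time"] > window:
            cur = {"remote": ip, "events": []}
            incidents.append(cur)
            open_by_ip[ip] = cur
        cur["events"].append(e)
    return incidents


def describe(incident):
    hosts = ",".join(dict.fromkeys(e["host"] for e in incident["events"]))
    first, last = incident["events"][0]["time"], incident["events"][-1]["time"]
    return (f"{incident['remote']}: {len(incident['events'])} events on {hosts} "
            f"from {first:%H:%M:%S} to {last:%H:%M:%S}")


if __name__ == "__main__":
    print("-- raw clocks")
    for inc in correlate(parse_events(SAMPLE_LOGS)):
        print(describe(inc))
    print("-- corrected clocks")
    for inc in correlate(parse_events(SAMPLE_LOGS, CLOCK_OFFSET_SECONDS)):
        print(describe(inc))
```

With the raw timestamps the firewall's DROP appears two minutes before the password guessing it was reacting to, the successful login on app01 lands outside the correlation window, and the attack shows up as three unrelated incidents. With the clocks reconciled, the same five lines collapse into one incident that tells the actual story: failed logins on web01, a successful one on app01, then the block.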


Chapter 5
IPS and Regulatory Compliance

In This Chapter
▶ Understanding how IPS is needed for PCI, HIPAA, and other regulations
▶ Knowing how COBIT supports Sarbanes-Oxley, Basel II, and SSAE 16
▶ Seeing why IPS supports most security-related regulations and standards

Security is no longer just a good idea: It's the law.

When organizations put their information and their business processes online and made them available over the Internet, there were scores of large-scale security breaches and thousands of smaller incidents. This resulted in a backlash of laws and regulations designed to force organizations to take at least basic safeguards to protect information stored online.

Regulations and standards regarding information security are still young but beginning to mature. Many consistent themes are emerging that allow an organization to figure out how to be compliant to different laws and regulations.

This chapter discusses the heavyweights of laws and regulations, and how IPSs can help.


Security or compliance?

As various laws and regulations on data security emerged, conflicted with one another, and matured, often there was a question of whether an organization was secure or compliant. What does this mean?

Some of today's laws and standards on data security are very exacting in their demands. They require specific processes and technologies, regardless of the actual risk associated with those processes and technologies. And some of these same laws ignore other measures that organizations need to take.

Organizations that are focusing on compliance often take their eyes off the need for security. One can't be sacrificed for the other. Although compliance is important, security is even more important. Organizations can't rely merely on compliance to be secure, although many do just that.

Organizations still need to perform a periodic risk assessment in order to determine where the risks are. Controls mandated by laws and regulations will take care of many — but not all — of those risks. Organizations need to put additional controls in place to manage risks not covered by regulations.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS, commonly known as just PCI) is a highly detailed and comprehensive standard that is required for every merchant, retailer, and service provider that stores, processes, or transmits credit card data for any purpose. PCI compliance is required by all the major credit card companies, including MasterCard, Visa, American Express, Discover, and JCB.

The credit card brands, working through card issuers and banks, require every organization that handles credit card data to be compliant to the PCI standard. Merchants that process more than six million transactions per year, and service providers that process more than 600,000 transactions per year (the exact thresholds are set by each card brand), are also required to undergo an external audit every year to ensure their compliance. Merchants and service providers are also required to undergo quarterly external security scans.


Several specific PCI requirements are easier to satisfy with an IPS, specifically:
✓ 1.1 - Configuration standards and acceptable ports/services for business use. Organizations are required to develop configuration standards for all information systems and devices. These standards must contain a list of ports and services on these systems that are required for those systems to properly run.
✓ 2.2 - Development and enforcement of configuration policy. An IPS can be configured to generate alarms or block traffic that violates these standards. Better IPS solutions offer compliance rules and whitelists, enabling customers to monitor and continuously enforce acceptable use policies (AUPs) for use of operating systems, applications, ports, protocols, and services.
✓ 6.2 - Identify and remediate vulnerabilities. Organizations are required to have a formal vulnerability management program to proactively identify and remediate vulnerabilities in all layers of infrastructure. Better IPS solutions incorporate passive network intelligence collection to complement active scanning technologies to better defend the network against emerging zero-day threats.
✓ 11.2 - Quarterly vulnerability scans. Organizations are required to undergo scans that are carried out by PCI-approved scanning vendors. Leading IPSs augment this by delivering this information to organizations' security specialists in real time. This helps an organization to discover and remediate vulnerabilities prior to the official quarterly scans.
✓ 12.5.2 - Monitor and analyze events. Organizations are required to monitor systems for security events. An IPS can perform this monitoring.
✓ 12.9 - Incident response. PCI requires organizations to have an organized incident response program and test it at least once per year. An IPS can provide automated alerting and response, as well as provide alerts to personnel who can perform manual analysis and remediation.

The requirement that calls for an IPS by name is 11.4: use intrusion-detection or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment and at critical points inside it, and keep the engines, baselines, and signatures up to date. Every organization that is required to comply with PCI must therefore have an IDS or IPS; there is no way to interpret that requirement in any other way.
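The passive checks described in Chapter 4's "Controlling VM sprawl" section (a new VM recognized by its virtual NIC's MAC address) and in requirements 1.1 and 2.2 above (each system may only offer the ports and services its configuration standard lists) are the same technique: observe traffic, compare it against a baseline, alert on the difference. The following added example, which is not the book's or any vendor's code, shows both checks in one passive monitor. The OUI prefixes are the real ones the named hypervisors assign to virtual NICs; the inventory, the configuration standards and the flow records are constructed.

```python
"""Passive baseline monitoring: unapproved VMs by MAC address, and
ports/services that are not in a host's configuration standard.

Added example; not code from the book or from any IPS vendor. The OUI
prefixes are the real ones these hypervisors assign to virtual NICs; the
inventory, configuration standards and flow records are constructed.
"""
from dataclasses import dataclass

HYPERVISOR_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:16:3e": "Xen", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}


@dataclass(frozen=True)
class Flow:
    ts: str        # time of first packet (constructed, HH:MM:SS)
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str     # "tcp" or "udp"
    dst_port: int


def normalize_mac(mac):
    return mac.strip().lower().replace("-", ":")


def hypervisor_vendor(mac):
    """Vendor name if the MAC's OUI belongs to a hypervisor, else None."""
    return HYPERVISOR_OUIS.get(normalize_mac(mac)[:8])


def detect_new_vms(flows, known_macs, approved_vm_macs):
    """One alert per previously unseen MAC: 'unapproved VM' when the OUI is a
    hypervisor's and the MAC is not in the approved inventory, 'new host'
    otherwise. A MAC is a software setting on a virtual NIC and is easy to
    change, so this is a detective control against carelessness, not a
    barrier against a determined insider."""
    seen = {normalize_mac(m) for m in known_macs}
    approved = {normalize_mac(m) for m in approved_vm_macs}
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        mac = normalize_mac(f.src_mac)
        if mac in seen:
            continue
        seen.add(mac)
        vendor = hypervisor_vendor(mac)
        if vendor is None:
            reason = "new host"
        elif mac in approved:
            continue
        else:
            reason = "unapproved VM"
        alerts.append({"ts": f.ts, "mac": mac, "ip": f.src_ip,
                       "vendor": vendor, "reason": reason})
    return alerts


def detect_policy_violations(flows, standards):
    """PCI DSS 1.1/2.2 style check: a host may only offer the (proto, port)
    services listed in its configuration standard. Hosts with no standard at
    all are reported too; they are exactly the 'who-knows-what' servers."""
    seen, violations = set(), []
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.dst_ip, f.proto, f.dst_port)
        if key in seen:
            continue                      # one alert per host/service, not per flow
        seen.add(key)
        allowed = standards.get(f.dst_ip)
        if allowed is None:
            reason = "no configuration standard"
        elif (f.proto, f.dst_port) not in allowed:
            reason = "service not in standard"
        else:
            continue
        violations.append({"ts": f.ts, "host": f.dst_ip,
                           "service": f"{f.proto}/{f.dst_port}", "reason": reason})
    return violations


# Constructed sample data.
SAMPLE_FLOWS = [
    Flow("10:00:01", "00:50:56:a1:00:01", "10.0.0.5", "10.0.0.6", "tcp", 3306),   # approved web VM -> db
    Flow("10:00:02", "00:0c:29:7e:11:22", "10.0.0.9", "10.0.0.6", "tcp", 3306),   # VMware VM nobody approved
    Flow("10:00:03", "00:0c:29:7e:11:22", "10.0.0.9", "10.0.0.6", "tcp", 3306),   # same VM again: no second alert
    Flow("10:00:04", "08:00:27:c4:55:10", "10.0.0.23", "10.0.0.5", "tcp", 8080),  # VirtualBox VM, off-standard port
    Flow("10:00:05", "d4:be:d9:10:20:30", "10.0.0.40", "10.0.0.5", "tcp", 443),   # physical host, allowed service
    Flow("10:00:06", "d4:be:d9:10:20:30", "10.0.0.40", "10.0.0.77", "udp", 69),   # TFTP to a host with no standard
]
KNOWN_MACS = {"00:50:56:a1:00:01"}
APPROVED_VM_MACS = {"00:50:56:a1:00:01"}
STANDARDS = {                             # documented ports/services per host
    "10.0.0.5": {("tcp", 80), ("tcp", 443)},
    "10.0.0.6": {("tcp", 3306)},
}

if __name__ == "__main__":
    for a in detect_new_vms(SAMPLE_FLOWS, KNOWN_MACS, APPROVED_VM_MACS):
        print("VM sprawl:", a)
    for v in detect_policy_violations(SAMPLE_FLOWS, STANDARDS):
        print("policy:", v)
```

Route the VM alerts to someone other than the engineers who build VMs, as Chapter 4 advises, and reconcile the IPS's view against the hypervisor's own inventory rather than treating the MAC check as authoritative. The policy check is only as good as the standards it compares against: a host missing from `STANDARDS` is the finding, not a gap in the tool.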


PCI, the effective non-law

PCI DSS is a standard that was developed by the consortium of credit card brands. Despite the fact that PCI isn't a law, card brands have been able to effectively enforce compliance to PCI.

The credit card brands enforce PCI through fines, as well as the threat to block the organization's capability to process credit card transactions.

U.S. Health Insurance Portability and Accountability Act (HIPAA)

HIPAA (pronounced HIP-uh) is a U.S. federal law that, among other things, requires that each organization that stores or handles protected health information (PHI) in electronic form develop a set of controls to ensure the protection of that information. HIPAA is about security as well as privacy, requiring organizations to restrict access to PHI and also to handle it properly. HIPAA applies to all types of medical practices (hospitals, clinics, and doctors' offices) as well as insurance companies and other organizations that store or process patient medical records.

HIPAA requires organizations to enact several controls, some of which are easier to implement with an IPS. These are:
✓ 164.306 - General requirements. Organizations are required to protect PHI against reasonably anticipated risks and threats. These threats include, of course, intrusion, which is detected and blocked by an IPS.
✓ 164.308 - Administrative safeguards. Organizations are required to enact policies and procedures to prevent, detect, correct, and contain security violations. An IPS is perfectly suited to protect an organization against network-borne security violations, intrusions, and incidents.


✓ 164.312 - Technical safeguards. Organizations are required to implement controls to detect and prevent security threats. An IPS is a part of the total solution for blocking network-based threats, from the Internet as well as from within the organization.
✓ 164.316 - Documentation requirements. Organizations are required to implement reasonably appropriate policies and procedures to comply with standards and implementation specifications.

HIPAA does not name specific products, but it would be hard to imagine a HIPAA-compliant organization that lacked an intrusion prevention system.

U.S. Federal Information Security Management Act (FISMA)

All agencies of the U.S. government, as well as service providers that process information for the U.S. government, are required to comply with the Federal Information Security Management Act (FISMA). FISMA (pronounced FIZZ-muh) requires all agencies to develop, document, and implement agency-wide information security programs. The publication NIST SP 800-53 ("Recommended Security Controls for Federal Information Systems") describes the control framework for all efforts to comply with FISMA.

Intrusion prevention systems help organizations to comply with several parts of FISMA, including:
✓ CA-7 - Continuous Monitoring. Agencies are required to continuously monitor their networks for security events and intrusion attempts. It's difficult to imagine anything but an IPS for this job.
✓ IR-5 - Incident Monitoring. An IPS helps security response teams to focus on critical events and incidents.
✓ RA-3 - Risk Assessment. Output data from an IPS helps a security team to complete its risk assessment by learning what security events are occurring on an agency's network.


✓ RA-5 - Vulnerability Scanning. Passive monitoring data from a leading IPS solution supplements results from active scans with tools such as Nessus.
✓ SI-4 - Information System Monitoring (intrusion detection tools and techniques). With detection and automatic remediation, a leading IPS can exceed the NIST SP 800-53 requirements for intrusion detection tools.
✓ CM-1 - Configuration Management Policies and Procedures. Agencies are required to document their configuration management policies and procedures, including actions to take when an IPS detects intrusions.
✓ CM-4 - Monitoring Configuration Changes. Better IPS solutions can detect changes in a system's baseline configuration through passive observation.

An IPS is one of the necessary ingredients for any government system in scope for FISMA.

U.S. Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley act — also known as Sarbox or SOX — was passed by Congress in 2002 in response to a number of significant accounting scandals in the U.S. The goal of SOX is to ensure the accuracy of financial statements for all U.S. public companies.

SOX requires that organizations have a system of internal business and technology controls that keep the risk of tampering with the organization's financial systems, and with the records they produce, to an acceptable level.

Unlike other standards and regulations such as PCI, HIPAA, and FISMA, SOX doesn't include a standard set of controls. Many organizations have enacted the Control Objectives for Information and related Technology (COBIT) framework of controls to be compliant with SOX.

An IPS is an essential part of every U.S. public company's infrastructure, in order to be compliant with several COBIT controls, including:


✓ DS5.10 - Appropriate controls are in place to prevent unauthorized access via public networks. An IPS is a key component to prevent unauthorized access of an organization's systems from the Internet.
✓ DS5.5 - Monitoring and logging of security activity. An IPS continuously monitors network-based security activity.
✓ DS5.3, 5.4, 5.10 - System infrastructure is properly configured to prevent unauthorized access. Intruders aren't welcome! An IPS helps to prevent unauthorized access by blocking unwelcome access attempts.
✓ DS9.2 - Authorized software only on IT assets. An IPS can help to detect the presence of unauthorized software on IT systems through the detection of new types of network traffic.

Whether an organization adopts COBIT or another set of controls for SOX compliance, certainly these controls will include those listed here. An IPS is a key component for achieving compliance with these controls.

U.S. Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act, usually known as GLBA, is a U.S. law passed by Congress in 1999 to require financial services firms to protect sensitive information about their depositors and clients from theft and abuse. GLBA applies to all banks, investment firms, brokerages, and insurance companies doing business in the U.S.

GLBA requires every financial services organization to comply with three major rules: the Financial Privacy Rule, having primarily to do with the privacy and handling of sensitive information; the Safeguards Rule, which requires firms to have a written data security plan that describes how they will protect their clients' information; and Pretexting Protection, which requires that firms train their employees to recognize and deflect attempts at pretexting — a social engineering attempt to obtain client information.


GLBA is enforced by the FDIC (Federal Deposit Insurance Corporation), FRB (Federal Reserve Board), and the National Credit Union Association (NCUA). The Federal Financial Institutions Examination Council (FFIEC) provides guidance for GLBA audits. IPSs are required to meet the following FFIEC examination guidelines:

✓ Information Security Assessment — gathering data on assets and threats to those assets. Better IPS solutions can enumerate a network using passive sensing technology. Each asset’s operating system can be mapped against a database of vulnerabilities to aid impact assessment for associated intrusion events.
✓ Security Strategy that includes prevention, detection, and response. Management is required to establish a formal strategy for protecting client information that includes an IPS that aids in the detection and response to security incidents.
✓ Monitor network access for policy violations and anomalous behavior. An IPS will naturally be a major component in network monitoring.
✓ IDS/IPS monitoring of incoming and outgoing traffic. Can this be any more obvious?
✓ Hardening — documented minimum system requirements and disallowing of noncompliant activity. An IPS contributes to this by detecting exceptions to hardening standards, primarily through the detection of disallowed components and programs.
✓ Security monitoring: policy violations, anomalous activity, and security events. An IPS is the key component in any security monitoring strategy.

It’s no surprise that IPSs play a key role in compliance to GLBA by preventing many kinds of security incidents and problems.

Basel II

Basel II is the second of the Basel Accords, the recommendations on banking laws and regulations issued by an international standards committee. The purpose of Basel II is sound capital management for banks and other depositor institutions.


Like Sarbanes-Oxley, Basel II doesn’t prescribe specific controls, but many organizations that are required to comply with Basel II adopt the Control Objectives for Information and related Technology (COBIT) framework of controls.

See the earlier section on Sarbanes-Oxley for information on how IPS supports compliance to COBIT controls.

SSAE16 and SAS70

U.S. publicly traded companies that outsource any of their financial services to other organizations have a potential problem: Their external auditors who are measuring companies’ compliance to Sarbanes-Oxley aren’t able to directly audit the activities performed by the outsourcer.

Those auditors could require that they audit the service provider, but that would add considerable cost to each audit. And, the service provider would have a lot of auditors snooping around for their customers. A service provider with a lot of customers wouldn’t be able to tolerate this many audits of its operations.

The answer: The outsourcing service provider undertakes an SSAE16 (formerly known as SAS70) audit. The audit report can be sent to its customers’ auditors, who can then complete their audit on their U.S. public companies’ financial operations.

Like Sarbanes-Oxley itself, there is no prescribed set of SSAE16 controls. Instead, most adopt COBIT controls to manage their services. The service provider’s SSAE16 auditors can then audit the service provider’s COBIT controls and then write an audit opinion that can be sent back to its U.S. public company customers.

Take a look at the Sarbanes-Oxley section earlier in this chapter for a discussion on how IPSs support compliance with COBIT.




Chapter 6
Selecting the Right IPS

In This Chapter
▶ Developing IPS selection criteria
▶ Understanding the unique requirements needed from enterprise and SMB organizations
▶ Unraveling industry specific requirements
▶ Exploring independent test labs

So here you are in the selection criteria section. You’re probably thinking about getting an IPS for your organization now, or at least thinking about thinking about it. Or maybe you want to see what criteria other organizations use when they’re ready to buy.

Regardless, it is important to develop objective criteria for any IT system, and then compare various products against your criteria. This may sound tedious, but would you rather buy based on emotion? Well, it may feel good at the moment, but later on you might not be happy with what you purchased at the time.

Common IPS Selection Criteria

In this chapter, I discuss selection criteria, starting with general requirements in this section, and moving to specialized requirements by company size and industry sector later on. Here are the primary characteristics that organizations need to consider when shopping for an IPS:


✓ Detection. How an IPS detects unwanted traffic. This can be signature-based, anomaly-based, or both. Consider both false positives as well as false negatives. Is the rule base visible so that you can examine the rules or add more?
✓ Scalability. Rather than just consider what is needed today, what modes of change, growth, or future regulations or standards may require additional sensors, additional bandwidth, new technologies (such as virtualization), or different types of sensors (physical versus virtual)?
✓ Performance. Make a purchasing decision with the long term in mind. If any type of growth is anticipated, then you should select a security platform that will grow with you without having to replace hardware sooner than you’re ready to.
✓ Compliance. Understand how your IPS investment may satisfy any relevant governmental and/or industry compliance regulations that affect your organization. In the case of PCI DSS, for example, some IPS solutions may satisfy more requirements than others.
✓ Vision. You will need to consider whether you want to purchase an IPS from a market leader, or from a company that just does what everyone else does. As for me, I choose a leader who is consistently respected for vision and execution, knowing that provider will develop new kinds of detection and prevention long before the followers will even think of it.
✓ Viability. I prefer to buy a product from a company that will be in business for the long haul. There may be some advantages from buying some products from a startup or a garage outfit, but for something as strategic as IPS, I would rather buy from a company that I know will be in business in five or ten years. Several years after purchase, I still want someone to answer the phone when I call.
✓ Manageability. There’s nothing worse than a product that is difficult to operate and figure out. Most organizations will want a fully configurable IPS with deep levels of configurability — even if they don’t plan on tinkering with the details too often.


✓ Support. Everyone gets stumped now and then, and every product is going to be prone to hardware or software trouble, no matter how good its quality program is. You want a company that stands behind its product and is ready to offer whatever kind of help you need.
✓ Cost. Don’t be afraid to understand and specify your spending limits.

In the rest of this section, I discuss requirements that are specific to large (enterprise) organizations, smaller organizations, and government.

Small-to-medium-business (SMB) buying requirements

Hats off to small and medium sized businesses (those with fewer than 500 employees) that recognize their need for IPS and wade into the fray!

To the requirements listed earlier in this chapter, add one more that SMB customers are looking for: ease of management. They don’t have deep staffs to take training courses and spend man-weeks planning their IPS implementation. In the SMB world, the IT guy (or gal) who has 12 other jobs besides security just wants to open the box and have the IPS running in a couple of hours. This means: easy setup and easy-to-understand configuration without having to take a week-long class on managing the device. They just want to set it and forget it!

Enterprise buying requirements

Enterprises are typically those organizations with, say, 500 or more employees. They generally have many business locations, often in more than one country. Usually they have larger IT organizations with network engineers, system engineers, security engineers, IT operations, and other individuals and departments — in other words, a lot of people who get involved in things like IPS because it potentially affects many people in the organization.


Two types of IPS users

Regarding how they approach security, there are generally two types of IPS users. First, there are “lean forward” users that truly care about security, are somewhat paranoid, but they use their fear as a tool to gain more knowledge and meet security problems head on.

Then there are “lean back” users that are either in senior-level positions or simply don’t have time to spend monitoring and tuning the IPS. Some “lean back” users are driven by regulatory compliance and simply want to “check the IPS box” to satisfy compliance.

It’s not only important to gauge the organization’s goals for IPS usage, but also to understand the types of users that will interact with the platform.

In addition to the general requirements discussed earlier in this chapter, enterprises are generally also interested in some of these requirements:

✓ Management. Rather than just a single administrative user for their IPS, enterprises need an IPS that can support many users and different roles.
✓ Forensics. Enterprises need their IPSs to be able to provide forensics-quality information to support security events related to sophisticated threats or those that may find their way into the criminal justice system as evidence.
✓ Fault tolerance. Enterprises build high-availability, fault-tolerant infrastructures to support high-demand applications. These organizations need IPSs that can match the five-nines availability environments they support, meaning there are practically zero minutes of unscheduled downtime per calendar year.
✓ High throughput. Moore’s Law has proven that processing speed is doubling every two years. Thus, you will continue to see network speeds grow. IPS vendors, in particular, should have a broad range of products to support the smallest to the very largest network needs.
✓ Low TCO. Although enterprises have larger operating budgets than smaller organizations, they also have greater demands for securing the network. Thus, enterprises must select an IPS that helps them to work smarter — not harder — by automating key functions, such as impact assessment, user identification, and IPS tuning.

Government buying requirements

Governments, especially the U.S. federal government, are tough customers, primarily because they know what they want and they communicate this through a comprehensive set of requirements. In addition to the general requirements at the beginning of this chapter, plus the requirements wanted by enterprises, governments often ask for these additional requirements:

✓ Custom rules. Some government organizations are required to “throw out” IPS rules provided by the manufacturer in favor of creating custom rules for proprietary systems. Selecting an IPS with an open architecture and easy-to-use rule creation wizard is optimal for such organizations.
✓ IPv6 compliant. U.S. federal government regulations require all IT systems to be IPv6 compatible. In the case of an IPS, it must be capable of detecting and blocking IPv6 attacks and be managed on an IPv6 network.
✓ Federal Information Security Management Act (FISMA) compliance. This is a complete end-to-end security framework required of all federal information systems and supporting environments. FISMA requires federal agencies (and their service providers) to establish and carry out a security plan, maintain IT asset inventories, categorize information and information systems according to risk level, enact security controls, perform risk assessments, perform continuous monitoring, and undergo periodic certification and accreditation. An IPS is an essential tool for achieving FISMA compliance.
✓ NIST compliance. Government customers will frequently cite various NIST (National Institute of Standards and Technology, the U.S. government’s IT standards setting organization) standards as part of their IPS selection criteria, especially NIST Special Publication 800-94, “Guide to Intrusion Detection and Prevention Systems.”


✓ Evaluation Assurance Level (EAL). Government customers may require that an IPS be tested and certified to a specific EAL standard. EAL testing is extremely expensive, so any vendor that claims EAL compliance is noteworthy for any government or non-government customer.

Industry-Specific Considerations

Organizations in some industries will impose additional requirements on IPS vendors, generally as a “pass through” where organizations are asserting requirements on the suppliers that are imposed upon them.

Public utilities

Power, water, natural gas, and other public utilities rely on Supervisory Control and Data Acquisition (SCADA), Process Control Network (PCN), and Smart Grid technology for remote control and monitoring of utility equipment. These systems are almost always IP-based and frequently utilize the public Internet for transmission.

An IPS helps to secure SCADA, PCN, and Smart Grid systems by detecting and blocking intrusions that could include terrorist attacks. Leading IPS solutions may offer special SCADA, PCN, and/or Smart Grid rule sets and may also incorporate passive network intelligence collection for correlating threats without actively scanning the network.

Healthcare

Healthcare providers and other industry organizations subject to HIPAA requirements need to incorporate IPSs into their network infrastructure as part of their technical safeguards. These organizations’ requirements will often resemble those required for most enterprises, as discussed earlier in this chapter.

Financial

Banks, credit unions, brokerages, and insurance companies are required to protect sensitive customer information from theft and abuse. These organizations will often impose enterprise-level requirements, including enterprise scalability and management.

FISMA and Basel II are the primary regulations requiring financial institutions to protect their systems and networks.

Telecommunications

Common carriers, including telecommunications providers and Internet service providers, have the world’s most extensive networks over which the world’s Internet and private communications take place. Most of these organizations are under market or regulatory pressure to provide five-nines availability. Such organizations will require the most robust IPS platforms, including support for high-throughput environments, fault-tolerant hardware, and fail-open interfaces.

Hardware Considerations

Organizations shopping for IPSs need to understand what hardware features are important for them. Hardware-centric requirements will generally fall into these categories:

✓ Inline IPS or passive IDS. An organization needs to decide whether it is looking for an inline IPS, which will block unwanted traffic, or a passive IDS, which will only report on (but not block) unwanted traffic. Although there are no purely passive IDS products available, this requirement speaks more to the functional requirement and purpose of the IPS — primarily whether it is intended to be an active (blocking) or passive (reporting only) device.
✓ Purpose-built appliances. Organizations may wish to specify whether they’re looking for IPS software that they would install on their own servers, generic appliances, or a purpose-built appliance with IPS features built into the hardware. If you consider an IPS vendor with purpose-built appliances, ensure that this doesn’t hinder the extensibility of the solution by verifying the availability of Virtual IPS offerings for VMware, Xen, or other virtualization platforms.


Some IPS appliances rely on ASICs (application-specific integrated circuits) to accelerate certain network processing functions. Although ASICs make it easier for the vendor to achieve higher throughputs, they usually make it more difficult for the vendor to port its software to VMware, Xen, and other virtual platforms. Even if you don’t have a budgeted virtualization security project today, you will tomorrow. Be sure to select an IPS partner that offers both physical and virtual appliances so you don’t eventually end up with two sets of IPS solutions.
✓ Hardened operating system. Organizations’ requirements may be as detailed as specifying the desired operating system that supports the IPS software. Most of today’s IPS products incorporate a hardened Linux OS in their appliances.
✓ Fault tolerance. Organizations may specify various fault tolerance features including redundant power supplies, disk drives, fans, and fail-open interfaces.
✓ Fail open. Organizations doing their homework will want an IPS appliance that fails open, meaning, in the event of a catastrophic hardware failure, network traffic will continue to flow through the IPS appliance uninterrupted. This feature requires special hardware not found in general-purpose appliances.

Third-Party Testing

There are two independent test laboratories in particular that actively test IPS products — ICSA Labs and NSS Labs. These companies evaluate leading IPS devices for accuracy, reliability, and performance. Organizations that are serious about the desired quality of their IPS systems should consider only products that have been independently evaluated by a reputable third-party testing organization.

Test reports on leading IPS products may be purchased from ICSA Labs and NSS Labs directly or can often be obtained at no charge from the IPS vendors themselves.


Chapter 7
Ten Ways to Lower TCO

In This Chapter
▶ Recapping the benefits of a Next-Generation IPS
▶ Describing ten ways to lower IPS total cost of ownership (TCO)

When assessing the cost of a network IPS, it’s not only important to assess the acquisition costs and annual maintenance fees, but also the cost to deploy and maintain the IPS — which often represents the bulk of total cost of ownership (TCO) over a three- to five-year period.

A Next-Generation IPS leverages real-time network, application, behavior, and user awareness to automate key IPS functions. These awareness capabilities provide you with unparalleled visibility, minimizing your reliance on other IT teams and empowering you to automate key IPS functions that a more traditional IPS simply can’t.

By leveraging this newfound awareness, a Next-Generation IPS offers numerous advantages over a traditional IPS, including:

✓ Stronger network protection
✓ Superior performance, scalability, and availability
✓ Simpler deployment and ongoing maintenance
✓ Lower total cost of ownership

Total cost of ownership (TCO) includes all costs associated with acquiring, deploying, maintaining, and operating a system — in this case, a network IPS. Through powerful automation and advanced feature sets, a next-generation IPS can lower TCO significantly — in many cases recovering the cost of IPS acquisition through drastic reductions in operating expenses.

The following are ten ways to lower TCO through the acquisition of a Next-Generation IPS:

✓ Reduce the noise through impact assessment. By correlating threats against real-time endpoint intelligence, a Next-Generation IPS can reduce the quantity of actionable security events by 95 percent or more. For example, why investigate a Conficker event that can only harm Windows hosts when it is targeting a Linux host?
✓ Take the guesswork out through automated IPS tuning. A Next-Generation IPS knows what’s running on your network and can recommend IPS rules to enable and disable, resulting in increased protection, optimized IPS sensor performance, and recovery of up to a day’s worth of effort each month.
✓ Link users to security and compliance events. What good is it to know that 192.168.4.12 is under attack if you don’t know whom to contact? A Next-Generation IPS instantly provides usernames and contact information for users associated with security and compliance events, negating the need to manually sift through Active Directory, LDAP, and DHCP logs. Done the old-fashioned way, the attack might be over before you even know where to start looking!
✓ Leverage one platform for physical and virtual IPS. Don’t buy physical IPS products from one vendor and virtual IPS products from another. Insist on one unified platform from a single vendor, negating the need for duplicative reports, alerts, dashboards, and technical support departments.
✓ Customize IPS rules for proprietary applications and systems. Don’t spend money on a web application firewall (WAF) or other network security products to do the job of a Next-Generation IPS. Leverage custom rules to protect proprietary web applications and other systems.


✓ Remove network blind spots through SSL inspection. Improve your security posture by decrypting SSL traffic prior to IPS inspection. Ensure that original (clean) SSL traffic is re-encrypted before being placed back onto the wire to maintain data confidentiality and regulatory (for example, PCI) compliance.
✓ Reduce the surface area of attack through compliance rules and whitelists. Today’s Next-Generation IPS can help you model and enforce your organization’s acceptable use policies (AUPs). Leverage compliance rules and whitelists to help reduce your network’s surface area of attack.
✓ Detect threats from the inside that your IPS may miss. A perimeter IPS will miss every exploit that is hand-carried through the office front door on mobile computing devices. Increase your defense-in-depth posture by implementing Network Behavior Analysis (NBA) to baseline normal network traffic and detect anomalies.
✓ Improve security by controlling VM sprawl. Be alerted when new VMware, Xen, or other virtual machines (VMs) pop up on the network without knowledge or approval of the IT security team. Audit new VMs for compliance with internal security policies. This will help you to be in control of your VM infrastructure.
✓ Integrate your IPS into your existing IT security infrastructure. Leverage existing investments in SIEM, vulnerability management, network forensics, network access control (NAC), and other infrastructure components to share intelligence, automate remediation, and accelerate incident response.
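The impact-assessment and user-linkage items above, as an added example that is not code from the book or from Sourcefire: a small Python routine correlates constructed IPS events with a constructed passive asset inventory (OS family, mapped vulnerability ids, last user seen for the IP) and ranks the events, so that the Conficker-against-Linux case is set aside and each remaining event names a contact. The Asset and Event schema, the impact levels, and all vulnerability ids, usernames and addresses are this example's own assumptions.

```python
"""Impact assessment for IPS events (added example, not the book's or
Sourcefire's code).  Correlates IPS events with a passive asset inventory,
the 'real-time endpoint intelligence' Chapter 7 describes, so that events
which cannot harm their target are set aside and actionable events carry
the user to contact."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact levels used by this example (lower number = more urgent).
IMPACT_VULNERABLE = 1       # target runs an affected OS and has the matching vulnerability
IMPACT_POTENTIAL = 2        # target runs an affected OS, vulnerability not confirmed
IMPACT_NOT_APPLICABLE = 3   # target platform cannot be affected by this attack
IMPACT_UNKNOWN = 4          # target was never seen on the network


@dataclass
class Asset:
    """One host learned by passive observation (hypothetical schema)."""
    ip: str
    os_family: str              # e.g. "windows", "linux"
    vuln_ids: List[str]         # vulnerability ids mapped from the OS/services seen
    user: Optional[str] = None  # user last tied to this IP via DHCP/AD logs


@dataclass
class Event:
    """One IPS alert (hypothetical schema)."""
    rule_id: str
    src_ip: str
    dst_ip: str
    affected_os: List[str]          # OS families the detected attack can harm
    vuln_id: Optional[str] = None   # vulnerability the rule targets, if known


def assess(event: Event, inventory: Dict[str, Asset]) -> int:
    """Return the impact level of one event against the asset inventory."""
    asset = inventory.get(event.dst_ip)
    if asset is None:
        return IMPACT_UNKNOWN
    if asset.os_family not in event.affected_os:
        # The Windows-worm-against-Linux case from the text: nothing to investigate.
        return IMPACT_NOT_APPLICABLE
    if event.vuln_id is not None and event.vuln_id in asset.vuln_ids:
        return IMPACT_VULNERABLE
    return IMPACT_POTENTIAL


def triage(events: List[Event],
           inventory: Dict[str, Asset]) -> List[Tuple[Event, int, Optional[str]]]:
    """Score every event, attach the user to contact, and order most urgent first."""
    scored: List[Tuple[Event, int, Optional[str]]] = []
    for ev in events:
        asset = inventory.get(ev.dst_ip)
        user = asset.user if asset is not None else None
        scored.append((ev, assess(ev, inventory), user))
    scored.sort(key=lambda row: row[1])   # stable sort keeps arrival order within a level
    return scored


def noise_fraction(scored: List[Tuple[Event, int, Optional[str]]]) -> float:
    """Fraction of events an analyst can skip because the target cannot be affected."""
    if not scored:
        return 0.0
    skipped = sum(1 for _, impact, _ in scored if impact == IMPACT_NOT_APPLICABLE)
    return skipped / len(scored)


# Constructed inventory and events (RFC 1918 addresses, made-up ids and users).
INVENTORY = {
    "192.168.4.12": Asset("192.168.4.12", "windows", ["vuln-constructed-001"], "jdoe"),
    "192.168.4.20": Asset("192.168.4.20", "linux", ["vuln-constructed-007"], "webadmin"),
    "192.168.4.33": Asset("192.168.4.33", "windows", [], None),
}

EVENTS = [
    # Windows-only worm signature fired against a Linux host: noise.
    Event("rule-worm-smb", "10.0.0.5", "192.168.4.20", ["windows"], "vuln-constructed-001"),
    # Same signature against a Windows host known to carry the vulnerability.
    Event("rule-worm-smb", "10.0.0.5", "192.168.4.12", ["windows"], "vuln-constructed-001"),
    # Windows host, but the vulnerability was never confirmed passively.
    Event("rule-worm-smb", "10.0.0.5", "192.168.4.33", ["windows"], "vuln-constructed-001"),
    # Target address never observed on the network.
    Event("rule-web-rce", "10.0.0.9", "192.168.4.99", ["linux", "windows"], None),
]

if __name__ == "__main__":
    rows = triage(EVENTS, INVENTORY)
    for ev, impact, user in rows:
        print(f"{ev.rule_id:14} -> {ev.dst_ip:13} impact={impact} contact={user}")
    print(f"noise set aside: {noise_fraction(rows):.0%}")
```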




Sourcefire would like to thank its sponsors.


Find out why intrusion prevention systems are needed and which features are most important for your organization

Intrusion prevention systems are a critical part of an organization’s overall network and systems protection strategy. Without them, you’re fighting the bad guys with one arm tied behind your back. This book gives you the need-to-know information that can help you understand how these solutions improve the security in an organization’s networks.

• How intrusion prevention systems work — and the ways they detect network-based attacks
• What types of threats IPSs are designed to detect and deflect — including some of the nastier threats such as zero-day and advanced persistent threats
• Which features and functions are found in Next-Generation IPSs — including impact assessment, application monitoring, automated IPS tuning, and user identification
• How cloud and virtualization fit in — and the role that IPSs play to protect these new types of environments
• Look at IPS and standards and regulations — such as PCI, HIPAA, GLBA, SAS70, and FISMA
• Select the right IPS — get your IPS shopping list organized so that you get the IPS that is right for your organization

Open the book and find:
• What constitutes a zero-day attack
• A look at the benefits and risks of virtualization
• A list of ways to lower the total cost of ownership
• Information on complying with regulations
• The difference between passive and inline systems

Go to Dummies.com® for videos, step-by-step examples, how-to articles, or to shop!

Steve Piper, CISSP, SFCP, is Sr. Director of Product Marketing with Sourcefire and an 18-year high-tech veteran. Prior to Sourcefire, Steve held senior-level positions with Citrix and NetIQ and has achieved technical certifications from ISC2, Microsoft, Novell, Sourcefire, and more. Steve holds BS and MBA degrees from George Mason University.

978-1-118-00474-6
Not for resale
