Thursday, September 16, 2010

Intrusion Prevention Best Practice - IPS Placement


In today's organizations, attacks come from everywhere. As cliché as it sounds, networks are borderless, and because of this organizations face more sophisticated threats. As networks evolve, many organizations struggle to have intrusion prevention and the rest of their security architecture evolve at the same pace. Visibility is everything: you must be able to detect and respond to threats before they cause significant damage. The following entry is all about how to gain visibility in the different areas of the network.

IPS Overview

Wikipedia defines Intrusion Prevention Systems as "network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity."

By deploying IPS, organizations are able to identify, classify, and stop malicious traffic, including worms, spyware / adware, network viruses, and application abuse before they affect business continuity.

Internet Border & DMZ

The most common place to insert IPS is at an organization's internet border(s) and DMZ(s). The following are some of the options for placing an IPS to protect an internet border and DMZ.

IPS Outside of Firewall

This architecture places the IPS outside of the internet firewall. It was one of the first proposed when IPS came to market, but it is not very common in today's environments.

  • Early indication of reconnaissance/scanning activity against the organization.
  • Requires fewer interfaces, since a single point inspects traffic sourced from or destined to both the DMZ and the Internal Network.
  • Destination/victim addresses will be NATed, so additional research is needed to determine which device inside the organization is being attacked.
  • Source/attacker addresses from inside the organization will also be NATed, so additional research is needed to track down the source of any malicious traffic leaving the organization.
  • Inspection of traffic that the firewall will drop anyway creates excess false positives and wastes sensor capacity.
  • No visibility of internal traffic destined to the DMZ.
Figure 1 - IPS Placed Outside of the Firewall
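The NAT problem in the two "additional research" bullets above is normally solved by joining IPS events to the firewall's own connection logs, which record both the real and the translated address of each endpoint. The script below is an added example, not code from the original post: it parses constructed syslog lines in the shape of Cisco ASA messages 302013/302015 ("Built ... connection", where each endpoint is written as interface:real/port (mapped/port)) and uses them to recover the pre-NAT host behind an alert raised by an IPS sitting outside the firewall. The log lines, the alert records, the interface names and the src_real/dst_real field names are all constructed for the illustration; untranslated addresses are assumed to be outside hosts, which holds when everything inside is NATed.

```python
import re

# Regex for the connection-build events an ASA logs (message 302013 for TCP,
# 302015 for UDP). Each endpoint is written as
#   <interface>:<real address>/<real port> (<mapped address>/<mapped port>)
CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?:TCP|UDP) connection \d+ "
    r"for (?P<if_a>[\w-]+):(?P<real_a>[\d.]+)/(?P<rport_a>\d+) "
    r"\((?P<map_a>[\d.]+)/(?P<mport_a>\d+)\) "
    r"to (?P<if_b>[\w-]+):(?P<real_b>[\d.]+)/(?P<rport_b>\d+) "
    r"\((?P<map_b>[\d.]+)/(?P<mport_b>\d+)\)"
)

# Constructed sample syslog, not captured from a real firewall. 198.51.100.0/24
# stands in for the public NAT pool, 10.0.0.0/8 for the inside and DMZ space.
ASA_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:10.1.1.5/51234 (198.51.100.10/1025)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.77/40000 (203.0.113.77/40000) to dmz:10.2.0.20/443 (198.51.100.20/443)
%ASA-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.9/53 (203.0.113.9/53) to inside:10.1.1.9/5353 (198.51.100.10/1026)
%ASA-4-106023: Deny tcp src outside:203.0.113.200/4444 dst inside:198.51.100.10/22 by access-group "outside_in"
"""

# Constructed alerts as an IPS placed outside the firewall would report them:
# only the translated (public) addresses are visible to it.
IPS_ALERTS = [
    {"sig": "HTTPS SQL injection attempt", "src": "203.0.113.77", "sport": 40000,
     "dst": "198.51.100.20", "dport": 443},
    {"sig": "Suspicious outbound HTTP beacon", "src": "198.51.100.10", "sport": 1025,
     "dst": "203.0.113.50", "dport": 80},
]


def build_nat_table(log_text):
    """Map each (mapped ip, mapped port) seen on the outside back to the
    (interface, real ip, real port) the firewall translated it from."""
    table = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # denies and other messages carry no translation
        for side in ("a", "b"):
            real = (m["real_" + side], int(m["rport_" + side]))
            mapped = (m["map_" + side], int(m["mport_" + side]))
            if real != mapped:  # identity entries (untranslated hosts) add nothing
                table[mapped] = (m["if_" + side], real[0], real[1])
    return table


def resolve_endpoint(table, ip, port):
    """Return (interface, real ip, real port). Addresses the firewall never
    translated come back unchanged with interface None."""
    return table.get((ip, port), (None, ip, port))


def enrich_alert(alert, table):
    """Copy an alert, adding the pre-NAT source and destination so the analyst
    knows which internal host to go and look at. Untranslated endpoints are
    assumed to be outside hosts (true when everything inside is NATed)."""
    src_if, src_ip, src_port = resolve_endpoint(table, alert["src"], alert["sport"])
    dst_if, dst_ip, dst_port = resolve_endpoint(table, alert["dst"], alert["dport"])
    out = dict(alert)
    out.update(src_real=f"{src_ip}:{src_port}", src_if=src_if or "outside",
               dst_real=f"{dst_ip}:{dst_port}", dst_if=dst_if or "outside")
    return out


def enrich_all(alerts=IPS_ALERTS, log_text=ASA_LOG):
    """Enrich every alert against the NAT table built from the log."""
    table = build_nat_table(log_text)
    return [enrich_alert(a, table) for a in alerts]


if __name__ == "__main__":
    for a in enrich_all():
        print(f'{a["sig"]}: {a["src_if"]} {a["src_real"]} -> {a["dst_if"]} {a["dst_real"]}')
```

With PAT the same mapped port is reused over time, so a production version must also key on the alert timestamp and bound each entry by the matching teardown (302014/302016) event; the constructed lines above carry no timestamps, which keeps the correlation logic itself visible. An IPS placed inside the firewall (the next two options) makes all of this unnecessary, which is the point of the bullets.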

IPS Inside of Firewall for DMZ and Internal Network

This architecture places the IPS inside of the internet firewall protecting both the Internal Network and DMZ segments.

  • Only inspects traffic that the firewall allows into the network. (Minimizing False Positives)
  • Events will include real IP addresses and not NATed IPs.
  • Differentiate traffic to/from DMZ and Internal Segments.
  • Requires 2 IPSs or an IPS with enough interfaces to protect both segments.
  • Traffic between internal and DMZ will be inspected twice.
Figure 2 - IPS Placed Inside the Firewall

IPS Software or Module in the Firewall

With the growing popularity of Unified Threat Management (UTM), this architecture is becoming extremely common. It places the IPS functionality inside the internet firewall protecting both the Internal Network and DMZ segments without a separate appliance.

  • No additional appliance required, saving rack space and energy.
  • Events will include real IP addresses and not NATed IPs.
  • Differentiate traffic to/from DMZ and Internal Segments.
  • Some manufacturers limit the throughput of the integrated IPS, so be sure it will support the required bandwidth with inspection enabled.
Figure 3 - IPS Software or Module in the Firewall

Data Center

One of the most important assets an organization has is its data. Most of that data is stored on servers located in a data center, which is why placing IPS between users and the data center is becoming a must-have for organizations.

Most designs place the IPS at the most central point of the data center (typically the distribution or core layer). The challenge when deploying IPS in a data center is maintaining the levels of redundancy and throughput the data center already has. This can be accomplished by using EtherChannel load balancing across separate IPS appliances. For more information on Cisco IPS in the Data Center with EtherChannel load balancing, please read Jamey Heary's blog post on the topic.
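The load-balancing design mentioned above only works if both directions of a connection reach the same sensor, because an inline IPS that sees half of a TCP session cannot track its state, and the hash must be configured the same way on the switches on both sides of the sensors. The Python below is an added illustration, not code from this post or from Jamey Heary's article: it models an EtherChannel hash with a simplified XOR of the two IP addresses (the real per-platform hash differs, but the symmetry argument is the same) and shows that a src-dst-ip hash keeps each flow on one sensor while a source-only hash splits flows across sensors. The flow list and the sensor count are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed client/server pairs, not a capture: users in 10.10.0.0/24
# reaching data-center servers in 10.20.0.0/24.
FLOWS = [
    ("10.10.0.5", "10.20.0.10"), ("10.10.0.6", "10.20.0.10"),
    ("10.10.0.7", "10.20.0.11"), ("10.10.0.20", "10.20.0.12"),
    ("10.10.0.33", "10.20.0.10"), ("10.10.0.34", "10.20.0.13"),
]


def _ip(addr):
    return int(ipaddress.ip_address(addr))


def hash_src_dst_ip(src, dst, n_sensors):
    """Simplified model of a src-dst-ip EtherChannel hash: XOR the two
    addresses and take the low bits. XOR is commutative, so A->B and B->A
    always select the same member link, i.e. the same sensor."""
    return (_ip(src) ^ _ip(dst)) % n_sensors


def hash_src_ip(src, dst, n_sensors):
    """Source-only hash. The reply has the other host as source, so the two
    directions of one connection can be sent through different sensors."""
    return _ip(src) % n_sensors


def sensor_paths(flows, hash_fn, n_sensors):
    """For each (client, server) pair, the sensor chosen for client->server
    packets and the sensor chosen for server->client packets."""
    return {(c, s): (hash_fn(c, s, n_sensors), hash_fn(s, c, n_sensors))
            for c, s in flows}


def asymmetric_flows(paths):
    """Flows whose two directions hit different sensors. An inline IPS that
    sees only one direction of a TCP conversation cannot track its state."""
    return sorted(f for f, (fwd, rev) in paths.items() if fwd != rev)


def sensor_load(paths):
    """How many flows each sensor carries (forward direction)."""
    return Counter(fwd for fwd, _ in paths.values())


if __name__ == "__main__":
    for name, fn in (("src-dst-ip", hash_src_dst_ip), ("src-ip", hash_src_ip)):
        paths = sensor_paths(FLOWS, fn, 2)
        print(f"{name}: asymmetric={asymmetric_flows(paths)} "
              f"load={dict(sensor_load(paths))}")
```

Run it and the src-dst-ip model reports no asymmetric flows for any sensor count, while the src-ip model splits several of them. The same reasoning applies to a src-dst-port hash; any field that is swapped between the two directions is fine as long as the hash treats the pair symmetrically. Remember also that when a sensor (or its link) fails and drops out of the bundle, every flow is rehashed, so the surviving sensors must have the headroom to absorb the full load.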

Remote Sites

Often forgotten, remote sites are an important part of an IPS deployment strategy. Advancements in WAN technology, like MPLS, allow any-to-any access between sites, which creates a gap in visibility if inspection happens only at the internet border. The challenges of deploying IPS to remote sites include power, rack space, operations support, and cost. The following are the options for deploying IPS to remote sites:

IPS Appliance for each remote site

  • Full featured IPS
  • Scalable bandwidth for all sizes of remote offices.
  • Cost for a dedicated appliance, rack space and power
  • Management and deployment of the appliance

IOS IPS running on the router at each remote site

  • Low Cost
  • No Additional HW
  • Manage with existing router management tools
  • Does not have full featured IPS code
  • Limited number of signatures
  • Can affect performance of the router
  • Must run supported software and router

IPS Module inside the router at each remote site

  • Full featured IPS
  • Low Cost
  • No additional rack mount units (module fits in the router)
  • Bandwidth is limited
  • Must have a supported router

Determining where IPSs should be placed in an enterprise is a must-do task. A single IPS on the internet border leaves an organization with a hard outer shell and a chewy inside. Hopefully this gives you some more details on the areas (Data Center & Remote Sites) that you should focus on. If you have additional questions, please feel free to email me.

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.