Contents
Background
NIST SP 800-94
Intrusion Detection and Prevention Principles
Key Functions of IDPS Technologies
Detection Options
Types of IDPS Technologies
IDPS Technologies
Proper Installation
Testing and Deployment
Securing the IDPS
IDPS Updates
Building and Maintaining Skills – Additional Resources Required to Support
Using and Integrating Multiple IDPS Technologies
Review of the IDPS Marketplace
Comparison of IPS Products
Summary
Background
The National Institute of Standards and Technology, commonly referred to as NIST, is a U.S. federal agency. NIST states its mission as follows: “NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” (NIST General Information, 2014).
NIST is involved in nearly every area of information technology, from the latest Trusted Identities standards (Leithauser & Curran, 2012) to the handling and processing of DNA (DNA research, 2013). In recent years the President of the United States signed a memorandum implementing a Digital Government Strategy. Recognizing mobile device vulnerabilities and the high risk of data loss, the government assigned NIST to develop IDS and other security standards. In its Mobile Security Report, NIST highlights: “As a part of the strategy, NIST was asked to report on its ongoing work in mobility, including the applicability of NIST’s standards and guidelines to mobile devices and platforms. As a part of that mission, NIST has responsibilities under the Federal Information Security Management Act of 2002 (FISMA) to develop mandatory standards and guidelines for federal agencies’ information and information systems.” (NIST Role, 2014). NIST publishes its standards and guidance documents as ‘Special Publications’ (SP). NIST notes: “Special Publications in the 800 series (established in 1990) are of general interest to the computer security community. This series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.” (SPECIAL PUBLICATIONS, 2014).
NIST SP 800-94
NIST Special Publication (SP) 800-94, ‘Guide to Intrusion Detection and Prevention Systems (IDPS)’, was published in February 2007 (Scarfone & Mell, 2007). Like the other NIST 800-series special publications, it is guidance rather than a product standard: it describes the proper selection, deployment and operation of intrusion detection and prevention systems. NIST 800-94 is divided into chapters covering the topic end to end: Introduction, Intrusion Detection and Prevention Principles, IDPS Technologies, Network-Based IDPS, Wireless IDPS, Network Behavior Analysis (NBA), Host-Based IDPS, Using and Integrating Multiple IDPS Technologies, and IDPS Product Selection.
NIST 800-94 classifies Intrusion Detection and Prevention Systems (IDPS) into the following technologies:
1. Network-Based – monitors network traffic to detect events
2. Wireless – monitors wireless traffic for suspicious activity
3. Network Behavior Analysis (NBA) – monitors network traffic looking for unusual traffic patterns
4. Host-Based – monitors a single host looking for unusual files or activity
Following the NIST 800-94 headings order, this report will examine and discuss each section as it relates to IDPS solution selection and implementation.
Intrusion Detection and Prevention Principles
Intrusion Detection and Prevention Systems (IDPS) are systems (software and hardware) specifically designed to identify network or host activity that could harm an organization. The harm could come from industrial espionage, personnel policy violations or misuse, malware, Trojans, corruption or loss of data, or denial of service attacks, to mention a few. IDPS is a combined acronym for Intrusion Detection System (IDS) and Intrusion Prevention System (IPS), each performing a distinct service: an IDS is designed to detect and notify on suspicious activity, while an IPS is designed to react and prevent access to systems based on the suspicious activity it detects. IDPS systems can also be used to audit and assist with:
* Ensuring firewalls are set up correctly in accordance with security policies – detecting whether the correct ports are blocked in the firewall configuration
* Providing an audit log of events – IDPS systems can furnish valuable historical forensic information regarding an event (attack, frequency, characteristics)
* Acting as a policeman – deterring external or internal violation of security policies, since violators risk being detected
Key Functions of IDPS Technologies
IDS, IPS and IDPS systems can also provide additional monitoring and analysis of events and threats. The additional functions they bring with them are:
* Central log authority – providing centralized logging services that allow a security information and event management (SIEM) system to perform additional data modeling and forensics
* Event notification – depending on the alert defined per event, an IDPS system can send emails, pages or messages in accordance with how the organization wants alerting to be performed
* Event reporting – the ability to report on events of interest
As noted, IPS systems provide the ability to ‘stop the attack’. Once the configured event triggers are met, an IPS can stop an attack by terminating the network connection, blocking the offending address (blacklisting) permanently, changing the firewall’s rules to block the incoming attack, or removing the malicious portion of the content to render it benign.
Benign activity that an IDPS incorrectly labels as malicious is referred to as a ‘false positive’; malicious activity that goes undetected is a ‘false negative’. No IDPS can be one hundred percent accurate, and reducing one type of error generally increases the other. The goal is to find the false positive level the organization will tolerate without missing the events it cares about, a process commonly referred to as ‘tuning’.
Detection Options
NIST 800-94 identifies three IDPS detection methods: signature-based, anomaly-based, and stateful protocol analysis. Signature-based systems look for a ‘signature’, a pattern that corresponds to a known threat. Signature-based detection is the simplest method, since it just compares observed activity against a set of event rules; it is effective against known threats and largely ineffective against unknown ones or variants of known ones.
The second method is anomaly-based detection. It looks for observations that fall outside the expected (normal) operating behaviors captured in a baseline profile. An example might be a PC that is sending an abnormally high volume of email, say 100 messages per hour versus the expected company norm of 10 per hour. The weakness of this method is that the profile must be built from activity that is representative and clean; activity that is unusual but legitimate will be reported as an anomaly.
The last and most complex method is stateful protocol analysis (SPA), which compares observed traffic against profiles of generally accepted definitions of how each protocol should behave, and alerts on deviations. The name ‘stateful’ comes from the IDPS tracking the ‘state’ of network, transport and application protocol sessions, so it knows, for example, whether a session is still unauthenticated or has already authenticated, and can flag command sequences that are not expected in that state. SPA is resource-intensive and cannot detect attacks that do not violate the protocol definition, so it is typically combined with the other two methods.
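The three detection methods above, as an added example in Python that is not code from NIST SP 800-94 or from any IDPS product. The signatures, the email baseline of 10 messages per hour, and the simplified FTP state machine are all constructed for illustration; the sample payloads and counters are likewise made up.

```python
"""Added example (not from NIST SP 800-94): the three IDPS detection
methods applied to constructed sample events.

Assumptions (all constructed for this example): the two signatures,
the email baseline and multiplier, and the FTP command/state table.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# --- 1. Signature-based: look for a known pattern in the payload -------------
# Constructed signatures: a directory-traversal sequence and a shell path.
SIGNATURES = {
    "dir-traversal": b"../../",
    "cmd-shell": b"/bin/sh",
}

def signature_detect(payload: bytes) -> list[str]:
    """Return the names of all signatures found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

# --- 2. Anomaly-based: compare a counter against a learned baseline ---------
def anomaly_detect(emails_per_hour: dict[str, int], baseline: float,
                   factor: float = 3.0) -> list[str]:
    """Flag hosts whose rate exceeds factor x the baseline (the profile)."""
    threshold = baseline * factor
    return sorted(host for host, n in emails_per_hour.items() if n > threshold)

# --- 3. Stateful protocol analysis: track FTP session state -----------------
# Simplified FTP model: a client must send USER and then PASS before any
# data command. A command that is not valid in the current state is a
# protocol violation, even though the command itself is a legal FTP verb.
@dataclass
class FtpSession:
    state: str = "NEW"          # NEW -> USER_GIVEN -> AUTHENTICATED
    violations: list[str] = field(default_factory=list)

_ALLOWED = {
    "NEW": {"USER", "QUIT"},
    "USER_GIVEN": {"PASS", "USER", "QUIT"},
    "AUTHENTICATED": {"RETR", "STOR", "LIST", "CWD", "USER", "QUIT"},
}

def ftp_analyze(commands: list[str]) -> FtpSession:
    """Replay a list of client command lines through the state machine."""
    session = FtpSession()
    for line in commands:
        verb = line.split(" ", 1)[0].upper()
        if verb not in _ALLOWED[session.state]:
            session.violations.append(f"{verb} not allowed in state {session.state}")
            continue                      # do not advance state on a violation
        if verb == "USER":
            session.state = "USER_GIVEN"
        elif verb == "PASS":
            session.state = "AUTHENTICATED"
    return session

if __name__ == "__main__":
    print(signature_detect(b"GET /../../etc/passwd HTTP/1.0"))
    print(anomaly_detect({"pc-1": 100, "pc-2": 12, "pc-3": 8}, baseline=10.0))
    print(ftp_analyze(["RETR secret.txt", "USER bob", "PASS hunter2", "RETR report.pdf"]))
```

The first RETR in the FTP sample is reported because it arrives before authentication, which is exactly what a signature on the string "RETR" could not express; that state awareness is what SPA adds, at the cost of having to model every protocol the sensor inspects.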
Types of IDPS Technologies
NIST 800-94 identifies the following groups of available IDPS technology:
1. Network-Based – monitors network traffic for selected subnets or devices
2. Wireless – monitors and analyzes wireless traffic for suspicious activity
3. Network Behavior Analysis (NBA) – monitors network traffic for the unusual flows that malware typically exhibits, for example DDoS attacks
4. Host-Based – installed locally on the ‘host’ being monitored, i.e. the server, workstation or mobile device, looking for file modifications, new files, etc.
IDPS Technologies
Typical components of an IDPS system are:
1. Sensor or Agent – sensors are typically used to monitor networks, while agents are typically installed on, and used to monitor, host-based systems.
2. Management Server – an IDPS solution typically has one or more ‘management servers’ that receive and store the events identified or alerted on by sensors or agents.
3. Database Server – due to the volume of IDPS alert and event data that must be recorded, database servers are used to store the events and provide historical reporting.
4. Console – as with any software system, an administration ‘console’ is required to program and configure an IDPS solution. Consoles come either as administration programs that must be installed on the administrator’s PC or as web-based administration pages served by the management server.
Depending on an organization’s financial resources, a complex IDPS implementation can be designed around a separate, dedicated management network, which gives the IDPS components better separation and security. Typical installations instead run over the corporate LAN and use dedicated VLANs to separate IDPS management traffic from standard network traffic. Proper selection of an IDPS solution involves critiquing the system’s customization and configuration capabilities. Typical capabilities involve setting or creating:
* Thresholds – setting the values that separate normal from abnormal activity
* Blacklists and Whitelists – the ability to permanently block or allow traffic from IP addresses, domains, etc.
* Alert Settings – the ability to set severity levels and activate or deactivate alerts
* Code Viewing and Editing – the depth to which the IDPS allows viewing of the detection logic for a protocol or traffic type, with the ability to customize it
Proper Installation
Once an IDPS solution has been selected, proper installation is critical both for proper event detection and for insulating the IDPS itself from malicious attack. Areas that should be discussed are:
* Having multiple sensors installed in case of sensor failure
* Where the components of the IDPS solution (servers) will be located, along with redundancy and load balancing requirements
* External non-IDPS system integration – what other systems need to communicate with the IDPS (paging gateways, email servers, firewalls, routers, etc.)
* Whether a separate IDPS management network should be created
* The influence of other systems (firewall rule sets) on the IDPS
Testing and Deployment
The complexity of testing and deployment will depend on the IDPS system selected. Centrally located appliance-based systems are the simplest to deploy. Software-based IDPS, whether centrally located on servers or distributed using the host-based model, are more complex and require a higher level of attention for building the IDPS server, future upgrades, and deployment of agents.
Securing the IDPS
Policies should be established to ensure that system administrators create separate accounts for user versus administrator access to the IDPS; verify that only the filters actually required are put in place to allow direct access to IDPS components (firewall and router rules limiting who can reach sensors, management servers and consoles); and verify that the IDPS itself is adequately protected (dedicated VLAN or management network, encrypted communication between components, and timely patching of the IDPS software).
IDPS Updates
IDPS systems require on-going maintenance in the form of signature updates and system patches. The method of updating varies across manufacturers. Typical methods are downloading a file from the IDPS vendor’s website or FTP site (automated or manually triggered) or loading it from removable media (CD, DVD or USB thumb drive). Updates are typically applied by downloading the most recent signature file or application update from the vendor’s website. Caution should be taken to verify the integrity of these updates before they are applied, since a tampered signature set or patch runs with the privileges of the IDPS itself: compare the file against the vendor-published checksum or digital signature, and note that a checksum fetched from the same download site only proves the transfer was not corrupted, whereas a signature made with a vendor key proves who produced the file.
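An added example, not code from the page or from any IDPS vendor, of the integrity check described above: a downloaded update bundle is verified against a manifest of SHA-256 digests before it is applied. The manifest format (one "digest  filename" line per file) and the bundle contents are constructed for the example; `build_manifest` only exists to produce the manifest a vendor would have published, so the check can be run offline.

```python
"""Added example (not from NIST SP 800-94 or any vendor): verify a
signature-update bundle against a vendor-published SHA-256 manifest.

Assumptions (constructed for this example): the bundle contents and the
manifest format, one "<sha256 hex>  <filename>" line per file.
"""
import hashlib
import hmac

# Constructed "downloaded" bundle: filename -> file bytes.
UPDATE_FILES = {
    "rules-2014-06.txt": b'alert tcp any any -> any 80 (msg:"example";)\n',
    "engine.patch": b"--- a/engine.c\n+++ b/engine.c\n",
}

def build_manifest(files: dict) -> str:
    """Produce the manifest text a vendor would publish (demo helper only)."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in files.items())

def parse_manifest(text: str) -> dict:
    """Map filename -> expected hex digest, ignoring blank lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected

def verify_update(files: dict, manifest_text: str):
    """Return (ok, problems).

    Rejects any file whose digest differs from the manifest, any file the
    manifest lists but the bundle lacks, and any file in the bundle that
    the manifest does not list (an unexpected extra file is as suspicious
    as a modified one).
    """
    expected = parse_manifest(manifest_text)
    problems = []
    for name, digest in expected.items():
        if name not in files:
            problems.append(f"missing: {name}")
            continue
        actual = hashlib.sha256(files[name]).hexdigest()
        # Constant-time comparison; cheap insurance when digests are compared.
        if not hmac.compare_digest(actual, digest):
            problems.append(f"hash mismatch: {name}")
    for name in files:
        if name not in expected:
            problems.append(f"not in manifest: {name}")
    return (not problems, problems)

if __name__ == "__main__":
    manifest = build_manifest(UPDATE_FILES)
    print(verify_update(UPDATE_FILES, manifest))
    tampered = dict(UPDATE_FILES, **{"engine.patch": b"something else"})
    print(verify_update(tampered, manifest))
```

For real bundles the digest would be computed by reading each file in chunks rather than holding it in memory, and the manifest itself should be covered by a vendor signature (for example a detached GPG signature) fetched and checked before this comparison runs; otherwise an attacker who can replace the bundle can replace the manifest too.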
Building and Maintaining Skills – Additional Resources Required to Support
Additional items that should also be considered when implementing an IDPS system are:
* Training for IDPS administration staff – vendor training
* Additional training for programming – customization of alerts, report building, etc.
* Product documentation – ensure you have the latest IDPS system manual on hand
* Vendor technical support – what levels does the vendor offer, and what level does the organization require?
* Professional services (consulting) – what additional resources are required to implement and provide on-going IDPS configuration and support?
* User communities – is there an online community forum available?
Using and Integrating Multiple IDPS Technologies
Each IDPS technology (network-based, wireless, network behavior analysis and host-based) offers different information gathering, alerting, detection and prevention capabilities. Mixing the different IDPS technologies in one environment is typical, and leveraging their distinct strengths can improve detection accuracy and lower false positives: an event that a network sensor and a host agent both report is far more likely to be real than one seen by only one of them. The first decision for multiple IDPS solutions is whether to integrate them or not. Do they work together? Do they share feeds or centralized logging? As noted in NIST 800-94 table 8-1 on page 85, each IDPS technology has its own strengths.
(NIST 800-94, 2007)
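An added example, not code from NIST SP 800-94 or from any product, of the centralized-logging integration discussed above: alerts from a network sensor and a host agent are normalized into one record and correlated by monitored host within a time window, so a host event that is corroborated by network alerts is raised higher than one seen by the host agent alone. Both alert formats, the sample alerts, the five-minute window and the severity labels are constructed for the example; real products emit their own formats (syslog, CEF, vendor JSON) and would need their own parsers.

```python
"""Added example (not from NIST SP 800-94 or any product): normalize
alerts from two IDPS technologies and correlate them per host.

Assumptions (constructed for this example): both pipe-delimited alert
formats, the sample alert lines, the 5-minute correlation window and
the "high"/"medium" severity labels.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed network-sensor alerts: "time|src_ip|dst_ip|signature"
NETWORK_ALERTS = [
    "2014-06-29T10:00:05|203.0.113.7|10.0.0.5|WEB-ATTACK dir traversal",
    "2014-06-29T10:00:09|203.0.113.7|10.0.0.5|WEB-ATTACK /bin/sh in URI",
    "2014-06-29T11:30:00|198.51.100.2|10.0.0.9|SCAN port sweep",
]
# Constructed host-agent alerts: "time|host_ip|event"
HOST_ALERTS = [
    "2014-06-29T10:00:11|10.0.0.5|new setuid file /tmp/.x",
    "2014-06-29T12:00:00|10.0.0.9|config file modified /etc/hosts",
]

def normalize(line: str, source: str) -> dict:
    """Turn one vendor-format line into the common record used by the SIEM.

    'host' is always the monitored host so that records from both sources
    can be joined on it; 'peer' is the remote address (network only).
    """
    time_str, *rest = line.split("|")
    ts = datetime.fromisoformat(time_str)
    if source == "network":
        src, dst, sig = rest
        return {"ts": ts, "source": "network", "host": dst, "peer": src, "msg": sig}
    host, msg = rest
    return {"ts": ts, "source": "host", "host": host, "peer": None, "msg": msg}

def correlate(network: list[str], host: list[str],
              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Build one incident per host alert, graded by network corroboration."""
    events = ([normalize(l, "network") for l in network]
              + [normalize(l, "host") for l in host])
    events.sort(key=lambda e: e["ts"])
    incidents = []
    for e in events:
        if e["source"] != "host":
            continue
        related = [n for n in events
                   if n["source"] == "network" and n["host"] == e["host"]
                   and abs(n["ts"] - e["ts"]) <= window]
        incidents.append({
            "host": e["host"],
            "ts": e["ts"],
            "severity": "high" if related else "medium",
            "host_event": e["msg"],
            "network_events": [n["msg"] for n in related],
            "peers": sorted({n["peer"] for n in related}),
        })
    return incidents

if __name__ == "__main__":
    for inc in correlate(NETWORK_ALERTS, HOST_ALERTS):
        print(inc["severity"], inc["host"], inc["host_event"], inc["network_events"])
```

In the sample data the setuid file on 10.0.0.5 appears seconds after two web-attack alerts against the same host from 203.0.113.7 and is graded high, while the /etc/hosts change on 10.0.0.9 is thirty minutes after the port sweep, outside the window, and stays medium for an analyst to review. The window and the join key are the tuning knobs; joining on the monitored host rather than on the attacker address is what lets a host agent, which never sees the remote IP, corroborate the network sensor.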
Review of the IDPS Marketplace
Today there are many IDS and IPS solutions available in the IDPS market, supplying products for each of the NIST-identified IDPS technology types. In order to compare vendors and their offerings, a matrix comparing features, type (general network, wireless, NBA or host-based) and cost was created using the CVE-compatible products listed on Mitre.org (Common Vulnerabilities and Exposures, 2014). The IDPS products selected were taken from the Gartner IPS ‘Magic Quadrant’ data obtained from Gartner.com (Gartner IPS, Figure 1, 2013). The vendors selected for IDPS comparison were:
* Cisco – Sourcefire
* Enterasys – Dragon IPS
* HP – TippingPoint
* Huawei – NIP5500
* IBM – GX7800
(Gartner IPS, 2013)
Comparison of IPS Products
Summary
In summary, the selection of an IPS product can be very daunting. Not all vendors are created equal; some, like Cisco, are considered experts in network traffic management but not necessarily experts in IPS security management. Alternatively, Huawei, rated on the Gartner ‘IPS Magic Quadrant’ as a challenger and niche player, offers a price-competitive product but has the challenges of support and of being a China-based manufacturer.
Evaluating and selecting the correct IPS product comes down to:
* Concentrate on the area you are looking to secure.
* Select the best product (a weighted matrix of wants and needs) that meets the organization’s requirements and budget.
* Be cautious of what resources are required to support the system (internal versus external).
* Plan well, working with the vendor and all required internal groups (legal, security, IT, network, server and DBA teams, etc.) to ensure the system is designed and implemented correctly.
Implementing an IDPS solution is complex, and the amount of planning and resources required for a successful installation that yields the desired outcomes should not be underestimated.
References
NIST General Information. (n.d.). NIST General Information. Retrieved June 29, 2014, from http://www.nist.gov/public_affairs/general_information.cfm
Leithauser, T., & Curran, J. (2012). Research funding offered to speed rollout of 'Trusted Identities' effort. Cybersecurity Policy Report, 1. Retrieved from http://search.proquest.com.ezproxy.saintleo.edu/docview/926345613?accountid=4870
DNA research; dirty job made easier: Microfluidic technique recovers DNA for IDs. (2013). NewsRx Health & Science, 61. Retrieved from http://search.proquest.com.ezproxy.saintleo.edu/docview/1436894610?accountid=4870
NIST Role. (n.d.). The Role of the National Institute of Standards and Technology in Mobile Security. Retrieved June 29, 2014, from http://csrc.nist.gov/documents/nist-mobile-security-report.pdf
SPECIAL PUBLICATIONS (800 SERIES). (n.d.). NIST Computer Security Publications. Retrieved June 29, 2014, from http://csrc.nist.gov/publications/PubsSPs.html
Scarfone, K., & Mell, P. (2007, February). Guide to Intrusion Detection and Prevention Systems (IDPS) (NIST SP 800-94). Retrieved June 29, 2014, from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Common Vulnerabilities and Exposures. (n.d.). CVE – Products & Services by Product. Retrieved June 29, 2014, from http://www.cve.mitre.org/compatible/product.html
Hils, A., Young, G., & D'Hoinne, J. (2013, December 16). Magic Quadrant for Intrusion Prevention Systems (Gartner IPS). Retrieved June 29, 2014, from http://www.gartner.com/technology/reprints.do?id=1-1OAVJS3&ct=131217&st=sb