An Intrusion Defense Solution

Rather than write another piece on security in general for today’s post, I’m going to share my team’s experience in selecting an intrusion defense solution that expands on our existing firewall perimeter defense.  During the past several weeks, my team and I struggled with the new infrastructure and management design to support our enterprise security strategy.  We looked at IDS and IPS.  We looked at SIM products.  And we assessed each solution based on the following criteria:

  1. It has to provide general protection at the perimeter from common intrusions.
  2. It has to provide visibility into our entire network.  The solution has to collect log data from all firewalls, switches, routers, IDS, and IPS devices and place it in a central repository.  It has to aggregate and correlate the data into meaningful information about the state of the network.  This information must be presented to approved IT personnel via a portal delivered through a browser interface.
  3. We have to be able to implement tough access rules at the entry points to the network segments in our data center on which our critical information assets reside.
  4. The solution must be able to identify and report on vulnerabilities in our data center.

This list is a high-level version of our requirements, but you get the idea.  As we assessed various solutions, we also asked ourselves whether it was better to meet our monitoring requirements with a managed service or whether we should do it ourselves.  These are our conclusions:

  1. The effort in configuring and managing IPS devices is usually at the front end – especially if you just use the default blocking rules and leave IDS turned off.  Based on our research, we believe we can implement an IPS behind our Internet firewall that we can manage with very little recurring cost.
  2. Contrary to reports, IDS is not dead.  IDS devices provide an inexpensive, non-intrusive way to gain visibility into our network.  In the graphic below, we show how we plan to leverage it.  IDS solutions are different from IPS.  IDS devices can collect thousands of lines of data each day.  The trick is to sort out the false positives, and try to make some sense out of what’s left.  This function was definitely a candidate for outsourced management.
  3. IPS and IDS products are typically not very good at scanning the network to locate vulnerabilities.  So we decided to implement a network scanning tool, the output of which is fed to the SIM database.  But this tool requires regular updating to remain current on known vulnerabilities.  This became one more candidate for outsourced management.
  4. Collecting log data from over 30 devices and churning it into SIM dashboard information was found to be another time-consuming task.  This also was a candidate for outsourced management.

Overall, we found that outsourcing the management of the monitoring tools released the Security Team to concentrate on dealing with the findings of the various solutions rather than on managing the tools.  But we also realized that whether we outsourced management of the solution or not, we were ultimately responsible for protecting our network. 

We decided to outsource all aspects of monitoring and the management and presentation of the collected data.  Using a web portal, we’ll have access to information about the health of our network at any time.  We’ll use this information in risk management activities designed to mitigate overall risk to the company’s information assets.  The graphic below is a conceptual depiction of our solution.


Let’s walk through this diagram, starting at the perimeter router.  Packets from the Internet enter our network through this device.  A Network-based IPS (NIPS) is placed behind it.  In this example, the NIPS is positioned in a DMZ.

All data passing through the DMZ must pass through the NIPS.  In other words, this is an inline device that is configured to fail open. The NIPS will block known packet or network anomalies as well as known network attack signatures.  When an attack is detected, an alert is sent to the responsible security analyst.  All non-attack traffic is allowed to pass through to the internal network.

Upon entering the internal network, the packets pass through a core switch.  Attached to the core switch is an IDS sensor.  This is known as a Network Intrusion Detection System (NIDS).  Unlike a NIPS, a NIDS is not typically placed inline with the data.  This is due to performance issues common with intrusion detection devices.  But we still want to gather all the data passing through the switch.  We do this by configuring one of the switch ports as a Switched Port Analyzer (SPAN) port.  All traffic passing through the switch is copied to the SPAN port.  The NIDS scans the data and logs the results; it doesn’t block any traffic.

Also connected to the core switch is another NIPS.  Like the DMZ device, this NIPS is inline with the data and configured to fail open.  It acts as a security gateway between the servers housing the critical business systems and the rest of the network, blocking traffic it suspects contains malicious packets.

Note the layered approach to implementing IPS and IDS.  Each of these technologies has strengths and weaknesses.  IPS is great at blocking traffic, but if you tighten the rules too much you might cause your own DoS incident.  On the other hand, IDS is great at collecting large amounts of information about your network traffic, but it isn’t suitable for inline operation.  Nor is it reliable enough to end sessions over which attacks are traveling.  But putting the two technologies together creates a synergistic environment in which each technology helps shore up the weaknesses in the other.

Next, we come to vulnerability scanning.  The vulnerability scanning solution is not pictured in our conceptual drawing.  But it’s a critical piece of our intrusion defense implementation.  NIPS and NIDS are great at providing visibility into the network, but they’re not perfect.  Malicious packets will get through.  So another layer of defense is the process of identifying and remediating hardware and software vulnerabilities.  Regular scans of the network, or of specific network segments, provide a list of vulnerabilities known to exist in operating systems, applications, or network devices.  This information is passed to the portal, where we’ll assess the risk posed by each vulnerability and manage remediation activities.

Now we’ll discuss the portal.  All the information collected by the IPS, IDS, and vulnerability scanner will be aggregated, correlated, and posted to a security dashboard.  Further, logs from the network firewalls and switches will be included in the dashboard statistics.  This provides a single window into the health of our network instead of trying to piece it together by looking at 30 or 40 individual logs or reports.
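To make the correlation step concrete, here is an added example (not code from the post or from any of the products mentioned) of the kind of rule a SIM would apply: NIPS blocks and NIDS alerts are joined against the vulnerability scanner’s findings, and each event is ranked by whether the attack reached a host the scanner says is exposed. The log line format, device names, signature names and scan results are all constructed for the example.

```python
import re

# Constructed sample feeds; the line format is assumed, not any vendor's syntax.
# "nips-dmz block" lines are inline blocks at the DMZ; "nids-core alert" lines come
# from the SPAN-port sensor on the core switch, i.e. traffic that was NOT blocked.
DEVICE_LOGS = [
    "2006-03-01T10:02:09 nips-dmz block sig=SMB-overflow src=203.0.113.5 dst=10.1.5.20",
    "2006-03-01T10:02:30 nids-core alert sig=HTTP-traversal src=203.0.113.5 dst=10.1.5.30",
    "2006-03-01T10:05:00 nids-core alert sig=SMB-overflow src=198.51.100.9 dst=10.1.5.40",
    "2006-03-01T10:06:12 nips-dmz block sig=HTTP-traversal src=198.51.100.9 dst=10.1.5.30",
]
# Constructed scanner output: host -> signatures the scanner says it is vulnerable to.
SCAN_FINDINGS = {"10.1.5.20": {"SMB-overflow"}, "10.1.5.30": set(), "10.1.5.40": {"SMB-overflow"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>block|alert) "
    r"sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse(line):
    """Parse one constructed log line into a dict; reject anything off-format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    return m.groupdict()

def prioritise(event, findings):
    """Rank an event by whether the attack reached a host the scanner says is vulnerable."""
    vulnerable = event["sig"] in findings.get(event["dst"], set())
    if event["action"] == "alert" and vulnerable:
        return "critical"   # got past the NIPS and the target is exposed: respond now
    if event["action"] == "block" and vulnerable:
        return "high"       # stopped this time, but the NIPS fails open: patch the host
    if event["action"] == "alert":
        return "medium"     # reached the target, no known exposure: analyst review
    return "info"           # blocked and not vulnerable: routine noise

def correlate(lines, findings):
    """Aggregate every device line and attach a priority for the dashboard."""
    return [{**e, "priority": prioritise(e, findings)} for e in map(parse, lines)]

def dashboard_counts(ranked):
    """Headline totals per priority, the kind of number a SIM portal displays."""
    counts = {}
    for r in ranked:
        counts[r["priority"]] = counts.get(r["priority"], 0) + 1
    return counts

if __name__ == "__main__":
    ranked = correlate(DEVICE_LOGS, SCAN_FINDINGS)
    for r in ranked:
        print(r["priority"].upper(), r["ts"], r["src"], "->", r["dst"], r["sig"])
    print(dashboard_counts(ranked))
```

The ordering mirrors the post’s layering: an alert the inline NIPS did not stop, against a host the scanner already flagged, is the finding the Security Team should act on first.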

Is this a perfect solution?  Absolutely not.  But it’s good enough.  We implement security solutions based on risk management principles.  The use of sound risk management practices allows us to see just how critical a vulnerability or a potential threat is to our environment.  It also helps us decide what resources to apply to risk mitigation and how much to reduce the risk.  Yes, we will make improvements over time.  No, we probably didn’t do everything we should or could have.  Resource constraints are as real in our organization as they are in yours.  But I believe this is a good start.


Juniper IDP Solutions

Verisign Managed Security Services

LURHQ Managed Security Services


