IDS IPS Buyer s Guide

Transcription

1 Learn what an IDS IPS can do for you and understand what issues you should consider during your decision-making process. IDS IPS Buyer s Guide Copyright 2007, Tippit, Inc., All Rights Reserved

2 Contents Executive Summary 3 IDS IPS Overview 5 Market Overview 7 The Benefits of IDPS 9 Basic Features 11 Advanced Features 13 Cost 15 Checklist 16 Conclusion

3 Executive Summary An IDS (Intrusion Detection System) device is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules and setting off an alarm if it detects anything suspicious. An IDS can detect several types of malicious traffic that would slip by a typical firewall, including network attacks against services; datadriven attacks on applications; host-based attacks such as unauthorized logins; and malware such as viruses, Trojan horses and worms. Most IDS products use several methods to detect threats, usually signature-based detection, anomaly-based detection and stateful protocol analysis. An IPS (Intrusion Protection System), has all the features of a good IDS but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits in-line with traffic flows on a network, actively shutting down attempted attacks as they re sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack; by blocking access to the target from the user account, IP address or other attribute associated with that attacker; or by blocking all access to the targeted host, service or application. Layered security is the key to protecting any size network. For most companies, that means adding both IDS and IPS products to the network. When it comes to IPS and IDS, it s not a question of which technology to add to your security infrastructure both are required for maximum protection against malicious traffic. In fact, vendors are increasingly combining the two technologies into a single box. In 2003, research firm Gartner Inc. predicted the death of IDS by 2005, believing that the passive monitoring technology would be rendered obsolete by its more intelligent cousin IPS. Reality didn t quite play out that way. The two technologies are now regarded more as siblings than cousins, complementary technologies rather than rivals. In fact, the combined IDS and IPS market grew to more than $1 billion in Revenue grew 19 percent last year, largely because of sales of IPS equipment, according to Infonetics Research. Instead of fading way, IDPS (Intrusion Detection and Prevention Systems) have become a significant component in a complete security infrastructure, which is no surprise considering the daily barrage of enterprise security threats every organization faces. 3

4 Today, most commercial IDPS offerings are a combination of IDS and IPS technologies capable of working solely in IDS watch-and-alert mode or being fully deployed to also stop attacks in IPS mode. An IDPS, though, is more than a proactive security device. A company can also use it to create and enforce security policies, guarantee some quality of service for business-critical Web applications and help comply with government regulations, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Essentially, an IDPS provides a spectrum of security and security-related features in a single box. The increasingly sophisticated nature of today s zero-day threats means that companies can t rely on their firewalls and software patches to protect the enterprise network from known and new attacks, whereas an IDPS device can deflect a new attack before anyone else has a chance to post details about a previously unknown threat that has broken loose on the Internet. In this Buyer s Guide you will find details on what to look for in an IDPS offering, the benefits it should bring to your enterprise and what you need to know before you buy an IDPS device. 4

5 IDPS Overview There are three types of IDPSs: network-based, which monitor network traffic on particular segments or devices; wireless, which monitor wireless traffic; and host-based, which monitor a single computer. This buyer s guide focuses on network-based IDPS products, which watch the activity of protocols to detect suspicious events attacks that are becoming more sophisticated, getting more difficult to detect and causing more damage to businesses. Consider the results of the 2006 E-Crime Watch survey, which was conducted by CSO magazine, the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute s CERT Coordination Center and Microsoft Corp. Released in September 2006, a vast majority 74 percent of the 434 security-executive and law-personnel respondents saw a security incident at their companies. Seventy-two percent reported that automated attacks such as viruses, worms and malware were still the most common form of e-crime. Also, 60 percent reported unauthorized access to or use of information systems or networks, 51 percent reported spyware, and 40 percent reported the illegal generation of spam . Respondents also revealed that many had been the victims of targeted attacks. The theft of proprietary information, such as customer records, was reported by 33 percent of respondents; 33 percent of those respondents reported sabotage of their systems, while 30 percent reported intellectual-property theft. A pre-emptive security measure, an IDPS device makes your network smarter, giving it the intelligence to instantly recognize and react to attacks, threats, exploits, worms, Trojan horses, spyware and viruses. Installing a network-based IDPS goes a long way toward battening down the network hatches. A pre-emptive security measure, an IDPS device makes your network smarter, giving it the intelligence to instantly recognize and react to attacks, threats, exploits, worms, Trojan horses, spyware and viruses. Most IDPS products use several different methods of detection, including stateful signature detection, protocol- and traffic anomaly detection, and backdoor detection. An IDPS device usually records data about detection events, sends alerts to network administrators about potentially dangerous events and produces reports. The intrusion-prevention technology lets the device stop a threat it has detected, either by shutting down the attack, 5

6 reconfiguring another network device to change the environment or changing the content of the attack itself. An IDPS appliance sits in-line, monitoring traffic as it flows through it, in from and out to the Internet. It can be deployed at the core of a network or on the perimeter. It can be used to segment an extended network which includes mobile users, VPN (Virtual Private Network) tunnels, wireless LANs and all the attendant possible points of entry and prevent threats from propagating inside the network should they break through the perimeter. Regardless of where on the network it is installed, an IDPS protects all of the downstream segments and machines. The general wisdom when it comes to deploying separate IDS and IPS boxes is to install them on different points in the network. The IDS box should sit inside the firewall to monitor internal activity, guarding against the ever-present threat from users and giving greater visibility into security events, both current and historical. The IPS device should sit on the perimeter of the network, where it can stop zero-day attacks. You can use an IDPS almost as a virtual device, enabling the IDS portion of the device on the internal network and enabling the IPS portion on the external part of the network. Nevertheless, when a security officer first switches on an IDPS box, he is usually not going to immediately block traffic. Companies generally set up the IDPS first in a passive (intrusion detection) mode for the first weeks or months so that they can monitor traffic and watch the alerts the new system sends. This allows the IT staff to both fine-tune the settings, training the device on the types of network traffic common to that organization, and gain trust in the product s capabilities to protect network assets. Typically, a security officer will gradually raise the threshold on the device to block suspicious traffic. 6

7 Market Overview The IDPS market is a $1.6 billion market, according to Infonetics Research. Leading IDPS vendors include network hardware giants such as Cisco, as well as smaller niche security players such as Reflex Security. Other leading vendors include IBM Internet Security Systems (ISS), Juniper Networks, McAfee and 3Com/TippingPoint. Also according to Infonetics, Cisco and Juniper Networks are the two leaders in the overall network security market as of June Because they re network devices through which traffic flows, IDPS offerings are generally built for specific speeds and uses: small- and medium-sized businesses, small enterprises, large enterprises, service providers, carrier networks and datacenter networks. The range of speeds is vast, and there is an appliance suitable to any network infrastructure, starting at 10 Mbps and going as high as 10 Gbps. Popular IDPS Products and Speeds Product Cisco IPS 4200 Sensor IBM Proventia Network Intruson Prevention System Juniper Networks IDP McAfee s IntruShield Network IPS Speeds Available 1 Gbps, 600 Mbps, 250 Mbps, 80 Mbps 2 Gbps, 1.2 Gbps, 400 Mbps, 200 Mbps 1 Gbps, 500 Mbps; 250 Mbps; 50 Mbps 2 Gbps, 1 Gbps, 600 Mbps, 200 Mbps, 100 Mbps Reflex Security 10 Gbps, 5 Gbps, 1 Gpbs, 200 Mbps, 100 Mbps, 30 Mbps, 10 Mbps TippingPoint IPS 5 Gbps, 2 Gbps, 1.2 Gbps, 600 Mbps, 200 Mbps, 50 Mbps 7

8 In September 2006, Info-Tech published a product comparison on 11 midmarket intrusion detection and prevention appliances, testing products from McAfee, TippingPoint, Juniper Networks and Cisco. Each vendor had clear strengths over the others. The comparison ranked McAfee s IntruShield appliances on top, calling them exceptional in the areas of viability/stability, strategy and features. TippingPoint s offerings also scored high, earning an exceptional rating in strategy, and were considered best in the ease-of-use category; however, Info-Tech was not impressed with the vendor s support. Juniper Networks appliances earned the highest stability/viability rank but scored low with its poor management interface. Finally, Cisco s products ranked exceptional in architecture, but they, too, had a disappointing interface score. Before you embark on any kind of product evaluation, you should first pinpoint the organization s goals for the IDPS solution. Info-Tech says that even though each solution will improve network security, not all are appropriate if your staff has minimal security expertise, and others are not appropriate if you are unwilling to risk throwing in with a smaller vendor. You should also define the requirements your organization needs the IDPS offering to meet by understanding which systems and network segments need to be monitored. The requirements for a variety of needs should be defined clearly, including security capabilities, such as logging and information gathering; performance, such as maximum capacity; management, including interoperability and scalability; and life cycle costs, including ongoing maintenance. 8

9 The Benefits of IDPS As a unique component of an overall security suite, an IDPS offers wideranging benefits. By providing proactive security at a network s most vulnerable points, an IDPS appliance protects an organization from the many deleterious effects of succumbing to a security attack data loss, wasted time, loss of business availability and a damaged reputation, all of which inevitably leads to taking a big hit in the bottom line. If an attack does make it through your defenses, an IDPS can help you understand what exactly happened and why the attack was successful, which is critical to preventing it from happening again. In addition to enforcing stricter security, companies that deploy an IDPS appliance also gain help in maintaining regulatory compliance. Laws such as the Financial Modernization Act (otherwise known as Gramm- Leach-Bliley Act), SOX and HIPAA have raised the bar when it comes to ensuring data security, integrity and privacy. Myriad organizations, from public companies and federal agencies to financial institutions and health care providers, are using IDPS devices to help safeguard their confidential data, preventing threats such as backdoor programs that allow unauthorized access to information. Such crimes are frequent in CSO magazine s 2006 E-Crime Watch survey, 60 percent of respondents reported unauthorized access to systems. Also, IDPS reports can be an invaluable tool for documenting security events and responses for compliance purposes. The automated interdiction capabilities of an IDPS device make it easier to consistently enforce a security policy, showing compliance with stated security policies when audit time rolls around. An IDPS device is helpful beyond the attacks it stops and the reports it logs. An IDPS can take the place of specialized security personnel a company can t afford to retain. The automated interdiction capabilities of an IDPS device make it easier to consistently enforce a security policy, showing compliance with stated security policies when audit time rolls around. In addition, the IDPS tool maintains the availability of a computing resource, network or system when it thwarts DoS (denial of service) attacks. Those that have rate-limiting capabilities can be used to guarantee a level of quality of service for mission-critical Web applications; this often is set up by allowing only a certain percentage of bandwidth to be used for video streaming, IM (instant messaging) and other nonbusiness-related activities. 9

10 Specific Benefits of an IDPS Proactively protects security at a network s most vulnerable points Documents security events and responses Identifies where and why attacks happen Maintains regulatory compliance Streamlines security audits Makes it easier to enforce security policies Limits nonbusiness network activities (video, IM and so on) Helps IT staff better understand network activity overall Uncovers unauthorized applications installed on the network 10

11 Basic Features Any IDPS you should consider should have certain non-negotiable features for maintaining network reliability and for performing security tasks. Here s what to look for: Speed: To be compatible with your network, an IDPS appliance needs to perform at speeds that match those of the environment it is protecting. Most are purpose-built, performing at speeds specific to their intended deployment environments, from SMB (Small to Medium Business) networks all the way up to serviceprovider networks. In general, models are commonly available at speeds ranging from 10 Mbps, 50 Mbps and 80 Mbps; to 200 Mbps, 400 Mbps and 600 Mbps; to 1 Gbps, 2 Gbps, 5 Gbps and even 10 Gbps. Of paramount importance is the device s ability to perform transparently in the network environment the IDPS appliance should inspect traffic as it flows through the device, reacting to threats as necessary, with nary a blip on the user s radar screen. Reliability: Installed at critical points in a network infrastructure, an IDPS could cause drastic system outages if it fails. Therefore, a network-based IDPS tool must be highly reliable with a long MTBF (mean time between failures). In case it does go down, the IDPS device should fail open. Rules of Engagement: An IDPS appliance provides its high level of protection by using a variety of signature-based and anomalybased detection methods, as well as protocol identification and analysis technologies to accurately determine the nature good or bad of the traffic it monitors. When malware is detected, an IDPS must be able to take immediate action based on a set of rules determined by the network administrator. An IDPS device might drop a packet that it recognizes as malicious and block all traffic coming from that IP address or port. If so configured, it might also forward a copy of the dropped packet to the network administrator for further remediation, or it might delete the packet if it contains a known threat. The device would continue to forward legitimate traffic to the intended user with no obvious delay of service. Information Collection and Analysis: An IDPS device can take a variety of actions some products do more than others. Functions include collecting information about hosts, such as which operating systems are in use, logging data related to detected events and capturing packets. 11

12 Prevention: An IDPS also often offers prevention capabilities, even when in passive IDS mode, such as ending a TCP session by resetting it. When in IPS mode, the appliance may perform in-line firewalling, throttling bandwidth usage and altering malicious code. An IDPS can reconfigure other network security devices and run third-party software to begin additional prevention actions. Load Handling: Despite all of its functionality, a network-based IDPS device does have its limitations. Most importantly, it can t detect attacks sent inside encrypted traffic. Some offerings can t perform full analysis when under high loads of traffic. Because it is a network device, it, too can be the target of various types of security threats, generally those that use large volumes of traffic. System Updates: Finally, like an anti-virus solution, an IDPS is only as good as its security data, which it uses to recognize known threats, vulnerabilities and exploits. To maintain accuracy, it relies on current security intelligence that vendors regularly and automatically update, some daily and some weekly. All IDPS providers at least any vendor worth trusting your enterprise security to send updated signatures as soon as a threat is identified. 12

13 Advanced Features Essentially, an IDPS device must accurately identify all the different attacks, vulnerabilities and other security threats hiding in network traffic while limiting the number of false alarms. Because there is no single magic mode of detection, IDPS appliances use a variety of detection techniques. If you re interested in an advanced solution, you need to evaluate how the product you re considering handles the following: Signature Detection: Detects known attack patterns in network traffic. Certain attacks can be recognized by using an attack signature if the IDPS tool finds the pattern of the attack in network traffic. For instance, to determine if a hacker is trying to log in to your server as a root user, an IDPS might react any time it detects the word root. If you know what network behavior you want to identify and stop, it s relatively easy to develop a signature. On the downside, the signature-detection method only detects known attacks and every new attack needs a new signature. Also, signature engines may generate many false positives if they re setting alarms off on expressions that are too common. Protocol Anomaly: Detects unknown or permutated attacks. Most IDPS appliances use protocol-anomaly detection, which halts attacks that deviate from the protocols that traffic usually follows. It can only stop the attacks that exploit the protocols the device supports, such as SNMP (Simple Network Management Protocol). Backdoor Detection: Detects unauthorized interactive backdoor traffic, which indicates worms and Trojan horses. It looks for the interactive traffic that indicates an intruder may be taking control of a computer, detects unauthorized interactive traffic and spots backdoors on the network, such as those found in IM applications. Traffic Anomaly: Detects attacks spanning multiple sessions and connections. Some attacks are not contained within a single session, instead gathering information over a number of connections for future attacks. Traffic anomaly detection can pinpoint this type of activity by finding deviations in the incoming traffic from normal traffic patterns. 13

14 Network Honeypot: Detects attackers that are impersonating network resources and tracks attacks against them. A network honeypot sends fake information faux services to hackers scanning the network, allowing the IDPS to identify the attacker when he tries to connect to the service. Any attempt on these nonexistent services is essentially an attack, which the IDPS appliance shuts down. Layer 2 Detection: Detects Layer 2 ARP (Address Resolution Protocol) and man-in-the-middle attacks, which are prevalent in switched environments. DoS Detection: Detects certain DoS attacks, often including distributed DoS and SYN flood attacks. DoS attacks attempt to crowd out legitimate traffic with huge numbers of DoS activity or overload network services such as authentication. DoS isn t an attempt to break into the network but rather to interfere with normal traffic and applications. Spoofing Detection: Detects IP spoofing attacks. Rate Limiting: Allows the IDPS device to limit certain types of traffic by preventing it from using an excessive amount of bandwidth. IPv6 Detection: Detects malicious traffic on IPv6 traffic. IP in IP Detection: Detects malicious traffic within mobile IP traffic. An IDPS wouldn t be much use for regulatory compliance without robust reporting capabilities. Many IDPS appliances can generate different types of reports on current attacks, some for managers and some for compliance purposes. Reports might show the big picture of network security and the actions taken to protect the enterprise, or they might be context-sensitive and created on-the-fly to make quick investigations. Most IDPS devices allow the network administrator to customize reports to show the current status of activity on the network. Some of these devices even deliver forensic features to analyze characteristics of known threats and intrusions, providing information and reporting relation to intrusion identification, relevancy, direction, impact and analysis. Most IDPS devices are centrally managed and offer more than one interface typically, there is an easy-to-use Web-based management interface for configuration and reporting tasks, as well as monitoring security events happening on the network. These devices can also be usually be configured via a command-line interface. 14

15 Cost CSO magazine s 2006 E-Crime Watch survey revealed that the damage done by enterprise security events is getting worse. Sixty-three percent of respondents reported operational losses as a result of e-crime, 23 percent reported harm done to their organization s reputation and 40 percent reported financial losses, which averaged $740,000 in 2005 compared to an average of $507,000 in When talking about financial damage like that, the cost of an IDPS solution seems like a pittance initial purchase prices range from $4,000 to $10,000 to $60,000 and more. It s important to also budget for maintenance and training costs, as well as a support contract with the vendor of choice. It s important to budget for maintenance and training costs, as well as a support contract with the vendor of choice. For example, Reflex Security s Interceptor 1000, a gigabit IPS appliance, started shipping for $28,000 in May In general, the vendor s IPS platforms range from $2,500 to $32,500. Juniper Networks IDP 50 starts at $9,000 and costs as much as $57,000 for the enterprise-class IDP McAfee s IntruShield line starts at about $11,000, and IBM ISS s Proventia G series starts at about $10,000. Cisco s 4200 series of IPS sensors range from about $5,000 retail to $45,000 retail. Also, TippingPoint s IPS boxes start at $5,000 and go up from there. These are just examples, of course, and vendors tend to ask that the customer contact them for pricing estimates. Note, too, that some vendors will sell multiple units at a discounted price. The things that affect cost of an IDPS solution are typically speed and advanced features. 15

16 IDPS Buyer s Checklist What to ask before you buy. Before you begin evaluating various IDPS offerings, you first should answer several questions about your network environment, as well as any external requirements your organization must meet. r What is the architecture of your network? It can be helpful to create a network diagram that shows all of the connections to other networks, as well as the locations of hosts. r What are the operating systems, network services and applications on each host that need to be protected by an IDPS device? r Are there any nonsecurity systems, such as a networkmanagement system, that need to be integrated with the IDPS device? r What types of threats from insiders and from intruders do you need to the IDPS to protect against? Be as specific as possible. Also, remember that threats from your users include authorized users who overstep their privileges to violate security policies. r Does your organization have clear security policies? What security goals, such as confidentiality and availability, are outlined in those policies? What are the management goals, including privacy and protection of liability? r What is the process for handling a specific security-policy violation? What kinds of violations or attacks warrant automated immediate response (IPS versus IDS)? r Do you need to monitor user behavior and network usage for violations of acceptable-use policies or other nonsecurity reasons? r Do your organization s audit requirements specify any functions that must be provided by an IDPS device? Some offerings include reports designed to meet legislative requirements for health care or financial institutions. 16

17 r Are your systems subject to accreditation? Does the accreditation authority have any requirements specific to an IDPS device? r Must your organization meet any requirements about IDPS functions that relate to law-enforcement investigations and resolution of security incidents? This comes into play particularly with collecting and protecting IDPS logs as evidence. r Must your organization meet any cryptography requirements? For instance, federal agencies must purchase products that use FIPS-approved (Federal Information Processing Standards) encryption algorithms. r Will you have IT personnel available to monitor the IDPS 24/7? Some offerings require constant monitoring and maintenance, so if you do not have staff dedicated to the task, it s important to consider a product that can operate unattended. 17

18 Conclusion When the Internet was young, a firewall was security enough for a computer network. This first generation of network security defined access rules to block many types of attacks. But firewalls were and largely still are unconcerned with traffic once it was allowed through to the network. Next came IDS, which inspected content and context of network traffic. IDS compares traffic s content with a database of known exploits and alerts the network administrator when it gets a whiff of something malicious. The natural evolution of network security technology led to IPS, which provides an efficient, adaptive solution to today s myriad security threats. Unlike previous generations of network security tools, IPS makes a security policy come to life with a proactive response to threats to your enterprise network. Not surprisingly, many organizations are finding that their security environment is not complete without both IDS and IPS technologies. Most IDPS offerings share common features, such as using multiple methods of detection to ferret out malicious code. When evaluating IDPS offerings, it s important to understand what you need the solution to do for your organization and what functionality it offers. Consider each device s security capabilities, performance, management and life cycle costs. At a minimum, an IDPS should be installed at a network s gateway to block incoming traffic with malicious intent. If an attack is successful, then the reports an IDPS generates will help you better understand how the attack broke through your network defenses, which is critical to preventing a similar attack. For more on IDS and IPS products, check out our IDS/IPS Product Comparison Guide. 18

19 Tippit, Inc. 514 Bryant Street, San Francisco, CA Phone: / Fax: publishers@tippit.com 19