1. Thwart attacks on your network.

Transcription

1 An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are relatively new technologies and, like most network-security methods, are constantly evolving to keep up with the ever-changing nature of computer threats. It was predicted that part of that evolution would be that the proactive intelligence of IPS, which actively stops security threats, would naturally supplant the passive monitoring of IDS, which simply watches for threats. Instead, companies have begun deploying the two technologies in sync, creating a more complete network security environment. In fact, you d be hardpressed to purchase a device that doesn t integrate IDS and IPS technologies most vendors now offer appliances that do both, and they are often called IDPS (Intrusion Detection and Prevention Systems). IDS and IPS become much more affordable when the technologies are integrated into a single appliance. A box that does both IDS and IPS can act almost as a virtual device, allowing you to enable IDS internally and IPS at the network perimeter. Deployed in this fashion, an IDPS offers functionality beyond stopping attacks and detecting suspiciously odd network behavior. 1. Thwart attacks on your network. First and foremost, an IDPS is a complex security device that uses a variety of detection technologies to ferret out incoming malicious traffic and stop it before worms, Trojans, viruses and other threats can damage the health of your enterprise. If the device is set to intrusion detection only, the appliance will sound the alarm, and your network administrator can further investigate the suspicious code. If the device is set perform intrusion prevention, then it will stop the malicious traffic the instant it recognizes it. An IDPS can do this in a variety of ways: It can terminate the network connection or the user session that is attacking your enterprise. It can block the dangerous user account, IP address or other attacker attribute from accessing your targeted servers or other network assets. Or it can completely shut down all access to the host, service, application or whatever network asset under siege. Copyright

2 Many IPDS devices are sophisticated enough to take increasingly intelligent actions against dangerous security events. Some can stop an attack by reconfiguring onthe-fly the security controls on another network device, such as a router or a firewall, to block the attacker s access. Some can apply a patch to a host if the IPDS discovers vulnerabilities. Additionally, some can even wipe out the malicious code to unman an attack, such as deleting an infected file attachment before forwarding an to the user. 2. Alert a network administrator of possible security events. When the IDPS is set to perform intrusion detection, it will notify a network administrator of any threats or security policy violations it detects. Because IDS is a passive technology, the potentially malicious traffic is allowed to continue onto the network, and it s up to the network administrator to decide if a breach has occurred. The alert can be sent as an , a page, a message on the IDPS user interface, an SNMP( Simple Network Management Protocol) trap, a syslog message or through a user-defined program and script. In general, an alert contains just the basic data to describe the event, and the IDPS collects more specific information in reports. Depending on how carefully tuned the IDS device is, it may send hundreds of alerts - many of which inevitably turn out to be false positives - to the administrator every day. Thorough training of the device on the network activity can vastly decrease the number of alerts it sends. 3. Meet compliance regulations. Key to meeting and maintaining compliance with regulations such as the Sarbanes- Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) is flawless security management - and that s one of the driving forces behind the deployment of an IDPS in many organizations, particularly in heavily regulated industries such as financial institutions and health-care companies. An IDPS appliance can help a company show which applications and network resources are being accessed by malicious code, which is a key requirement to complying with SOX or HIPAA. With an IDPS in place, a company can show accountability, making it clear that appropriate user-access rights are in place and that an infrastructure enforces those access rights. An IDPS device s logs can be useful, too, when showing the measurability of internal processes. 2

3 4. Enforce network security policies. An IDPS device can be used to protect your enterprise not only from intruders bad intentions, but also from your users mistakes - or from a disgruntled employee s attempts at revenge. According to CSO magazine s 2006 E-Crime Watch survey of 434 security executives and law personnel, the threat posed by users is getting worse; of the organizations that experienced security events in the previous year (76 percent of total respondents), 55 percent of them reported at least one insider event (up from 39 percent in the 2005 survey). You can configure most IDPS appliances to identify violations of security policies with settings similar to a firewall ruleset. Also, some devices can watch file transfers for ones that might indicate nefarious use, such as a user transferring a database onto a laptop. You don t necessarily need to do this in secret, though. If your users know that their systems are being watched for security-policy violations, they ll be less likely to knowingly commit them. Additionally, you can use an IDPS to help shape and maintain security policies; the insight into network traffic patterns it gives can be invaluable when determining which sites users are allowed access to, for example. An IDPS may also notify an administrator of duplicate firewall rulesets and catch dangerous traffic that was allowed in by the firewall. 5. Limit nonbusiness IM (instant messaging) and video streaming. Most organizations don t want to ban their users from accessing video streaming and download sites such as YouTube, but having even a few streams running simultaneously can devour bandwidth that s still precious to many companies. And even though IM can be a valuable communications tool in some environments, employees are just as likely to send personal messages as work-related messages. Instead of banning these uses of the Internet, you can use an IDPS device to guarantee a certain level of quality of service for business processes. With intrusion prevention technology, you can achieve this through rate limiting, to limit perhaps 10 percent of the WAN pipe for nonbusiness traffic. Suddenly, the IDPS becomes a proactive business policy-setting device - a function unique to IDPS. More dangerous than eating up bandwidth is the new avenue of attack opened up by IM. Most IM programs will send attachments, which could contain malware such as a worm. Once a worm has secretly downloaded itself, the attacker can use it to control the host computer and gain access to your network. Some IPDS devices can detect and shut down such unauthorized interactive traffic. 3

4 6. Better understand network activity. An IDPS logs information about network traffic, including which threats successfully breached your network security (and how) and those that were foiled (and how). Many organizations first use the device just in IDS mode to get a baseline of network activity. This can serve two purposes. First, the IT staff can better understand the IDPS device s capabilities before it s an active part of the enterprise. Second, it lends insight into the kind of data that s coming in and going out of the network every day, which is useful when creating an accurate set of rules for the device to operate under. With the knowledge imparted by an IDPS s reports, a network administrator can better protect specific enterprise resources, such as finding those that lack adequate security measures, and better resolve the problems that inevitably crop up. It can also be a very tangible way to educate an organization s executive staff about the very real threats knocking on the door. 7. Save time. It may take some time up front to fine-tune the intrusion-detection technology so that it sounds an acceptable number of alarms - the false positives along with the legitimately malicious code - but it s nothing compared to the amount of time it would take IT personnel to comb through firewall activity logs every day. And what about the time it saves everyone - IT personnel as well as all the users in your company - when an attack forces the network to be shut down? 8. Learn what applications users have installed on the network. An IDPS device can help you discover the random applications the types and versions users have downloaded that deviate from the approved list of programs. When you know that IM and peer-to-peer software lives on your enterprise, you can better secure those applications as well as create and enforce security policies for them. 9. Build trust with partners. Intrusion prevention isn t just about reducing the risk your enterprise faces, it s also about making sure that a security breach to your network, such as a worm or virus, doesn t propagate out across your partners networks. This becomes a particularly crucial business practice when your company works with government agencies and financial groups. 4

5 10. Save money. Like any worthwhile technology, an IDPS device can save your organization money in myriad ways. Immediately, you can reassign an IT staffer to a task more productive than spending hours daily poring over firewall logs to pinpoint dangerous activity on the network. More difficult to quantify is the money saved from the fallout of a security incident; for example, how much revenue would your company s Web store lose if it goes dark? If an attack resulted in stolen personal information, you may lose customers, and finding new ones is a costly endeavor. Each organization has an individual worst-case scenario to the bottom line, which an IDPS can help avoid. 5