Marco Ermini, Network Security Manager will discuss his best practices of Network Intrusion Detection and Prevention and deployment of the overall NIDS/NIPS infrastructure and network vulnerability.
Best practices in NIPS - Brighttalk - January 2010
1. Best practices in Intrusion Prevention
Marco Ermini
Vodafone ICT Security
12 January 2010
1 Presentation title in footer Confidentiality level on title master January 3, 2013
Department on title master Version number on title master
2. What this is about
…and what it is not about!
This presentation is not about…
> …explaining what NIPS are – but let’s be clear about what you can expect
> …choosing a vendor/brand – even if we may mention something briefly – heard about Gartner?
> …discussing if you need a NIPS or not, or which technology you need (maybe a short note…)
> … “off the shelves” or “vendor provided” best practices
– you can just Google for “best practices intrusion prevention” - it will do the job!
> I assume you need and want NIPS, or you already have NIPS
– You want to use them effectively
– Maybe you are just sticking to “default” “vendor suggested” rule-sets
– You want to avoid headaches managing them day by day
– You want to have a metric to compare your performance
What you are looking for are best practices to make your investment worth it
3. Who is speaking?
This is not a bio…
Why are you listening to me? – 1
> I am supposed to know what I am talking about
> Yes, that’s my daily job. No, I am not a trainer or something like that
> No, this is not academia or pure science. There is hardly any of that here!
> I know what the market offers. Everyone can download Snort. It’s not about that
> I have a realistic view about this technology
> Yes, I have been under a real attack. And not just once!
> I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you anything
> Yes, this will be my personal, partial, questionable, but realistic point of view
You are not drinking from the fountain of truth
4. Who is this for?
Why do you care?
Why are you listening to me? – 2
> You are a security or network engineer, and need to…
– have an added value from the investment
– are thinking of/need to deploy NIPS into your networks
> You are a security or network manager, and need to…
– understand the true value of NIPS
> You are just curious
– graduate student getting into the network and/or security job world
– experienced security or network personnel trying to understand NIPS
You are welcome to share your expectations, doubts, questions!
5. What am I doing today with my NIPS?
Let’s assume you have NIPS already, or are going to install them
What are the common mistakes with NIPS?
> They are deployed in the wrong place in the network
> Are deployed and then forgotten
> Are running the “suggested” rule sets from the supplier
> It is assumed they are invincible and protect against all 0-day attacks
> Are confused with NIDS (detection)
> There is no measurable improvement on the overall security
> No one is around who can access and use them when you are under attack
> They are not really enabled for fear of false positives
> You are subject to (vendor-diffused?) urban legends (“behavioural based”? “auto-learn”?)
> Use them because they are cool, or my boss told me, or “for compliance” (sic!!!)
– They add latency and false positives
Behold the common mistakes of NIPS!!
6. What to really expect from NIPS?
…or, “avoid being ripped off”
How can NIPS help me?
> Do not test to bypass them. That’s futile. You can do it. Save your time.
– Ever heard of “SSL”, “event horizon” and “inspect the first 512 bytes only”?
> You need to use them in conjunction with other instruments
– Coordination between different departments of your organisation
> You need to update and patch the NIPS
> You need to continually follow and profile the design of your network, applications, business
> They will not protect you against 0-days (despite what vendors say)
> You cannot treat them as NIDS – they are a specific tool (cannot afford false positives)
> You need to establish a metric and evaluate the real improvements over the overall security
> You need to have operational procedures to use NIPS on the network
> You need to enable useful signatures and test them in production
If you don’t do those steps, you had better save your money!
7. What do you want to do with your NIPS?
What does my company need?
I can use NIPS to…
> Mitigate specific attacks. For the rest, I need to integrate with other tools
– Will not protect against all web application attacks, DDoS, malware…
– Will protect against many – but if you want a locked-down environment, you need to complement them
– 100% protection is not realistic, 0-day protection is marketing
> As an effective tool for immediate reaction to threats
– They are in-line
> Enforce company policies
– Security is a process. NIPS must be part of the processes
– Many can do traffic shaping/policing
– Some can communicate with NAC/NAP or firewalls
> Can do tunnel inspection, stop exploits, detect anomalies and normalise traffic, detect scans…
They can be an effective tool if used wisely
8. Basic evaluation/purchasing recommendations
This is not a shopping guide!!!
Some very quick and rough tips and guidelines
> They will not sustain the bandwidth they claim to
> The real cost is by network interface
– NIPS may need from one to four network interfaces to protect a single network segment!
> Asymmetric traffic path – state table synchronisation
– May use one or two network interfaces!
– May confuse your NIPS – layer 4/7 reassembly and synchronisation
> VRRP may be problematic
> Evaluate that the capabilities are what you need
> Evaluate how effective the vendor itself is
– Customer satisfaction track record – will it just sell and then forget you?
> RTFM – do your research
Use your brain!
9. Border deployment
Don’t leave them alone
Some tips and guidelines
> Border edges of the Data Centre/border routers
> They can apply traffic policing/shaping
> Can be the first barrier against malware and attacks against publicly-exposed services
– Cannot do miracles, generally do not inspect TLS/SSL/encrypted protocols
– Often cannot scan inside emails – mail servers today use SMTP over TLS
– Will only detect what is in their event horizon
> Better have them working in conjunction with other tools that work on the border routers/firewalls
– Before or after routers/firewalls? Depends on your policies
> You need to pre-emptively discuss with your ISP and establish a network security policy
> Evaluate the impact on performance
> Remain realistic: they will add latency and will be bypassed
Remain focused on making them a useful tool!
10. Inner deployment
Protection of the service
Some tips and guidelines
> They can be deployed strategically in front of an important service
– Achieving compliance? PCI-DSS? SOX?
> They can sit around in the network
– Enterprise Office network – connected with NAC/NAP to block the rogue clients on the switch
– Inside a DMZ/production segment – need to create a profile
> What is your policy?
– I want to detect everything that is attempted against me – deploy a wide rule set
– I want only to protect against attacks that can hit me – deploy a specific rule set
> What is the default fall-back scenario?
– Pass-through or drop?
Again: remain focused on making them a useful tool!
11. Baseline rule set tuning and deployment
Tune your rule set
Some tips and guidelines
> Establish your baseline for a specific environment
– As described before
> Test in a test environment
– If it is possible!
> Agree on a deployment window
– Verify if important things are going to happen… don’t deploy before a new release gets into production!
– Monitor for a couple of hours and a couple of days thereafter
> Create a report over the differences with the baseline
> If you prefer: a report about attacks mitigated
Something changes in the service/network? Repeat the process!
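The baseline-then-compare process above (profile, deploy in the agreed window, monitor, report the differences, or the attacks mitigated) and the readable report asked for in the "Measure effectiveness" slide, as an added example that is not from the talk: a Python script that normalises per-signature alert counts to hourly rates, so a 24-hour baseline and a 2-hour post-deployment check compare, and buckets signatures as new, gone, up or down. The alert line format, signature IDs and addresses are constructed for the example.

```python
# Added example (not from the talk): compare per-signature alert rates after a
# rule-set change with the profiled baseline and summarise the result.
from collections import Counter
# Constructed sample alert lines (made up for this example):
# <timestamp> <signature id> <action: ALERT|DROP> <src> -> <dst>
BASELINE_LOG = """\
2010-01-10T01:12:03 SID-1001 ALERT 10.0.0.5 -> 10.0.1.20
2010-01-10T03:45:10 SID-1001 ALERT 10.0.0.7 -> 10.0.1.20
2010-01-10T11:02:55 SID-2042 ALERT 192.0.2.10 -> 10.0.1.21
2010-01-10T22:14:48 SID-3310 ALERT 198.51.100.9 -> 10.0.1.22
"""
AFTER_LOG = """\
2010-01-12T09:05:12 SID-1001 ALERT 10.0.0.5 -> 10.0.1.20
2010-01-12T09:07:40 SID-1001 ALERT 10.0.0.9 -> 10.0.1.20
2010-01-12T09:31:02 SID-2042 DROP 192.0.2.10 -> 10.0.1.21
2010-01-12T10:15:27 SID-4100 DROP 203.0.113.4 -> 10.0.1.22
"""

def parse_alerts(text):
    """Return (signature, action) pairs; lines not matching the format are skipped."""
    pairs = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 6 and parts[4] == "->":
            pairs.append((parts[1], parts[2]))
    return pairs

def hourly_rates(alerts, window_hours):
    """Alerts per hour per signature, so a 24h baseline and a 2h check compare."""
    return {s: n / window_hours for s, n in Counter(s for s, _ in alerts).items()}

def compare_to_baseline(baseline, after, factor=3.0):
    """Bucket each signature: new, gone, up (rate >= factor x baseline), down, stable."""
    diff = {k: set() for k in ("new", "gone", "up", "down", "stable")}
    for sig in set(baseline) | set(after):
        b, a = baseline.get(sig), after.get(sig)
        key = ("new" if b is None else "gone" if a is None else
               "up" if a >= factor * b else "down" if a * factor <= b else "stable")
        diff[key].add(sig)
    return diff

def readable_report(diff, after_alerts):
    """Management summary: blocked count and signature buckets, not a list of IPs."""
    dropped = sum(1 for _, action in after_alerts if action == "DROP")
    lines = [f"Attacks blocked in the window: {dropped}"]
    lines += [f"{k}: {', '.join(sorted(v))}" for k, v in diff.items() if v]
    return "\n".join(lines)

if __name__ == "__main__":
    base, after = parse_alerts(BASELINE_LOG), parse_alerts(AFTER_LOG)
    diff = compare_to_baseline(hourly_rates(base, 24), hourly_rates(after, 2))
    print(readable_report(diff, after))
```

Signatures in the "up" bucket are the candidates for tuning before the next window; "new" ones show what the changed rule set added to your event horizon.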
12. Monitoring
Don’t forget them!
Some tips and guidelines
> You need to create profiles/deploy rule sets that are useful
– Many outsourced managed SOCs use statistical tools which I strongly doubt
– You need to have a network diagram/maps of your networks and services!
– You need to profile
– the services you are protecting
– the traffic of your networks
– You then need to tailor your rule sets
– There is no magic wand, or bayesian-behavioural-self-adapting etc. – this is marketing
– You need correlation with other tools – anti-viruses, NIDS, network scanners…
– You need to have personnel monitoring 24X7X365 that can also access and know how to use the NIPS!
Again: remain focused on making them a useful tool!
13. Measure effectiveness
Because you have to renew your contracts sooner or later
Some tips and guidelines
> How did they behave under attack?
– Have they detected it at all?
– Have they been useful in mitigating it?
– Were they manageable under attack?
> Peer with other NIPS customers
– Different companies, also from different market segments
> Do not believe the vendors. Use basic math.
> Be paranoid
> Finally: create reports that are readable
– Your management doesn’t understand a bunch of IP addresses and signature names
Again: remain focused on making them a useful tool!
14. Correlation and SOC
Effective security 24X7X365
Some tips and guidelines
> Do not import all of your events into your SEM/SIM tool
– Often you just overwhelm it, even with NIPS
– Do not work “statistically” and blindly about your architecture
> The rule set you deployed has an impact on what you get!
– Often you pay the SEM/SIM or the outsourced SOC by number of events!
> Does the SOC (either out-sourced or in-sourced) have access to the NIPS?
– Have you defined user management for the NIPS?
– What about operational procedures?
– What about the technical skills of the personnel?
Again and again: remain focused on making them a useful tool!
15. Thank you