Intrusion Protection Best Practices

I currently have a Fortigate 100D firewall with the ability to use IPS, and I also have Symantec Endpoint Protection 12.1, which also has IPS protection.  Is it recommended to use a combination of IPS technologies, or should you only use one?  My infrastructure consists of one SBS 2011 server, a web server, a file server, and roughly 60-70 Windows 7 workstations.  The workstations are all using the default SEP 12.1 Intrusion Protection policy, but the servers are not.  I have not enabled IPS within the Fortigate 100D, but I am debating enabling it for added security.  Would it be recommended to do so, or should I use the SEP 12.1 Intrusion Protection on the servers as well as the workstations and call it a day?

Any information is appreciated.  

Thank you.

btan (Exec Consultant) commented:
1 - NIPS (FG) is for network anomaly detection and inspection, while HIPS (SEP) does the same, except it does so in the machine context. They serve different aspects of coverage: the network/infra vs. the application/OS. Definitely a need-to-have, as host AV and FW are baseline but not able to keep up with bad-behaviour detection; likewise, when applied to the network, you need more than a FW.

2 - HIPS, as mentioned in (1), covers the machine context, and if the server were to be security-scanned by any security s/w, the vulnerability scan can surface unnecessary services, accounts and interfaces left open. These are channels of penetration, so without even a layer of protection using HIPS, the servers are naked and defenseless.

Also, since it is running web services, it is more sensible to raise its security posture with safeguards beyond the machine: using HIPS, hardening based on CIS or NIST guides, but also placing a web application FW or proxy to filter and inspect the HTTP traffic. NIPS does not have that HTTP-aware (or layer 7) capability to read and interpret the nuances of the fields in the GET and POST of the HTTP header/body. Likewise, the guidance for web checks should refer to covering the OWASP Top 10 vulnerabilities.

Overall, having HIPS on servers is a "need to" and not a "want to". But do ascertain whether SEP can impact performance, and ensure the scheduled scan period is during off-peak (or low-peak) hours. Whitelisting the system and SEP-recommended files from the scan should be done, especially on database services. Monitor their health using perfmon; better still, send SNMP traps to the NOC (using SolarWinds etc.).

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
If you own SEP then by all means, go ahead and install it on the servers.  What you should also do is use tools such as Nessus for scanning your network for vulnerabilities, as well as Metasploit, which is penetration testing software.  This way you could be sure that there are no issues on your network.
ColumbiaMarketing (Author) commented:
Currently I do have SEP installed on the servers, but it's the basic protection so IPS is not utilized.  It seems that I would need to install the Symantec Network Threat Protection service in order to use IPS.  Are there any known drawbacks in doing this on an SBS server that is running Exchange?
btan (Exec Consultant) commented:
The server may hang if running with the Advanced Download Protection feature (aka Download Insight), but you just need to reinstall SEP 12.1; it would then create the exceptions required for Exchange 2010.
The more TCP/UDP streams, the more IDS engine memory usage and CPU processing time affect the performance of the network connection(s). Utilizing IPS is not recommended on servers consuming more than 35% average CPU load, or processing more than 300 Mbps of sustained TCP/UDP bandwidth.
But do refer to the practices stated above, and you need to measure it for a period of 2 or 3 days (depending on your traffic) for testing, such that you first test on a group of (preferably) staging servers before going into a big-bang rollout, and leave the critical ones to be upgraded only once the others are running fine after 1-2 weeks; the thresholds to watch are:
- Average total CPU usage of greater than 35%
- Average sustained TCP and UDP network throughput of 300 Mbps or more
- Teamed/Bonded Network Interface Cards (NICs)
ColumbiaMarketing (Author) commented:
My SBS 2011 server with Exchange should meet those requirements.  It is resourced fairly well and usually stays under 35% CPU usage at any given time.  It is on a gigabit connection, but the throughput is usually under 300 Mbps as well, and no NICs are bonded.
ColumbiaMarketing (Author) commented:
In regards to enabling IPS on the Fortigate firewall, would it be best to enable the policy on inbound as well as outbound traffic, or would inbound be sufficient?
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Inbound would be sufficient for the Exchange server.
ColumbiaMarketing (Author) commented:
What about IPS policies on all workstations and other servers, like a web server?  Is inbound really all that's needed on the Fortigate for them?
btan (Exec Consultant) commented:
Think of the threat in context.
> inbound - a remote site trying to execute code stealthily, without the user's knowledge or any action taken.
> outbound - caused by an event triggered on the machine at the network level, e.g. RPC, WMI, JS, VB or any other active content that may have been triggered.

I will not be so bothered about the choice of either one, as the important thing is that the IPS raises a red flag when it encounters traffic that matches the attack signature associated with that vulnerability. Outbound tends to be the case where the "compromise" action may already have taken place, and inbound is supposed to have triggered an alert but did not, maybe because the machine is infected via other means that SEP is not savvy to (via an external/internal interface, no attack signature, etc.).

I see it similarly for web or Exchange; the key is what sort of services are running on that server, as those are also the ones we should protect with SEP IPS. Note the latter differs as it inspects the payload, unlike other schemes of solely blacklisted URL filter checks. So it is still recommended, if possible, to have it in both directions; it will not be as bad if the server is dedicated and monitored well before wide deployment. Also, it is just HIPS, and there are tiers of defences to delegate blocking to if necessary, but defence in depth is advocated, to deter the attack coming from any gap (esp. unknown ones or via our oversight).
ColumbiaMarketing (Author) commented:
Thank you for all the information btan.  One thing I failed to mention is that I am using an SMTP Symantec smart host gateway that handles all the filtering for inbound and outbound email.  Would it be advisable to enable inbound and outbound IPS on the Fortigate for it?
btan (Exec Consultant) commented:
In security principle, aligning with defense in depth, it is a Yes for the FG to do inbound and outbound. It adds not just email filter checks but the other attack signatures beyond the Symantec GW, and the latter also checks differently, for the SMTP context (including checking the destination against a sanctioned protected DNS domain). The FG is not doing those (unless it is a FortiMail instead), though it may check against some blacklist of anomalous callbacks if it is in its signature bank. Furthermore, if necessary, the FG can do SSL offloading for MS Exchange Server serving OWA and ActiveSync via HTTPS.

But we do want to note that the FG is not able to track inbound and outbound connections and correlate them. Overall, the FG enabled with AV, URL Filtering, IPS, SSL Inspection, DLP, Application Control, and Proxy Authentication (NTLM) integrated with AD far exceeds the smarthost.
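Putting the inbound/outbound framing from the answers above into FortiGate configuration, as an added example that is not from the original thread and not from Fortinet's documentation. It assumes FortiOS 5.x CLI syntax, a WAN interface named wan1, a DMZ interface holding the web server behind a virtual IP object named vip-webserver, and an internal interface for the workstations; every one of those names is an assumption. Two separate IPS sensors are used because the threat differs by direction: the inbound sensor is filtered to server-side signatures and blocks, while the outbound sensor covers client-side signatures and starts in pass-and-log mode so it can be tuned during a measurement period before being switched to block.

```fortios
# Added example (assumed FortiOS 5.x syntax, assumed interface and object names).
# IPS sensors: one per traffic direction, matching the threat in context.
config ips sensor
    edit "ips-inbound-servers"
        set comment "Exploits against server-side services; enforce immediately"
        config entries
            edit 1
                # Only signatures whose target is a server, high/critical severity.
                set location server
                set severity high critical
                set status enable
                set action block
                set log enable
            next
        end
    next
    edit "ips-outbound-clients"
        set comment "Client-side/active-content and callback signatures; monitor first"
        config entries
            edit 1
                set location client
                set severity medium high critical
                set status enable
                # Staging: log only. Change to 'block' after reviewing the IPS log.
                set action pass
                set log enable
            next
        end
    next
end

# Firewall policies: an IPS sensor is applied per policy, so each
# direction needs its own policy with its own sensor.
config firewall policy
    edit 20
        set comments "Internet -> DMZ web server, blocking IPS"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-webserver"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set profile-protocol-options "default"
        set ips-sensor "ips-inbound-servers"
        set logtraffic utm
    next
    edit 30
        set comments "LAN -> Internet, IPS in monitor mode until tuned"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set profile-protocol-options "default"
        set ips-sensor "ips-outbound-clients"
        set logtraffic utm
    next
end
```

Two caveats a practitioner should keep in mind with this layout. First, the IPS engine only sees cleartext: signatures will not match inside the HTTPS traffic to OWA or ActiveSync on policy 20 unless SSL inspection is also enabled on that policy, which is a separate decision with its own certificate and performance implications. Second, the outbound sensor is deliberately set to pass with logging; after the 2-3 day measurement period suggested above, review the IPS log for false positives on the workstations' normal traffic, then change its action to block.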