Solved

IPS/IDS

Posted on 2016-08-29
147 Views
Last Modified: 2016-09-05
Hi community,

I would like to document a generic set of minimum functional requirements when implementing IPS/IDS and Firewall technologies for network teams to follow. Any design solutions would also take into consideration customer contract obligations if they have been specified. The problem often encountered is when customer IPS/IDS contractual obligations are not specified but simply state that it is a requirement. As a result, I'm often asked what the minimum baseline requirements are.

I've reviewed GPG8, but again didn't really find anything specifically aimed at minimum functional requirements. Some of the premium brands such as FireEye and AlienVault offer solutions available when their products are purchased, which is fine, but I would like to be able to perform cross-platform analysis regardless of the vendor.

Does anyone else have a similar situation, or is anyone able to offer any minimum IPS/IDS design requirements? Any feedback would be gratefully received.

Many Thanks - Gray
0
Question by:Gray Millen
6 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41775538
You're dealing with apples, oranges and bananas here.

A firewall will block/allow traffic based on network information such as IP address, network port and network protocol.

An IPS (Intrusion Prevention System) will analyze whole packets, both header and payload, looking for known events, and be able to drop, alert, or potentially clean a malicious network request based on that content. The determination of what is malicious is based either on behavior analysis or through the use of signatures.

An IDS (Intrusion Detection System) is a scaled-down IPS that only reports events.

An IDS/IPS is only as good as its signatures, with hopefully no false positives and no false negatives (wishful thinking).

Is GPG8 this: https://www.gov.uk/service-manual/making-software/information-security.html? If not, what is it?
1
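The three-way split drawn in the comment above (firewall decides on header fields only; IDS reads the payload but only reports; IPS reads the payload and drops inline) can be modelled in a few dozen lines. The following is an added example, not code from the original thread or from any product mentioned in it: the port allow-list, the two signature strings, the six sample packets and their ground-truth labels are all constructed for illustration. Scoring the IDS alone and the firewall-then-IPS chain on the same traffic also makes the "only as good as its signatures" remark concrete: a benign URL that happens to contain a signature pattern becomes a false positive, and a malicious request with no matching signature becomes a false negative unless some other layer stops it.

```python
"""Toy model of the firewall / IDS / IPS split described above.

Added example, not code from the original thread.  The allow-list, the
signature strings and the sample packets are constructed for illustration;
the ``malicious`` field is a ground-truth label used only for scoring and
is never read by the controls themselves.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes
    malicious: bool  # constructed ground-truth label, never read by the controls


# Firewall policy: header fields only (constructed allow-list).
FIREWALL_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Payload signatures: byte patterns a classic signature engine would look for
# (constructed and deliberately small so that misses and false alarms show up).
SIGNATURES: Dict[str, bytes] = {
    "sig-1 path traversal": b"../../",
    "sig-2 sql injection": b"' OR '1'='1",
}


def firewall(pkt: Packet) -> str:
    """Allow or deny on protocol and destination port; the payload is never read."""
    return "allow" if (pkt.proto, pkt.dport) in FIREWALL_ALLOW else "deny"


def match_signatures(payload: bytes) -> List[str]:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def ids(pkt: Packet) -> List[str]:
    """IDS: inspects the payload but only reports; the packet is left untouched."""
    return match_signatures(pkt.payload)


def ips(pkt: Packet) -> Tuple[str, List[str]]:
    """IPS: same inspection, but a signature hit becomes an inline drop."""
    hits = match_signatures(pkt.payload)
    return ("drop" if hits else "pass"), hits


def pipeline(pkt: Packet) -> str:
    """Firewall in front of an inline IPS, the usual perimeter ordering."""
    if firewall(pkt) == "deny":
        return "deny"  # never reaches the IPS
    verdict, _ = ips(pkt)
    return verdict


def score(packets: List[Packet], alerted: Callable[[Packet], bool]) -> Dict[str, int]:
    """Confusion counts for any control, given a predicate 'did it flag this packet'."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for p in packets:
        flagged = alerted(p)
        if flagged and p.malicious:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif p.malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed sample traffic (RFC 1918 sources, RFC 5737 documentation destination).
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1", False),
    Packet("10.0.0.6", "192.0.2.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1", True),
    Packet("10.0.0.7", "192.0.2.10", 443, "tcp", b"POST /login user=a' OR '1'='1", True),
    # telnet: no signature matches, but the firewall denies the port
    Packet("10.0.0.8", "192.0.2.10", 23, "tcp", b"login: admin", True),
    # benign URL that happens to contain the traversal pattern -> false positive
    Packet("10.0.0.9", "192.0.2.10", 80, "tcp", b"GET /docs/../../index HTTP/1.1", False),
    # malicious request for which no signature exists -> false negative
    Packet("10.0.0.10", "192.0.2.10", 80, "tcp", b"GET /unlisted-admin-panel HTTP/1.1", True),
]


def summary(packets: List[Packet] = SAMPLE) -> Dict[str, Dict[str, int]]:
    """Score the IDS alone and the firewall+IPS chain on the same traffic."""
    return {
        "ids_alone": score(packets, lambda p: bool(ids(p))),
        "firewall_then_ips": score(packets, lambda p: pipeline(p) != "pass"),
    }


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.proto}/{p.dport:<4} fw={firewall(p):<5} ids={ids(p)!s:<26} chain={pipeline(p)}")
    print(summary())
```

On this constructed traffic the IDS alone scores two true positives, one false positive and two false negatives; putting the firewall in front of the IPS turns the telnet miss into a true positive (the port is simply denied) but leaves the unsignatured request and the false positive unchanged, which is the point of the "no false positives and no false negatives" remark: signature quality, not the inline/report distinction, decides both.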
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 41775619
FireEye is more of a breach detection device rather than a NIDS or NIPS. It primarily inspects payloads to determine whether they are suspicious or carry malware, which is more than just a signature- or rule-based NIDS/NIPS.

AlienVault is more of a SIEM device, which correlates events based on the logs collected from endpoint systems and network devices. That is a rather different objective compared to NIDS/NIPS. SIEM is more of the central monitoring piece overseen at the OPS centre, rather than a defensive network device like NIPS or NIDS detection.

For the baseline, you can look at NSS Labs, which went through a list of providers against a set of benchmark test cases. Most providers would have shared the report on their results, which covers more than just security effectiveness. The report includes valuable information not available anywhere else:

- Total cost of ownership analysis: are you getting the most security for your budget?
- Security effectiveness: how much effort is required to protect all your assets?
- Real-world performance benchmarks: can the device handle your traffic?
- Management and usability insights: how much time is really required to achieve results?

https://www.nsslabs.com/company/news/press-releases/nss-labs-tests-13-leading-intrusion-prevention-systems/

Another area is the Gartner MQ.

https://www.nsslabs.com/blog/gartner-lists-nss-labs-certification-as-criteria-for-magic-quadrant/
1
 

Assisted Solution

by:Gray Millen
Gray Millen earned 0 total points
ID: 41776219
Hi guys.

Thanks for the responses. The link referring to GPG8 is correct; this was the first place I looked, and I usually find the content quite helpful, although high level. I appreciate your notes. Thank you.

Btan - thank you for this. I'll take a look at the NSS Labs URLs you have included; this sounds like it may be what I'm looking for. I appreciate my question is a little vague, but thank you for your assistance.

Many thanks - Gray
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 250 total points
ID: 41779670
Please check Fortinet's FortiGate: https://www.fortinet.com/products-services/products/firewall/fortigate-mid-range-firewall.html. With Forti they combine IDS/IPS + Firewall + other features:
- IDS determines if an attack is in progress;
- IPS blocks the attack;
- Firewalls enforce security zones.
1
 
LVL 64

Accepted Solution

by:btan
btan earned 250 total points
ID: 41779749
I do suggest you check out the Gartner Best Practices for Mitigating Advanced Persistent Threats, which highlights the various network defense appliances so that you can better appreciate how they are employed to defend against the threats.

See the section "Upgrade Your Perimeter and Network-Based Security", which covers the best practices below - I have included some excerpts of their "coverage" of potential threats:

- IPsec & SSL VPN Remote Access Connections
"Although a VPN connection may be authenticated with a strong two-factor authentication mechanism and access controls may be in place, threats still exist with these connections."
- Firewalls
"Network-based security approaches must be improved to incorporate more context about the network flows taking place — geolocation awareness, application awareness and identity awareness. Next-generation firewalls (NGFWs) have added extensive capabilities to help mitigate ATAs."
- Intrusion Prevention Devices
"For best results, use signatures with proven low false-positive rates... For inline IPS deployments, limit system failure risks by architecting for resilience."
- Advanced Threat Detection/Prevention
"They often enhance their detection and prevention capabilities to block network callbacks using a variety of techniques, including reputation-based threat feeds, traffic anomaly detection, malware execution observation and various real-time block lists to enhance prevention capabilities."

http://apac.trendmicro.com/cloud-content/apac/pdfs/solutions/enterprise/best_practices_for_mitigating_apts_224682.pdf
1
 

Author Closing Comment

by:Gray Millen
ID: 41784489
Many thanks for the correspondence in relation to my question; I have found this forum very helpful. Gray
0
