Solved

IPS/IDS

Posted on 2016-08-29
Last Modified: 2016-09-05
Hi community,

I would like to document a generic set of minimum functional requirements when implementing IPS/IDS and Firewall technologies for network teams to follow. Any design solutions would also take into consideration customer contract obligations if they have been specified. The problem often encountered is when customer IPS/IDS contractual obligations are not specified but simply state it is a requirement. As a result I'm often asked what the minimum baseline requirements are.

I've reviewed GPG8, but again didn't really find anything specifically aimed at minimum functional requirements. Some of the premium brands such as FireEye and AlienVault offer solutions available when their products are purchased which is fine but I would like to be able to perform cross platform analysis regardless of the vendor.

Does anyone else have a similar situation or able to offer any minimum IPS/IDS design requirements? Any feedback would be gratefully received.

Many Thanks - Gray
Question by:Gray Millen
6 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41775538
You're dealing with apples, oranges and bananas here.

A firewall will block/allow traffic based on network information such as IP address, network port and network protocol.

An IPS (Intrusion Prevention System) will analyze whole packets, both header and payload, looking for known events, and be able to drop, alert, or potentially clean a malicious network request based on that content. The determination of what is malicious is based either on behavior analysis or through the use of signatures.

An IDS (Intrusion Detection System) is a scaled-down IPS that only reports events.

An IDS/IPS is only as good as its signatures, with hopefully no false positives and no false negatives (wishful thinking).

Is GPG8 this: https://www.gov.uk/service-manual/making-software/information-security.html? If not, what is it?
1
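As an added illustration of the three controls contrasted above (this is example code written for this page, not anything from the thread or a vendor product), the model below decides on header fields alone for the firewall, matches payload signatures for IDS and IPS, and scores a constructed signature set for false positives and false negatives; the packets, rules and addresses are all made up for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dport: int
    proto: str
    payload: bytes
    malicious: bool  # ground-truth label, used only to score the signature set
# Firewall policy: header-only allow list of (proto, dport); anything else is dropped.
FW_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}
# Signature set over the payload (constructed for this example, not real vendor rules).
SIGNATURES = {"sqli-union": re.compile(rb"(?i)union\s+select"),
              "path-traversal": re.compile(rb"\.\./\.\./")}

def firewall(pkt: Packet) -> str:
    """Decision from port/protocol only; the payload is never read."""
    return "allow" if (pkt.proto, pkt.dport) in FW_ALLOW else "drop"

def inspect(pkt: Packet) -> list:
    """Signature matching over the whole payload, shared by IDS and IPS."""
    return [name for name, pat in SIGNATURES.items() if pat.search(pkt.payload)]

def ids(pkt: Packet) -> str:
    """Detection only: the packet is forwarded either way, a hit just raises an alert."""
    return "alert" if inspect(pkt) else "pass"

def ips(pkt: Packet) -> str:
    """Prevention: a hit drops the packet inline."""
    return "drop" if inspect(pkt) else "pass"

def score(packets) -> tuple:
    """(false positives, false negatives) of the signatures on firewall-permitted traffic."""
    fp = fn = 0
    for p in packets:
        if firewall(p) != "allow":
            continue  # never reached the IDS/IPS
        hit = bool(inspect(p))
        fp += 1 if hit and not p.malicious else 0
        fn += 1 if p.malicious and not hit else 0
    return fp, fn
SAMPLE = [  # constructed traffic with ground-truth labels
    Packet("10.0.0.5", 80, "tcp", b"GET /index.html HTTP/1.1", False),
    Packet("10.0.0.6", 80, "tcp", b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1", True),
    Packet("10.0.0.7", 23, "tcp", b"telnet banner", True),  # stopped by the firewall on header alone
    Packet("10.0.0.8", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1", True),
    Packet("10.0.0.9", 80, "tcp", b"POST /forum body=how does UNION SELECT work", False),  # false positive
    Packet("10.0.0.10", 80, "tcp", b"GET /?id=1 OR 1=1 HTTP/1.1", True),  # no matching signature: false negative
]
```

Note that the same false positive that only produces an alert in IDS mode blocks legitimate traffic in IPS mode, which is why an inline deployment needs low-false-positive signatures before enabling drop.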
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 41775619
FireEye is more of a breach detection device rather than a NIDS or NIPS. Primarily in denotation of payload that is inspected to be suspicious with malware. More than just signature or rule based NIDS/NIPS.

AlienVault is more of the SIEM device, which correlates events based on the logs collected from endpoint systems and network devices. Rather different objective as compared to NIDS/NIPS. SIEM is more of the central monitoring piece overseen at the OPS centre rather than a defensive network device like NIPS and NIDS detection.

For the baseline, you can look at NSS Labs, which went through a list of providers against a set of benchmark test cases. Most providers would have shared the report on their results, which covers more than just security effectiveness.
The report includes valuable information not available anywhere else:

-Total cost of ownership analysis: are you getting the most security for your budget?
-Security effectiveness: how much effort is required to protect all your assets?
-Real-world performance benchmarks: can the device handle your traffic?
-Management and usability insights: how much time is really required to achieve results?

https://www.nsslabs.com/company/news/press-releases/nss-labs-tests-13-leading-intrusion-prevention-systems/

Also another area is the Gartner MQ.

https://www.nsslabs.com/blog/gartner-lists-nss-labs-certification-as-criteria-for-magic-quadrant/
1
 

Assisted Solution

by:Gray Millen
Gray Millen earned 0 total points
ID: 41776219
Hi guys.

Thanks for the responses. The link referring to gpg8 is correct, this was the first place I looked, I usually find the content quite helpful although high level. I appreciate your notes. Thank you.

Btan - thank you for this, I'll take a look at the nsslabs URLs you have included, this sounds like it may be what I'm looking for. I appreciate my question is a little vague, but thank you for your assistance.

Many thanks - Gray
0

 
LVL 25

Assisted Solution

by:madunix
madunix earned 1000 total points
ID: 41779670
Please check FORTI https://www.fortinet.com/products-services/products/firewall/fortigate-mid-range-firewall.html; with Forti they combine IDS/IPS + Firewall + other features.
IDS determines if an attack is in progress;
IPS blocks the attack;
Firewalls enforce security zones.
1
 
LVL 65

Accepted Solution

by:btan
btan earned 1000 total points
ID: 41779749
I do suggest you check out the Gartner Best Practices for Mitigating Advanced Persistent Threats, which highlighted the various network defense appliances so that you can better appreciate how they are employed to defend against the threats.

See the section "Upgrade Your Perimeter and Network-Based Security" that covers the best practices below; I included some excerpts of their "coverage" of potential threats.

- IPsec & SSL VPN Remote Access Connections
Although a VPN connection may be authenticated with a strong two-factor authentication mechanism and access controls may be in place, threats still exist with these connections.
- Firewalls
network-based security approaches must be improved to incorporate more context about the network flows taking place — geolocation awareness, application awareness and identity awareness. Next-generation firewalls (NGFWs) have added extensive capabilities to help mitigate ATAs
- Intrusion Prevention Devices
For best results, use signatures with proven low false-positive rates... For inline IPS deployments, limit system failure risks by architecting for resilience.
- Advanced Threat Detection/Prevention
They often enhance their detection and prevention capabilities to block network callbacks using a variety of techniques, including reputation-based threat feeds, traffic anomaly detection, malware execution observation and various real-time block lists to enhance prevention capabilities.
http://apac.trendmicro.com/cloud-content/apac/pdfs/solutions/enterprise/best_practices_for_mitigating_apts_224682.pdf
1
 

Author Closing Comment

by:Gray Millen
ID: 41784489
Many thanks for the correspondence in relation to my question, I have found this forum very helpful. Gray
0