Solved

IPS/IDS

Posted on 2016-08-29
Last Modified: 2016-09-05
Hi community,

I would like to document a generic set of minimum functional requirements when implementing IPS/IDS and Firewall technologies for network teams to follow. Any design solutions would also take into consideration customer contract obligations if they have been specified. The problem often encountered is when customer IPS/IDS contractual obligations are not specified but simply state it is a requirement. As a result, I'm often asked what the minimum baseline requirements are.

I've reviewed GPG8, but again didn't really find anything specifically aimed at minimum functional requirements. Some of the premium brands, such as FireEye and AlienVault, offer solutions available when their products are purchased, which is fine, but I would like to be able to perform cross-platform analysis regardless of the vendor.

Does anyone else have a similar situation or able to offer any minimum IPS/IDS design requirements? Any feedback would be gratefully received.

Many Thanks - Gray
Question by:Gray Millen
6 Comments

Expert Comment

by:David Johnson, CD, MVP
ID: 41775538
You're dealing with apples, oranges and bananas here.

A firewall will block/allow traffic based on network information such as IP address, network port and network protocol.

An IPS (Intrusion Prevention System) will analyze whole packets, both header and payload, looking for known events, and be able to drop, alert, or potentially clean a malicious network request based on that content. The determination of what is malicious is based either on behavior analysis or through the use of signatures.

An IDS (Intrusion Detection System) is a scaled-down IPS that only reports events.

An IDS/IPS is only as good as its signatures, with hopefully no false positives and no false negatives (wishful thinking).

Is GPG8 this: https://www.gov.uk/service-manual/making-software/information-security.html? If not, what is it?

Assisted Solution

by:btan
btan earned 250 total points
ID: 41775619
FireEye is more of a breach detection device rather than a NIDS or NIPS, primarily in denoting payload that is inspected and found to be suspicious with malware. It is more than just a signature- or rule-based NIDS/NIPS.

AlienVault is more of a SIEM device, which correlates events based on the logs collected from endpoint systems and network devices. This is a rather different objective compared to NIDS/NIPS. SIEM is more of the central monitoring piece overseen at the OPS centre rather than a defensive network device like NIPS or NIDS detection.

For the baseline, you can look at NSS Labs, which went through a list of providers against a set of benchmark test cases. Most providers would have shared the report on their results, which covers more than just security effectiveness.
The report includes valuable information not available anywhere else:

- Total cost of ownership analysis: are you getting the most security for your budget?
- Security effectiveness: how much effort is required to protect all your assets?
- Real-world performance benchmarks: can the device handle your traffic?
- Management and usability insights: how much time is really required to achieve results?

https://www.nsslabs.com/company/news/press-releases/nss-labs-tests-13-leading-intrusion-prevention-systems/

Another area is the Gartner MQ.

https://www.nsslabs.com/blog/gartner-lists-nss-labs-certification-as-criteria-for-magic-quadrant/
Assisted Solution

by:Gray Millen
Gray Millen earned 0 total points
ID: 41776219
Hi guys.

Thanks for the responses. The link referring to GPG8 is correct; this was the first place I looked, and I usually find the content quite helpful, although high level. I appreciate your notes. Thank you.

Btan - thank you for this, I'll take a look at the NSS Labs URLs you have included; this sounds like it may be what I'm looking for. I appreciate my question is a little vague, but thank you for your assistance.

Many thanks - Gray

Assisted Solution

by:madunix
madunix earned 250 total points
ID: 41779670
Please check Forti: https://www.fortinet.com/products-services/products/firewall/fortigate-mid-range-firewall.html. With Forti they combine IDS/IPS + Firewall + other features.
- IDS determines if an attack is in progress;
- IPS blocks the attack;
- Firewalls enforce security zones.
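To make the split that David Johnson and madunix describe concrete (a firewall decides on header fields, an IDS only reports, an IPS drops inline, and a signature-driven IDS/IPS is only as good as its signatures), here is an added Python example that is not from this thread or any vendor. The Packet class, the rules, the signatures and the sample traffic are all constructed for illustration.

```python
# Added example, not code from the thread: a toy pipeline that keeps the three controls
# apart. Packets, rules and signatures below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    port: int
    proto: str
    payload: bytes

# Stage 1: firewall. Decides on header fields only (port/protocol here); first match
# wins, default deny. It never looks at the payload.
FW_RULES = [(80, "tcp", "allow"), (443, "tcp", "allow"), (23, "tcp", "deny")]

def firewall(pkt: Packet) -> str:
    for port, proto, action in FW_RULES:
        if pkt.port == port and pkt.proto == proto:
            return action
    return "deny"

# Stage 2: content inspection shared by IDS and IPS. Signatures are (name, byte pattern).
SIGNATURES = [("web-traversal", b"../../"), ("inline-script", b"<script>")]

def inspect(pkt: Packet) -> list:
    return [name for name, pat in SIGNATURES if pat in pkt.payload]

def ids(pkt: Packet) -> dict:
    # Detection only: the packet is always forwarded; matches become alerts.
    return {"stage": "ids", "action": "forward", "alerts": inspect(pkt)}

def ips(pkt: Packet) -> dict:
    # Inline prevention: the same match now drops the packet.
    hits = inspect(pkt)
    return {"stage": "ips", "action": "drop" if hits else "forward", "alerts": hits}

def pipeline(pkt: Packet, mode: str = "ips") -> dict:
    if firewall(pkt) == "deny":
        return {"stage": "firewall", "action": "deny", "alerts": []}
    return ips(pkt) if mode == "ips" else ids(pkt)

# Constructed sample traffic (192.0.2.0/24 is a documentation range).
TELNET = Packet("192.0.2.5", "192.0.2.10", 23, "tcp", b"../../app.conf")  # firewall stops it
TRAVERSAL = Packet("192.0.2.5", "192.0.2.10", 80, "tcp", b"GET /../../app.conf")
CLEAN = Packet("192.0.2.5", "192.0.2.10", 80, "tcp", b"GET /index.html")
# Benign text that happens to contain the pattern: a false positive an IPS would drop.
BENIGN_FP = Packet("192.0.2.5", "192.0.2.10", 80, "tcp", b"POST /wiki body=see ../../docs")
```

The last packet is the point of the "only as good as its signatures" remark: in IDS mode it produces a noisy alert, in IPS mode it breaks legitimate traffic, which is why inline deployments need proven low false-positive signatures.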

Accepted Solution

by:btan
btan earned 250 total points
ID: 41779749
I do suggest you check out the Gartner Best Practices for Mitigating Advanced Persistent Threats, which highlights the various network defense appliances so that you can better appreciate how they are employed to defend against the threats.

See the section "Upgrade Your Perimeter and Network-Based Security", which covers the best practices below. I have included some excerpts of their "coverage" of potential threats:

- IPsec & SSL VPN Remote Access Connections
Although a VPN connection may be authenticated with a strong two-factor authentication mechanism and access controls may be in place, threats still exist with these connections.
- Firewalls
network-based security approaches must be improved to incorporate more context about the network flows taking place — geolocation awareness, application awareness and identity awareness. Next-generation firewalls (NGFWs) have added extensive capabilities to help mitigate ATAs
- Intrusion Prevention Devices
For best results, use signatures with proven low false-positive rates... For inline IPS deployments, limit system failure risks by architecting for resilience.
- Advanced Threat Detection/Prevention
They often enhance their detection and prevention capabilities to block network callbacks using a variety of techniques, including reputation-based threat feeds, traffic anomaly detection, malware execution observation and various real-time block lists to enhance prevention capabilities
http://apac.trendmicro.com/cloud-content/apac/pdfs/solutions/enterprise/best_practices_for_mitigating_apts_224682.pdf
Author Closing Comment

by:Gray Millen
ID: 41784489
Many thanks for the correspondence in relation to my question; I have found this forum very helpful. Gray