Solved

IPS/IDS

Posted on 2016-08-29
Last Modified: 2016-09-05
Hi community,

I would like to document a generic set of minimum functional requirements when implementing IPS/IDS and Firewall technologies for network teams to follow. Any design solutions would also take into consideration customer contract obligations if they have been specified. The problem often encountered is when customer IPS/IDS contractual obligations are not specified but simply state that it is a requirement. As a result, I'm often asked what the minimum baseline requirements are.

I've reviewed GPG8, but again didn't really find anything specifically aimed at minimum functional requirements. Some of the premium brands such as FireEye and AlienVault offer solutions available when their products are purchased, which is fine, but I would like to be able to perform cross-platform analysis regardless of the vendor.

Does anyone else have a similar situation or is able to offer any minimum IPS/IDS design requirements? Any feedback would be gratefully received.

Many Thanks - Gray
Question by:Gray Millen
Expert Comment

by:David Johnson, CD, MVP
ID: 41775538
You're dealing with apples, oranges and bananas here.

A firewall will block/allow traffic based on network information such as IP address, network port and network protocol.

An IPS (Intrusion Prevention System) will analyze whole packets, both header and payload, looking for known events, and be able to drop, alert, or potentially clean a malicious network request based on that content. The determination of what is malicious is based either on behavior analysis or through the use of signatures.

An IDS (Intrusion Detection System) is a scaled-down IPS that only reports events.

An IDS/IPS is only as good as its signatures, with hopefully no false positives and no false negatives (wishful thinking).

Is GPG8 this: https://www.gov.uk/service-manual/making-software/information-security.html? If not, what is it?
Assisted Solution

by:btan
btan earned 250 total points
ID: 41775619
FireEye is more of a breach detection device rather than a NIDS or NIPS. It primarily detects payloads that, on inspection, are suspicious for malware. That is more than just a signature- or rule-based NIDS/NIPS.

AlienVault is more of a SIEM device, which correlates events based on the logs collected from endpoint systems and network devices. That is a rather different objective compared to NIDS/NIPS. SIEM is more of the central monitoring piece overseen at the OPS centre, rather than a defensive network device like NIPS and NIDS detection.

For the baseline, you can look at NSS Labs, which went through a list of providers against a set of benchmark test cases. Most providers would have shared the report on their results, which covers more than just security effectiveness.
The report includes valuable information not available anywhere else:

- Total cost of ownership analysis: are you getting the most security for your budget?
- Security effectiveness: how much effort is required to protect all your assets?
- Real-world performance benchmarks: can the device handle your traffic?
- Management and usability insights: how much time is really required to achieve results?

https://www.nsslabs.com/company/news/press-releases/nss-labs-tests-13-leading-intrusion-prevention-systems/

Another area is the Gartner MQ.

https://www.nsslabs.com/blog/gartner-lists-nss-labs-certification-as-criteria-for-magic-quadrant/
Assisted Solution

by:Gray Millen
Gray Millen earned 0 total points
ID: 41776219
Hi guys.

Thanks for the responses. The link referring to GPG8 is correct; this was the first place I looked. I usually find the content quite helpful, although high level. I appreciate your notes. Thank you.

Btan - thank you for this, I'll take a look at the NSS Labs URLs you have included; this sounds like it may be what I'm looking for. I appreciate my question is a little vague, but thank you for your assistance.

Many thanks - Gray
Assisted Solution

by:madunix
madunix earned 250 total points
ID: 41779670
Please check Fortinet: https://www.fortinet.com/products-services/products/firewall/fortigate-mid-range-firewall.html. With Forti they combine IDS/IPS + Firewall + other features:
- IDS determines if an attack is in progress;
- IPS blocks the attack;
- Firewalls enforce security zones.
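The distinction drawn in this thread (a firewall decides on header fields, an IDS inspects payload and only alerts, an IPS inspects and drops, and any of them is only as good as its signatures) is easier to pin down in code than in prose. The following is an added example, not code from the thread or from any vendor named in it: the zones, firewall policy, signatures and sample packets are all constructed assumptions. It runs the same five packets through a toy firewall, then through IDS mode and IPS mode, and finally counts true/false positives and negatives for the signature set against the packets' ground-truth labels, so that the "wishful thinking" about false positives can be measured rather than hoped for.

```python
"""Added example (not from the thread): a firewall, an IDS and an IPS applied to
the same constructed packets, plus a TP/FP/FN/TN count for the signature set.
Zones, policy, signatures and packets are all assumptions."""
from dataclasses import dataclass
import re


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes
    malicious: bool = False  # ground-truth label, used only by evaluate()


# --- Firewall: decides on header fields only (zone, protocol, port) ---------
def zone_of(ip: str) -> str:
    # Assumption: 10.0.0.0/8 is the inside zone, everything else is outside.
    return "inside" if ip.startswith("10.") else "outside"


# Constructed policy: outside may reach inside only on SMTP, HTTP and HTTPS.
FIREWALL_POLICY = {("outside", "inside"): {("tcp", 25), ("tcp", 80), ("tcp", 443)}}


def firewall_allows(pkt: Packet) -> bool:
    src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    if src_zone == "inside":
        return True  # the inside zone may initiate anything in this toy policy
    return (pkt.proto, pkt.dst_port) in FIREWALL_POLICY.get((src_zone, dst_zone), set())


# --- IDS/IPS: inspect the payload against content signatures ---------------
# (sid, description, destination port, pattern). sid-3 is deliberately broad so
# that evaluate() below shows a false positive on ordinary traffic.
SIGNATURES = [
    ("sid-1", "Windows executable (base64 MZ header) in SMTP body", 25,
     re.compile(rb"TVqQAAMAAAAEAAAA")),
    ("sid-2", "EICAR test file in HTTP body", 80,
     re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")),
    ("sid-3", "SQL keywords in HTTP request (noisy)", 80,
     re.compile(rb"select\s.+\sfrom\s", re.IGNORECASE)),
]


def inspect(pkt: Packet) -> list:
    """Deep inspection shared by IDS and IPS: sids whose pattern hits the payload."""
    return [sid for sid, _desc, port, rx in SIGNATURES
            if pkt.dst_port == port and rx.search(pkt.payload)]


def process(pkt: Packet, mode: str) -> tuple:
    """Firewall first, then IDS (alert only) or IPS (alert and drop)."""
    if not firewall_allows(pkt):
        return ("blocked_by_firewall", [])
    alerts = inspect(pkt)
    if mode == "ids":
        return ("forward", alerts)  # an IDS reports but never changes the verdict
    if mode == "ips":
        return ("drop" if alerts else "forward", alerts)
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(packets: list) -> dict:
    """Count TP/FP/FN/TN of the signature set over packets the firewall passes."""
    counts = {"true_positive": 0, "false_positive": 0,
              "false_negative": 0, "true_negative": 0}
    for pkt in packets:
        if not firewall_allows(pkt):
            continue  # never reached the inspection engine
        alerted = bool(inspect(pkt))
        if alerted and pkt.malicious:
            counts["true_positive"] += 1
        elif alerted and not pkt.malicious:
            counts["false_positive"] += 1
        elif not alerted and pkt.malicious:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


# Constructed sample traffic (outside host 203.0.113.5 -> inside host 10.0.0.10).
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.0.10", "tcp", 22, b"SSH-2.0-client"),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 25,
           b"DATA\r\nContent-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA//8AALgA",
           malicious=True),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 80,
           b"POST /search HTTP/1.1\r\n\r\nq=select the item from the list"),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 80,
           b"GET /update HTTP/1.1\r\n\r\n", malicious=True),  # no signature covers it
    Packet("203.0.113.5", "10.0.0.10", "tcp", 80,
           b"PUT /upload HTTP/1.1\r\n\r\nEICAR-STANDARD-ANTIVIRUS-TEST-FILE", malicious=True),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.dst_port, process(pkt, "ids"), process(pkt, "ips"))
    print(evaluate(SAMPLE_PACKETS))
```

Running it shows the three layers acting on the same traffic: the SSH packet never reaches inspection because the firewall policy has no rule for it, the SMTP packet is alerted on in IDS mode and dropped in IPS mode, and the evaluation reports one false positive (the broad sid-3 firing on a harmless search) and one false negative (malicious traffic with no matching signature). The last two numbers are exactly what a "minimum functional requirement" for signatures would have to put bounds on.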
Accepted Solution

by:btan
btan earned 250 total points
ID: 41779749
I do suggest you check out the Gartner Best Practices for Mitigating Advanced Persistent Threats, which highlights the various network defense appliances so that you can better appreciate how they are employed to defend against the threats.

See the section "Upgrade Your Perimeter and Network-Based Security", which covers the best practices below; I included some excerpts of their "coverage" of potential threats:

- IPsec & SSL VPN Remote Access Connections
Although a VPN connection may be authenticated with a strong two-factor authentication mechanism and access controls may be in place, threats still exist with these connections.
- Firewalls
Network-based security approaches must be improved to incorporate more context about the network flows taking place — geolocation awareness, application awareness and identity awareness. Next-generation firewalls (NGFWs) have added extensive capabilities to help mitigate ATAs.
- Intrusion Prevention Devices
For best results, use signatures with proven low false-positive rates... For inline IPS deployments, limit system failure risks by architecting for resilience.
- Advanced Threat Detection/Prevention
They often enhance their detection and prevention capabilities to block network callbacks using a variety of techniques, including reputation-based threat feeds, traffic anomaly detection, malware execution observation and various real-time block lists to enhance prevention capabilities.
http://apac.trendmicro.com/cloud-content/apac/pdfs/solutions/enterprise/best_practices_for_mitigating_apts_224682.pdf
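The excerpt's advice to "limit system failure risks by architecting for resilience" for inline IPS is the one item above that a network team has to turn into a concrete design decision: when the inspection engine crashes or cannot keep up, does the link fail open (traffic passes uninspected) or fail closed (traffic stops)? The following is an added example, not from the thread or from the Gartner document, that models that decision as a small wrapper around an inspection engine. The latency budget, the failure threshold and the three constructed engines are assumptions made for the demonstration.

```python
"""Added example (not from the thread or from Gartner): one reading of
'architect inline IPS for resilience'. InlineIps wraps an inspection engine,
decides what happens when the engine crashes or overruns its latency budget,
records it, and after repeated failures takes the engine out of line.
All thresholds are assumptions."""
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class InlineIps:
    inspect: Callable[[bytes], bool]   # engine: returns True if the packet must be dropped
    fail_policy: str = "open"          # "open": forward on failure; "closed": drop on failure
    latency_budget_s: float = 0.05     # assumption: 50 ms per packet before it counts as a failure
    bypass_after_failures: int = 3     # consecutive failures before the engine is bypassed
    consecutive_failures: int = 0
    bypassed: bool = False
    stats: dict = field(default_factory=lambda: {
        "forwarded": 0, "dropped": 0, "engine_failures": 0, "bypassed_packets": 0})

    def handle(self, packet: bytes) -> str:
        """Return 'forward' or 'drop' for one packet; never raises into the data path."""
        if self.bypassed:
            self.stats["bypassed_packets"] += 1
            return self._fail_policy_verdict()
        started = time.perf_counter()
        try:
            drop = self.inspect(packet)
        except Exception:                       # engine bug must not take the link down
            return self._engine_failed()
        if time.perf_counter() - started > self.latency_budget_s:
            return self._engine_failed()        # too slow is a failure for an inline device
        self.consecutive_failures = 0
        return self._record("drop" if drop else "forward")

    def _engine_failed(self) -> str:
        self.stats["engine_failures"] += 1
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.bypass_after_failures:
            self.bypassed = True   # a real deployment would also alert ops / trip a hardware bypass
        return self._fail_policy_verdict()

    def _fail_policy_verdict(self) -> str:
        # fail-open keeps the link up without inspection; fail-closed keeps
        # uninspected traffic out at the cost of an outage. Chosen per link.
        return self._record("forward" if self.fail_policy == "open" else "drop")

    def _record(self, verdict: str) -> str:
        self.stats["forwarded" if verdict == "forward" else "dropped"] += 1
        return verdict


# --- Constructed engines for the demonstration -------------------------------
def signature_engine(packet: bytes) -> bool:
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in packet   # constructed marker


def crashing_engine(packet: bytes) -> bool:
    raise RuntimeError("engine crashed while parsing")


def make_slow_engine(delay_s: float) -> Callable[[bytes], bool]:
    def engine(packet: bytes) -> bool:
        time.sleep(delay_s)   # simulates an overloaded engine
        return False
    return engine


def demo() -> dict:
    """Run four scenarios and return the verdicts they produce."""
    healthy = InlineIps(inspect=signature_engine)
    fail_open = InlineIps(inspect=crashing_engine, fail_policy="open", bypass_after_failures=2)
    fail_closed = InlineIps(inspect=crashing_engine, fail_policy="closed")
    slow = InlineIps(inspect=make_slow_engine(0.2), fail_policy="closed", latency_budget_s=0.05)
    return {
        "healthy": [healthy.handle(b"hello"),
                    healthy.handle(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")],
        "fail_open": [fail_open.handle(b"x"), fail_open.handle(b"x"), fail_open.handle(b"x")],
        "fail_open_bypassed": fail_open.bypassed,
        "fail_open_bypassed_packets": fail_open.stats["bypassed_packets"],
        "fail_closed": fail_closed.handle(b"x"),
        "slow": slow.handle(b"x"),
        "slow_failures": slow.stats["engine_failures"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the counters is that whichever policy is chosen, the failure must be visible: a fail-open IPS that silently bypasses its engine is indistinguishable from no IPS at all, and a fail-closed one is an outage waiting for a noisy signature. Either way, the minimum requirement to write down is the policy per link plus the monitoring of `engine_failures` and `bypassed_packets`.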
Author Closing Comment

by:Gray Millen
ID: 41784489
Many thanks for the correspondence in relation to my question; I have found this forum very helpful. Gray