Best practices for deploying network intrusion prevention
By Joel Snyder
Planning, education and high availability can ensure success
Bringing network intrusion-prevention systems (IPS) into your network is straightforward, if you keep to a simple six-step plan.
1.) Put the IPS in the right place. Two main constraints govern where you should put your IPS device. The first is performance: The IPS has to be able to handle the load you throw at it with an acceptable level of latency. The second is coverage: The IPS needs to see the traffic it is protecting - and shouldn't be in the way of traffic it isn't protecting.
Your IPS will generally be placed at an edge of the network, such as immediately inside an Internet firewall, or in front of a server farm. Position the IPS where it will see the bare minimum of traffic it needs to, in order to keep performance issues under tight control.
2.) Teach the IPS what you know. You know much more about your network than any out-of-the-box IPS will. You know your server operating systems, IP addresses and subnets, application protocols and ports. The more knowledge you push into the IPS configuration, the more likely the IPS will be able to catch attacks (especially on unusual protocols or ports) and the less likely it will yield false positives.
Enterprise-class IPSs have considerable configuration flexibility, for a reason: Comprehensive configuration makes the IPS better at what it does. Plan to take advantage of the power of your IPS by teaching it as much as possible about your network.
3.) Think about high availability. When you put an IPS in the critical path for traffic, you've got to have a plan for what to do when the hardware or software stops working. Many IPS deployments make use of fail-open interfaces that pass traffic transparently if the IPS itself stops working. They're expensive but can save you even more expensive downtime. IPSs are difficult to monitor because they want to be invisible. Unlike a switch or a router, you can't easily see if an IPS is operating correctly by watching it pass traffic.
Before going for full deployment, make sure your normal monitoring tools will be able to figure out if the IPS stops working, and isolate that failure from the components on either side of the IPS. Also, get your written plan in place for what to do if the IPS does stop operating. You don't want to be winging it if there's a problem.
4.) Don't block - at first, anyway. When you first drop your IPS into place, don't put it into block mode. Enterprise-class IPSs have an easy way to take the entire system into and out of blocking mode with a single click - sometimes called "the big red button." When you first put the IPS inline, you want to watch what it would have blocked until you are satisfied that it's acting properly and not generating false positives. If you have the tools, you can also send attacks through the IPS and see that it catches them, in effect checking for false negatives.
Take your time to be sure that you're not getting false positives. You've gone for all these years without IPS -- a few weeks more won't kill you. With IPS, a longer and more rigorous test period than you might have with other infrastructure devices is called for.
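As an added example (the article names no product, so Snort 2.9 and its `snort.conf` syntax are an assumption here, and the addresses, operating systems and ports are constructed for a small server farm behind an Internet firewall), this is what steps 2 and 4 look like in configuration: network variables and target-based reassembly policies teach the sensor what it protects, and `policy_mode` keeps it inline but not yet blocking.

```conf
# --- Step 2: teach the sensor what it is protecting (constructed addresses) ---
ipvar HOME_NET [10.1.1.0/24,10.1.2.0/24]
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS [10.1.1.10,10.1.1.11]
ipvar SQL_SERVERS [10.1.2.20]
portvar HTTP_PORTS [80,8080,8443]
portvar ORACLE_PORTS 1521

# Target-based reassembly: rebuild fragments and TCP streams the way the
# destination host's stack does, so an evasion that exploits the gap between
# the sensor's view and the server's view gets no traction. In this farm the
# web tier runs Windows and the database tier runs Linux.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows, bind_to [10.1.1.0/24], detect_anomalies
preprocessor frag3_engine: policy linux, bind_to [10.1.2.0/24], detect_anomalies
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, bind_to 10.1.1.0/24, ports both 80 8080 8443, detect_anomalies
preprocessor stream5_tcp: policy linux, bind_to 10.1.2.0/24, ports both 1521, detect_anomalies
preprocessor stream5_udp: timeout 180

# --- Step 4: inline, but not blocking yet ---
# inline_test passes every packet but logs what the drop rules would have
# blocked (alert_fast tags these [WDrop]). Switch to 'inline' only after the
# false-positive review period is over; until then this line is the big red button.
config policy_mode:inline_test
# config policy_mode:inline
```

Rules that reference `$HTTP_SERVERS`, `$SQL_SERVERS` or `$HTTP_PORTS` now fire only where those services actually live, which is what cuts the false positives on the other 99% of your address space.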
5.) Get trained. Enterprise IPSs and their management consoles are usually pretty complicated. Some time spent in training or with intensive self-led learning will let you get the most out of the product you've picked. With many IPS deployments, either the vendor or a VAR probably comes on site to help get the product installed and "train you." That half-day of 90-mile-an-hour zooming through the user interface isn't enough to let you get really good at working with most of these products.
If you can afford it, get some training or work with a consultant to get one-on-one instruction. For the budget-bound, make sure to set aside at least a week from your calendar to do nothing but get good at the IPS management console.
6.) Plan to tune. An IPS requires less care and feeding than an IDS because you're focusing on known malicious traffic, which means fewer alerts overall. However, any IPS will require periodic adjustment and tuning to optimize it to your ever-changing network dynamics. You may also have to manually install new signatures and patches from the IPS vendor.
Few IPS users evaluate and investigate every single alert. If you do, that's great, but make sure you add a few minutes to each session for tuning signatures, network parameters, and network topology information. If you consider the IPS to be a silent protection partner, you still should budget time each week or each month to run reports and make sure that you're getting the protection you want, need and paid for from your IPS.
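The review-and-tune loop in steps 4 and 6 is easier to keep up when the first pass over the alert log is scripted. The following added example (not from the article, which names no product) assumes a Snort-style sensor writing the one-line `alert_fast` format and tuned through `threshold.conf` `suppress` and `event_filter` lines; the sample alerts are constructed, and the thresholds `min_hits` and `dominance` are illustrative choices, not vendor defaults. It counts hits per signature, tallies what an `inline_test` sensor would have dropped, and drafts tuning lines for a human to review rather than apply blindly.

```python
"""Batch-triage IPS alerts and draft tuning lines for a human to review.

Added example for this article, not code from the author or any IPS vendor.
Assumes a Snort-style sensor writing alert_fast output and tuned through
threshold.conf 'suppress' / 'event_filter' directives.
"""
import re
from collections import Counter, defaultdict

# Snort 2.9 alert_fast layout. The optional [Drop]/[WDrop] tag records that the
# packet was dropped, or (sensor in inline_test mode) would have been dropped.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>W?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample from a sensor in inline_test mode. Signature 2100498 fires
# only from an internal web server (10.1.1.5) whose pages legitimately contain
# "uid=0(root)" text, a classic false positive; 2010935 is a scan from many sources.
SAMPLE_ALERTS = """\
01/15-09:02:11.104233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 192.168.20.14:51234
01/15-09:04:52.334100  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 192.168.20.31:49822
01/15-09:09:17.880041  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 192.168.20.14:51290
01/15-09:10:03.005512  [WDrop] [**] [1:2010935:2] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.40:5566 -> 10.1.2.20:1433
01/15-09:11:44.210980  [WDrop] [**] [1:2010935:2] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:4411 -> 10.1.2.20:1433
01/15-09:12:09.771230  [WDrop] [**] [1:2010935:2] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.77:6001 -> 10.1.2.20:1433
01/15-09:13:55.019384  [WDrop] [**] [1:2010935:2] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.22:3390 -> 10.1.2.20:1433
01/15-09:14:30.452200  [WDrop] [**] [1:2010935:2] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.91:7020 -> 10.1.2.20:1433
01/15-09:16:00.000000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 10.1.1.33
01/15-09:21:38.660711  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 192.168.20.57:50013
01/15-09:33:06.118823  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 192.168.20.31:49901
01/15-09:40:59.902378  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 192.168.20.14:51377
"""


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    d["dropped"] = d["action"] == "Drop"
    d["would_drop"] = d["action"] == "WDrop"
    return d


def load_alerts(text):
    """Parse a whole log; unparsed lines are counted, never silently dropped."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_fast_alert(line)
        if a is None:
            unparsed += 1
        else:
            alerts.append(a)
    return alerts, unparsed


def summarize(alerts):
    """Per (gid, sid): hit count, how many were/would be dropped, and source IPs."""
    per_sig = defaultdict(lambda: {"msg": "", "hits": 0, "would_drop": 0, "sources": Counter()})
    for a in alerts:
        s = per_sig[(a["gid"], a["sid"])]
        s["msg"] = a["msg"]
        s["hits"] += 1
        s["would_drop"] += int(a["dropped"] or a["would_drop"])
        s["sources"][a["src"]] += 1
    return dict(per_sig)


def suggest_tuning(alerts, min_hits=5, dominance=0.8):
    """Draft threshold.conf lines (illustrative heuristic, to be reviewed by a person).

    A signature that fires repeatedly and almost entirely from one source, often
    an internal server, is a false-positive candidate and gets a by-source
    'suppress'. A signature that is noisy but spread across many sources is
    rate-limited with 'event_filter' so it still alerts once per source per minute.
    """
    lines = []
    for (gid, sid), s in sorted(summarize(alerts).items()):
        if s["hits"] < min_hits:
            continue
        src, n = s["sources"].most_common(1)[0]
        if n / s["hits"] >= dominance:
            lines.append(f"# review: '{s['msg']}' fired {n}/{s['hits']} times from {src}")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            lines.append(f"# review: '{s['msg']}' fired {s['hits']} times from {len(s['sources'])} sources")
            lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
    return lines


if __name__ == "__main__":
    alerts, unparsed = load_alerts(SAMPLE_ALERTS)
    for (gid, sid), s in sorted(summarize(alerts).items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{gid}:{sid:<8} hits={s['hits']:<3} would_drop={s['would_drop']:<3} {s['msg']}")
    print(f"unparsed lines: {unparsed}")
    print("\n".join(suggest_tuning(alerts)))
```

Run against a real sensor's `alert` file, the output is a short list to take into the weekly tuning session: a `suppress` for the web server that keeps tripping the `id check returned root` rule, and an `event_filter` that stops a scanner from filling the console while still recording it. The `unparsed` count matters too: a jump in it usually means a vendor upgrade changed the log format under your reporting.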