ma2.pdf
De La Salle University
M3.1 | Intrusion Detection and Prevention Systems

Key Terms

intrusion: An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.

intrusion detection and prevention system (IDPS): The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.

intrusion detection system (IDS): A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.

An intrusion occurs when an attacker attempts to gain entry into an organization's information systems or disrupt their normal operations. Even when such attacks are self-propagating, as with viruses and distributed denial-of-service attacks, they are almost always instigated by someone whose purpose is to harm an organization. Often, the differences among intrusion types lie with the attacker—some intruders don't care which organizations they harm and prefer to remain anonymous, while others crave notoriety. While every intrusion is an incident, not every incident is an intrusion; examples include service outages and natural disasters.

Intrusion prevention consists of activities that deter an intrusion. Some important intrusion prevention activities are writing and implementing good enterprise information security policy; planning and executing effective information security programs; installing and testing technology-based information security countermeasures, such as firewalls and intrusion detection and prevention systems; and conducting and measuring the effectiveness of employee training and awareness activities.

Intrusion detection consists of procedures and systems that identify system intrusions. Intrusion reaction encompasses the actions an organization takes when an intrusion is detected. These actions seek to limit the loss from an intrusion and return operations to a normal state as rapidly as possible. Intrusion correction activities complete the restoration of operations to a normal state and seek to identify the source and method of the intrusion to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.

Information security intrusion detection systems (IDSs) became commercially available in the late 1990s. An IDS works like a burglar alarm in that it detects a violation and activates an alarm. This alarm can be a sound, a light or other visual signal, or a silent warning, such as an e-mail message or pager alert. With almost all IDSs, system administrators can choose the configuration of various alerts and the alarm levels associated with each type of alert. Many IDSs enable administrators to configure the systems to notify them directly of trouble via e-mail or pagers. The systems can also be configured—again like a burglar alarm—to notify an external security service of a "break-in." The configurations that enable IDSs to provide customized levels of detection and response are quite complex. A current extension of IDS technology is the incorporation of intrusion prevention technology, which can prevent an intrusion from successfully attacking the organization by means of an active response. Because you seldom find such technology that does not also have detection capabilities, the term intrusion detection and prevention system (IDPS) is commonly used.

According to NIST SP 800-94, Rev. 1, IDPSs use several response techniques, which can be divided into the following groups:

• An IDPS is capable of interdicting the attack by itself, without human intervention. This could be accomplished by:
  ○ Terminating the user session or network connection over which the attack is being conducted
  ○ Blocking access to the target system or systems from the source of the attack, such as a compromised user account, inbound IP address, or other attack characteristic
  ○ Blocking all access to the targeted information asset
• The IDPS can modify its environment by changing the configuration of other security controls to disrupt an attack. This could include modifying a firewall's rule set or configuring another network device to shut down the communications channel to filter the offending packets.
• Some IDPSs are capable of changing an attack's components by replacing malicious content with benign material or by quarantining a network packet's contents.

M3.1.1 | IDPS Terminology

To understand how an IDPS works, you must first become familiar with some IDPS terminology.

• Alarm clustering and compaction: A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms. Clustering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by system administrators.
• Alarm filtering: The process of classifying IDPS alerts so they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications. For example, the administrator may set the IDPS to discard alarms produced by false attack stimuli or normal network operations. Alarm filters are similar to packet filters in that they can filter items by their source or destination IP addresses, but they can also filter by operating systems, confidence values, alarm type, or alarm severity.
• Alert or alarm: An indication or notification that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
• Confidence value: The measure of an IDPS's ability to correctly detect and identify certain types of attacks. The confidence value an organization places in the IDPS is based on experience and past performance measurements. The confidence value, which is based on fuzzy logic, helps an administrator determine the likelihood that an IDPS alert or alarm indicates an actual attack in progress. For example, if a system deemed 90 percent capable of accurately reporting a denial-of-service (DoS) attack sends a DoS alert, there is a high probability that an actual attack is occurring.
• Evasion: The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.
• False attack stimulus: An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
• False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous IDPS failure, given that its purpose is to detect and respond to attacks.
• False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactions to actual intrusion events.
• Noise: Alarm events that are accurate and noteworthy but do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise, although some noise might be triggered by scanning and enumeration tools run by network users without harmful intent.
• Site policy: The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
• Site policy awareness: An IDPS's ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment. A dynamic IDPS logs events that fit a specific profile instead of minor events, such as file modifications or failed user logins. A smart IDPS knows when it does not need to alert the administrator—for example, when an attack is using a known and documented exploit from which the system is protected.
• True attack stimulus: An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack, in which an attacker is attempting a system compromise, or it may be a drill, in which security personnel are using hacker tools to test a network segment.
• Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
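The alarm clustering, compaction and filtering terms above can be made concrete with a small worked example. This is an added illustration, not code from the text: the Alert fields, the 60-second clustering window, the severity and confidence thresholds, and the sample alert feed are all constructed.

```python
"""Alarm clustering/compaction and alarm filtering for IDPS alerts.

Added illustration, not code from the text. The Alert fields, the 60-second
clustering window, the thresholds and the sample alerts are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Alert:
    ts: float          # seconds since an arbitrary epoch
    signature: str     # attack signature that fired
    src: str           # source address
    target: str        # attacked asset
    severity: int      # 1 (informational) .. 5 (critical)
    confidence: float  # the IDPS's confidence value, 0.0 .. 1.0


@dataclass
class Alarm:
    """One higher-level alarm compacted from several near-identical alerts."""
    signature: str
    src: str
    target: str
    first_ts: float
    last_ts: float
    count: int = 1
    max_severity: int = 1
    confidence: float = 0.0


def cluster_alerts(alerts: Iterable[Alert], window: float = 60.0) -> List[Alarm]:
    """Compact alerts with the same signature, source and target that occur
    within `window` seconds of the cluster's newest alert into one Alarm."""
    alarms: List[Alarm] = []
    newest: Dict[Tuple[str, str, str], int] = {}   # cluster key -> index in alarms
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.src, a.target)
        idx = newest.get(key)
        if idx is not None and a.ts - alarms[idx].last_ts <= window:
            c = alarms[idx]
            c.last_ts = a.ts
            c.count += 1
            c.max_severity = max(c.max_severity, a.severity)
            c.confidence = max(c.confidence, a.confidence)
        else:
            alarms.append(Alarm(a.signature, a.src, a.target, a.ts, a.ts,
                                1, a.severity, a.confidence))
            newest[key] = len(alarms) - 1
    return alarms


def filter_alarms(alarms, min_severity=2, min_confidence=0.5, false_stimuli=frozenset()):
    """Drop alarms from known false attack stimuli (e.g. a scheduled job the
    administrator has classified as benign) and low-severity or low-confidence noise."""
    return [c for c in alarms
            if c.signature not in false_stimuli
            and c.max_severity >= min_severity
            and c.confidence >= min_confidence]


# Constructed sample feed: a burst of SYN-flood alerts, an unrelated low-severity
# sweep, a nightly backup job the IDPS misreads, and a late repeat of the flood.
SAMPLE_ALERTS = [
    Alert(0.0, "TCP SYN flood", "198.51.100.7", "192.0.2.10", 4, 0.90),
    Alert(5.0, "TCP SYN flood", "198.51.100.7", "192.0.2.10", 4, 0.90),
    Alert(12.0, "TCP SYN flood", "198.51.100.7", "192.0.2.10", 5, 0.92),
    Alert(20.0, "TCP SYN flood", "198.51.100.7", "192.0.2.10", 4, 0.90),
    Alert(30.0, "ICMP echo sweep", "198.51.100.8", "192.0.2.0/24", 1, 0.80),
    Alert(40.0, "Backup agent heartbeat", "192.0.2.50", "192.0.2.10", 3, 0.95),
    Alert(500.0, "TCP SYN flood", "198.51.100.7", "192.0.2.10", 4, 0.90),
]
KNOWN_FALSE_STIMULI = frozenset({"Backup agent heartbeat"})


def triage(alerts=SAMPLE_ALERTS):
    """Run clustering then filtering and report the compaction achieved."""
    alarms = cluster_alerts(alerts)
    kept = filter_alarms(alarms, false_stimuli=KNOWN_FALSE_STIMULI)
    return {"alerts": len(list(alerts)), "alarms": len(alarms),
            "after_filter": len(kept), "kept": kept}


if __name__ == "__main__":
    for k, v in triage().items():
        print(k, v)
```

Seven raw alerts compact to four alarms; the filter then discards the low-severity sweep and the known false stimulus, leaving the two flood alarms for the administrator.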
M3.1.2 | Why Use an IDPS?

Key Terms

known vulnerability: A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.

zero day vulnerability: An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss. This vulnerability is also referred to as zero day (or zero hour) because once it is discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability.

There are several compelling reasons to acquire and use an IDPS, beginning with its primary function of intrusion detection. These reasons include documentation, deterrence, and other benefits, as described in the following lessons.

M3.1.2.1 | Intrusion Detection

The primary purpose of an IDPS is to identify and report an intrusion. By detecting the early signs of an intrusion, the organization can quickly contain the attack and prevent or at least substantially mitigate loss or damage to information assets. The notification process is critical; if the organization is not notified that an intrusion is under way, the IDPS serves no real purpose. Once notified, the organization's IR team can activate the IR plan and contain the intrusion.

IDPSs can also help administrators detect the preambles to attacks, which are known as attack reconnaissance. Most attacks begin with an organized and thorough probing of the organization's network environment and its defenses. This initial probing is called doorknob rattling and is accomplished through two general activities. Footprinting refers to activities that gather information about the organization and its network activities and assets, while fingerprinting refers to activities that scan network locales for active systems and then identify the network services offered by the host systems. A system that can detect the early warning signs of footprinting and fingerprinting functions like a neighborhood watch that spots would-be burglars as they case the community. This early detection enables administrators to prepare for a potential attack or to minimize potential losses from an attack.

IDPSs can also help the organization protect its assets when its networks and systems are still exposed to known vulnerabilities or are unable to respond to a rapidly changing threat environment. Many factors can delay or undermine an organization's ability to secure its systems from attack and subsequent loss. For example, even though popular information security technologies such as scanning tools allow security administrators to evaluate the readiness of their systems, they may still fail to detect or correct a known deficiency or check for vulnerabilities too infrequently. In addition, even when a vulnerability is detected in a timely manner, it cannot always be corrected quickly. Also, because such corrective measures usually require that the administrator install patches and upgrades, they are subject to fluctuations in the administrator's workload.

Note that vulnerabilities might be known to vulnerability-tracking groups without being known to the organization. The number and complexity of reported vulnerabilities continue to increase, so it is extremely difficult to stay on top of them. Instead, organizations rely on developers to identify problems and patch systems, yet there is inevitably a delay between detection and distribution of a patch or update to resolve the vulnerability. Similarly, substantial delays are common between the detection of a new virus or worm and the distribution of a signature that allows antimalware applications to detect and contain the threat.

To further complicate the matter, services that are known to be vulnerable sometimes cannot be disabled or otherwise protected because they are essential to ongoing operations. When a system has a known vulnerability or deficiency, an IDPS can be set up to detect attacks or attempts to exploit existing weaknesses, an important part of the strategy of defense in depth.

While a diligent organization may be well prepared against known vulnerabilities, it's the unknown that still causes the organization concern. Zero day vulnerabilities (or zero day attacks) are unknown or undisclosed vulnerabilities that can't be predicted or prepared for. They are called zero day (or zero hour) because once they are discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability. Unfortunately, most of these vulnerabilities become "known" only when they are used in an attack. Therefore, it is critical for the organization to diligently monitor online trade press and industry user groups to stay abreast of such issues.

Organizations continue to expand the number of items on networks they manage and where those items are operated. The Internet of Things finds more and different devices being connected and used, while cloud service use results in valuable assets housed in places where defenses are established with software-defined perimeters in place of the old-school hardware-enforced perimeter. These changes in how networks are used and what can be found on them make the need for IDPS technologies even more pronounced.

M3.1.2.2 | Data Collection

In the process of analyzing data and network activity, IDPSs can be configured to log data for later analysis. This logging function allows the organization to examine what happened after an intrusion occurred and why. As an accountability function, logging may even provide the who if the individual responsible for the intrusion works within the organization. Even when intruders are not internal, some information may be available, such as where they are connecting from (IP address) and how they connected (browser details). Logging also allows improvement in incident response; evaluation by specialized log monitors and assessment of the effectiveness of the IDPS itself.

Even if an IDPS fails to prevent an intrusion, it can still contribute to the after-attack review by assisting investigators in determining how the attack occurred, what the intruder accomplished, and which methods the attacker employed. This information can be used to remedy deficiencies and to prepare the organization's network environment for future attacks. The IDPS can also provide forensic information that may be useful if the attacker is caught and then prosecuted or sued. Examining this information to understand attack frequencies and attributes can help identify insufficient, inappropriate, or compromised security measures. This process can also provide insight for management into threats the organization faces and can help justify current and future expenditures to support and improve incident detection controls. When asked for funding to implement additional security technology, upper management usually requires documentation of the threat from which the organization must be protected.

M3.1.2.3 | Attack Deterrence

Another reason to install an IDPS is that it serves as a deterrent by increasing the fear of detection among would-be attackers. If internal and external users know that an organization has an IDPS, they are less likely to probe the system or attempt to compromise it, just as criminals are much less likely to break into a house that appears to have a burglar alarm.

M3.1.2.4 | Other Reasons to Deploy an IDPS

Data collected by an IDPS can also help management with quality assurance and continuous improvement; IDPSs consistently pick up information about attacks that have successfully compromised the outer layers of information security controls, such as a firewall. This information can be used to identify and repair flaws in the security and network architectures, which helps the organization expedite its incident response and make other continuous improvements.

An IDPS can provide a level of quality control for security policy implementation. This can be accomplished when the IDPS is used to detect incomplete firewall configuration when inappropriate network traffic is allowed that should have been filtered at the firewall. This detection could alert administrators to a poorly configured or compromised firewall. IDPSs may also be used to identify security policy violations.

Certain IDPSs can monitor network traffic and systems data in an effort to flag suspicious data transfers and detect unusual activities that could indicate data theft. If the organization's employees have no reason to copy data files over a certain size, an IDPS may be able to detect large file transfers, either from a host-based or network-based IDPS. Similarly, certain protected files may be specified to flag or notify administrators if they are accessed, copied, or modified. This is one of the primary functions of a host-based IDPS.

Another use of the intrusion awareness that an IDPS provides, even when alerts are given after the actual intrusion, is part of the process known as the kill chain. This concept, an adaptation of combat tactics brought to the world of information security by Lockheed Martin, is that the success of an attack can be disrupted at several points in the sequence. By disrupting the attack at any point up to the final exfiltration of its proceeds, potential losses can be stopped. Figure 7-1 shows the various steps in the attack sequence and the associated opportunities to interrupt using the kill chain.

M3.1.3 | Types of IDPSs
Key Terms

agent: See sensor.

application protocol verification: The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.

host-based IDPS (HIDPS): An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.

inline sensor: An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.

mirror port: See monitoring port.

monitoring port: Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.

network-based IDPS (NIDPS): An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.

passive mode: An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.

protocol stack verification: The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.

sensor: A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.

switched port analysis (SPAN) port: See monitoring port.

IDPSs generally operate as network- or host-based systems. A network-based IDPS is focused on protecting network information assets by examining network communications traffic. Two specialized subtypes of network-based IDPSs are the wireless IDPS and the network behavior analysis (NBA) IDPS. The wireless IDPS focuses on wireless networks, as the name indicates, while the NBA IDPS examines traffic flow on a network in an attempt to recognize abnormal patterns like DDoS, malware, and policy violations. A host-based IDPS protects the server or host's information assets, usually by monitoring the files stored on the system and sometimes by monitoring the actions of connected users; the example shown in Figure 7-2 monitors both network connection activity and current information states on host servers. The application-based model works on one or more host systems that support a single application and defends that application from special forms of attack.

M3.1.3.1 | Network-Based IDPS

A network-based IDPS (NIDPS) consists of a specialized hardware appliance and/or software designed to monitor network traffic. The NIDPS may include separate management software, referred to as a console, and a number of specialized hardware and/or software components referred to as agents or sensors. These agents can be installed on other network segments and/or network technologies to remotely monitor network traffic at multiple locations for a potential intrusion, reporting back to the central NIDPS application. When the NIDPS identifies activity that it is programmed to recognize as an attack, it responds by sending notifications to administrators. When examining incoming packets, an NIDPS looks for patterns within network traffic such as large collections of related items of a certain type, which could indicate that a DoS attack is under way. An NIDPS also examines the exchange of a series of related packets in a certain pattern, which could indicate that a port scan is in progress. An NIDPS can detect many more types of attacks than a host-based IDPS, but it requires a much more complex configuration and maintenance program.

An NIDPS or an NIDPS sensor is installed at a specific place in the network, such as inside an edge router, where it is possible to monitor traffic into and out of a particular network segment. The NIDPS can be deployed to monitor a specific grouping of host computers on a specific network segment, or it may be installed to monitor all traffic between the systems that make up an entire network. When placed next to a hub, switch, or other key networking device, the NIDPS may use that device's monitoring port. A monitoring port, also known as a switched port analysis (SPAN) port or mirror port, is capable of viewing all traffic that moves through the entire device. In the early 1990s, before switches became standard for connecting networks in a shared-collision domain, hubs were used. Hubs receive traffic from one node and retransmit it to all other nodes. This configuration allows any device connected to the hub to monitor all traffic passing through the hub. Unfortunately, it also represents a security risk because anyone connected to the hub can monitor all the traffic that moves through the network segment. Switches, on the other hand, create dedicated point-to-point links between their ports. These links create a higher level of transmission security and privacy to effectively prevent anyone from capturing and thus eavesdropping on the traffic passing through the switch. Unfortunately, the ability to capture the traffic is necessary for the use of an IDPS. Thus, monitoring ports are required. These connections enable network administrators to collect traffic from across the network for analysis by the IDPS, as well as for occasional use in diagnosing network faults and measuring network performance. Figure 7-3 shows data from the Snort Network IDPS Engine. In this case, the display is a sample screen from Snorby, a client that can manage Snort as well as display generated alerts.

To determine whether an attack has occurred or is under way, NIDPSs compare measured activity to known signatures in their knowledge base. The comparisons are made through a special implementation of the TCP/IP stack that reassembles the packets and applies protocol stack verification, application protocol verification, or other verification and comparison techniques.

In the process of protocol stack verification, NIDPSs look for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol. A data packet is verified when its configuration matches one that is defined by the various Internet protocols. The elements of these protocols (IP, TCP, UDP, and application layers such as HTTP) are combined in a complete set called the protocol stack when the software is implemented in an operating system or application. Many types of intrusions, especially DoS and DDoS attacks, rely on the creation of improperly formed packets to take advantage of weaknesses in the protocol stack in certain operating systems or applications.

In application protocol verification, the higher-order protocols (HTTP, SMTP, and FTP) are examined for unexpected packet behavior or improper use. Sometimes an attack uses valid protocol packets but in excessive quantities; in the case of the tiny fragment attack, the packets are also excessively fragmented. While protocol stack verification looks for violations in the protocol packet structure, application protocol verification looks for violations in the protocol packet's use. One example of this kind of attack is DNS cache poisoning, in which valid packets exploit poorly configured DNS servers to inject false information and corrupt the servers' answers to routine DNS queries from other systems on the network. Unfortunately, this higher-order examination of traffic can have the same effect on an IDPS as it can on a firewall—that is, it slows the throughput of the system. It may be necessary to have more than one NIDPS installed, with one of them performing protocol stack verification and one performing application protocol verification.

The advantages of NIDPSs include the following:

• Good network design and placement of NIDPS devices can enable an organization to monitor a large network using only a few devices.
• NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations.
• NIDPSs are not usually susceptible to direct attack and may not be detectable by attackers.

The disadvantages of NIDPSs include the following:

• An NIDPS can become overwhelmed by network volume and fail to recognize attacks it might otherwise have detected. Some IDPS vendors are accommodating the need for ever faster network performance by improving the processing of detection algorithms in dedicated hardware circuits. Additional efforts to optimize rule set processing may also reduce the overall effectiveness of detecting attacks.
• NIDPSs require access to all traffic to be monitored. The broad use of switched Ethernet networks has replaced the ubiquity of shared-collision domain hubs. Because many switches have limited or no monitoring port capability, some networks are not capable of providing aggregate data for analysis by an NIDPS. Even when switches do provide monitoring ports, they may not be able to mirror all activity with a consistent and reliable time sequence.
• NIDPSs cannot analyze encrypted packets, making some network traffic invisible to the process. The increasing use of encryption that hides the contents of some or all packets by some network services (such as SSL, SSH, and VPN) limits the effectiveness of NIDPSs.
• NIDPSs cannot reliably ascertain whether an attack was successful, which requires ongoing effort by the network administrator to evaluate logs of suspicious network activity.
• Some forms of attack are not easily discerned by NIDPSs, specifically those involving fragmented packets. In fact, some NIDPSs are so vulnerable to malformed packets that they may become unstable and stop functioning.

M3.1.3.2 | Wireless NIDPS

A wireless IDPS monitors and analyzes wireless network traffic, looking for potential problems with the wireless protocols (Layers 2 and 3 of the OSI model). Unfortunately, wireless IDPSs cannot evaluate and diagnose issues with higher-layer protocols like TCP and UDP. Wireless IDPS capability can be built into a device that provides a wireless access point (AP).

Sensors for wireless networks can be located at the access points, on specialized sensor components, or incorporated into selected mobile stations. Centralized management stations collect information from these sensors, much as other network-based IDPSs do, and aggregate the information into a comprehensive assessment of wireless network intrusions. The implementation of wireless IDPSs includes the following issues:

• Physical security: Unlike most wired network sensors, which can be physically secured, many wireless sensors are located in public areas like conference rooms, assembly areas, and hallways to obtain the widest possible network range. Some of these locations may even be outdoors; more and more organizations are deploying networks in external locations. Thus, the physical security of these devices may require additional configuration and monitoring.
• Sensor range: A wireless device's range can be affected by atmospheric conditions, building construction, and the quality of the wireless network card and access point. Some IDPS tools allow an organization to identify the optimal location for sensors by modeling the wireless footprint based on signal strength. Sensors are most effective when their footprints overlap.
• Access point and wireless switch locations: Wireless components with bundled IDPS capabilities must be carefully deployed to optimize the IDPS sensor detection grid. The minimum range is just that; you must guard against the possibility of an attacker connecting to a wireless access point from a range far beyond the minimum.
• Wired network connections: Wireless network components work independently of the wired network when sending and receiving traffic between stations and access points. However, a network connection eventually integrates wireless traffic with the organization's wired network. In places where no wired network connection is available, it may be impossible to deploy a sensor.
• Cost: The more sensors you deploy, the more expensive the configuration. Wireless components typically cost more than their wired counterparts, so the total cost of ownership of IDPSs for both wired and wireless varieties should be carefully considered.
• AP and wireless switch locations: The locations of APs and wireless switches are important for organizations buying bundled solutions (APs with preinstalled IDPS applications).

In addition to the traditional types of intrusions detected by other IDPSs, the wireless IDPS can also detect existing WLANs and WLAN devices for inventory purposes as well as detect the following types of events:

• Unauthorized WLANs and WLAN devices
• Poorly secured WLAN devices
• Unusual usage patterns
• The use of wireless network scanners
• DoS attacks and conditions
• Impersonation and man-in-the-middle attacks

Wireless IDPSs are generally more accurate than other types of IDPSs, mainly because of the reduced set of protocols and packets they have to examine. However, they are unable to detect certain passive wireless protocol attacks, in which the attacker monitors network traffic without active scanning and probing. They are also susceptible to evasion techniques. By simply looking at wireless devices, which are often visible in public areas, attackers can design customized evasion methods to exploit the system's channel scanning scheme. Wireless IDPSs can protect their associated WLANs, but they may be susceptible to logical and physical attacks on the wireless access point or the IDPS devices themselves.
They use a version of the anomaly detection method described later in this section to identify excessive packet flows that might occur in the case of equipment malfunction, DoS attacks, virus and worm attacks, and some forms of network policy violations. NBA IDPSs typically monitor internal networks but occasionally monitor connections between internal and external networks. Intrusion detection and prevention typically includes the following relevant flow data:

• Source and destination IP addresses
• Source and destination TCP or UDP ports or ICMP types and codes
• Number of packets and bytes transmitted in the session
• Starting and ending timestamps for the session

Most NBA sensors can be deployed in passive mode only, using the same connection methods (e.g., network tap, switch spanning port) as network-based IDPSs. Passive sensors that are performing direct network monitoring should be placed so that they can monitor key network locations, such as the divisions between networks, and key network segments, such as demilitarized zone (DMZ) subnets. Inline sensors are typically intended for network perimeter use, so they would be deployed in close proximity to the perimeter firewalls, often between the firewall and the Internet border router to limit incoming attacks that could overwhelm the firewall. NBA sensors can most commonly detect:

• DoS attacks (including DDoS attacks)
• Scanning
• Worms
• Unexpected application services, such as tunneled protocols, back doors, and use of forbidden application protocols
• Policy violations

NBA sensors offer the following intrusion prevention capabilities, which are grouped by sensor type:

• Passive only: Ending the current TCP session. A passive NBA sensor can attempt to end an existing TCP session by sending TCP reset packets to both endpoints.
• Inline only: Performing inline firewalling. Most inline NBA sensors offer firewall capabilities that can be used to drop or reject suspicious network activity.
• Both passive and inline:
  ○ Reconfiguring other network security devices. Many NBA sensors can instruct network security devices such as firewalls and routers to reconfigure themselves to block certain types of activity or route it elsewhere, such as to a quarantined virtual local area network (VLAN).
  ○ Running a third-party program or script. Some NBA sensors can run an administrator-specified script or program when certain malicious activity is detected.

M3.1.3.3 | Host-Based IDPS

While a network-based IDPS resides on a network segment and monitors activities across that segment, a host-based IDPS (HIDPS) or an HIDPS sensor resides on a particular computer or server, known as the host, and monitors activity only on that system. HIDPSs are also known as system integrity verifiers because they benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files. An HIDPS has an advantage over an NIDPS in that it can access encrypted information traveling over the network and use it to make decisions about potential or actual attacks. Also, because the HIDPS works on only one computer system, all the traffic it examines traverses that system. The packet delivery mode, whether switched or in a shared-collision domain, is not a factor.

An HIDPS is also capable of monitoring system configuration databases, such as Windows registries, in addition to stored configuration files like .ini, .cfg, and .dat files. Most HIDPSs work on the principle of configuration or change management, which means that they record the sizes, locations, and other attributes of system files. The HIDPS triggers an alert when file attributes change, new files are created, or existing files are deleted. An HIDPS can also monitor system logs for predefined events. The HIDPS examines these files and logs to determine if an attack is under way or has occurred; it also examines whether the attack is succeeding or was successful. The HIDPS maintains its own log file so that an audit trail is available even when hackers modify files on the target system to cover their tracks. Once properly configured, an HIDPS is very reliable. The only time an HIDPS produces a false positive alert is when an authorized change occurs for a monitored file. This action can be quickly reviewed by an administrator, who may choose to disregard subsequent changes to the same set of files. If properly configured, an HIDPS can also detect when users attempt to modify or exceed their access authorization level.

An HIDPS classifies files into various categories and then sends notifications when changes occur. Most HIDPSs provide only a few general levels of alert notification. For example, an administrator can configure an HIDPS to report changes in a system folder, such as C:\Windows, and configure changes to a security-related application, such as C:\TripWire. The configuration rules may classify changes to a specific application folder (for example, C:\Program Files\Microsoft Office) as normal and hence unreportable. Administrators can configure the system to log all activity but to send them a page or e-mail only if a reportable security event occurs. Because frequent modifications occur to data files and to internal application files such as dictionaries and configuration files, a poorly configured HIDPS can generate a large volume of false alarms.

One of the most common methods of categorizing folders and files is by color coding. Critical system components are coded red and usually include the system registry, any folders containing the OS kernel, and application software. Critically important data should also be included in the red category. Support components, such as device drivers and other relatively important files, are generally coded yellow. User data is usually coded green, not because it is unimportant, but because monitoring changes to user data is practically difficult and strategically less urgent. User data files are frequently modified, but system kernel files, for example, should only be modified during upgrades or installations. If the preceding three-tier system is too simplistic, an organization can use a scale of 0–100, as long as the scale doesn’t become excessively granular. For example, an organization could easily create confusion for itself by classifying level 67 and 68 intrusions. Sometimes simpler is better.

Managed HIDPSs can monitor multiple computers simultaneously by creating a configuration file on each monitored host and by making each HIDPS report back to a master console system, which is usually located on the system administrator’s computer. This master console monitors the information provided by the managed hosts and notifies the administrator when it senses recognizable attack conditions. Figure 7-4 shows a sample screen from Tripwire, a popular HIDPS.

The advantages of HIDPSs include:

• An HIDPS or one of its sensors can detect local events on host systems and detect attacks that may elude a network-based IDPS.
• An HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.
• The use of switched network protocols does not affect an HIDPS.
• An HIDPS can detect inconsistencies in how applications and system programs were used by examining the records stored in audit logs. This can enable the HIDPS to detect some types of attacks, including Trojan horse programs.

The disadvantages of HIDPSs include:

• HIDPSs pose more management issues because they are configured and managed on each monitored host. An HIDPS requires more management effort to install, configure, and operate than a comparably sized NIDPS solution.
• An HIDPS is vulnerable both to direct attacks and to attacks against the host operating system. Either attack can result in the compromise or loss of HIDPS functionality.
• An HIDPS is not optimized to detect multi-host scanning, nor is it able to detect scanning from network devices that are not hosts, such as routers or switches. Unless complex correlation analysis is provided, the HIDPS will not be aware of attacks that span multiple devices in the network.
• An HIDPS is susceptible to some DoS attacks.
• An HIDPS can use large amounts of disk space to retain the host OS audit logs; for the HIDPS to function properly, it may be necessary to add disk capacity to the system.
• An HIDPS can inflict a performance overhead on its host systems, and in some cases may reduce system performance below acceptable levels.

M3.1.4 | IDPS Detection Methods

Key Terms

anomaly-based detection: Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
behavior-based detection: See anomaly-based detection.
clipping level: A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.
knowledge-based detection: See signature-based detection.
misuse detection: See signature-based detection.
signature-based detection: Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
signatures: Patterns that correspond to a known attack.
stateful protocol analysis (SPA): The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.

IDPSs use a variety of detection methods to monitor and evaluate network traffic. Three methods dominate: signature-based detection, anomaly-based detection, and stateful protocol analysis.

M3.1.4.1 | Signature-Based Detection

An IDPS that uses signature-based detection (sometimes called knowledge-based detection or misuse detection) examines network traffic in search of patterns that match known signatures—that is, preconfigured, predetermined attack patterns. Signature-based technology is widely used because many attacks have clear and distinct signatures:

• Footprinting and fingerprinting activities use ICMP, DNS querying, and e-mail routing analysis.
• Exploits use a specific attack sequence designed to take advantage of a vulnerability to gain access to a system.
• DoS and DDoS attacks, during which the attacker tries to prevent the normal usage of a system, overload the system with requests so that its ability to process them efficiently is compromised or disrupted.

A potential problem with the signature-based approach is that new attack patterns must continually be added to the IDPS’s database of signatures; otherwise, attacks that use new strategies will not be recognized and might succeed. Another weakness of the signature-based method is that a slow, methodical attack involving multiple events might escape detection. The only way signature-based detection can resolve this vulnerability is to collect and analyze data over longer periods of time, a process that requires substantially greater data storage capability and additional processing capacity. However, detection in real time then becomes extremely unlikely. Similarly, using signature-based detection to compare observed events with known patterns is relatively simplistic; the technologies that deploy it typically cannot analyze some application or network protocols, nor can they understand complex communications.

M3.1.4.2 | Anomaly-Based Detection

Anomaly-based detection (or behavior-based detection) collects statistical summaries by observing traffic that is known to be normal. This normal period of evaluation establishes a performance baseline over a period of time known as the training period. Once the baseline is established, the IDPS periodically samples network activity and uses statistical methods to compare the sampled activity to the baseline. When the measured activity is outside the baseline parameters—exceeding the clipping level—the IDPS sends an alert to the administrator. The baseline data can include variables such as host memory or CPU usage, network packet types, and packet quantities.

The profiles compiled by an anomaly-based detection IDPS are generally either static or dynamic. Static profiles do not change until modified or recalibrated by an administrator. Dynamic profiles periodically collect additional observations on data and traffic patterns and then use that information to update their baselines. This can prove to be a vulnerability if the attacker uses a very slow attack, because the system using the dynamic detection method interprets attack activity as normal traffic and updates its profile accordingly.

The advantage of anomaly-based detection is that the IDPS can detect new types of attacks because it looks for abnormal activity of any type. Unfortunately, these systems require much more overhead and processing capacity than signature-based IDPSs because they must constantly compare patterns of activity against the baseline. Another drawback is that these systems may not detect minor changes to system variables and may generate many false positives. If the actions of network users or systems vary widely, with periods of low activity interspersed with periods of heavy packet traffic, this type of IDPS may not be suitable because the dramatic swings will almost certainly generate false alarms. Because of the complexity of anomaly-based detection, its impact on the overhead computing load of the host computer, and the number of false positives it can generate, this type of IDPS is less commonly used than the signature-based type.

M3.1.4.3 | Stateful Protocol Analysis

Stateful inspection firewalls track each network connection between internal and external systems using a state table to record which station sent which packet and when. An IDPS extension of this concept is stateful protocol analysis (SPA). SPA uses the opposite of a signature approach. Instead of comparing known attack patterns against observed traffic or data, the system compares known normal or benign protocol profiles against observed traffic. These profiles are developed and provided by the protocol vendors. Essentially, the IDPS knows how a protocol such as FTP is supposed to work, and therefore can detect anomalous behavior. By storing relevant data detected in a session and then using it to identify intrusions that involve multiple requests and responses, the IDPS can better detect specialized, multisession attacks. This process is sometimes called deep packet inspection because SPA closely examines packets at the application layer for information that indicates a possible intrusion. SPA can examine authentication sessions for suspicious activity as well as for attacks that incorporate unusual commands, such as commands that are out of sequence or submitted repeatedly. SPA can also detect intentionally malformed commands or commands that are outside the expected length parameters.

The models used for SPA are similar to signatures in that they are provided by vendors. These models are based on industry protocol standards established by such entities as the Internet Engineering Task Force, but they vary along with the protocol implementations in such documents. Also, proprietary protocols are not published in sufficient detail to enable an IDPS to provide accurate and comprehensive assessments. Unfortunately, the analytical complexity of session-based assessments is the principal drawback to this type of IDPS method. It also requires heavy processing overhead to track multiple simultaneous connections. Additionally, unless a protocol violates its fundamental behavior, this IDPS method may completely fail to detect an intrusion. One final concern is that the IDPS may actually interfere with the normal operations of the protocol it is examining.

M3.1.4.4 | Log File Monitors

Key Terms

log file monitor (LFM): An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
security information and event management (SIEM): A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.

A log file monitor (LFM) IDPS is similar to an NIDPS. Using an LFM, the system reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred. This attack detection is enhanced by the fact that the LFM can look at multiple log files from different systems. The patterns that signify an attack can be subtle and difficult to distinguish when one system is examined in isolation, but they may be more identifiable when the events recorded for the entire network and each of its component systems can be viewed as a whole. Of course, this holistic approach requires considerable resources because it involves the collection, movement, storage, and analysis of very large quantities of log data.

Log file monitoring is often implemented in organizations with the use of a security information and event management (SIEM) software-enabled system. Coined in 2005 by Mark Nicolett and Amrit Williams of The Gartner Group, SIEM is a combination of software and procedures implemented across an organization that collects, analyzes, reports, and sometimes can react to events determined by patterns of events found in the aggregated data. Data sources for SIEM systems can include IDPS products, identity and access management systems, network communication devices, and specific host systems. SIEM systems often are tasked to provide alerts and intelligence to manage the reaction to many forms of adverse events that might affect the organization. SIEM implementation may be a requirement for some compliance programs that organizations must follow. SIEM systems are often used to manage the incident reaction process once incident response protocols are invoked.

M3.1.5 | IDPS Response Behavior

Each IDPS responds to external stimulation in a different way, depending on its configuration and function. Some respond in active ways, collecting additional information about the intrusion, modifying the network environment, or even taking action against the intrusion. Others respond in passive ways—for example, by setting off alarms or notifications or collecting passive data through SNMP traps.

M3.1.5.1 | IDPS Response Options

When an IDPS detects a possible intrusion, it has several response options, depending on the organization’s policy, objectives, and system capabilities. When configuring an IDPS’s responses, the system administrator must ensure that a response to an attack or potential attack does not inadvertently exacerbate the situation. For example, if an NIDPS reacts to suspected DoS attacks by severing the network connection, the attack is a success. Similar attacks repeated at intervals will thoroughly disrupt an organization’s business operations.

An analogy to this approach is a car thief who spots a desirable target early in the morning, strikes the car with a rolled-up newspaper to trigger the alarm, and then ducks into the bushes. The car owner wakes up, checks the car, determines there is no danger, resets the alarm, and goes back to bed. The thief repeats the triggering action every half-hour or so until the owner disables the alarm, leaving the thief free to steal the car without worrying about the alarm.

IDPS responses can be classified as active or passive. An active response is a definitive action that is automatically initiated when certain types of alerts are triggered. These responses can include collecting additional information, changing or modifying the environment, and taking action against the intruders. Passive-response IDPSs simply report the information they have collected and wait for the administrator to act. Generally, the administrator chooses a course of action after analyzing the collected data. A passive IDPS is the more common implementation, although most systems include some active options that are disabled by default.

The following list describes some of the responses an IDPS can be configured to produce. Note that some of these responses apply only to a network-based or host-based IDPS, while others are applicable to both.

• Audible/visual alarm: The IDPS can trigger a sound file, beep, whistle, siren, or other audible or visual notification to alert the administrator of an attack. The most common type of notification is the computer pop-up, which can be configured with color indicators and specific messages. The pop-up can also contain specifics about the suspected attack, the tools used in the attack, the system’s level of confidence in its own determination, and the addresses and locations of the systems involved.
• SNMP traps and plug-ins: The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively. The IDPS can execute this trap to inform the SNMP console that an event has occurred. Some advantages of this operation include the relatively standard implementation of SNMP in networking devices; the ability to configure the network system to use SNMP traps in this manner; the ability to use systems specifically to handle SNMP traffic, including IDPS traps; and the ability to use standard communications networks.
• E-mail message: The IDPS can send e-mail to notify network administrators of an event. Many administrators use smartphones and other e-mail devices to check for alerts and other notifications frequently. Organizations should use caution in relying on e-mail systems as the primary means of communication from an IDPS because attacks or even routine performance issues can disrupt, delay, or block such messages.
• Phone, pager, or SMS message: The IDPS can be configured to dial a phone number and send a preconfigured pager or SMS text message.
• Log entry: The IDPS can enter information about the event into an IDPS system log file or operating system log file. This information includes addresses, times, involved systems, and protocol information. The log files can be stored on separate servers to prevent skilled attackers from deleting entries about their intrusions.
• Evidentiary packet dump: Organizations that require an audit trail of IDPS data may choose to record all log data in a special way. This method allows the organization to perform further analysis on the data and to submit the data as evidence in a civil or criminal case. Once the data has been written using a cryptographic hashing algorithm, it becomes evidentiary documentation—that is, suitable for criminal or civil court use. However, this packet logging can be resource-intensive, especially in DoS attacks.
• Take action against the intruder: Although it is not advisable, organizations can take action against an intruder using trap-and-trace, back-hacking, or trace-back methods. Such responses involve configuring intrusion detection systems to trace the data from the target system back to the attacking system to initiate a counterattack. While this response may sound tempting, it may not be legal. An
organization only owns a network to its perimeter, so conducting traces or back-hacking to systems beyond that point may make the organization just as criminally liable as the original attackers. Also, the “attacking system” is sometimes a compromised intermediary system; in other cases, attackers use address spoofing. In either situation, a counterattack would actually harm an innocent third party. Any organization that plans to configure retaliation efforts into an automated IDPS is strongly encouraged to seek legal counsel.
• Launch program: An IDPS can be configured to execute a specific program when it detects specific types of attacks. Several vendors have specialized tracking, tracing, and response software that can be part of an organization’s intrusion response strategy.
• Reconfigure firewall: An IDPS can send a command to the firewall to filter out suspected packets by IP address, port, or protocol. (Unfortunately, it is still possible for a skilled attacker to break into a network simply by spoofing a different address, shifting to a different port, or changing the protocols used in the attack.) While it may not be easy, an IDPS can block or deter intrusions via one of the following methods:
  ○ Establishing a block for all traffic from the suspected attacker’s IP address or even from the entire source network the attacker appears to be using. This blocking can be set for a specific period of time and reset to normal rules after that period has expired.
  ○ Establishing a block for specific TCP or UDP port traffic from the suspected attacker’s address or source network. Only services that seem to be under attack are blocked.
  ○ Terminating the connection: The last resort for an IDPS under attack is to terminate the organization’s internal or other network connections if the severity of the suspected attack warrants such a response.
  ○ Terminating the session: Terminating the session by using the TCP close packet specified by the TCP/IP protocol is a simple process. Some attacks would be deterred or blocked by session termination, but others would simply continue when the attacker issues a new session request.
  ○ Blocking all traffic to or from the organization’s Internet connection or other external connections. Smart switches can cut traffic to or from a specific port if the connection is linked to a system that is malfunctioning or otherwise interfering with efficient network operations. As indicated earlier, this response function should be the last attempt to protect information, as termination may actually be the goal of the attacker.

M3.1.5.2 | Reporting and Archiving Capabilities

Many, if not all, commercial IDPSs can generate routine reports and other detailed documents, such as reports of system events and intrusions detected over a particular reporting period. Some systems provide statistics or logs in formats that are suitable for inclusion in database systems or for use in report generating packages.

M3.1.5.3 | Failsafe Considerations for IDPS Responses

Failsafe features protect an IDPS from being circumvented or defeated by an attacker. Several functions require failsafe measures; for instance, IDPSs need to provide silent, reliable monitoring of attackers. If the response function of an IDPS breaks this silence by broadcasting alarms and alerts in plaintext over the monitored network, attackers can detect the IDPS and directly target it in the attack. Encrypted tunnels or other cryptographic measures that hide and authenticate communications are excellent ways to ensure the reliability of the IDPS.

M3.1.6 | Selecting IDPS Approaches and Products

The wide array of available intrusion detection products addresses a broad range of security goals and considerations; selecting products that represent the best fit for a particular organization is challenging. The following considerations and questions can help you prepare a specification for acquiring and deploying an intrusion detection product.

M3.1.6.1 | Technical and Policy Considerations

To determine which IDPS best meets an organization’s needs, first consider its environment in technical, physical, and political terms.

What Is Your Systems Environment? The first requirement for a potential IDPS is that it function in your systems environment. This is important; if an IDPS is not designed to accommodate the information sources on your systems, it will not be able to see anything—neither normal activity nor an attack—on those systems.

• What are the technical specifications of your systems environment?

First, specify the technical attributes of your systems environment, including network diagrams and maps that specify the number and locations of hosts; operating systems for each host; the number and types of network devices, such as routers, bridges, and switches; the number and types of terminal servers and dial-up connections; and descriptions of any network servers, including their types, configurations, and the application software and versions running on each. If you run an enterprise network management system, specify it here.

• What are the technical specifications of your current security protections?

Describe the security protections you already have in place. Specify numbers, types, and locations of network firewalls, identification and authentication servers, data and link encryptors, antivirus packages, access control products, specialized security hardware (such as crypto accelerators for Web servers), virtual private networks, and any other security mechanisms on your systems.

• What are the goals of your enterprise?

Some IDPSs are designed to accommodate the special needs of certain industries or market niches, such as electronic commerce, health care, or financial services. Define the functional goals of your enterprise that are supported by your systems. Several goals can be associated with a single organization.

• How formal is the system environment and management culture in your organization?

Organizational styles vary depending on their function and traditional culture. For instance, the military and other organizations that deal with national security tend to operate with a high degree of formality, especially when contrasted with universities or other academic environments. Some IDPSs support enforcement of formal use policies, with built-in configuration options that can enforce issue-specific or system-specific security policies, as well as provide a library of reports for typical policy violations or routine matters.

What Are Your Security Goals and Objectives? The next step is to articulate the goals and objectives you want to attain by using an IDPS.

• Is your organization primarily concerned with protecting itself from outside threats?

Perhaps the easiest way to identify security goals is by categorizing your organization’s threat concerns. Identify its concerns regarding external threats.

• Is your organization concerned about insider attacks?

Address concerns about threats that originate within your organization. For example, a shipping clerk might attempt to access and alter the payroll system, or an authorized user might exceed his privileges and violate your organization’s security policy or laws. As another common example, a customer service agent might be driven by curiosity to access earnings and payroll records for company executives.

• Does your organization want to use the output of your IDPS to determine new needs?

System usage monitoring is sometimes a generic system management tool used to determine when system assets require upgrading or replacement.

• Does your organization want to use an IDPS to maintain managerial control over network usage rather than security controls?

Some organizations implement system use policies that may be classified as personnel management rather than system security. For example, they might prohibit access to pornographic Web sites or other sites, or prohibit the use of organizational systems to send harassing e-mail or other messages. Some IDPSs provide features that detect such violations of management controls.

What Is Your Existing Security Policy? You should review your existing organization security policy because it is the template against which your IDPS will be configured. You may find that you need to augment the policy or derive the following items from it.

• How is it structured?

It is helpful to articulate the goals outlined in the security policy. These goals include standard security goals, such as integrity, confidentiality, and availability, as well as more generic management goals, such as privacy, protection from liability, and manageability.

• What are the general job descriptions of your system users?

List the general job functions of system users as well as the data and network access that each function requires. Several functions are often applied to a single user.

• Does the policy include reasonable use policies or other management provisions?

As mentioned above, the security policies of many organizations include system use policies.

• Has your organization defined processes for dealing with specific policy violations?

It is helpful to know what the organization plans to do when the IDPS detects that a policy has been violated. If the organization doesn’t intend to react to such violations, it may not make sense to configure the IDPS to detect them. On the other hand, if the organization wants to respond to such violations, the IDPS’s staff should be informed so it can deal
with alarms in an appropriate Are any other manner. security-specific requirements levied by M3.1.6.2 | Organizational law? Are there legal Requirements and Constraints requirements for protection of personal Your organization’s operational information stored on goals, constraints, and culture will your systems? Such affect the selection of the IDPS information can include and other security tools and earnings or medical technologies to protect your records. Are there legal systems. Consider the following requirements for requirements and limitations. investigating security What Requirements Are Levied violations that divulge or from Outside the Organization? endanger personal information? Is your organization Are there internal audit subject to oversight or requirements for security review by another best practices or due organization? diligence? If so, does that oversight authority require IDPSs or Do any of these audit other specific system requirements specify functions security resources? that the IDPSs must provide or Are there requirements support? for public access to Is the system subject to information on your accreditation? organization’s systems? Do regulations or statutes If so, what is the accreditation require that information to authority’s requirement for IDPSs be accessible by the or other security protection? public during certain Are there requirements hours of the day or during for law enforcement certain intervals? investigation and resolution of security Is there sufficient staff to incidents? monitor an intrusion detection system full Do they require any IDPS time? functions, especially those that involve collection and protection of Some IDPSs require IDPS logs as evidence? around-the-clock attendance by systems personnel. If your What Are Your Organization’s organization cannot meet this Resource Constraints? IDPSs requirement, you may want to can protect the systems of an explore systems that organization, but at a price. 
It accommodate part-time makes little sense to incur attendance or unattended use. additional expenses for IDPS features if your organization does Does your organization not have sufficient systems or have authority to instigate personnel to handle the alerts they changes based on the will generate. findings of an intrusion detection system? What is the budget for acquisition and life cycle You and your organization must be support of intrusion clear about how to address detection hardware, problems uncovered by an IDPS. software, and If you are not empowered to infrastructure? handle incidents that arise as a result of monitoring, you should Remember that the IDPS software coordinate your selection and is not the only element of the total configuration of the IDPS with the cost of ownership; you may also person who is empowered. have to acquire a system for running the software, obtain specialized assistance to install M3.1.6.3 | IDPS Product Features and configure the system, and train your personnel. Ongoing and Quality operations may also require additional staff or outside contractors. It’s important to evaluate any IDPS Has the product been product by carefully considering tested to reliably detect the following questions: attacks? Is the Product Sufficiently Ask vendors for details about their Scalable for Your Environment? products’ ability to respond to Many IDPSs cannot function attacks reliably. within large or widely distributed Has the product been enterprise network environments. tested against attack? How Has the Product Been Ask vendors for details about their Tested? Simply asserting that an products’ security testing. If the IDPS has certain capabilities does product includes network-based not demonstrate they are real. You vulnerability assessment, ask should request demonstrations of whether test routines that produce an IDPS to evaluate its suitability system crashes or other denials of for your environment and goals. 
service have been identified and Has the product been flagged in system documentation tested against functional and interfaces. requirements? What User Level of Expertise Is Ask the vendor about any Targeted by the Product? assumptions made for the goals Different IDPS vendors target and constraints of customer users with different levels of environments. technical and security expertise. Ask vendors to describe their Has the product been assumptions about users of their tested for performance products. against anticipated load? Is the Product Designed to Ask vendors for details about their Evolve as the Organization products’ ability to perform critical Grows? An important goal of functions with high reliability under product design is the ability to load conditions similar to those adapt to your needs over time. expected in the production environment. Can the product adapt to growth in user expertise? Ask here whether the IDPS’s maintenance and support over interface can be configured on the time. These needs should be fly to accommodate shortcut keys, identified in a written report. customizable alarm features, and What are the custom signatures. Ask also commitments for product whether these features are installation and documented and supported. configuration support? Can the product adapt to Many vendors provide expert growth and change of the assistance to customers when organization’s systems installing and configuring IDPSs. infrastructure? Other vendors expect your own This question addresses the ability staff to handle such functions, and of the IDPS to scale to an provide only telephone or e-mail expanding and increasingly support. diverse network. Most vendors What are the have experience in adapting their commitments for ongoing products as target networks grow. product support? Ask also about commitments to support new protocol standards Ask about the vendor’s and platform types. commitment to supporting your use of its IDPS product. 
Can the product adapt to growth and change in the Are subscriptions to security threat signature updates environment? included? This question is especially critical Most IDPSs are misuse detectors, given the current Internet threat so their value is only as good as environment, in which 30 to 40 the signature database against ne