ma2.pdf

Full Transcript

denial-of-service attacks, they are
M3.1 | Intrusion Detection and
almost always instigated by
Prevention Systems someone whose purpose is to
harm an organization. Often, the
Key Terms differences among intrusion types
intrusion An adverse event in lie with the attacker—some
which an attacker attempts to gain intruders don’t care which
entry into an information system or organizations they harm and
disrupt its normal operations, prefer to remain anonymous, while
almost always with the intent to do others crave notoriety. While every
harm. intrusion detection and intrusion is an incident, not every
prevention system (IDPS) The incident is an intrusion; examples
general term for a system that can include service outages and
both detect and modify its natural disasters.
configuration and environment to Intrusion prevention consists of
prevent intrusions. An IDPS activities that deter an intrusion.
encompasses the functions of Some important intrusion
both intrusion detection systems prevention activities are writing
and intrusion prevention and implementing good enterprise
technology. intrusion detection information security policy;
system (IDS) A system capable of planning and executing effective
automatically detecting an information security programs;
intrusion into an organization’s installing and testing
networks or host systems and technology-based information
notifying a designated authority. security countermeasures, such
as firewalls and intrusion detection
and prevention systems; and
An intrusion occurs when an conducting and measuring the
attacker attempts to gain entry into effectiveness of employee training
an organization’s information and awareness activities.
systems or disrupt their normal
operations. Even when such Intrusion detection consists of
attacks are self-propagating, as procedures and systems that
with viruses and distributed identify system intrusions.
Intrusion reaction encompasses
the actions an organization takes security service of a “break-in.”
when an intrusion is detected. The configurations that enable
These actions seek to limit the IDSs to provide customized levels
loss from an intrusion and return of detection and response are
operations to a normal state quite complex. A current extension
as rapidly as possible. Intrusion of IDS technology is the
correction activities complete the incorporation of intrusion
restoration of operations to a prevention technology, which can
normal state and seek to identify prevent an intrusion from
the source and method of the successfully attacking the
intrusion to ensure that the same organization by means of an
type of attack cannot occur active response. Because you
again—thus reinitiating intrusion seldom find such technology that
prevention. does not also have detection
capabilities, the term intrusion
Information security intrusion
detection and prevention system
detection systems (IDSs) became
(IDPS) is commonly used.
commercially available in the late
1990s. An IDS works like a burglar According to NIST SP 800-94,
alarm in that it detects a violation Rev. 1, IDPSs use several
and activates an alarm. This alarm response techniques, which can
can be a sound, a light or other be divided into the following
visual signal, or a silent warning, groups:
such as an e-mail message or
An IDPS is capable of
pager alert. With almost all IDSs,
interdicting the attack by
system administrators can choose
itself, without human
the configuration of various alerts
intervention. This could
and the alarm levels associated
be accomplished by:
with each type of alert. Many IDSs
○ Terminating the
enable administrators to configure
user session or
the systems to notify them directly
network
of trouble via e-mail or pagers.
connection over
The systems can also be
which the attack
configured—again like a burglar
is being
alarm—to notify an external
conducted
 ○ Blocking access quarantining a network
to the target packet’s contents.
system or
M3.1.1 | IDPS Terminology
systems from
the source of the
To understand how an IDPS
attack, such as a
works, you must first become
compromised
familiar with some IDPS
user account,
terminology.
inbound IP
address, or Alarm clustering and
other attack compaction: A process
characteristic of grouping almost
○ Blocking all identical alarms that
access to the occur nearly at the same
targeted time into a single
information higher-level alarm. This
asset consolidation reduces the
The IDPS can modify its number of alarms, which
environment by changing reduces administrative
the configuration of other overhead and identifies a
security controls to relationship among
disrupt an attack. This multiple alarms.
could include modifying a Clustering may be based
firewall’s rule set or on combinations of
configuring another frequency, similarity in
network device to shut attack signature, similarity
down the in attack target, or other
communications channel criteria that are defined
to filter the offending by system administrators.
packets. Alarm filtering: The
Some IDPSs are capable process of classifying
of changing an attack’s IDPS alerts so they can
components by replacing be more effectively
malicious content with managed. An IDPS
benign material or by administrator can set up
 alarm filtering by running of attacks. The
the system for a while to confidence value an
track the types of false organization places in the
positives it generates and IDPS is based on
then adjusting the alarm experience and past
classifications. For performance
example, the measurements. The
administrator may set the confidence value, which
IDPS to discard alarms is based on fuzzy logic,
produced by false attack helps an administrator
stimuli or normal network determine the likelihood
operations. Alarm filters that an IDPS alert or
are similar to packet alarm indicates an actual
filters in that they can attack in progress. For
filter items by their source example, if a system
or destination IP deemed 90 percent
addresses, but they can capable of accurately
also filter by operating reporting a
systems, confidence denial-of-service (DoS)
values, alarm type, or attack sends a DoS alert,
alarm severity. there is a high probability
Alert or alarm: An that an actual attack is
indication or notification occurring.
that a system has just Evasion: The process by
been attacked or is under which attackers change
attack. IDPS alerts and the format and/or timing
alarms take the form of of their activities to avoid
audible signals, e-mail being detected by an
messages, pager IDPS.
notifications, or pop-up False attack stimulus:
windows. An event that triggers an
Confidence value: The alarm when no actual
measure of an IDPS’s attack is in progress.
ability to correctly detect Scenarios that test the
and identify certain types configuration of IDPSs
 may use false attack enumeration tools run by
stimuli to determine if the network users without
IDPSs can distinguish harmful intent.
between these stimuli Site policy: The rules
and real attacks. and configuration
False negative: The guidelines governing the
failure of an IDPS to react implementation and
to an actual attack event. operation of IDPSs within
This is the most grievous the organization.
IDPS failure, given that its Site policy awareness:
purpose is to detect and An IDPS’s ability to
respond to attacks. dynamically modify its
False positive: An alert configuration in response
or alarm that occurs in to environmental activity.
the absence of an actual A so-called dynamic
attack. A false positive IDPS can adapt its
can sometimes be reactions in response to
produced when an IDPS administrator guidance
mistakes normal system over time and the local
activity for an attack. environment. A dynamic
False positives tend to IDPS logs events that fit a
make users insensitive to specific profile instead of
alarms and thus reduce minor events, such as file
their reactions to actual modifications or failed
intrusion events. user logins. A smart IDPS
Noise: Alarm events that knows when it does not
are accurate and need to alert the
noteworthy but do not administrator—for
pose significant threats to example, when an attack
information security. is using a known and
Unsuccessful attacks are documented exploit from
the most common source which the system is
of IDPS noise, although protected.
some noise might be True attack stimulus: An
triggered by scanning and event that triggers an
 alarm and causes an discovered, the technology owners
IDPS to react as if a real have zero days to
attack is in progress. The identify, mitigate, and resolve the
event may be an actual vulnerability.
attack, in which an
attacker is attempting a
system compromise, or it There are several compelling
may be a drill, in which reasons to acquire and use an
security personnel are IDPS, beginning with its primary
using hacker tools to test function of intrusion detection.
a network segment. These reasons include
Tuning: The process of documentation, deterrence, and
adjusting an IDPS to other benefits, as described in the
maximize its efficiency in following lessons.
detecting true positives
M3.1.2.1 | Intrusion Detection
while minimizing false
positives and false
The primary purpose of an IDPS is
negatives.
to identify and report an intrusion.
M3.1.2 | Why Use an IDPS? By detecting the early signs of an
intrusion, the organization can
Key Terms quickly contain the attack and
prevent or at least substantially
known vulnerability A published
mitigate loss or damage to
weakness or fault in an
information assets. The
information asset or its protective
notification process is critical; if the
systems that may be exploited and
organization is not notified that an
result in loss.
intrusion is under way, the IDPS
zero day vulnerability An
serves no real purpose. Once
unknown or undisclosed
notified, the organization’s IR team
vulnerability in an information
can activate the IR plan and
asset or its protection systems that
contain the intrusion.
may be exploited and result in
loss. This vulnerability is also IDPSs can also help
referred to as zero day (or zero administrators detect the
hour) because once it is preambles to attacks, which are
known as attack reconnaissance. can delay or undermine an
Most attacks begin with an organization’s ability to secure its
organized and thorough probing of systems from attack and
the organization’s network subsequent loss. For example,
environment and its defenses. even though popular information
This initial probing is called security technologies such as
doorknob rattling and is scanning tools allow security
accomplished through two general administrators to evaluate the
activities. Footprinting refers to readiness of their systems, they
activities that gather information may still fail to detect or correct a
about the organization and its known deficiency or check for
network activities and assets, vulnerabilities too infrequently. In
while fingerprinting refers to addition, even when a vulnerability
activities that scan network locales is detected in a timely manner, it
for active systems and then cannot always be corrected
identify the network services quickly. Also, because such
offered by the host systems. A corrective measures usually
system that can detect the early require that the administrator
warning signs of footprinting and install patches and upgrades, they
fingerprinting functions like a are subject to fluctuations in the
neighborhood watch that spots administrator’s workload.
would-be burglars as they case
Note that vulnerabilities might be
the community. This early
known to vulnerability-tracking
detection enables administrators
groups without being known to the
to prepare for a potential attack or
organization. The number and
to minimize potential losses from
complexity of reported
an attack.
vulnerabilities continue to
IDPSs can also help the increase, so it is extremely difficult
organization protect its assets to stay on top of them. Instead,
when its networks and systems organizations rely on developers
are still exposed to known to identify problems and patch
vulnerabilities or are unable to systems, yet there is inevitably a
respond to a rapidly changing delay between detection and
threat environment. Many factors distribution of a patch or update to
resolve the vulnerability. Similarly, “known” only when they are used
substantial delays are common in an attack. Therefore, it is critical
between the detection of a new for the organization to diligently
virus or worm and the distribution monitor online trade press and
of a signature that allows industry user groups to stay
antimalware applications to detect abreast of such issues.
and contain the threat.
Organizations continue to expand
To further complicate the matter, the number of items on networks
services that are known to be they manage and where those
vulnerable sometimes cannot be items are operated. The Internet of
disabled or otherwise protected Things finds more and different
because they are essential to devices being connected and
ongoing operations. When a used, while cloud service use
system has a known vulnerability results in valuable assets housed
or deficiency, an IDPS can be set in places where defenses are
up to detect attacks or attempts to established with software-defined
exploit existing weaknesses, an perimeters in place of the
important part of the strategy of old-school hardware-enforced
defense in depth. perimeter. These changes in how
networks
While a diligent organization may
are used and what can be found
be well prepared against known
on them make the need for IDPS
vulnerabilities, it’s the unknown
technologies even more
that still causes the organization
pronounced.
concern. Zero day vulnerabilities
(or zero day attacks) are unknown M3.1.2.2 | Data Collection
or undisclosed vulnerabilities that
can’t be predicted or prepared for. In the process of analyzing data
They are called zero day (or zero and network activity, IDPSs can be
hour) because once they are configured to log data for later
discovered, the technology owners analysis. This logging function
have zero days to identify, allows the organization to examine
mitigate, and resolve the what happened after an intrusion
vulnerability. Unfortunately, most occurred and why. As an
of these vulnerabilities become accountability function, logging
may even provide the who if the compromised security measures.
individual responsible for the This process can also provide
intrusion works within the insight for management into
organization. Even when intruders threats the organization faces and
are not internal, some information can help justify current and future
may be expenditures to support and
available, such as where they are improve incident detection
connecting from (IP address) and controls. When asked for funding
how they connected (browser to implement additional security
details). Logging also allows technology, upper management
improvement in incident response; usually requires documentation of
evaluation by specialized log the threat from which the
monitors and assessment of the organization must be protected.
effectiveness of the IDPS itself.
M3.1.2.3 | Attack Deterrence
Even if an IDPS fails to prevent an
intrusion, it can still contribute to Another reason to install an IDPS
the after-attack review by assisting is that it serves as a deterrent by
investigators in determining how increasing the fear of detection
the attack occurred, what the among would-be attackers. If
intruder accomplished, and which internal and external users know
methods the attacker employed. that an organization has an IDPS,
This information can be used to they are less likely to probe the
remedy system or attempt to compromise
deficiencies and to prepare the it, just as criminals are much less
organization’s network likely to break into a house that
environment for future attacks. appears to have a burglar alarm.
The IDPS can also provide
M3.1.2.4 | Other Reasons to
forensic information that may be
useful if the attacker is caught and Deploy an IDPS
then prosecuted or sued.
Data collected by an IDPS can
Examining this information to also help management with quality
understand attack frequencies and assurance and continuous
attributes can help identify improvement; IDPSs consistently
insufficient, inappropriate, or
pick up information about attacks large file transfers, either from a
that have successfully host-based or network-based
compromised the outer layers of IDPS. Similarly, certain protected
information security controls, such files may be specified to flag or
as a firewall. This information can notify administrators if they are
be used to identify and repair accessed, copied, or modified.
flaws in the security and network This is one of the primary
architectures, which helps the functions of a host-based IDPS.
organization expedite its
Another use of the intrusion
incident response and make other
awareness that an IDPS provides,
continuous improvements.
even when alerts are given after
An IDPS can provide a level of the actual intrusion, is part of the
quality control for security policy process known as the kill chain.
implementation. This can be This concept, an adaptation of
accomplished when the IDPS is combat tactics brought to the
used to detect incomplete firewall world of information security by
configuration when inappropriate Lockheed Martin, is that the
network traffic is allowed that success of an attack can be
should have been filtered at the disrupted at several points in the
firewall. This detection could alert sequence. By disrupting the attack
administrators to a poorly at any point up to the final
configured or compromised exfiltration of its proceeds,
firewall. IDPSs may also be used potential losses can be stopped.
to identify security policy Figure 7-1 shows the various
violations. steps in the attack sequence and
the associated opportunities to
Certain IDPSs can monitor
interrupt using the kill chain.
network traffic and systems data in
an effort to flag suspicious data
transfers and detect unusual
activities that could indicate data
theft. If the organization’s
employees have no reason to
copy data files over a certain size,
an IDPS may be able to detect
 switched port analysis (SPAN) port
or mirror port, a specially
configured connection on a
network device that can view all
the traffic that moves through the
device.
network-based IDPS (NIDPS) An
IDPS that resides on a computer
or appliance connected to a
M3.1.3 | Types of IDPSs segment of an organization’s
network and monitors traffic on
Key Terms that segment, looking for
indications of ongoing or
agent See sensor. successful attacks.
application protocol verification passive mode An IDPS sensor
The process of examining and setting in which the device simply
verifying the higher-order monitors and analyzes observed
protocols (HTTP, FTP, and Telnet) network or system traffic.
in network traffic for unexpected protocol stack verification The
packet behavior or improper use. process of examining and verifying
host-based IDPS (HIDPS) An network traffic for invalid data
IDPS that resides on a particular packets—that is, packets that are
computer or server, known as the malformed under the rules of the
host, and monitors activity only on TCP/IP protocol.
that system. Also known as a sensor A hardware and/or
system integrity verifier. software component deployed on
inline sensor An IDPS sensor a remote computer or network
intended for network perimeter segment and designed to monitor
use and deployed in close network or system traffic for
proximity to a perimeter firewall to suspicious activities and report
detect incoming attacks that could back to the host application. For
overwhelm the firewall. example, IDPS sensors report to
mirror port See monitoring port. an IDPS application.
monitoring port Also known as a
switched port analysis (SPAN) defends that application from
port See monitoring port. special forms of attack.

IDPSs generally operate as
network- or host-based systems. A
network-based IDPS is focused on
protecting network information
assets by examining network
communications traffic. Two
specialized subtypes of M3.1.3.1 | Network-Based IDPS
network-based IDPSs are the A network-based IDPS (NIDPS)
wireless IDPS and the network consists of a specialized hardware
behavior analysis (NBA) IDPS. appliance and/or software
The wireless IDPS focuses on designed to monitor network
wireless networks, as the name traffic. The NIDPS may include
indicates, while the NBA IDPS separate management software,
examines traffic flow on a network referred to as a console, and a
in an attempt to recognize number of specialized hardware
abnormal patterns like DDoS, and/or software components
malware, and policy violations. referred to as agents or sensors.
A host-based IDPS protects the These agents can be installed on
server or host’s information other network segments and/or
assets, usually by monitoring the network technologies to remotely
files stored on the system and monitor network traffic at multiple
sometimes by monitoring the locations for a potential intrusion,
actions of connected users; the reporting back to the central
example shown in Figure 7-2 NIDPS application. When the
monitors both network connection NIDPS identifies activity that it is
activity and current information programmed to recognize as an
states on host servers. The attack, it responds by sending
application-based model works on notifications to administrators.
one or more host systems that When examining incoming
support a single application and packets, an NIDPS looks for
patterns within network traffic such moves through the entire device.
as large collections of related In the early 1990s, before
items of a certain type, which switches became standard for
could indicate that a DoS attack is connecting networks in a
under way. An NIDPS also shared-collision domain, hubs
examines the exchange of a were used. Hubs receive traffic
series of related packets in a from one node and retransmit it to
certain pattern, which could all other nodes. This configuration
indicate that a port scan is in allows any device connected to
progress. An NIDPS can detect the hub to monitor all traffic
many more types of attacks than a passing through the hub.
host-based IDPS, but it requires a Unfortunately, it also represents a
much more complex configuration security risk because anyone
and maintenance program. connected to the hub can monitor
all the traffic that moves through
An NIDPS or an NIDPS sensor is
the network segment. Switches,
installed at a specific place in the
on the other hand, create
network, such as inside an edge
dedicated point-to-point links
router, where it is possible to
between their ports. These links
monitor traffic into and out of a
create a higher level of
particular network segment. The
transmission security and privacy
NIDPS can be deployed to monitor
to effectively prevent anyone from
a specific grouping of host
capturing and thus eavesdropping
computers on a specific network
on the traffic passing through the
segment, or it may be installed to
switch. Unfortunately, the ability to
monitor all traffic between the
capture the traffic is necessary for
systems that make up an entire
the use of an IDPS. Thus,
network. When placed next to a
monitoring ports are required.
hub, switch, or other key
These connections enable
networking device, the NIDPS
network administrators to collect
may use that device’s monitoring
traffic from across the network for
port. A monitoring port, also
analysis by the IDPS, as well as
known as a switched port analysis
for occasional use in diagnosing
(SPAN) port or mirror port, is
network faults and measuring
capable of viewing all traffic that
network performance.
Figure 7-3 shows data from the verification and comparison
Snort Network IDPS Engine. In techniques.
this case, the display is a sample
In the process of protocol stack
screen from Snorby, a client that
verification, NIDPSs look for
can manage Snort as well as
invalid data packets—that is,
display generated alerts.
packets that are malformed under
the rules of the TCP/IP protocol. A
data packet is verified when its
configuration matches one that is
defined by the various Internet
protocols. The elements of these
protocols (IP, TCP, UDP, and
application layers such as HTTP)
are combined in a complete set
called the protocol stack when the
software is implemented in an
operating system or application.
Many types of intrusions,
especially DoS and DDoS attacks,
rely on the creation of improperly
formed packets to take advantage
of weaknesses in the protocol
stack in certain operating systems
or applications.
To determine whether an attack
has occurred or is under way, In application protocol verification,
NIDPSs compare measured the higher-order protocols (HTTP,
activity to known signatures in SMTP, and FTP) are examined for
their knowledge base. The unexpected packet behavior or
comparisons are made through a improper use. Sometimes an
special implementation of the attack uses valid protocol packets
TCP/IP stack that reassembles the but in excessive quantities; in the
packets and applies protocol case of the tiny fragment attack,
stack verification, application the packets are also excessively
protocol verification, or other fragmented. While protocol stack
verification looks for violations in disruption to normal
the protocol packet structure, network operations.
application protocol verification NIDPSs are not usually
looks for violations in the protocol susceptible to direct
packet’s use. One example of this attack and may not be
kind of attack is DNS cache detectable by attackers.
poisoning, in which valid packets
The disadvantages of NIDPSs
exploit poorly configured DNS
include the following:
servers to inject false information
and corrupt the servers’ answers An NIDPS can become
to routine DNS queries from other overwhelmed by network
systems on the network. volume and fail to
Unfortunately, this higher-order recognize attacks it might
examination of traffic can have the otherwise have detected.
same effect on an IDPS as it can Some IDPS vendors are
on a firewall—that is, it slows the accommodating the need
throughput of the system. It may for ever faster network
be necessary to have more than performance by
one NIDPS installed, with one of improving the processing
them performing protocol stack of detection algorithms in
verification and one performing dedicated hardware
application protocol verification. circuits. Additional efforts
to optimize rule set
The advantages of NIDPSs
processing may also
include the following:
reduce the overall
Good network design and effectiveness of detecting
placement of NIDPS attacks.
devices can enable an NIDPSs require access to
organization to monitor a all traffic to be monitored.
large network using only The broad use of
a few devices. switched Ethernet
NIDPSs are usually networks has replaced
passive devices and can the ubiquity of
be deployed into existing shared-collision domain
networks with little or no hubs. Because many
 switches have limited or those involving
no monitoring port fragmented packets. In
capability, some networks fact, some NIDPSs are so
are not capable of vulnerable to malformed
providing aggregate data packets that they may
for analysis by an NIDPS. become unstable and
Even when switches do stop functioning.
provide monitoring ports,
M3.1.3.2 | Wireless NIDPS
they may not be able to
mirror all activity with a
A wireless IDPS monitors and
consistent and reliable
analyzes wireless network traffic,
time sequence.
looking for potential problems with
NIDPSs cannot analyze
the wireless protocols (Layers 2
encrypted packets,
and 3 of the OSI model).
making some network
Unfortunately, wireless IDPSs
traffic invisible to the
cannot evaluate and diagnose
process. The increasing
issues with higher-layer protocols
use of encryption that
like TCP and UDP. Wireless IDPS
hides the contents of
capability can be built into a
some or all packets by
device that provides a wireless
some network services
access point (AP).
(such as SSL, SSH, and
VPN) limits the Sensors for wireless networks can
effectiveness of NIDPSs. be located at the access points, on
NIDPSs cannot reliably specialized sensor components, or
ascertain whether an incorporated into selected mobile
attack was successful, stations. Centralized management
which requires ongoing stations collect information from
effort by the network these sensors, much as other
administrator to evaluate network-based IDPSs do, and
logs of suspicious aggregate
network activity. the information into a
Some forms of attack are comprehensive assessment of
not easily discerned by wireless network intrusions. The
NIDPSs, specifically
implementation of wireless IDPSs modeling the wireless
includes the following issues: footprint based on signal
strength. Sensors are
Physical security: Unlike
most effective when their
wired network sensors,
footprints overlap.
which can be physically
Access point and wireless
secured, many wireless
switch locations: Wireless
sensors are located in
components with bundled
public areas like
IDPS capabilities must be
conference rooms,
carefully deployed to
assembly areas, and
optimize the IDPS sensor
hallways to obtain the
detection grid. The
widest possible network
minimum range is just
range. Some of these
that; you must guard
locations may even be
against the possibility of
outdoors; more and more
an attacker connecting to
organizations are
a wireless access point
deploying networks in
from a range far beyond
external locations. Thus,
the minimum.
the physical security of
Wired network
these devices may
connections: Wireless
require additional
network components
configuration and
work independently of the
monitoring.
wired network when
Sensor range: A wireless
sending and receiving
device’s range can be
traffic between stations
affected by atmospheric
and access points.
conditions, building
However, a network
construction, and the
connection eventually
quality of the wireless
integrates wireless traffic
network card and access
with the organization’s
point. Some IDPS tools
wired network. In places
allow an organization to
where no wired network
identify the optimal
connection is available, it
location for sensors by
 may be impossible to The use of wireless
deploy a sensor. network scanners
Cost: The more sensors DoS attacks and
you deploy, the more conditions
expensive the Impersonation and
configuration. Wireless man-in-the-middle attacks
components typically cost
Wireless IDPSs are generally
more than their wired
more accurate than other types of
counterparts, so the total
IDPSs, mainly because of the
cost of ownership of
reduced set of protocols and
IDPSs for both wired and
packets they have to examine.
wireless varieties should
However, they are unable to
be carefully considered.
detect certain passive wireless
AP and wireless switch
protocol attacks, in which the
locations: The locations
attacker monitors network traffic
of APs and wireless
without active scanning and
switches are important for
probing. They are also susceptible
organizations buying
to evasion techniques. By simply
bundled solutions (APs
looking at wireless devices, which
with preinstalled IDPS
are often visible in public areas,
applications).
attackers can design customized
In addition to the traditional types evasion methods to exploit the
of intrusions detected by other system’s channel scanning
IDPSs, the wireless IDPS can also scheme. Wireless IDPSs can
detect existing WLANs and WLAN protect their associated WLANs,
devices for inventory purposes as but they may be susceptible to
well as detect the following types logical and physical attacks on the
of events: wireless access point or the IDPS
devices themselves.
Unauthorized WLANs
and WLAN devices Network Behavior Analysis
Poorly secured WLAN System NBA systems identify
devices problems related to the flow of
Unusual usage patterns network traffic. They use a version
of the anomaly detection method
described later in this section to between networks, and key
identify excessive packet flows network segments, such as
that might occur in the case of demilitarized zone (DMZ) subnets.
equipment malfunction, DoS Inline sensors are typically
attacks, virus and worm attacks, intended for network perimeter
and some forms of network policy use, so they would be deployed in
violations. NBA IDPSs typically close proximity to the perimeter
monitor internal networks but firewalls, often between the
occasionally monitor connections firewall and the Internet border
between internal and external router to limit incoming attacks
networks. Intrusion detection and that could overwhelm the firewall.
prevention typically includes the
NBA sensors can most commonly
following relevant flow data:
detect:
Source and destination IP
DoS attacks (including
addresses
DDoS attacks)
Source and destination
Scanning
TCP or UDP ports or
Worms
ICMP types and codes
Unexpected application
Number of packets and
services, such as
bytes transmitted in the
tunneled protocols, back
session
doors, and use of
Starting and ending
forbidden application
timestamps for the
protocols
session
Policy violations
Most NBA sensors can be
NBA sensors offer the following
deployed in passive mode only,
intrusion prevention capabilities,
using the same connection
which are grouped by sensor type:
methods (e.g., network tap, switch
spanning port) as network-based Passive only: Ending the
IDPSs. Passive sensors that are current TCP session. A
performing direct network passive NBA sensor can
monitoring should be placed so attempt to end an existing
that they can monitor key network TCP session by sending
locations, such as the divisions
 TCP reset packets to administrator-sp
both endpoints. ecified script or
Inline only: Performing program when
inline firewalling. Most certain malicious
inline NBA sensors offer activity is
firewall capabilities that detected.
can be used to drop or
M3.1.3.3 | Host-Based IDPS
reject suspicious network
activity.
While a network-based IDPS
Both passive and inline:
resides on a network segment and
○ Reconfiguring
monitors activities across that
other network
segment, a host-based IDPS
security devices.
(HIDPS) or an HIDPS sensor
Many NBA
resides on a particular computer
sensors can
or server, known as the host, and
instruct network
monitors activity only on that
security devices
system. HIDPSs are also known
such as firewalls
as system integrity verifiers
and routers to
because they benchmark and
reconfigure
monitor the status of key system
themselves to
files and detect when an intruder
block certain
creates, modifies, or
types of activity
deletes monitored files. An HIDPS
or route it
has an advantage over an NIDPS
elsewhere, such
in that it can access encrypted
as to a
information traveling over the
quarantined
network and use it to make
virtual local area
decisions about potential or actual
network (VLAN).
attacks. Also, because the HIDPS
○ Running a
works on only one computer
third-party
system, all the traffic it examines
program or
traverses that system. The packet
script. Some
delivery mode, whether switched
NBA sensors
can run an
or in a shared-collision domain, is action can be quickly reviewed by
not a factor. an administrator, who may choose
to disregard subsequent changes
An HIDPS is also capable of
to the same set of files. If properly
monitoring system configuration
configured, an HIDPS can also
databases, such as Windows
detect when users attempt to
registries, in addition to stored
modify or exceed their access
configuration files like.ini,.cfg,
authorization level.
and.dat files. Most HIDPSs work
on the principle of configuration or An HIDPS classifies files into
change management, which various categories and then sends
means that they record the sizes, notifications when changes occur.
locations, and other attributes of Most HIDPSs provide only a few
system files. The HIDPS triggers general levels of alert notification.
an alert when file attributes For example, an administrator can
change, new files are created, or configure an HIDPS to report
existing files are deleted. An changes in a system folder, such
HIDPS can also monitor systems as C:\Windows, and configure
logs for predefined events. The changes to a security-related
HIDPS examines these files and application, such as C:\TripWire.
logs to determine if an attack is The configuration rules may
under way or has occurred; it also classify changes to a specific
examines whether the attack is application folder (for example,
succeeding or was successful. C:\Program Files\Microsoft Office)
The HIDPS maintains its own log as normal and hence
file so that an audit trail is unreportable. Administrators can
available even when hackers configure the system to log all
modify files on the target system activity but to send them a page or
to cover their tracks. Once e-mail only if a reportable security
properly configured, an HIDPS is event occurs. Because frequent
very reliable. The only time an modifications occur to data files
HIDPS produces a false positive and to internal application files
alert is when an authorized such as dictionaries and
change occurs for a monitored file. configuration files, a poorly
This
configured HIDPS can generate a kernel, and application software.
large volume of false alarms. Critically important data should
also be included in the red
Managed HIDPSs can monitor
category. Support components,
multiple computers simultaneously
such as device drivers and other
by creating a configuration file on
relatively important files, are
each monitored host and by
generally coded yellow. User data
making each HIDPS report back to
is usually coded green, not
a master console system, which is
because it is unimportant, but
usually located on the system
because monitoring changes to
administrator’s computer. This
user data is practically difficult and
master console monitors the
strategically less urgent. User data
information provided by the
files are frequently modified, but
managed hosts and notifies the
systems kernel files, for example,
administrator when it senses
should only be modified during
recognizable attack conditions.
upgrades or installations. If the
Figure 7-4 shows a sample screen
preceding three-tier system is too
from Tripwire, a popular HIDPS.
simplistic, an organization can use
a scale of 0–100, as long as the
scale doesn’t become excessively
granular. For example, an
organization could easily create
confusion for itself by classifying
level 67 and 68 intrusions.
Sometimes simpler is better.
The advantages of HIDPSs
include:
An HIDPS or one of its
One of the most common methods sensors can detect local
of categorizing folders and files is events on host systems
by color coding. Critical systems and detect attacks that
components are coded red and may elude a
usually include the system registry, network-based IDPS.
any folders containing the OS
 An HIDPS functions on host operating system.
the host system, where Either attack can result in
encrypted traffic will have the compromise or loss of
been decrypted and is HIDPS functionality.
available for processing. An HIDPS is not
The use of switched optimized to detect
network protocols does multi-host scanning, nor
not affect an HIDPS. is it able to detect
An HIDPS can detect scanning from network
inconsistencies in how devices that are not
applications and systems hosts, such as routers or
programs were used by switches. Unless complex
examining the records correlation analysis is
stored in audit logs. This provided, the HIDPS will
can enable the HIDPS to not be aware of attacks
detect some types of that span multiple devices
attacks, including Trojan in the network.
horse programs. An HIDPS is susceptible
to some DoS attacks.
The disadvantages of HIDPSs
An HIDPS can use large
include:
amounts of disk space to
HIDPSs pose more retain the host OS audit
management issues logs; for the HIDPS to
because they are function properly, it may
configured and managed be necessary to add disk
on each monitored host. capacity to the system.
An HIDPS requires more An HIDPS can inflict a
management effort to performance overhead on
install, configure, and its host systems, and in
operate than a some cases may reduce
comparably sized NIDPS system performance
solution. below acceptable levels.
An HIDPS is vulnerable
M3.1.4 | IDPS Detection Methods
both to direct attacks and
to attacks against the
Key Terms
anomaly-based detection Also IDPSs use a variety of detection
known as behavior-based methods to monitor and evaluate
detection, an IDPS detection network traffic. Three methods
method that compares current dominate: signature-based
data and traffic patterns to an detection, anomaly-based
established baseline of normalcy. detection, and stateful protocol
behavior-based detection See analysis.
anomaly-based detection.
M3.1.4.1 | Signature-Based
clipping level A predefined
Detection
assessment level that triggers a
predetermined response when An IDPS that uses
surpassed. Typically, the response signature-based detection
is to write the event to a log file (sometimes called
and/or notify an administrator. knowledge-based detection or
knowledge-based detection See misuse detection) examines
signature-based detection. network traffic in search of
misuse detection See patterns that match known
signature-based detection. signatures—that is, preconfigured,
signature-based detection Also predetermined attack patterns.
known as knowledge-based Signature-based technology is
detection or misuse detection, the widely used because many
examination of system or network attacks have clear and distinct
data in search of patterns that signatures:
match known attack signatures.
signatures Patterns that Footprinting and
correspond to a known attack. fingerprinting activities
stateful protocol analysis (SPA) use ICMP, DNS querying,
The comparison of and e-mail routing
vendor-supplied profiles of analysis.
protocol use and behavior against Exploits use a specific
observed data and network attack sequence
patterns in an effort to detect designed to take
misuse and attacks. advantage of a
 vulnerability to gain Similarly, using signature-based
access to a system. detection to compare observed
DoS and DDoS attacks, events with known patterns is
during which the attacker relatively simplistic; the
tries to prevent the technologies that deploy it typically
normal usage of a cannot analyze some application
system, overload the or network protocols, nor can they
system with requests so understand complex
that its ability to process communications.
them efficiently is
M3.1.4.2 | Anomaly-Based
compromised or
disrupted. Detection

A potential problem with the Anomaly-based detection (or
signature-based approach is that behavior-based detection) collects
new attack patterns must statistical summaries by observing
continually be added to the IDPS’s traffic that is known to be normal.
database of signatures; otherwise, This normal period of evaluation
attacks that use new strategies will establishes a performance
not be recognized and might baseline over a period of time
succeed. Another weakness of the known as the training period.
signature-based Once the baseline is established,
method is that a slow, methodical the IDPS periodically samples
attack involving multiple events network activity and uses
might escape detection. The only statistical methods to compare the
way signature-based detection sampled activity to the baseline.
can resolve this vulnerability is to When the measured activity is
collect and analyze data over outside the baseline
longer periods of time, a process parameters—exceeding the
that requires substantially greater clipping level—the IDPS sends an
data storage capability and alert to the administrator. The
additional processing capacity. baseline data can include
However, detection in real time variables such as host memory or
becomes extremely unlikely. CPU usage, network packet types,
and packet quantities.
The profiles compiled by an of low activity interspersed with
anomaly-based detection IDPS periods of heavy packet traffic, this
are generally either static or type of IDPS may not be suitable
dynamic. Static profiles do not because the dramatic swings will
change until modified or almost certainly generate false
recalibrated by an administrator. alarms. Because of the complexity
Dynamic profiles periodically of anomaly-based detection, its
collect additional observations on impact on the overhead computing
data and traffic patterns and then load of the host computer, and the
use that information to update number of false positives it can
their baselines. This can prove to generate, this type of IDPS is less
be a vulnerability if the attacker commonly used than the
uses a very slow attack, because signature-based type.
the system using the dynamic
M3.1.4.3 | Stateful Protocol
detection method interprets attack
activity as normal traffic and Analysis
updates its profile accordingly.
Stateful inspection firewalls track
The advantage of anomaly-based each network connection between
detection is that the IDPS can internal and external systems
detect new types of attacks using a state table to record which
because it looks for abnormal station sent which packet and
activity of any type. Unfortunately, when. An IDPS extension of this
these systems require much more concept is stateful protocol
overhead and processing capacity analysis (SPA). SPA uses the
than signature-based IDPSs opposite of a signature approach.
because they must constantly Instead of comparing known
compare patterns of activity attack patterns against observed
against the baseline. Another traffic or data, the system
drawback is that these systems compares known normal or benign
may not detect minor changes to protocol profiles against observed
system variables and may traffic. These profiles are
generate many false positives. If developed and provided by the
the actions of network users or protocol vendors. Essentially, the
systems vary widely, with periods IDPS knows how a protocol such
as FTP is supposed to work, and protocols are not published in
therefore can detect anomalous sufficient detail to enable an IDPS
behavior. By storing relevant data to provide accurate and
detected in a session and then comprehensive assessments.
using it to identify intrusions that
Unfortunately, the analytical
involve multiple requests and
complexity of session-based
responses, the IDPS can better
assessments is the principal
detect specialized, multisession
drawback to this type of IDPS
attacks. This process is
method. It also requires heavy
sometimes called deep packet
processing overhead to track
inspection because SPA closely
multiple simultaneous
examines packets at the
connections. Additionally, unless a
application layer for information
protocol violates its fundamental
that indicates a possible intrusion.
behavior, this IDPS method may
SPA can examine authentication completely fail to detect an
sessions for suspicious activity as intrusion. One final concern is that
well as for attacks that incorporate the IDPS may actually interfere
unusual commands, such as with the normal operations of the
commands that are out of protocol it is examining.
sequence or submitted repeatedly.
M3.1.4.4 | Log File Monitors
SPA can also detect intentionally
malformed commands or
Key Terms
commands that are outside the
expected length parameters. log file monitor (LFM) An attack
detection method that reviews the
The models used for SPA are
log files generated by computer
similar to signatures in that they
systems, looking for patterns and
are provided by vendors. These
signatures that may indicate an
models are based on industry
attack or intrusion is in process or
protocol standards established by
has already occurred.
such entities as the Internet
security information and event
Engineering Task Force, but they
management (SIEM) A
vary along with the protocol
software-enabled approach to
implementations in such
aggregating, filtering, and
documents. Also, proprietary
managing the reaction to events, the use of a security information
many of which are collected by and event management (SIEM)
logging activities of IDPSs and software-enabled system. Coined
network management devices. in 2005 by Mark Nicolett and Amrit
Williams of The Gartner Group,
SIEM is a combination of software
A log file monitor (LFM) IDPS is and procedures implemented
similar to an NIDPS. Using an across an organization that
LFM, the system reviews the log collects, analyzes, reports, and
files generated by servers, sometimes can react to events
network devices, and even other determined by patterns of events
IDPSs, looking for patterns and found in the aggregated data.
signatures that may indicate an Data sources for SIEM systems
attack or intrusion is in process or can include IDPS products,
has already occurred. This attack identity and access management
detection is enhanced by the fact systems,
that the LFM can look at multiple network communication devices,
log files from different systems. and specific host systems. SIEM
The patterns that signify an attack systems often are tasked to
can be subtle and difficult to provide alerts and intelligence to
distinguish when one system is manage the reaction to many
examined in isolation, but they forms of adverse events that might
may be more identifiable when the affect the organization. SIEM
events recorded for the entire implementation may be a
network and each of its requirement for some compliance
component systems can be programs that organizations must
viewed as a whole. Of course, this follow. SIEM systems are often
holistic approach requires used to manage the incident
considerable resources because it reaction process once incident
involves the collection, movement, response protocols are invoked.
storage, and analysis of very large
M3.1.5 | IDPS Response Behavior
quantities of log data.
Log file monitoring is often Each IDPS responds to external
implemented in organizations with stimulation in a different way,
depending on its configuration and An analogy to this approach is a
function. Some respond in active car thief who spots a desirable
ways, collecting additional target early in the morning, strikes
information about the intrusion, the car with a rolled-up newspaper
modifying the network to trigger the alarm, and then
environment, or even taking action ducks into the bushes. The car
against the intrusion. Others owner wakes up, checks the car,
respond in passive ways—for determines there is no danger,
example, by setting off alarms or resets the alarm, and goes back to
notifications or collecting passive bed. The thief repeats the
data through SNMP traps. triggering action every half-hour or
so until the owner disables the
M3.1.5.1 | IDPS Response
alarm, leaving the thief free to
Options steal the car without worrying
about the alarm.
When an IDPS detects a possible
intrusion, it has several response IDPS responses can be classified
options, depending on the as active or passive. An active
organization’s policy, objectives, response is a definitive action that
and system capabilities. When is automatically initiated when
configuring an IDPS’s responses, certain types of alerts are
the system administrator must triggered. These responses can
ensure that a response to an include collecting additional
attack or potential attack does not information, changing or modifying
inadvertently exacerbate the the environment, and taking
situation. For example, if an action against the intruders.
NIDPS reacts to suspected DoS Passive-response IDPSs simply
attacks by severing the network report the information they have
connection, collected and wait for the
the attack is a success. Similar administrator to act. Generally, the
attacks repeated at intervals will administrator chooses a course of
thoroughly disrupt an action after analyzing the collected
organization’s business data. A passive IDPS is the more
operations. common implementation, although
most systems include some active
options that are disabled by which allow a device to
default. send a message to the
SNMP management
The following list describes some
console indicating that a
of the responses an IDPS can be
certain threshold has
configured to produce. Note that
been crossed, either
some of these responses apply
positively or negatively.
only to a network-based or
The IDPS can execute
host-based IDPS, while others are
this trap to inform the
applicable to both.
SNMP console an event
Audible/visual alarm: The has occurred. Some
IDPS can trigger a sound advantages of this
file, beep, whistle, siren, operation include the
or other audible or visual relatively standard
notification to alert the implementation of SNMP
administrator of an attack. in networking devices; the
The most common type ability to configure the
of notification is the network system to use
computer pop-up, which SNMP traps in this
can be configured with manner; the ability to use
color indicators and systems specifically to
specific messages. The handle SNMP traffic,
pop-up can also contain including IDPS traps; and
specifics about the the ability to use standard
suspected attack, the communications
tools used in the attack, networks.
the system’s level of E-mail message: The
confidence in its own IDPS can send e-mail to
determination, and the notify network
addresses and locations administrators of an
of the systems involved. event. Many
SNMP traps and plug-ins: administrators use
The Simple Network smartphones and other
Management Protocol e-mail devices to check
contains trap functions, for alerts and other
 notifications frequently. This method allows the
Organizations should use organization to perform
caution in relying on further analysis on the
e-mail systems as the data and to submit the
primary means of data as evidence in a civil
communication from an or criminal case. Once
IDPS because attacks or the data has been written
even routine performance using a cryptographic
issues can disrupt, delay, hashing algorithm, it
or block such messages. becomes evidentiary
Phone, pager, or SMS documentation—that is,
message: The IDPS can suitable for criminal or
be configured to dial a civil court use. However,
phone number and send this packet logging can
a preconfigured pager or be resource-intensive,
SMS text message. especially in DoS attacks.
Log entry: The IDPS can Take action against the
enter information about intruder: Although it is not
the event into an IDPS advisable, organizations
system log file or can take action against
operating system log file. an intruder using
This information includes trap-and-trace,
addresses, times, back-hacking, or
involved systems, and trace-back methods.
protocol information. The Such responses involve
log files can be stored on configuring intrusion
separate servers to detection systems to
prevent skilled attackers trace the data from the
from deleting entries target system back to the
about their intrusions. attacking system to
Evidentiary packet dump: initiate a counterattack.
Organizations that require While this response may
an audit trail of IDPS data sound tempting, it may
may choose to record all not be legal. An
log data in a special way. organization only owns a
 network to its perimeter, Reconfigure firewall: An
so conducting traces or IDPS can send a
back-hacking to systems command to the firewall
beyond that point may to filter out suspected
make the organization packets by IP address,
just as criminally liable as port, or protocol.
the original attackers. (Unfortunately, it is still
Also, the “attacking possible for a skilled
system” is sometimes a attacker to break into a
compromised network simply by
intermediary system; in spoofing a different
other cases, attackers address, shifting to a
use address spoofing. In different port, or changing
either situation, a the protocols used in the
counterattack would attack.) While it may not
actually harm an innocent be easy, an IDPS can
third party. Any block or deter intrusions
organization that plans to via one of the following
configure retaliation methods:
efforts into an automated ○ Establishing a
IDPS is strongly block for all
encouraged to seek legal traffic from the
counsel. suspected
Launch program: An attacker’s IP
IDPS can be configured address or even
to execute a specific from the entire
program when it detects source network
specific types of attacks. the attacker
Several vendors have appears to be
specialized tracking, using. This
tracing, and response blocking can be
software that can be part set for a specific
of an organization’s period of time
intrusion response and reset to
strategy. normal rules
 after that period Some attacks
has expired. would be
○ Establishing a deterred or
block for specific blocked by
TCP or UDP port session
traffic from the termination, but
suspected others would
attacker’s simply continue
address or when the
source network. attacker issues a
Only services new session
that seem to be request.
under attack are ○ Terminating the
blocked. connection: The
○ Blocking all last resort for an
traffic to or from IDPS under
the attack is to
organization’s terminate the
Internet organization’s
connection or internal or
other network external
interface if the connections.
severity of the Smart switches
suspected attack can cut traffic to
warrants such a or from a
response. specific port if
○ Terminating the the connection is
session: linked to a
Terminating the system that is
session by using malfunctioning
the TCP/IP or otherwise
protocol interfering with
specified packet efficient network
TCP close is a operations. As
simple process. indicated earlier,
 this response response function of an IDPS
should be the breaks this silence by
last attempt to broadcasting alarms and alerts in
protect plaintext over the monitored
information, as network, attackers can detect the
termination may IDPS and directly target it in the
actually be the attack. Encrypted tunnels or other
goal of the cryptographic measures that hide
attacker. and authenticate communications
are excellent ways to ensure the
M3.1.5.2 | Reporting and Archiving
reliability of the IDPS.
Capabilities
M3.1.6 | Selecting IDPS
Many, if not all, commercial IDPSs Approaches and Products
can generate routine reports and
other detailed documents, such as The wide array of available
reports of system events and intrusion detection products
intrusions detected over a addresses a broad range of
particular reporting period. Some security goals and considerations;
systems provide statistics or logs selecting products that represent
in formats that are suitable for the best fit for a particular
inclusion in database systems or organization is challenging. The
for use in report generating following considerations and
packages. questions can help you prepare a
specification for acquiring and
M3.1.5.3 | Failsafe Considerations
deploying an intrusion detection
for IDPS Responses product.

Failsafe features protect an IDPS M3.1.6.1 | Technical and Policy
from being circumvented or Considerations
defeated by an attacker. Several
functions require failsafe To determine which IDPS best
measures; for instance, IDPSs meets an organization’s needs,
need to provide silent, reliable first consider its environment in
monitoring of attackers. If the
technical, physical, and political network management system,
terms. specify it here.
What Is Your Systems What are the technical
Environment? The first specifications of your
requirement for a potential IDPS is current security
that it function in your systems protections?
environment. This is important; if
Describe the security protections
an IDPS is not designed to
you already have in place. Specify
accommodate the information
numbers, types, and locations of
sources on your systems, it will
network firewalls, identification
not be able to see anything—
and authentication servers, data
neither normal activity nor an
and link encryptors, antivirus
attack—on those systems.
packages, access control
What are the technical products, specialized security
specifications of your hardware (such as crypto
systems environment? accelerators for Web servers),
virtual private networks, and any
First, specify the technical
other security mechanisms on
attributes of your systems
your systems.
environment, including network
diagrams and maps that specify What are the goals of
the number and locations of hosts; your enterprise?
operating systems for each host;
Some IDPSs are designed to
the number and types of network
accommodate the special needs
devices, such as routers, bridges,
of certain industries or market
and switches; the number and
niches, such as electronic
types of terminal servers and
commerce, health care, or
dial-up connections; and
financial services. Define the
descriptions of any network
functional goals of your enterprise
servers, including their types,
that are supported by your
configurations, and the application
systems. Several goals can be
software and versions running on
associated with a single
each. If you run an enterprise
organization.
 How formal is the system categorizing your organization’s
environment and threat concerns. Identify its
management culture in concerns regarding external
your organization? threats.
Organizational styles vary Is your organization
depending on their function and concerned about insider
traditional culture. For instance, attacks?
the military and other
Address concerns about threats
organizations that deal with
that originate within your
national security tend to operate
organization. For example, a
with a high degree of formality,
shipping clerk might attempt to
especially when contrasted with
access and alter the payroll
universities or other academic
system, or an authorized user
environments. Some IDPSs
might exceed his privileges and
support enforcement of formal use
violate your organization’s security
policies, with built-in configuration
policy or laws. As another
options that can enforce common
example, a customer service
issue-specific or system-specific
agent might be driven by curiosity
security policies, as well as
to access earnings and payroll
provide a library of reports for
records for company executives.
typical policy violations or routine
matters. Does your organization
want to use the output of
What Are Your Security Goals
your IDPS to determine
and Objectives? The next step is
new needs?
to articulate the goals and
objectives you want to attain by System usage monitoring is
using an IDPS. sometimes a generic system
management tool used to
Is your organization
determine when system assets
primarily concerned with
require upgrading or replacement.
protecting itself from
outside threats? Does your organization
want to use an IDPS to
Perhaps the easiest way to
maintain managerial
identify security goals is by
 control over network What are the general job
usage rather than descriptions of your
security controls? system users?
Some organizations implement List the general job functions of
system use policies that may be system users as well as the data
classified as personnel and network access that each
management rather than system function requires. Several
security. For example, they might functions are often applied to a
prohibit access to pornographic single user.
Web sites or other sites, or prohibit
Does the policy include
the use of organizational systems
reasonable use policies
to send harassing e-mail or other
or other management
messages. Some IDPSs provide
provisions?
features that detect such violations
of management controls. As mentioned above, the security
policies of many organizations
What Is Your Existing Security
include system use policies.
Policy? You should review your
existing organization security Has your organization
policy because it is the template defined processes for
against which your IDPS will be dealing with specific
configured. You may find that you policy violations?
need to augment the policy or
It is helpful to know what the
derive the following items from it.
organization plans to do when the
How is it structured? IDPS detects that a policy has
been violated. If the organization
It is helpful to articulate the goals
doesn’t intend to react to such
outlined in the security policy.
violations, it may not make sense
These goals include standard
to configure the IDPS to detect
security goals, such as integrity,
them. On the other hand, if the
confidentiality, and availability, as
organization wants to respond to
well as more generic management
such violations, the IDPS’s staff
goals, such as privacy, protection
should be informed so it can deal
from liability, and manageability.
with alarms in an appropriate Are any other
manner. security-specific
requirements levied by
M3.1.6.2 | Organizational
law? Are there legal
Requirements and Constraints requirements for
protection of personal
Your organization’s operational information stored on
goals, constraints, and culture will your systems? Such
affect the selection of the IDPS information can include
and other security tools and earnings or medical
technologies to protect your records. Are there legal
systems. Consider the following requirements for
requirements and limitations. investigating security
What Requirements Are Levied violations that divulge or
from Outside the Organization? endanger personal
information?
Is your organization Are there internal audit
subject to oversight or requirements for security
review by another best practices or due
organization? diligence?
If so, does that oversight
authority require IDPSs or Do any of these audit
other specific system requirements specify functions
security resources? that the IDPSs must provide or
Are there requirements support?
for public access to Is the system subject to
information on your accreditation?
organization’s systems?
Do regulations or statutes If so, what is the accreditation
require that information to authority’s requirement for IDPSs
be accessible by the or other security protection?
public during certain Are there requirements
hours of the day or during for law enforcement
certain intervals? investigation and
 resolution of security Is there sufficient staff to
incidents? monitor an intrusion
detection system full
Do they require any IDPS
time?
functions, especially those that
involve collection and protection of Some IDPSs require
IDPS logs as evidence? around-the-clock attendance by
systems personnel. If your
What Are Your Organization’s
organization cannot meet this
Resource Constraints? IDPSs
requirement, you may want to
can protect the systems of an
explore systems that
organization, but at a price. It
accommodate part-time
makes little sense to incur
attendance or unattended use.
additional expenses for IDPS
features if your organization does Does your organization
not have sufficient systems or have authority to instigate
personnel to handle the alerts they changes based on the
will generate. findings of an intrusion
detection system?
What is the budget for
acquisition and life cycle You and your organization must be
support of intrusion clear about how to address
detection hardware, problems uncovered by an IDPS.
software, and If you are not empowered to
infrastructure? handle incidents that arise as a
result of monitoring, you should
Remember that the IDPS software
coordinate your selection and
is not the only element of the total
configuration of the IDPS with the
cost of ownership; you may also
person who is empowered.
have to acquire a system for
running the software, obtain
specialized assistance to install
M3.1.6.3 | IDPS Product Features
and configure the system, and
train your personnel. Ongoing and Quality
operations may also require
additional staff or outside
contractors.
It’s important to evaluate any IDPS Has the product been
product by carefully considering tested to reliably detect
the following questions: attacks?
Is the Product Sufficiently Ask vendors for details about their
Scalable for Your Environment? products’ ability to respond to
Many IDPSs cannot function attacks reliably.
within large or widely distributed
Has the product been
enterprise network environments.
tested against attack?
How Has the Product Been
Ask vendors for details about their
Tested? Simply asserting that an
products’ security testing. If the
IDPS has certain capabilities does
product includes network-based
not demonstrate they are real. You
vulnerability assessment, ask
should request demonstrations of
whether test routines that produce
an IDPS to evaluate its suitability
system crashes or other denials of
for your environment and goals.
service have been identified and
Has the product been flagged in system documentation
tested against functional and interfaces.
requirements?
What User Level of Expertise Is
Ask the vendor about any Targeted by the Product?
assumptions made for the goals Different IDPS vendors target
and constraints of customer users with different levels of
environments. technical and security expertise.
Ask vendors to describe their
Has the product been
assumptions about users of their
tested for performance
products.
against anticipated load?
Is the Product Designed to
Ask vendors for details about their
Evolve as the Organization
products’ ability to perform critical
Grows? An important goal of
functions with high reliability under
product design is the ability to
load conditions similar to those
adapt to your needs over time.
expected in the production
environment. Can the product adapt to
growth in user expertise?
Ask here whether the IDPS’s maintenance and support over
interface can be configured on the time. These needs should be
fly to accommodate shortcut keys, identified in a written report.
customizable alarm features, and
What are the
custom signatures. Ask also
commitments for product
whether these features are
installation and
documented and supported.
configuration support?
Can the product adapt to
Many vendors provide expert
growth and change of the
assistance to customers when
organization’s systems
installing and configuring IDPSs.
infrastructure?
Other vendors expect your own
This question addresses the ability staff to handle such functions, and
of the IDPS to scale to an provide only telephone or e-mail
expanding and increasingly support.
diverse network. Most vendors
What are the
have experience in adapting their
commitments for ongoing
products as target networks grow.
product support?
Ask also about commitments to
support new protocol standards Ask about the vendor’s
and platform types. commitment to supporting your
use of its IDPS product.
Can the product adapt to
growth and change in the Are subscriptions to
security threat signature updates
environment? included?

This question is especially critical Most IDPSs are misuse detectors,
given the current Internet threat so their value is only as good as
environment, in which 30 to 40 the signature database against
ne