8. IDS & IPS Tuple Deployment
Prior to this section, the paper has discussed the fundamentals of deploying an IDS
or IPS. Now we move on to put these tools together, constructing a layered approach
to network monitoring. Connecting these devices appropriately is covered first; we
then move into the main point of this document. From a security perspective this is
by far the ideal deployment, so let's get started.
Setting the stage for connecting both an IDS and an IPS, a router is introduced
between the two sensors as shown in Figure 5. To follow the example, consider the
router as defining a trust zone boundary or a network border separating a local area
network (LAN) from a wide area network (WAN). Figure 5 then shows the IPS on the
external side of the router, with a management link (dashed line) crossing over into
the internal network for administration purposes. The IDS is connected in an inline
fashion but, as previously mentioned, the IDS does not have to be inline and can be
connected out-of-band, which is illustrated below in Figure 6. The IDS is
strategically placed on the internal side of the router. As before, both figures show
red lines depicting connections used to gather data for analysis and/or filtering.
Nicholas Pappas
20
@ 2021 SANS Institute
Author Retains Full Rights
© SANS Institute 2008, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
Figure 5: IPS & IDS connected inline.
With the exception of the management interface, connected to make remote
administration of the sensors more convenient, the two network interface cards (NICs)
internal to the IPS and IDS (i.e., those connecting the IDS and IPS to the red links) do
not require IP addresses to be assigned to them. In fact, not having an IP address
assigned to these sensor NICs makes those interfaces invisible to other systems on
the network. Conversely, the same reasoning explains why the management
interface must have an IP address assigned. The interfaces responsible for collecting
data to be analyzed then merely listen on the wire and pick up the electrical impulses
representing the data being transmitted.
Figure 6: IPS connected inline, IDS connected to spanning port.
Packets are only concerned with transporting data from source to destination.
Therefore, having two invisible NICs configured as a bridge leaves the data
untouched as packets travel from the first NIC to the second and carry on their merry
way. When unwanted traffic passes over the invisible IPS bridge, the convivial
journey is abruptly interrupted, much like an insect innocently flying about before
being smashed against the windshield of a car traveling at high speed. For packets
the IPS is programmed to drop, the invisible bridge resembles a thick sheet of glass
that cannot be seen. The sender of the dropped packet receives no response, and the
internal network never processes the dropped packet. Such a scenario excites
security professionals charged with defending a network from attack.
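The two points made above, that the sniffing NICs carry no IP address while the management NIC must, and that the IPS bridge drops a packet silently so the sender gets no response, can be seen in one place on a Linux sensor host. The script below is an added example, not code from the paper: the interface names (eth0, eth1, eth2), the bridge name, the management address and the telnet (TCP/23) match are all assumptions, and the nftables bridge-family rule is a stand-in for the IPS engine's own drop verdict. It prints the commands by default and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the paper): a transparent inline sensor bridge on a
# Linux host. Interface names, bridge name, management address and the TCP/23
# match are constructed placeholders; an nftables rule stands in for the IPS
# engine's drop decision. Commands are printed unless APPLY=1 (run as root).
APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# The two sniffing NICs are joined into a bridge that never receives an IP
# address, so they are invisible at layer 3. Only the management NIC gets an
# address, which is exactly why it (and only it) can be reached remotely.
inline_bridge() {
    br="$1"; in_nic="$2"; out_nic="$3"; mgmt_nic="$4"; mgmt_addr="$5"
    run ip link add name "$br" type bridge
    run ip link set dev "$in_nic" master "$br"
    run ip link set dev "$out_nic" master "$br"
    # promiscuous mode: the bridge ports pick up every frame on the wire
    run ip link set dev "$in_nic" promisc on up
    run ip link set dev "$out_nic" promisc on up
    # note: no "ip addr add" for the bridge or its ports
    run ip link set dev "$br" up
    run ip addr add "$mgmt_addr" dev "$mgmt_nic"
    run ip link set dev "$mgmt_nic" up
}

# The drop decision in the netfilter bridge family: "drop" discards the frame
# silently (no RST or ICMP back to the sender, nothing reaches the inside),
# while "log" records the event so the analyst can still see what hit the glass.
# Policy stays "accept" so everything not matched by a signature passes.
ips_drop_rules() {
    run nft add table bridge ips
    run nft add chain bridge ips forward '{ type filter hook forward priority 0; policy accept; }'
    run nft add rule bridge ips forward tcp dport 23 log prefix '"ips-drop"' drop
}

# Dry-run usage; the printed lines are the commands a root shell would execute.
inline_bridge br0 eth1 eth2 eth0 192.0.2.10/24
ips_drop_rules
```

Reject rules (RST or ICMP unreachable) would reveal that something sits between the two networks; a plain drop is what keeps the bridge looking like unseen glass to the sender.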
That is, until their joy comes crashing down when the boss is unable to
communicate with the external systems he or she needs to conduct legitimate business
with. When an IPS drops a legitimate packet, that drop is a false positive and is the
effect of an IPS being too stringent. To correct this, the IPS needs to be tuned more
conservatively, i.e., adhering to looser rules while analyzing traffic. When the IPS is
configured too conservatively, we witness false negatives as unwanted traffic freely
passes through. Obviously we have a conundrum between protecting the network
and keeping business flowing; having both live harmoniously ensures the
aforementioned security staff remain employed.
This is where the IDS comes in. Since the IDS is not responsible for dropping
packets, the security administrator can set the IDS to be very aggressive. With this
higher level of sensitivity the IDS alerts when even the slightest abnormality is
present in the traffic being inspected. After spending time going through
extraneous alerts, the analyst then tunes the IDS to disregard traffic verified to be
benign. Conversely, as the analyst finds traffic on the IDS posing a threat, a rule or
signature is written and the IPS blocks the threat. This methodology lets analysts
analyze traffic and become familiar with a normal traffic baseline without
interrupting legitimate data flow on the network. Over time, the diligent
analyst will have a sensitive IDS giving very few alerts, as the IPS drops nearly 100%
of the unwanted traffic. The IDS then alerts on any questionable traffic not blocked by
the IPS, prompting the analyst to investigate further.
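The tuning loop just described has two outputs per reviewed alert: a suppression on the IDS when the traffic is verified benign, or a drop rule on the IPS when it is a confirmed threat. The script below is an added example, not from the paper, showing both in Suricata/Snort rule syntax. The alert rule, its sid and the source address are constructed placeholders, and the file paths and the reload command in the trailing comments are assumptions about a Suricata sensor.

```shell
#!/bin/sh
# Added example (not from the paper): the IDS/IPS tuning loop in Suricata/Snort
# rule syntax. The rule text, sid and addresses are constructed placeholders;
# the file paths and reload command in the comments are assumptions.

# A deliberately sensitive alert rule as it would sit on the IDS (constructed).
IDS_RULE='alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet to internal host"; flow:to_server,established; sid:1000001; rev:1;)'

# Extract the signature id so a suppression can reference it.
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p'
}

# Verdict "benign": keep the signature but mute the verified source on the IDS
# (threshold.config "suppress" syntax), so the IDS stays sensitive for everyone else.
suppress_benign_source() {
    printf 'suppress gen_id 1, sig_id %s, track by_src, ip %s\n' "$1" "$2"
}

# Verdict "threat": promote the same signature to the IPS as a drop rule. Only the
# action keyword changes; the match logic already validated on the IDS is reused.
promote_to_drop() {
    printf '%s\n' "$1" | sed 's/^alert /drop /'
}

# Route one reviewed alert to the configuration of the right sensor.
triage_alert() {
    rule="$1"; verdict="$2"; src="$3"
    case "$verdict" in
        benign) suppress_benign_source "$(rule_sid "$rule")" "$src" ;;
        threat) promote_to_drop "$rule" ;;
        *) echo "unknown verdict: $verdict" >&2; return 1 ;;
    esac
}

# Usage (prints the lines an analyst would append to the sensor files):
triage_alert "$IDS_RULE" benign 192.0.2.25
triage_alert "$IDS_RULE" threat
# On a real Suricata sensor (assumed paths), append and reload, e.g.:
#   triage_alert "$IDS_RULE" benign 192.0.2.25 >> /etc/suricata/threshold.config
#   triage_alert "$IDS_RULE" threat >> /etc/suricata/rules/ips-drop.rules
#   suricatasc -c ruleset-reload-rules
```

Suppressing by source rather than deleting the signature is what keeps the IDS aggressive: the verified-benign host goes quiet, while the same probe from anywhere else still alerts.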