IDS/IPS – Good or Bad?

“Which is the best IPS to prevent intrusions on to my network?”

This question was asked by an individual with primary responsibility for a company’s network. I believe the person thought that they were going to receive a short answer. The extensive list of questions asked of them in return was the only logical reply.

The short answer would have been that no such device exists and that, like firewalls and anti-virus products, these solutions can, when configured properly (more on that to follow), provide the organisation with more information to enable it to act as it sees fit.

Different organisations have different risk appetites and as such they will react to exactly the same ‘alert’ in a different manner. It is important that this appetite for risk is studied and that, at the least, draft policies and procedures for such events are ready. There is little benefit in the implementation of an IDS or IPS if basic system operating procedures and incident procedures are not in place. This will lead to lots of staff time being wasted chasing around trying to make policy and procedure on the fly while the IDS/IPS produces a stream of ‘we are under attack’ events.

So once you have an idea of what appetite for risk the organisation has, and some initial policies and procedures are in place, you should ensure that you have a good understanding of the assets that you are trying to protect. For example, there is little point in putting an alarm system on the ground floor of your property while leaving your first floor bedroom, with its big windows and all of your jewellery, unsecured.

Can we dive into the Tech bit now? Almost. A check to review the ‘insider threat’ is wise. Should you be monitoring for events associated with inside activity as well as external intrusions on your network? Well, using the house example once more, if you have a cleaner or gardener, would you trust them to move unattended around your property? What use is your house alarm if it is just protecting the external entry points and not zoned to enable selective protection? This may be true of your network too.

Once you have made your choice of technology the challenging part starts. Like a new administrator starting out in their career and presented with a server that can monitor hundreds or thousands of variables, an IDS/IPS could warn you about everything. This is of no use, and yet this is what happens on many installations. Be realistic and expect the process of collecting data, baselining and setting thresholds to take time. Expect false positives. But remember that now you know more about the network activity than you did before.
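To make the "collect data, baseline, set thresholds" process concrete, here is a small added example (not code from the original post) that builds a per-host baseline from a window of constructed hourly event counts and then flags live hours that exceed the baseline by a chosen number of standard deviations. The host names, counts and the 24-hour window are all constructed for illustration; the point it shows is that a tight threshold turns ordinary variation into false positives, while a looser one keeps only the genuine outlier.

```python
"""Baseline-and-threshold alerting over constructed sample data.

Added example, not from the original post. It models the process the
article describes: collect counts, establish a per-host baseline, then
pick a threshold and see how many alerts (and false positives) result.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_HOURS = 24  # hours 0-23 train the baseline; later hours are "live"


def _constructed_records():
    """Build constructed (host, hour, outbound_connection_count) tuples.

    Baseline traffic alternates between two values per host so the mean
    and standard deviation are easy to see. The live window then holds
    normal jitter plus one obvious spike on ws-01 at hour 26.
    """
    records = []
    for hour in range(BASELINE_HOURS):
        records.append(("ws-01", hour, 10 if hour % 2 == 0 else 14))  # mean 12, sd 2
        records.append(("ws-02", hour, 18 if hour % 2 == 0 else 22))  # mean 20, sd 2
    live = {"ws-01": [15, 13, 30, 11], "ws-02": [23, 21, 25, 19]}
    for host, counts in live.items():
        for offset, count in enumerate(counts):
            records.append((host, BASELINE_HOURS + offset, count))
    return records


SAMPLE_RECORDS = _constructed_records()


def build_baseline(records, window_end):
    """Per-host (mean, population stddev) over hours before window_end."""
    per_host = defaultdict(list)
    for host, hour, count in records:
        if hour < window_end:
            per_host[host].append(count)
    return {host: (mean(counts), pstdev(counts)) for host, counts in per_host.items()}


def evaluate(records, baseline, window_end, k):
    """Return (host, hour, count, threshold) for live hours above mean + k*stddev.

    Hosts with no baseline are skipped rather than alerted on: an unknown
    host is a data-collection gap to fix, not an intrusion in itself.
    """
    alerts = []
    for host, hour, count in records:
        if hour < window_end or host not in baseline:
            continue
        mu, sigma = baseline[host]
        threshold = mu + k * sigma
        if count > threshold:
            alerts.append((host, hour, count, round(threshold, 1)))
    return alerts


def sweep(records, window_end, ks):
    """Alert count per candidate k, to see how the threshold changes noise."""
    baseline = build_baseline(records, window_end)
    return {k: len(evaluate(records, baseline, window_end, k)) for k in ks}


if __name__ == "__main__":
    base = build_baseline(SAMPLE_RECORDS, BASELINE_HOURS)
    for k in (1, 2, 3):
        print(f"k={k}:", evaluate(SAMPLE_RECORDS, base, BASELINE_HOURS, k))
    print("alerts per k:", sweep(SAMPLE_RECORDS, BASELINE_HOURS, (1, 2, 3)))
```

With k=1 both hosts raise alerts for hours that are only one standard deviation above normal, which is exactly the ‘warn about everything’ situation the article describes; at k=3 only the 30-connection hour on ws-01 remains. In practice the baseline window would be far longer than 24 constructed hours and would be revisited as the network changes, but the tuning loop is the same.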

Here is the problem for many. Not knowing was easier. The expression ‘not knowing what you did not know’ is often fitting for the ‘before IDS/IPS’ period. With this new information comes the responsibility to investigate and, in some cases, act upon it.

There are examples where relationships between organisations change once an IPS/IDS is in place, as a Code of Connection (CoCo) will mandate activities and standards for the IDS/IPS. These can often be challenging and place additional workload on staff, none of which would have been required if the devices had not been implemented.

So IDS or IPS, good or bad? They can be considered both, but in reality they are a good complementary tool to the network systems, provided all of the additional work around them has been completed and resources have been allocated for the ongoing running and support.

~ by Simon Hancock on May 26, 2008.
