Best practices in NIPS - Brighttalk - January 2010

Marco Ermini, Network Security Manager, discusses his best practices for Network Intrusion Detection and Prevention, the deployment of the overall NIDS/NIPS infrastructure, and network vulnerability.


1. Best practices in Intrusion Prevention
   Marco Ermini, Vodafone ICT Security, 12 January 2010
2. What this is about …and what it is not about!
   This presentation is not about…
   > …explaining what NIPS are – but let's be clear about what you can expect
   > …choosing a vendor/brand – even if we may mention something briefly – heard about Gartner?
   > …discussing whether you need a NIPS or not, or which technology you need (maybe a short note…)
   > …"off the shelf" or "vendor provided" best practices – you can just Google for "best practices intrusion prevention" – it will do the job!
   > I assume you need and want NIPS, or you already have NIPS
     – You want to use them effectively
     – Maybe you are just sticking to the "default", "vendor suggested" rule sets
     – You want to avoid headaches managing them day by day
     – You want to have a metric to compare your performance
   What you are looking for are best practices to make your investment worthwhile.
3. Who is speaking? This is not a bio… Why are you listening to me? – 1
   > I am supposed to know what I am talking about
   > Yes, that's my daily job. No, I am not a trainer or something like that
   > No, this is not academia or pure science. There is hardly any here!
   > I know what the market offers. Everyone can download Snort. It's not about that
   > I have a realistic view of this technology
   > Yes, I have been under a real attack. And not just once!
   > I am a customer of NIPS. I don't sell them. I will not try to contact you and sell you anything
   > Yes, this will be my personal, partial, questionable, but realistic point of view
   You are not drinking from the fountain of truth.
4. Who is this for? Why do you care? Why are you listening to me? – 2
   > You are a security or network engineer, and…
     – need added value from the investment
     – are thinking of deploying / need to deploy NIPS into your networks
   > You are a security or network manager, and need to…
     – understand the true value of NIPS
   > You are just curious
     – a graduate student getting into the network and/or security job world
     – experienced security or network personnel trying to understand NIPS
   You are welcome to share your expectations, doubts, questions!
5. What am I doing today with my NIPS?
   Let's assume you have NIPS already, or are going to install them. What are the common mistakes with NIPS?
   > They are deployed in the wrong place in the network
   > They are deployed and then forgotten
   > They are running the "suggested" rule sets from the supplier
   > It is assumed they are invincible and protect against all 0-day attacks
   > They are confused with NIDS (detection)
   > There is no measurable improvement in the overall security
   > No one is around who can access and use them when you are under attack
   > They are not really enabled, for fear of false positives
   > You are subject to (vendor-diffused?) urban legends ("behavioural based"? "auto-learn"?)
   > You use them because they are cool, or your boss told you, or "for compliance" (sic!!!)
     – They add latency and false positives
   Behold the common mistakes of NIPS!!
6. What to really expect from NIPS? …or, "avoid being ripped of my money". How can NIPS help me?
   > Do not test to bypass them. That's futile. You can do it. Save your time.
     – Ever heard of "SSL", "event horizon" and "inspect the first 512 bytes only"?
   > You need to use them in conjunction with other instruments
     – Coordination between different departments of your organisation
   > You need to update and patch the NIPS
   > You need to continually follow and profile the design of your network, applications, business
   > They will not protect you against 0-days (despite what vendors say)
   > You cannot treat them as NIDS – they are a specific tool (cannot afford false positives)
   > You need to establish a metric and evaluate the real improvements over the overall security
   > You need to have operational procedures for using NIPS on the network
   > You need to enable useful signatures and test them in production
   If you don't do those steps, you had better save your money!
7. What do you want to do with your NIPS? What does my company need? I can use NIPS for…
   > Mitigating specific attacks. For the rest, I need to integrate with other tools
     – They will not protect against all web application attacks, DDoS, malware…
     – They will protect against many – but if you want a locked-down environment, you need to complement them
     – 100% protection is not realistic; 0-day protection is marketing
   > An effective tool for immediate reaction to threats
     – They are in-line
   > Enforcing company policies
     – Security is a process. NIPS must be part of the processes
     – Many can do traffic shaping/policing
     – Some can communicate with NAC/NAP or firewalls
   > They can do tunnel inspection, stop exploits, detect anomalies and normalise traffic, detect scans…
   They can be an effective tool if used wisely.
8. Basic evaluation/purchasing recommendations. This is not a shopping guide!!! Some very quick and rough tips and guidelines
   > They will not sustain the bandwidth they claim to
   > The real cost is per network interface
     – NIPS may need from one to four network interfaces to protect a single network segment!
   > Asymmetric traffic paths – state table synchronisation
     – May use one or two network interfaces!
     – May confuse your NIPS – layer 4/7 reassembly and synchronisation
   > VRRP may be problematic
   > Evaluate that the capabilities are what you need
   > Evaluate how effective the vendor itself is
     – Customer satisfaction track record – will it just sell and then forget you?
   > RTFM – do your research
   Use your brain!
9. Border deployment. Don't leave them alone. Some tips and guidelines
   > Border edges of the Data Centre/border routers
   > They can apply traffic policing/shaping
   > They can be the first barrier against malware and attacks against publicly exposed services
     – They cannot do miracles; generally they do not inspect TLS/SSL/encrypted protocols
     – Often they cannot scan inside emails – mail servers today use SMTP over TLS
     – They will only detect what is in their event horizon
   > Better have them working in conjunction with other tools that work on the border routers/firewalls
     – Before or after routers/firewalls? Depends on your policies
   > You need to pre-emptively discuss with your ISP and establish a network security policy
   > Evaluate the impact on performance
   > Remain realistic: they will add latency and will be bypassed
   Remain focused on making them a useful tool!
10. Inner deployment. Protection of the service. Some tips and guidelines
   > They can be deployed strategically in front of an important service
     – Achieving compliance? PCI-DSS? SOX?
   > They can sit around in the network
     – Enterprise office network – connected with NAC/NAP to block rogue clients on the switch
     – Inside a DMZ/production segment – you need to create a profile
   > What is your policy?
     – I want to detect everything that is attempted against me – deploy a wide rule set
     – I only want to protect against attacks that can hit me – deploy a specific rule set
   > What is the default fall-back scenario?
     – Pass-through or drop?
   Again: remain focused on making them a useful tool!
11. Baseline rule set tuning and deployment. Tune your rule set. Some tips and guidelines
   > Establish your baseline for a specific environment
     – As described before
   > Test in a test environment
     – If it is possible!
   > Agree on a deployment window
     – Verify whether important things are going to happen… don't deploy before a new release gets into production!
     – Monitor for a couple of hours, and for a couple of days thereafter
   > Create a report on the differences from the baseline
   > If you prefer: a report about attacks mitigated
   Something changes in the service/network? Repeat the process!
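The "report on the differences from the baseline" step above, as an added example that is not part of Marco Ermini's slides: two alert logs, one captured while the baseline rule set was active and one from the monitoring window after the new rule set went live, are compared per signature. The key=value log format, the signature ids and names, the addresses and the 1.5x "surge" threshold are all constructed assumptions; real NIPS exports (syslog, CSV, vendor consoles) differ and the parser would need adapting. The report lists signatures that are new or went silent, signatures whose volume jumped, how many events were actually blocked, and which blocked events came from internal hosts, since on a freshly deployed rule set those are the first false-positive candidates to review.

```python
"""Report how a NIPS rule-set change differs from the baseline.

Added example, not code from the slides. The key=value alert-log format,
signature ids, names and addresses below are constructed assumptions.
"""
import shlex
from collections import Counter

# Constructed sample: alerts collected while the baseline rule set was active.
BASELINE_LOG = """\
2010-01-10T09:00:01 sid=1001 sig="HTTP directory traversal" src=198.51.100.7 dst=10.0.1.10 action=alert
2010-01-10T09:05:12 sid=1001 sig="HTTP directory traversal" src=198.51.100.9 dst=10.0.1.10 action=alert
2010-01-10T10:12:40 sid=1002 sig="SMTP command overflow" src=203.0.113.4 dst=10.0.1.25 action=alert
2010-01-10T11:30:00 sid=1003 sig="ICMP large packet" src=10.0.2.15 dst=10.0.1.10 action=alert
"""

# Constructed sample: alerts from the monitoring window after the new rule set
# went live with blocking enabled.
DEPLOYMENT_LOG = """\
2010-01-12T09:00:05 sid=1001 sig="HTTP directory traversal" src=198.51.100.7 dst=10.0.1.10 action=drop
2010-01-12T09:01:15 sid=1001 sig="HTTP directory traversal" src=198.51.100.9 dst=10.0.1.10 action=drop
2010-01-12T09:40:33 sid=1001 sig="HTTP directory traversal" src=198.51.100.12 dst=10.0.1.10 action=drop
2010-01-12T10:00:00 sid=1004 sig="SQL injection attempt" src=198.51.100.7 dst=10.0.1.10 action=drop
2010-01-12T10:02:00 sid=1004 sig="SQL injection attempt" src=10.0.2.20 dst=10.0.1.10 action=drop
2010-01-12T10:03:00 sid=1004 sig="SQL injection attempt" src=10.0.2.20 dst=10.0.1.10 action=drop
2010-01-12T10:04:00 sid=1004 sig="SQL injection attempt" src=10.0.2.20 dst=10.0.1.10 action=drop
2010-01-12T11:30:00 sid=1003 sig="ICMP large packet" src=10.0.2.15 dst=10.0.1.10 action=alert
"""


def parse_alerts(text):
    """Turn key=value alert lines into dicts; the first token is the timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = shlex.split(line)          # keeps the quoted signature name whole
        record = {"ts": tokens[0]}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            record[key] = value
        alerts.append(record)
    return alerts


def count_by_signature(alerts):
    """Number of events per signature id, whatever the action was."""
    return Counter(a["sid"] for a in alerts)


def baseline_report(baseline_alerts, deployment_alerts,
                    surge_factor=1.5, internal_prefixes=("10.",)):
    """Summarise what changed relative to the baseline.

    new_signatures  : sids that fire now but never fired in the baseline
    gone_signatures : baseline sids that no longer fire (rule disabled? traffic gone?)
    surges          : sids whose volume grew by at least surge_factor
    dropped         : events the NIPS actually blocked
    internal_drops  : blocked (sid, src) pairs with an internal source; on a
                      new rule set these are the first false-positive candidates
    """
    before = count_by_signature(baseline_alerts)
    after = count_by_signature(deployment_alerts)
    surges = {sid: (before[sid], after[sid]) for sid in after
              if sid in before and after[sid] >= surge_factor * before[sid]}
    drops = [a for a in deployment_alerts if a["action"] == "drop"]
    internal_drops = Counter((a["sid"], a["src"]) for a in drops
                             if a["src"].startswith(internal_prefixes))
    return {
        "new_signatures": sorted(set(after) - set(before)),
        "gone_signatures": sorted(set(before) - set(after)),
        "surges": surges,
        "dropped": len(drops),
        "internal_drops": internal_drops,
    }


def render(report, alerts):
    """Readable summary: management wants names and trends, not raw sids."""
    names = {a["sid"]: a["sig"] for a in alerts}
    lines = [f"Blocked events in window: {report['dropped']}"]
    for sid in report["new_signatures"]:
        lines.append(f"NEW      {sid} {names[sid]}")
    for sid in report["gone_signatures"]:
        lines.append(f"SILENT   {sid} {names[sid]}")
    for sid, (old, new) in report["surges"].items():
        lines.append(f"SURGE    {sid} {names[sid]}: {old} -> {new}")
    for (sid, src), n in report["internal_drops"].most_common():
        lines.append(f"REVIEW   {sid} {names[sid]} blocked {n}x from internal host {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    base = parse_alerts(BASELINE_LOG)
    dep = parse_alerts(DEPLOYMENT_LOG)
    print(render(baseline_report(base, dep), base + dep))
```

Run it once after the couple-of-hours window and again after the couple-of-days window; a signature that goes silent right after deployment usually means the rule was disabled or the traffic profile changed, not that the attack stopped.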
12. Monitoring. Don't forget them! Some tips and guidelines
   > You need to create profiles/deploy rule sets that are useful
     – Many outsourced managed SOCs use statistical tools, which I strongly doubt
     – You need to have a network diagram/maps of your networks and services!
     – You need to profile the services you are protecting and the traffic of your networks
     – You then need to tailor your rule sets
     – There is no magic wand, or Bayesian-behavioural-self-adapting etc. – this is marketing
     – You need correlation with other tools – anti-viruses, NIDS, network scanners…
     – You need to have personnel monitoring 24x7x365 who can also access and know how to use the NIPS!
   Again: remain focused on making them a useful tool!
13. Measure effectiveness. Because you have to renew your contracts sooner or later. Some tips and guidelines
   > How did they behave under attack?
     – Did they detect it at all?
     – Were they useful in mitigating it?
     – Were they manageable under attack?
   > Peer with other NIPS customers
     – Different companies, also from different market segments
   > Do not believe the vendors. Use basic math.
   > Be paranoid
   > Finally: create reports that are readable
     – Your management doesn't understand a bunch of IP addresses and signature names
   Again: remain focused on making them a useful tool!
14. Correlation and SOC. Effective security 24x7x365. Some tips and guidelines
   > Do not import all of your events into your SEM/SIM tool
     – Often you just overwhelm it, even with NIPS
     – Do not work "statistically" and blindly about your architecture
   > The rule set you deployed has an impact on what you get!
     – Often you pay for the SEM/SIM or the outsourced SOC by number of events!
   > Does the SOC (either outsourced or in-sourced) have access to the NIPS?
     – Have you defined user management for the NIPS?
     – What about operational procedures?
     – What about the technical skills of the personnel?
   Again and again: remain focused on making them a useful tool!
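One way to act on "do not import all of your events into your SEM/SIM" and "you pay by number of events", as an added example that is not code from the slides: repeated NIPS events for the same (signature, source, destination) are collapsed into one summary per time window before forwarding, and the per-signature volume shows which rules are driving the bill. The event tuples are constructed, and the 5 minute window is an assumed tuning value; a new summary is opened when the window expires so that a long-running attack keeps reappearing in the SOC console instead of being swallowed into one old record.

```python
"""Collapse repeated NIPS events before they reach the SEM/SIM.

Added example, not code from the slides. The event tuples below are
constructed; the 5 minute window is an assumed tuning value.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: raw NIPS events as (timestamp, sid, src, dst, action).
RAW_EVENTS = [
    ("2010-01-12T10:00:00", "1004", "10.0.2.20", "10.0.1.10", "drop"),
    ("2010-01-12T10:00:10", "1001", "198.51.100.7", "10.0.1.10", "drop"),
    ("2010-01-12T10:00:30", "1004", "10.0.2.20", "10.0.1.10", "drop"),
    ("2010-01-12T10:01:00", "1004", "10.0.2.20", "10.0.1.10", "drop"),
    ("2010-01-12T10:02:00", "1001", "198.51.100.7", "10.0.1.10", "drop"),
    ("2010-01-12T10:03:00", "1004", "10.0.2.20", "10.0.1.10", "drop"),
    ("2010-01-12T10:04:00", "1003", "10.0.2.15", "10.0.1.10", "alert"),
    ("2010-01-12T10:07:00", "1004", "10.0.2.20", "10.0.1.10", "drop"),
]


def aggregate(events, window=timedelta(minutes=5)):
    """One summary per (sid, src, dst) per window instead of one event per packet.

    The first event of a key opens a window; later events of the same key that
    fall within `window` of that first event only bump the counters. An event
    outside the window opens a new summary, so a long-running attack still
    shows up periodically rather than being swallowed into a single record.
    """
    summaries = []
    open_windows = {}
    for ts_str, sid, src, dst, action in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = (sid, src, dst)
        current = open_windows.get(key)
        if current is not None and ts - current["first"] < window:
            current["last"] = ts
            current["count"] += 1
            current["dropped"] += action == "drop"
        else:
            current = {"sid": sid, "src": src, "dst": dst, "first": ts,
                       "last": ts, "count": 1, "dropped": int(action == "drop")}
            open_windows[key] = current
            summaries.append(current)
    return summaries


def volume_by_signature(events):
    """Which signatures generate the volume you are paying the SOC for."""
    return Counter(sid for _, sid, _, _, _ in events)


def reduction_ratio(events, summaries):
    """Fraction of raw events that never needed to be forwarded."""
    return 1 - len(summaries) / len(events)


if __name__ == "__main__":
    summaries = aggregate(RAW_EVENTS)
    for s in summaries:
        print(f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} sid={s['sid']} "
              f"{s['src']} -> {s['dst']} events={s['count']} dropped={s['dropped']}")
    print("noisiest signatures:", volume_by_signature(RAW_EVENTS).most_common(2))
    print(f"forwarded {len(summaries)} of {len(RAW_EVENTS)} "
          f"({reduction_ratio(RAW_EVENTS, summaries):.0%} fewer)")
```

The aggregation is lossless for the questions a SOC analyst actually asks (who, what, against which host, how often, was it blocked), and the per-signature volume table is the input for the next rule-set tuning round: a signature that dominates the count without ever correlating with anything else is a candidate for a narrower rule set.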
15. Thank you
