Slide 1: Intrusion Prevention: Protecting the Infrastructure
Heather Axworthy, Network Security Engineer
haxworthy@gmail.com
© 2010 Heather L. Axworthy

Slide 2: About Me
  • Ten years' experience in networks and security.
  • Secured the networks of Fortune 50 companies.
  • IDS Engineer for Verisign MSS: worked on the top three IDS/IPS platforms.
  • Blog: http://chickbits.blogspot.com
  • LinkedIn: http://www.linkedin.com/in/heatheraxworthy
  • Twitter: haxworthy

Slide 3: Agenda
  • What Is IPS?
  • Architecture and Deployment
  • Event Monitoring/Tuning
  • Ensuring Success
  • Vendors
  • Q&A

Slide 4: What is IPS?
  • IPS = Intrusion Prevention System/Service.
  • Designed to be deployed inline.
  • Proactive approach to traffic monitoring.
  • Prevents the attack packet from penetrating your network.

Slide 5: Architecture
  • Capacity planning: the biggest mistake is purchasing hardware that is too “small” for your network.
  • Look at the traffic load of the segments you want to monitor. If the segments (VLANs) you want to monitor each register bandwidth in excess of 100MB, a small 400MB device is not large enough.
  • Most devices have a maximum throughput, which is often an aggregate of all interfaces on the device.

Slide 6: Deployment

Slide 7: Event Monitoring/Tuning
  • My device is in place; what do I do next?
  • Tuning: the period when you look at your events, weed out any false positives and modify signatures. Best practice is at least 30 days of looking at traffic on a daily basis.
  • This will enable you to filter out signatures that are “noisy” and see events that show valid attacks.
  • Once the tuning period is over, put the device into block (“IPS”) mode.

Slide 8: Ensuring Success
  • Company buy-in, from top executive management to the end user: IPS will make “us” more secure.
  • Staffing levels: proper staffing must be in place to support the IPS device(s) and the daily monitoring of events.
  • If the IPS device stops one botnet outbreak or a SQL injection attack, it has paid for itself!

Slide 9: Vendors
  • IBM ISS: http://www.iss.net/ (Proventia series)
  • TippingPoint: http://www.tippingpoint.com/
  • Cisco: http://www.cisco.com
  • Sourcefire: http://www.sourcefire.com/
  • Snort: http://snort-inline.sourceforge.net/
  • Juniper: http://www.juniper.net (IDP series)

Slide 10: Q&A

IPS Best Practices


Editor's Notes

  • #5 IPS is short for Intrusion Prevention: when specific traffic matches a signature, the device “drops” the traffic immediately and creates an event with details on the traffic. It is designed to be deployed inline, and it takes a proactive approach to traffic monitoring.
  • #6 Capacity planning: buy the right device, and do your homework. Look at the traffic load of the segments you want to monitor; every model has a threshold level. If the VLAN you want to monitor registers bandwidth in excess of 100MB, and you may want to monitor additional VLANs, a 400MB-limit box will not work for you. Don’t expect to buy just one box: if you have remote sites or several internal VLANs, you will need additional units. Buy a unit large enough to be deployed at the perimeter, between the firewall and the DMZ/internal networks, and smaller units for remote sites and smaller segments. There are several on the market today (ISS, TippingPoint, Cisco, Sourcefire); choose the vendor with the best reputation for good, sound security intelligence.
  • #7 You will probably need more than one device: at least one at the perimeter, and possibly a few smaller-throughput devices. All IPS devices have two modes, block (aka “IPS”) mode and non-block (aka “IDS”) mode. When you first deploy your device it is in non-block mode; you then spend a period of time tuning out any false positives. After that period is complete, put your device into blocking mode. “IPS” mode should always be your primary end goal!
  • #8 Now that my device is in place in non-block mode, what do I do? Take a period of at least 30 days and look at the events being generated by the device on a daily basis. This period is known as the “tuning phase”; it is when you make adjustments to the signatures on the device. You are filtering out the false positives so you can look at the events that show valid attacks.
  • #10 How to choose a vendor? Don’t just select a vendor on price: research, research, research! Find the vendor that has good security intelligence and well-written signatures.
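The tuning phase described in slide 7 and in notes #7 and #8, as an added example that is not part of the deck: a small Python triage over a constructed alert log that separates signatures firing day after day from internal hosts (candidates to suppress or retune before switching to block mode) from the rarer events worth reviewing as valid attacks. The CSV layout, the use of RFC 1918 space as "internal", the thresholds and the sample lines are all assumptions.

```python
# Added example, not from the deck: triage one tuning window of IPS events.
# The CSV layout, thresholds and sample lines are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed sample: a few days of alerts from a 30-day tuning window.
SAMPLE_LOG = """\
2010-03-01,2001,POLICY Generic SNMP get,10.1.4.20,10.1.1.1
2010-03-01,2001,POLICY Generic SNMP get,10.1.4.21,10.1.1.1
2010-03-02,2001,POLICY Generic SNMP get,10.1.4.22,10.1.1.1
2010-03-03,2001,POLICY Generic SNMP get,10.1.4.20,10.1.1.1
2010-03-02,3002,WEB-SQL union select attempt,198.51.100.7,10.1.2.10
2010-03-03,3002,WEB-SQL union select attempt,198.51.100.7,10.1.2.10
2010-03-03,4003,BOTNET C2 beacon,10.1.5.33,203.0.113.9
"""
# RFC 1918 space stands in for "our internal segments" (an assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class SigStats:
    name: str
    count: int = 0
    days: set = field(default_factory=set)  # distinct dates the signature fired
    internal_src: int = 0                   # events sourced from internal space

def parse_events(text):
    """Yield (date, sid, name, src, dst) from the constructed CSV log."""
    for line in text.splitlines():
        date, sid, name, src, dst = line.split(",")
        yield date, int(sid), name, src, dst

def summarize(events):
    """Aggregate per-signature statistics over the whole tuning window."""
    stats = {}
    for date, sid, name, src, dst in events:
        s = stats.setdefault(sid, SigStats(name))
        s.count += 1
        s.days.add(date)
        if any(ip_address(src) in net for net in INTERNAL_NETS):
            s.internal_src += 1
    return stats

def triage(stats, min_days=3, internal_ratio=0.9):
    """'tune': fires on >= min_days days, almost only from internal hosts, i.e.
    policy noise that would self-block once IPS mode is on. 'keep': review as a
    possible valid attack (the internal C2 beacon stays 'keep': it did not recur)."""
    verdict = {}
    for sid, s in stats.items():
        noisy = len(s.days) >= min_days and s.internal_src / s.count >= internal_ratio
        verdict[sid] = "tune" if noisy else "keep"
    return verdict
```

Run `triage(summarize(parse_events(SAMPLE_LOG)))` to see the SNMP policy signature flagged for tuning while the SQL injection attempt and the internal botnet beacon are kept for review.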