Modern-day networks are no longer static; they are continuously morphing with a mobile workforce and the presence of data everywhere. How can organizations monitor the environment for the onslaught of threats and endless attack vectors? Provide some comments and insights on where you would start with your IDS implementation strategy.
Ruslan Yakush says
Given the endless growth of attack vectors, Big Data and IoT/mobile devices, an organization may find it difficult to manage and control the security of the environment, especially the information that is flowing through all these devices and networks. While it may sound like an impossible mission, an organization can adopt certain security monitoring and detection strategies that would improve visibility of network security and reduce potential attacks. Some of those strategies are network segregation and distributed IDS deployment, also known as dIDS.
Every device connects to a network, which means there is always an entry point, via wireless or wired. If it is a wireless device, then the network entry point would be AP -> Wireless Controller, then switches and routers. If it is a wired device, then the entry point is a switch. Usually, organizations have segregated wireless and wired networks either physically and/or logically, where logical separation would involve VLANs that route traffic through firewalls, followed by packet inspection and filtering.
So, in this case, as far as IDS implementation strategy goes, it would include setting up multiple IDS systems in a distributed way, with sensors configured (e.g. using SPAN/RSPAN, etc.) for monitoring and detecting suspicious traffic at each, or at least the most critical, network segment (entry point). This way, all threats entering the network infrastructure from various devices would be caught by IDS sensors. Another advantage of dIDS is the ability to detect attack patterns across an entire corporate network even if the IDS systems are located in different geographic locations. Also, all IDS systems would aggregate captured data to a centralized syslog server.
Joseph Nguyen says
A monitoring and intrusion detection strategy can complement each other for maximum efficiency in protecting the organization from threats. The dIDS is excellent, but certainly more can be done to reduce the high rate of false-positive alerts from IDPS devices. An organization can detect, identify and analyze threats more rapidly by increasing the visibility and/or the order of events in context, such as log events that can be correlated and centralized in a more structured way from every device in the network.
A current example of such an application is SELKS, a free and open-source Debian-based IDS/IPS platform. SELKS uses open-source, pre-configured tools that can aggregate and correlate different log sources built around IDPS. It’s a security monitoring dashboard that includes:
– Firewall, VPN servers, Web proxy, Endpoint logs (hostname, username/file/processes)
– Infrastructure (Routes, Switches, Wireless Access Points, Application servers)
– Non-logs infrastructure (Configuration, locations, network maps, software inventory)
SELKS4 is composed of five subsystems that pass information sequentially into each other, allowing an analyst to identify events of interest.
– Logstash parses IDPS logs and other log sources, structures them, and places them into Elasticsearch.
– Elasticsearch performs indexing on the network traffic data and feeds it to Kibana.
– Kibana is a customizable visualization platform with dashboards to explore data, which feeds Scirius.
– Scirius is a web interface that maps back to signatures and links to Kibana, which feeds EveBox.
– EveBox allows a user to generate reports, analyze the workflow on alerts, and escalate tickets.
https://github.com/StamusNetworks/SELKS
https://www.sans.org/reading-room/whitepapers/critical/continuous-monitoring-build-world-class-monitoring-system-enterprise-small-office-home-37477
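Joseph's post describes the kind of pipeline SELKS runs: Logstash structuring IDPS output and other log sources before they are indexed and shown in context. The script below is an added example, not part of the original post and not SELKS's or Stamus Networks' code. It takes one Suricata EVE JSON alert and joins onto it the firewall's verdict on the same connection, a constructed asset inventory (the "non-log" context) and the endpoint events on the target host around the alert time, producing the single structured record an analyst would want in the dashboard. The log lines, the asset table, the hostnames and the escalation heuristic are all constructed for the example; only the EVE field names follow Suricata's real format.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs for this example (not real logs): one Suricata
# EVE JSON alert, two iptables-style firewall syslog lines and three
# endpoint process-start events. SID 9000001 is in the local-rule range.
EVE_ALERT = json.dumps({
    "timestamp": "2017-10-08T14:02:11.000000+0000",
    "event_type": "alert",
    "src_ip": "198.51.100.23", "src_port": 44102,
    "dest_ip": "10.20.5.14", "dest_port": 445, "proto": "TCP",
    "alert": {"signature_id": 9000001, "rev": 1,
              "signature": "LOCAL SMB probe from untrusted network",
              "category": "Attempted Administrator Privilege Gain",
              "severity": 1},
})

FIREWALL_LOG = """\
Oct  8 14:02:10 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.20.5.14 PROTO=TCP SPT=44102 DPT=445
Oct  8 14:02:10 fw01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.20.5.15 PROTO=TCP SPT=44103 DPT=445
"""

ENDPOINT_LOG = """\
2017-10-08T14:02:13Z host=fs01 user=SYSTEM process=rundll32.exe event=process_start
2017-10-08T14:09:00Z host=fs01 user=jdoe process=excel.exe event=process_start
2017-10-08T14:02:14Z host=fs02 user=SYSTEM process=svchost.exe event=process_start
"""

# Constructed asset inventory: the "non-log" context (hostname, segment,
# owner) that the dashboard joins onto each alert.
ASSETS = {
    "10.20.5.14": {"hostname": "fs01", "segment": "server-farm", "owner": "IT"},
    "10.20.5.15": {"hostname": "fs02", "segment": "server-farm", "owner": "IT"},
}

FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>ACCEPT|DROP) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
EP_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) process=(?P<proc>\S+) event=(?P<event>\S+)")


def parse_eve_alert(line):
    """Pull the 5-tuple, timestamp and signature out of one EVE JSON line."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    return {
        "ts": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "src_ip": ev["src_ip"], "src_port": ev["src_port"],
        "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"], "proto": ev["proto"],
        "sid": ev["alert"]["signature_id"], "signature": ev["alert"]["signature"],
        "severity": ev["alert"]["severity"],
    }


def firewall_verdicts(text, year):
    """Map each 5-tuple in the firewall log to its (verdict, time).
    Classic syslog timestamps carry no year, so the caller supplies one."""
    verdicts = {}
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        key = (m["src"], int(m["spt"]), m["dst"], int(m["dpt"]), m["proto"])
        verdicts[key] = (m["verdict"], ts)
    return verdicts


def endpoint_events(text, host, center, window=timedelta(minutes=2)):
    """Endpoint events on `host` within +/- `window` of the alert time."""
    out = []
    for line in text.splitlines():
        m = EP_RE.match(line)
        if not m or m["host"] != host:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(ts - center) <= window:
            out.append({"ts": ts.isoformat(), "user": m["user"],
                        "process": m["proc"], "event": m["event"]})
    return out


def build_incident_record(eve_line, fw_text, ep_text):
    """One structured record per alert: the alert, the firewall's verdict on
    the same connection, the asset context and the endpoint activity around it."""
    alert = parse_eve_alert(eve_line)
    if alert is None:
        return None
    asset = ASSETS.get(alert["dest_ip"], {"hostname": None, "segment": "unknown", "owner": None})
    key = (alert["src_ip"], alert["src_port"], alert["dest_ip"], alert["dest_port"], alert["proto"])
    verdict, _ = firewall_verdicts(fw_text, alert["ts"].year).get(key, ("NOT_SEEN", None))
    events = endpoint_events(ep_text, asset["hostname"], alert["ts"]) if asset["hostname"] else []
    return {
        "signature": alert["signature"], "sid": alert["sid"], "severity": alert["severity"],
        "src_ip": alert["src_ip"], "dest_ip": alert["dest_ip"], "dest_port": alert["dest_port"],
        "asset": asset, "firewall_verdict": verdict, "endpoint_events": events,
        # Escalation heuristic for the example: the firewall let the connection
        # through and something started on the target right afterwards.
        "escalate": verdict == "ACCEPT" and len(events) > 0,
    }


if __name__ == "__main__":
    print(json.dumps(build_incident_record(EVE_ALERT, FIREWALL_LOG, ENDPOINT_LOG), indent=2, default=str))
```

Run as-is and the record shows the connection was ACCEPTed by fw01, the target is fs01 in the server farm, and rundll32.exe started on it two seconds after the alert; the DROP line for the neighbouring host and the unrelated later event on fs01 are left out by the 5-tuple join and the time window.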
Mengxue Ni says
Great Post, Joseph,
I like your security dashboard monitoring examples best. Also, thanks for explaining SELKS. I believe IDS is the most needed tool for every company that uses the internet to protect itself from endless attacks. Once it is properly deployed, it will identify intruders and provide an alert when a threat happens.
Anthony Clayton Fecondo says
The first step in planning the implementation of IDPS technology is mapping out the network architecture. Despite the more dynamic nature of networks, it is still possible to identify the various parts of the network and segregate them accordingly. For example, most company assets/network segments will be static. On the other hand, mobile devices will be moving in and out of the network. Using this information, the company assets can still be effectively segregated. Then the mobile devices can all be placed on their own segment, and authentication systems can be used to determine individuals’ privileges, etc.
At the edge of the network, an IPS should be placed just outside the network and an IDS should be placed just within it.
Once the segments are identified, an IDS and IPS pair should be placed between each segment and a centralized data storage server. By doing this, analysts will only have to focus on one central basin of information, and each IDS/IPS pair will have a lighter load. All IDSs should be implemented out-of-band and configured aggressively (to flag any questionable traffic allowed by the more lenient IPS), while IPSs will be in-band and configured conservatively (to avoid dropping legitimate traffic).
Also, if the network utilizes VPN concentrators for connections with vendors, etc., an IDS/IPS pair should be placed before each concentrator (the IPS must be inside the network in this instance, because the VPN concentrator encrypts traffic, rendering the IPS ineffective).
Finally, in order to ensure the effectiveness of the IDS, there should be analysts monitoring the alerts and clearly defined policy on how to follow up on the alerts. These analysts should tune the IDS and IPS as necessary and remain diligent (it would be tempting to rely totally on the IDS, IPS, Firewalls, etc. for detection, but analysts must remember that there will still be false negatives).
Josh Zenker says
I agree, Anthony. You always want to consider your network architecture first. In particular, you want to understand where on the network your IT assets are located.
When you have identified the network segments containing your most critical applications, servers, and data stores, you can deploy the appropriate IDPS for each, as we discussed in week 4. As your network monitoring infrastructure matures, you can expand your coverage to other network segments.
A gradual rollout will give your security analysts the opportunity to properly tune the systems’ rules and alerts. If you try to deploy to too many segments at once, you’re likely to overwhelm your staff with false positives, which in turn can sour them on the idea of IDPS altogether.
Ruslan Yakush says
Anthony, great point on IDPS placement in the case of VPN concentrators. Since traffic gets decrypted at the firewall, IDPS would be able to analyze traffic that is leaving the firewall; that is, once unencrypted traffic is behind the firewall entering the LAN. Another situation is when IDPS still cannot read traffic even when the traffic is outside of the VPN tunnel entering the LAN. An example would be SSL/TLS traffic flowing between servers/clients over a regular non-VPN connection. In this case, firewall and/or IDPS systems need to be able to do SSL inspection for any malicious activities.
Mengxue Ni says
Great Post Anthony,
I like your idea that we should start with mapping out the network architecture. It is great that you added how we are going to use IDS and IPS together. For the policy, I think it needs to be very detailed, based on different hours of the business day.
Ryan P Boyce says
In a modern enterprise, my IDS implementation strategy would begin with identifying the pieces of the network that are most vulnerable and/or most valuable to an attacker. In every organization, legacy pieces of infrastructure still exist: systems of the past that provided critical capabilities to a company and could not afford to be taken down for fear of a disruption to business needs. An example of this would be the operating system vulnerabilities that were exploited by the WannaCry virus. Hospitals in the UK were running legacy versions of Windows (Windows XP and Server 2003). A patch was supplied by Microsoft following the incident, but IT personnel running those systems should have been aware that older operating systems pose a higher threat level than newer operating systems. An effective IDS plan should have identified where on the network those systems resided. In the case of WannaCry or any encryption software, it is more difficult to detect, since once it lands on a system it does not need to make a remote call to execute. It simply encrypts the data on disk, and once it does this, it is too late. Preventative measures would have been more helpful here than detective measures, but this is still a great example of how legacy systems are highly vulnerable.
Next, however, I would identify where attackers might be looking to gain access. This would be the equivalent of a house thief identifying which room has the most valuable items to steal. In a Windows environment, it would be highly beneficial to steal a domain administrator’s credentials. Having such credentials would give the attacker access to almost any resource in Active Directory: servers, workstations, and user accounts themselves. Here, again, it would be beneficial to identify how the domain admin is operating and where and when they use their credentials in the environment. With both examples, the IDS implementation begins with identifying weak or valuable points in the network and building defenses around these points.
Vaibhav Shukla says
Yeah, very well mentioned on identifying weak or vulnerable points in the network; this could be the best strategy for identifying locations to place sensors, and alerts of a certain priority generated from data at such locations are sent directly to the admin. There can also be difficulty in correlating data from all these sources, so a log and alert correlation product should be used in conjunction with your IDS, and the logs generated should be reviewed periodically.
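Ruslan's dIDS point (sensors in several segments and sites forwarding to one syslog server, so that attack patterns across the whole corporate network become visible) and Vaibhav's note that the aggregated data then has to be correlated come together in the added example below. It is not code from the original thread. It parses constructed Snort-style syslog alert lines from three sensors at two sites and then does two things a single sensor cannot: it flags a source that triggers alerts in more than one segment inside a time window, and it finds a host that was the target of one alert and shortly afterwards the source of another (a pivot). The sensor inventory, the year supplied for the year-less syslog timestamps, the SIDs and the window sizes are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of what a central syslog server receives from three
# sensors at two sites. The line layout mirrors Snort's syslog alert output;
# the SIDs and messages are illustrative, not real alert data.
SAMPLE_SYSLOG = """\
Oct  8 14:00:01 ids-nyc-dmz snort[2231]: [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:5012 -> 10.1.1.5:22
Oct  8 14:00:07 ids-nyc-dmz snort[2231]: [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:5013 -> 10.1.1.6:22
Oct  8 14:03:40 ids-lon-userlan snort[918]: [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:6110 -> 10.7.3.9:22
Oct  8 14:05:12 ids-nyc-serverfarm snort[4410]: [1:9000002:1] LOCAL SMB lateral movement attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.7.3.9:49211 -> 10.20.5.14:445
Oct  8 15:30:00 ids-lon-userlan snort[918]: [1:9000003:1] LOCAL id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.88:80 -> 10.7.3.20:51000
"""

# Constructed sensor inventory: which site and segment each sensor watches.
SENSORS = {
    "ids-nyc-dmz": ("nyc", "dmz"),
    "ids-nyc-serverfarm": ("nyc", "server-farm"),
    "ids-lon-userlan": ("lon", "user-lan"),
}

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$")


def parse_alerts(text, year=2017):
    """Parse syslog-forwarded alerts. Classic syslog lines carry no year,
    so one is supplied (an assumption for the example)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        site, segment = SENSORS.get(m["sensor"], ("unknown", "unknown"))
        alerts.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc),
            "sensor": m["sensor"], "site": site, "segment": segment,
            "sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dpt"]),
        })
    alerts.sort(key=lambda a: a["ts"])
    return alerts


def sources_across_segments(alerts, window=timedelta(minutes=10), min_segments=2):
    """Sources that trigger alerts in at least `min_segments` different
    segments within `window`: a pattern no single sensor can see."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    hits = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            segments = {e["segment"] for e in burst}
            if len(segments) >= min_segments:
                hits[src] = {
                    "segments": sorted(segments),
                    "sites": sorted({e["site"] for e in burst}),
                    "sids": sorted({e["sid"] for e in burst}),
                    "first": burst[0]["ts"].isoformat(),
                    "last": burst[-1]["ts"].isoformat(),
                    "top_priority": min(e["priority"] for e in burst),
                }
                break
    return hits


def pivot_chains(alerts, window=timedelta(minutes=30)):
    """Hosts that were the target of one alert and, within `window`, became
    the source of another: the footprint of an intruder moving laterally."""
    by_dst = defaultdict(list)
    for a in alerts:
        by_dst[a["dst"]].append(a)
    chains = []
    for a in alerts:
        for entry in by_dst.get(a["src"], []):
            if timedelta(0) <= a["ts"] - entry["ts"] <= window:
                chains.append({
                    "host": a["src"], "entered_from": entry["src"],
                    "entry_sid": entry["sid"], "entry_sensor": entry["sensor"],
                    "then_hit": a["dst"], "next_sid": a["sid"], "next_sensor": a["sensor"],
                })
    return chains


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_SYSLOG)
    for src, info in sources_across_segments(parsed).items():
        print("multi-segment source", src, info)
    for chain in pivot_chains(parsed):
        print("pivot", chain)
```

On the sample data, 203.0.113.7 is reported for scanning both the New York DMZ and the London user LAN within four minutes, and 10.7.3.9 is reported as a pivot: it was scanned from London and ninety seconds later was itself the source of an SMB alert seen by the server-farm sensor in New York. Each sensor on its own would have logged two unrelated, low-priority events.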
Mengxue Ni says
In order to monitor the information system environment and protect organizations from endless attacks, IDS is a key tool that monitors system behavior and alerts on potentially malicious network traffic. Before we start with the IDS implementation strategy, here are some questions that we must answer:
1. How can I use an IDS to benefit my security strategy?
An IDS is used to detect internal and external intruders on your network. When properly deployed, this tool will identify intruders’ methods and provide an intelligent alert about the threat. Some IDS programs will even respond to stop the intrusion. A good IDS should support analysis to find out how the intruder got in and deny any similar exploitation in the future.
2. What technologies are available to me?
There are three main groups of IDS: host-based, network-based, and hybrid. Choose the one that fits your organization’s system.
3. Where do I deploy the technology?
First, consider where the most vulnerable parts of the system are; those are the places where you must deploy IDS.
Depending on your security practices and topology, you’ll typically consider four areas for monitoring. These are as follows: network perimeter, WAN backbone, server farms, LAN backbones.
4. How do I manage the information an IDS will provide?
Develop policies and procedures for events that occur during different hours of your business day. Some of the more robust intrusion detection systems will take actions for you to terminate access and change rules on other security devices to prevent future intrusions. If you have people physically monitoring your network 24 hours a day, you may not want automatic denial of services to potential customers or users based on a false intrusion event. As with any network security device, you will have to evaluate its effectiveness and level of responsibility for your network defense.
http://www.techrepublic.com/article/lock-it-down-implementing-an-intrusion-detection-system-on-your-network/
Zhengshu Wu says
Mengxue, good post!
In case there is a 24x7 SOC, we can select a manageable subset of signatures for IDS blocking. This should represent the most dangerous attacks that are also unlikely to be false positives and will not cause unnecessary DoS.
Sachin Shah says
Great job, Mengxue. You nailed this topic. Those four questions also cover topics such as the architecture of the network and what technology is available, and go on to touch on budgets, etc. Obviously buying more IDS means more money, and many companies cannot afford that. Companies need to prioritize, and that is where your fourth point comes in.
Joseph Nguyen says
Excellent, Mengxue. I would assume that the wireless AP entry point is a vulnerable part of the system and it should be separated physically (switch) or logically (VLAN) from the rest of the wired network, with a SPAN port for monitoring.
Ruslan Yakush says
Mengxue and Joseph, I agree that it is important to know where to deploy IDS, especially at various points within the LAN. Since the wireless network is part of the wired network in terms of being a LAN and interconnecting with physical switches, usually VLAN-based separation is adequate as long as the aggregated trunk port from the wireless controller is monitored by IDS for all traversing VLANs of all the separate wireless SSIDs. So, basically, if a company has 100 APs connected via floor switches, instead of monitoring the ports where each AP is connected, the best way of monitoring wireless traffic would be monitoring just one trunk port; that is, the one that interconnects the wireless controller and the core switch and carries all SSID VLANs. Additional protection can be achieved by having all SSID VLANs routed and inspected by a firewall to prevent malicious attacks.
Shain R. Amzovski says
Most organizations today push the concept of BYOD and must also have the flexibility to allow their employees to access company data anytime, anywhere, and from any device. Prior to developing an IDS strategy for a mobile workforce, it is more important to first build an IT infrastructure to support this model. Also, it is important to create policies and controls. Some crucial pieces of security required for building an IT infrastructure based on mobility include:
• Access control – based on user, device, location etc.
• Firewall rules, policies, and application filters.
• Virtual security appliances specifically designed for mobility security
• Two-factor authentication incorporated with secure certificates
• Log and create reports on mobility use and data access
• Creating policies to lock-down mobile applications
When implementing an IDS strategy, it is also important to look into IPS as well. The two should be used in conjunction as a defense-in-depth strategy to actively monitor for threats and block packets that are ruled as not authorized. “Using both technologies in harmony will provide the needed perimeter and core defenses to combat zero day and existing threats while also having the visibility into internal networks with the ability to provide forensic data and trend analysis.” (https://www.sans.org/reading-room/whitepapers/detection/understanding-ips-ids-ips-ids-defense-in-depth-1381). IDS/IPS should be placed in between firewalls and servers. The goal of IDS is to look for suspicious patterns that the firewall may allow to pass through the network. In mobile networks, IDS is a crucial tool for network security, as you need a more defense-in-depth strategy.
Kevin Blankenship says
I would start by analyzing my network at an architectural level to understand the various zones, entry points, and critical areas. Included in this analysis would be access controls, firewall rules, any external WAFs, and what kinds of devices are used within the network. An IDS should be placed at the entrance of each DMZ-to-internal-network connection. IDSs should also be placed between each zone. If customers or employees are bringing their personal devices into the network, a separate network should be created outside of the production or internal networks. Since this network may not be as important, IDS should still be used; however, the types and policies may be more lenient.
Internally, we must look at the purpose of each zone and the types of devices connected to establish a clear plan. Generally one type of IDS will not cover each zone fully, so a combination of IDS technology helps to fully cover the network.
Sachin Shah says
I agree, Kevin. The placement and the amount of IDS start with the structure of the network. You may have your DMZ, which should have its own IDS/IPS. I agree that one IDS would be way too much to manage across so many different zones as well. Unfortunately most people VPN to the main network itself, but yes, mobile devices and IoT should be a separate network or zone with its own IDS.
Mengqi He says
IDS is a key tool to systematically monitor network and system activities and detect suspicious and unexpected activities. When developing an IDS implementation strategy, a great concern is where to locate IDSs, which should be based on the organization’s information security requirements and on how IDSs can be integrated with the existing IT infrastructure with minimal impact. Since IDSs often lead to false positives that affect the functionality of systems and networks, an organization should consider network segregation to balance security and functionality. An organization’s network can be segregated into several sub-networks or network segments by functional groups of system users, based on departments or tasks, and each segment can have different security policies and rules. That means the same activity can be considered legitimate in one segment but illegitimate in another segment. IDS should be deployed and integrated with firewalls on each segment to ensure users can only access what they need to complete their work and what they are authorized for, and thus also help implement the Principle of Least Privilege. In addition, network segregation can also limit the effect of false positives on network functionality. For example, accountants in the accounting department can only access accounting information, and if an accountant is trying to modify IT information that he/she should not access, the IDS will send an alarm to the administrator. The IDS of the IT department may shut off the network segment of the IT department, while other network segments are still functional. In addition, even if a false positive occurs, the IDS only shuts off one network segment and thus limits the effect of the incident.
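Mengqi's two points, that the same activity is legitimate in one segment and alert-worthy in another, and that containment should be scoped to the offending segment so a false positive cannot take down the whole network, can be expressed as a small segment-aware policy check. The example below is added here and is not the original post's code; the segment CIDRs, the policy table, the flow records and the isolation threshold are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed segment map and per-segment policy for the example. Each
# policy entry lists the destination ports one segment may reach in another;
# any flow not covered is reported together with its segment context.
SEGMENTS = {
    "accounting": ipaddress.ip_network("10.10.0.0/24"),
    "it-admin": ipaddress.ip_network("10.20.0.0/24"),
    "server-farm": ipaddress.ip_network("10.30.0.0/24"),
    "finance-apps": ipaddress.ip_network("10.40.0.0/24"),
}

POLICY = {
    ("accounting", "finance-apps"): {443},          # accounting web apps
    ("accounting", "server-farm"): {445},           # file shares only
    ("it-admin", "server-farm"): {22, 3389, 445},   # admins manage servers
    ("it-admin", "finance-apps"): {22, 443},
    ("it-admin", "it-admin"): {22},
}

# Constructed flow records, in the shape a flow collector or firewall log
# would hand over (source, destination, destination port, protocol).
SAMPLE_FLOWS = [
    {"src": "10.10.0.5", "dst": "10.40.0.10", "dport": 443, "proto": "tcp"},
    {"src": "10.10.0.5", "dst": "10.30.0.20", "dport": 22, "proto": "tcp"},
    {"src": "10.20.0.7", "dst": "10.30.0.20", "dport": 22, "proto": "tcp"},
    {"src": "10.10.0.9", "dst": "10.30.0.20", "dport": 3389, "proto": "tcp"},
    {"src": "10.10.0.5", "dst": "10.30.0.21", "dport": 445, "proto": "tcp"},
    {"src": "10.20.0.7", "dst": "10.10.0.5", "dport": 445, "proto": "tcp"},
    {"src": "192.0.2.10", "dst": "10.30.0.20", "dport": 443, "proto": "tcp"},
]


def segment_of(ip):
    """Name of the segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(flow):
    """Judge one flow against the segment policy. The same destination and
    port is legitimate from one segment and alert-worthy from another."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    allowed = POLICY.get((src_seg, dst_seg), set())
    verdict = "allowed" if flow["dport"] in allowed else "alert"
    if src_seg == "unknown" or dst_seg == "unknown":
        reason = "address outside any known segment"
    elif verdict == "allowed":
        reason = f"{src_seg} -> {dst_seg}:{flow['dport']} permitted by policy"
    else:
        reason = f"{src_seg} may not reach {dst_seg} on port {flow['dport']}"
    return {**flow, "src_segment": src_seg, "dst_segment": dst_seg,
            "verdict": verdict, "reason": reason}


def evaluate_flows(flows):
    return [evaluate_flow(f) for f in flows]


def segments_to_isolate(results, threshold=2):
    """Segments whose hosts produced at least `threshold` alerts. Containment
    is scoped to the offending segment, so one misjudged flow elsewhere
    cannot take the whole network down."""
    counts = Counter(r["src_segment"] for r in results
                     if r["verdict"] == "alert" and r["src_segment"] != "unknown")
    return sorted(seg for seg, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    results = evaluate_flows(SAMPLE_FLOWS)
    for r in results:
        print(f"{r['verdict']:7} {r['src']:>12} -> {r['dst']}:{r['dport']}  ({r['reason']})")
    print("isolate:", segments_to_isolate(results))
```

The two SSH connections to 10.30.0.20 show the point: the one from the it-admin segment is permitted, the identical one from accounting raises an alert. With two alerts from accounting hosts and only one from it-admin, the isolation step names accounting alone; the it-admin segment keeps working even though one of its flows was also flagged.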
Zhengshu Wu says
Mobile computing has added to the complexity of today’s network architecture and security. IDS and IPS are important tools to identify, classify, and stop malicious traffic, including worms, spyware/adware, network viruses, and application abuse, before they affect business continuity.
In order to implement a security strategy, the first step is always to know your network architecture. With the network architecture identified, the next step is to define network segregation and trust zones, which include the organization’s critical systems or facilities. Next is to deploy security devices or applications such as IDS and IPS. With network architecture and segregation in place, we can recognize critical systems and facilities such as VPN tunnels, data centers and remote sites, and deploy IDS and IPS for them.
Vaibhav Shukla says
An IDS implementation strategy usually starts with an analysis of the industry the organization is operating in and the regulations under which it is governed. A formal risk assessment needs to be done, which includes monitoring of traffic and judging what kinds of threats have been received in the past. There are cases where a company gets more zero-day attacks, and deployment of IPS could be a better idea than IDS.
The company should also consider a cost-benefit analysis of whether to take a free open-source IDS or a licensed IDS. An NGO whose assets are not worth that much if compromised cannot put in a costly licensed IDS. As an organization selects an IDS and prepares for implementation, planners must select a deployment strategy that is based on a careful analysis of the organization’s information security requirements and that integrates with the organization’s existing IT infrastructure but, at the same time, causes minimal impact; for this, the organization should monitor and tune one IDS sensor at a time. If a company has a policy to allow BYOD and has integrated many IoT devices, then the best way is to deploy IDS sensors at network tap points. If the organization also deals with servers, then a host IDS could be a good solution, with logs configured to directly monitor activities. In a sector like defence, where confidentiality is highly required, the organization can tune its IDS to close down the network on any false positives too, but where availability is more of a concern the organization cannot let the network shut down due to false positives.
Sachin Shah says
I agree, Vaibhav. It is the industry of the organization and also the network architecture that determine whether to use IDS or IPS and where to place them. I feel that it’s always better to buy licensed versions of anything for the sake of support and accountability. But you are right: in places I have worked with so many mobile devices, there need to be sensors at ALL network-accessible points.
Loi Van Tran says
Before implementing any IDS/IPS strategy, the organization must understand its network architecture and how information flows from system to system. In addition, it must undergo data classification and designate an impact or criticality level for the information stored within its systems and network segments.
The emergence of complex mobile technology (IoT, mobile devices, sensors, etc.) has made it increasingly difficult for an organization to protect its environment. Another issue is that IDS and switches don’t get along, so implementing a virtual switch, like those in VirtualBox or VMware, must also be considered. Deploying too many IDS/IPS is both costly and hard to maintain, let alone the sheer volume of data that is being collected. They should be deployed on both hosts and network segments where the loss or corruption of data would be a great loss to the organization. Examples of IDPS placement would be after a firewall, to protect your internal network and ideally all of your public-facing servers.
Many IDS systems today come with some sort of IPS capability. In order to mitigate the loss of legitimate traffic, an organization should run the device in pure IDS mode without blocking any traffic. After evaluating and analyzing the type of traffic that is received, the organization should slowly change rules from IDS to IPS.
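Loi's suggestion to run in alert-only mode first and move rules to blocking gradually, Zhengshu's criterion of blocking only a manageable subset that is dangerous and rarely a false positive, and Anthony's split between an aggressive out-of-band IDS and a conservative in-line IPS all reduce to one decision per rule. The script below is an added example, not taken from the thread or from any vendor or project: it parses constructed rules in Snort/Suricata syntax, applies those promotion criteria against a constructed alert history from the tuning period, and renders the in-line ruleset with "drop" substituted only where a rule has earned it; the out-of-band sensor keeps the original all-"alert" file. The classtype-to-priority table, the thresholds, the SIDs and the history counts are assumptions made for the example.

```python
import re

# Constructed rules in Snort/Suricata syntax (local SID range 9000001+).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB exploit attempt"; flow:to_server,established; content:"|ff|SMB"; classtype:attempted-admin; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL id check returned root"; flow:from_server,established; content:"uid=0|28|root|29|"; classtype:bad-unknown; priority:1; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB named pipe probe; still being tuned"; flow:to_server,established; classtype:attempted-admin; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"LOCAL outbound SSH from user segment"; flow:to_server; classtype:policy-violation; sid:9000004; rev:1;)
"""

# Constructed alert history from the alert-only tuning period: how often each
# rule fired and how many of those fires the analysts marked as false positives.
TUNING_HISTORY = {
    9000001: {"alerts": 40, "false_positives": 0},
    9000002: {"alerts": 300, "false_positives": 120},
    9000003: {"alerts": 2, "false_positives": 0},
    9000004: {"alerts": 80, "false_positives": 3},
}

# Constructed classtype -> priority table (a real deployment reads its
# classification.config instead); an explicit priority option overrides it.
CLASSTYPE_PRIORITY = {"attempted-admin": 1, "trojan-activity": 1,
                      "bad-unknown": 2, "attempted-recon": 2, "policy-violation": 3}

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>.*?)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'\s*(?P<k>[\w-]+)(?::(?P<v>"(?:\\.|[^"\\])*"|[^;]*))?;')


def parse_rule(line):
    """Split a rule into action, header and an option dict. Quoted option
    values may contain semicolons, which is why a plain split on ';' fails."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    opts = {}
    for o in OPT_RE.finditer(m["opts"]):
        v = o["v"]
        if v is not None and v.startswith('"'):
            v = v[1:-1]
        opts[o["k"]] = v
    return {"action": m["action"], "header": m["header"], "opts": opts,
            "opts_raw": m["opts"], "sid": int(opts["sid"]), "msg": opts.get("msg", ""),
            "priority": int(opts["priority"]) if "priority" in opts
            else CLASSTYPE_PRIORITY.get(opts.get("classtype"), 3)}


def decide(rules, history, min_observations=20, max_fp_ratio=0.05):
    """Promote a rule to 'drop' only if it is priority 1, fired often enough
    during tuning to be judged, and its false-positive ratio is acceptable."""
    decisions = []
    for r in rules:
        h = history.get(r["sid"], {"alerts": 0, "false_positives": 0})
        fp_ratio = h["false_positives"] / h["alerts"] if h["alerts"] else 0.0
        if r["priority"] != 1:
            action, why = "alert", f"priority {r['priority']} is below the blocking bar"
        elif h["alerts"] < min_observations:
            action, why = "alert", f"only {h['alerts']} observations, keep watching"
        elif fp_ratio > max_fp_ratio:
            action, why = "alert", f"false-positive ratio {fp_ratio:.0%} too high to block"
        else:
            action, why = "drop", f"{h['alerts']} observations, {fp_ratio:.0%} false positives"
        decisions.append({"sid": r["sid"], "msg": r["msg"], "action": action, "reason": why})
    return decisions


def render_ruleset(rules, decisions):
    """Emit the in-line (IPS) ruleset: the same rules, with the action swapped
    to 'drop' only where the decision promoted it."""
    action_for = {d["sid"]: d["action"] for d in decisions}
    return [f"{action_for[r['sid']]} {r['header']} ({r['opts_raw']})" for r in rules]


if __name__ == "__main__":
    rules = [parse_rule(l) for l in SAMPLE_RULES.splitlines() if l.strip()]
    decisions = decide(rules, TUNING_HISTORY)
    for d in decisions:
        print(f"sid {d['sid']}: {d['action']:5} ({d['reason']})")
    print("\n".join(render_ruleset(rules, decisions)))
```

Only sid 9000001 ends up as drop: it is priority 1, fired 40 times and was never a false positive. Sid 9000002 is priority 1 but 40% of its hits were false positives, sid 9000003 has fired twice and is not yet judgeable, and sid 9000004 is a policy rule whose priority never reaches the blocking bar; all three stay alert-only on the in-line device while the out-of-band sensor continues to flag every one of them.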
Sachin Shah says
IDS/IPS implementation should begin with understanding the structure of the network. It is too costly to overhaul the entire network. Several years ago our hospital moved all the servers to a facility hosted by CSC. All the proper infrastructure was in place: routers, switches, cabling, inventory, and a VPN for the servers to be housed in Newark, Delaware. Yet we had way too many legacy systems on outdated hardware that needed to be on site or in Philadelphia, as they were on the hospital clinical monitoring network.
In a scenario like this, there were fewer attacks on the top-of-the-line CSC server farm, so that is where the IPS was. The IDS was on the local server farm, with a combination of IDS/IPS for the mobile servers and vendor VPN server accounts. Our servers hosted by CSC were mostly VMware, so that had a lot to do with using the IPS there. In terms of VPN and firewall configurations, our network department usually sets up NATted IP addresses.