Intrusion Defense: A Layered Plan (Page 3 of 4)

 A NIPS device combines deep packet inspection technology with firewall traffic control. Like a firewall, a NIPS is placed inline with the data. In the example depicted in Figure 1, all packets that pass to and from sources outside the perimeter are evaluated. All packets passing to and from Segment B, the home of the organization's most critical systems, are also checked.

Through deep packet inspection, each packet is checked to see if it contains information that is indicative of an attack. Packets can also be evaluated in terms of open sessions. Any traffic that displays unusual behavior, or behavior that is clearly malicious, is immediately blocked by the NIPS.

When planning the purchase and implementation of a NIPS solution, you should consider the following:

• Inline Operation - Inline operation provides for the discard of suspect packets. It also allows for blocking the remaining packet flow associated with the potential attack. Since it's inline, the NIPS is capable of stopping attacks without reconfiguring firewalls or routers. Inline operation of NIPS devices has been made possible by significant improvements in processing power.

• Reliability and Availability - In order to provide continuous protection, the device you choose should function at a high level of performance with an acceptable mean time between failures (MTBF). You might also want to consider redundant devices so that if one fails, traffic will still flow through the other. In any case, if your inline device does fail, you want to ensure that the data continues to flow through the affected network segment. For example, if the NIPS protecting Segment B in Figure 1 fails closed, Segment B is effectively removed from the network. If the data on a segment is highly sensitive, you may want it isolated when no NIPS protection is available. In most cases, however, you'll want the capability of configuring the NIPS environment to allow the continuation of traffic.

• Accuracy - Ensure that the vendor from whom you purchase your solution provides regular detection updates. Their application should be accomplished quickly with no interruption of information flow or protection. You should also check reliable third party sources to verify the vendor's claims about the rates at which false positives and false negatives occur. Finally, the device should be intelligent enough to thwart attempts by criminals to use its blocking capability to create a DoS attack.

• Alerting and Analysis Capabilities - All information collected by the various NIPS placed around your network should be sent to a central console for evaluation. From this console, you should be able to run reports that provide information relative to investigations. The console application should also send alerts when an attack, or a potential attack condition, is recognized by one or more NIPS. Consider outsourcing to a MSSP the aggregation and correlation of collected activity information

• Highly Granular Configuration and Control Capabilities - When configuring and tuning your IPS devices, you should have the capability to define what attacks to detect and what policy violations to look for on specific network segments or on specific servers and workstations.

• Adequate Level of Performance - Each NIPS should be powerful enough to assess network activity without hindering the flow of information across your network. In other words, they shouldn't create any bottlenecks. There should also be enough spare processing power in the devices to allow for growth during their life expectancy.

Proper placement of a NIPS can provide protection to a large number of network devices. In addition to servers and workstations, NIPS can protect firewalls, routers, VPN concentrators, etc. It isn't platform dependent.