IPS – What IPS? – Week 10

IPS – What IPS?
We at ITC have a lot of time for Intrusion Protection System (IPS) devices, those reliable workhorses of most perimeter security solutions that sit inside or alongside your firewalls and get the chance to look at and evaluate each and every packet as it moves across your network edge.
These devices (be they hardware or software) are full of functionality and all the big vendors are constantly updating their features in an attempt to stay ahead. The problem is, an awful lot of organisations seem to plug these things in and then promptly forget about them, never even exploring any of the rich functionality hidden away on tabs two and three of the GUI.
Over the years, we’ve variously come across IPS modules left disconnected (simply because they came with the firewall and nobody thought to connect the management interface) or perhaps set up to alert to a location that no longer exists. Sure, that expensive new Web Application Firewall looks great on paper, but your existing firewall’s IPS module may well have given you a heads-up on the successful SQL injection on your company website last week too – apart from the fact that nobody remembered to migrate the [email protected] onto your new email system.
The vast majority of IPS systems work based on signatures (and we’ll leave the discussion of signatures v heuristics v cloudy big data for another post). Often regex-based, these signatures essentially look out for packets with specific known malicious characteristics and then trigger the IPS module to react accordingly – be that log, alert or drop the traffic, depending on the level of threat detected. Sounds great, but downloading those updated signatures automatically will typically require internet access from either the IPS or its management console; it also means you have to keep an eye on the licensing status of your kit.
So, if this post has jogged your memory and you suspect you may be responsible for a neglected IPS module, here’s a very brief (by no means comprehensive) checklist for getting it online and making sure it’s doing something useful.

  • Is it patched in properly?
  • Is it up to date? Check the vendor’s website for new software and check your licensing details too.
  • Does it have a secure method of updating signatures?
  • Is it set to alert? If so, where?
  • Does it have support for an ‘asset model’ of some kind? If so, tell it where your servers and your desktops live so you get the right kind of alerts.
  • Delve into the signatures, review what’s enabled and what the actions are currently set to. You’ll probably find vendors are conservative with their default setups – if you can deal with the potential false positives, enable some relevant signatures and see what’s really going on in your network.

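To make the signature-and-action model above concrete, here is a toy signature engine, added as an example (it is not code from ITC or from any IPS product): regex signatures carry a severity that maps to log, alert or drop, the SQL injection rules start out disabled to mirror conservative vendor defaults, and a tuning step enables them so you can compare verdicts before and after. Signature IDs, patterns and sample requests are all constructed.

```python
import re
from dataclasses import dataclass, replace

# Constructed signature format (not any vendor's): regex over the payload,
# a severity that selects the action, and an enabled flag.
@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: str
    severity: str          # "low" | "medium" | "high"
    enabled: bool = True

SEVERITY_ACTION = {"low": "log", "medium": "alert", "high": "drop"}
ACTION_ORDER = ["pass", "log", "alert", "drop"]   # worst action wins

# Constructed signature set; the SQL injection rules ship disabled, like the
# conservative vendor defaults the checklist tells you to review.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", r"\.\./", "low"),
    Signature(1002, "SQL tautology in query string",
              r"(?i)'\s*or\s+'?1'?\s*=\s*'?1", "medium", enabled=False),
    Signature(1003, "SQL UNION SELECT in HTTP request",
              r"(?i)union\s+(all\s+)?select", "high", enabled=False),
]

def inspect(payload, signatures=SIGNATURES):
    """Return (sid, action) for every enabled signature matching the payload."""
    return [(s.sid, SEVERITY_ACTION[s.severity])
            for s in signatures if s.enabled and re.search(s.pattern, payload)]

def verdict(payload, signatures=SIGNATURES):
    """Collapse all hits into one decision; 'pass' when nothing matched."""
    actions = [action for _, action in inspect(payload, signatures)]
    return max(actions, key=ACTION_ORDER.index, default="pass")

def with_enabled(signatures, sids):
    """Return a tuned copy of the signature set with the given SIDs enabled."""
    return [replace(s, enabled=True) if s.sid in sids else s for s in signatures]

# Constructed sample requests: benign, directory traversal, two SQL injection.
PACKETS = [
    "GET /index.php?id=1 HTTP/1.1",
    "GET /images/../../../config.ini HTTP/1.1",
    "GET /products?id=1' OR '1'='1 HTTP/1.1",
    "GET /products?id=1 UNION SELECT 1,2,3 HTTP/1.1",
]
```

With the shipped defaults only the traversal request is logged and both injection attempts pass untouched; after `with_enabled(SIGNATURES, {1002, 1003})` they become an alert and a drop respectively.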
Alternatively, get some professional help and contact ITC, the experts in secure networking. Going far beyond IPS modules, our Netsure360° service can monitor your whole network infrastructure – correlating suspicious activity across all your devices and proactively alerting you to threats long before they get a chance to become exploits.