Choosing the right infrastructure segment and the right point in the network topology for IDS/IPS network sensors is critical to their effectiveness. This article analyzes the user and datacenter segments for the practicability of deploying intrusion detection and prevention systems, and defines the topology points for IDS/IPS integration together with a description of the technical requirements.
Large enterprise data networks are logically divided into three levels. Access-level switches connect end systems to the infrastructure. Routing between edge subnets, first-hop redundancy, firewalling and load balancing of end-system traffic are performed at the distribution level. High-speed switching and routing, redundancy and efficient use of links take place at the core level. Access and distribution levels are present both in user segments, where the end hosts are users' PCs, and in datacenter segments, where the edge systems are virtual or physical servers.
It is useful to analyze whether IDS/IPS deployment is necessary in each network fragment. When analyzing traffic in the user segment, we must consider both situations where workstations are attacked and the reverse, where a user PC is a potential attacker.
An end-user workstation may be attacked because it:
- Contains confidential business information;
- Contains the user's private information;
- Has network access to some specific resources;
- Has specific business software installed;
- Belongs to a user whom somebody wants to compromise.
A user PC may be attacked by means of:
- Malicious software installation;
- Exploitation of system/software vulnerabilities;
- Unauthorized access from other workstations;
- Information interception/modification attacks.
Why workstations may be a source of attacks or of confidential information leakage:
- User intent;
- Malicious software infection;
- Successful exploitation of vulnerabilities in outdated systems/software;
- Use of the workstation's credentials to attack other resources.
The highest-priority infrastructure fragment to protect is the datacenter, which contains business-critical servers, especially DMZ-located ones. These server farms may be at risk of:
- Access by unauthorized users and servers;
- Use of resources for non-business purposes;
- Corporate security policy bypass;
- Attacks from the Internet (DMZ-located services).
Successfully hacked, infected or improperly configured servers may in turn pose a threat of:
- Compromise of other servers;
- Malicious software infection of users and other hosts;
- Confidential data leakage;
- Financial loss and brand damage for the company.
Once the decision to protect an infrastructure segment with IDS/IPS has been made, it is necessary to specify the network sensor mode for the deployment:
- Promiscuous mode (IDS mode): the sensor does not affect network traffic. It only inspects a copy of the data delivered from mirror ports by a SPAN/VACL-capture session, or it uses NetFlow records for analysis. A network sensor in promiscuous mode can generate security events and capture packets.
- IPS shun mode: the sensor analyzes network traffic and generates security events, but some events can be configured to cause temporary blocking of the attacking host or connection on a router or firewall.
- IPS RST mode: the sensor monitors traffic but can additionally tear down TCP connections by injecting TCP segments with the RST flag set, sent to both peers of the session.
- IPS inline mode: network traffic passes through the sensor, which inspects it for security threats. Depending on its settings it can generate events, drop packets, reset TCP sessions, and block attacking hosts and connections on the sensor itself.
Each mode has its own advantages and disadvantages, described in Table 1.
| Mode | Advantages | Disadvantages |
|------|------------|---------------|
| IDS | No effect on traffic; no point of network failure; minimal network configuration needed; deployment without a maintenance window | No attack prevention |
| IPS shun | No point of network failure; intrusion prevention for all protocols; deployment without a maintenance window | Reactive response to attacks; needs integration with the network equipment terminating the edge subnets |
| IPS RST | No point of network failure; deployment without a maintenance window | Reactive response to attacks; TCP-only intrusion prevention; may require disabling anti-spoofing protection (unicast RPF checks) on some routed interfaces of the edge-VLAN termination devices |
| IPS inline | Proactive defense; intrusion prevention for all protocols | Potential point of network failure; deployment may need a maintenance window |

Table 1. Benefits and risks of different IDS/IPS modes.
The next question is where in the architecture to install the IDS/IPS network sensor. As an example, consider the corporate network fragment shown in Picture 1.
Picture 1. Corporate network topology.
If we use IDS, IPS shun or IPS RST mode, it is necessary to monitor and analyze almost all network traffic on the site. This can be done by configuring SPAN/VACL-capture sessions on every access-level switch sw1-sw8 and on the distribution switches Dsw1-Dsw2, but it will increase the sensor's load, the number of interfaces it needs, its required throughput and its price. Another drawback of such monitoring is the large number of duplicate packets: every device on the path between two peers mirrors the same packet. So the most effective way to avoid duplication is to monitor traffic in each segment by configuring SPAN/VACL-capture sessions on distribution-layer switches with the following characteristics:
- Spanning-tree root (or secondary root) for the local site VLANs;
- Directly connected to the routing devices (router, firewall), or carrying the corresponding module in the chassis;
- Located closer to the HSRP/VRRP master or to the active firewall cluster node; the other sensor must be closer to the secondary/standby node.
In the described architecture there are two such switches: Dsw1 and Dsw2, and traffic should be inspected on these devices. If the network sensor runs in IDS mode, each sensor can be connected to one switch, or a single sensor can aggregate the SPAN sessions from both switches, depending on the sensor vendor and model (Pic. 2). This is the best solution for traffic monitoring because any VLAN or interface present on a distribution-layer switch can be mirrored.
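As an added example (not configuration from the original article), the following Cisco Catalyst IOS fragment shows how the two distribution switches from Pic. 1 could be prepared for IDS sensors in promiscuous mode: Dsw1 is the spanning-tree root and HSRP active gateway, so the site's user and server traffic crosses it and one SPAN session there replaces per-access-switch mirroring; Dsw2 mirrors the same VLANs for the second sensor. The hostnames Dsw1/Dsw2 come from the picture; the VLAN IDs (user VLANs 10-11, server VLAN 100), the SVI addresses, the HSRP group numbers and the sensor ports GigabitEthernet1/0/48 are assumptions for illustration.

```cisco
! ===== Dsw1: preferred path (STP root, HSRP active), IDS sensor 1 =====
hostname Dsw1
!
! Root bridge for the site VLANs: the access switches forward user and
! server traffic through Dsw1, so it sees the traffic the sensor needs.
spanning-tree vlan 10,11,100 root primary
!
! HSRP active gateway on every edge VLAN (higher priority + preempt):
! inter-VLAN traffic is routed on Dsw1 and mirrored here once, not on
! each of the access switches sw1-sw8 along the path.
interface Vlan10
 description Users-site-A
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan100
 description Datacenter-servers
 ip address 10.10.100.2 255.255.255.0
 standby 100 ip 10.10.100.1
 standby 100 priority 110
 standby 100 preempt
!
! One SPAN session copies both directions of the user and server VLANs
! to the sensor's monitoring port. A plain destination port accepts no
! ingress frames, so the sensor cannot disturb the network (IDS mode).
monitor session 1 source vlan 10 - 11 , 100 both
monitor session 1 destination interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/48
 description IDS-sensor-1 monitoring interface
!
! ===== Dsw2: secondary root, HSRP standby, IDS sensor 2 =====
hostname Dsw2
!
spanning-tree vlan 10,11,100 root secondary
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
!
interface Vlan100
 ip address 10.10.100.3 255.255.255.0
 standby 100 ip 10.10.100.1
 standby 100 priority 100
 standby 100 preempt
!
! Same mirror on the standby switch, so traffic is still inspected
! after a failover to Dsw2 (sensor 2 or an aggregated sensor).
monitor session 1 source vlan 10 - 11 , 100 both
monitor session 1 destination interface GigabitEthernet1/0/48
!
! ===== Alternative on Catalyst 6500: VACL capture instead of SPAN =====
! Only traffic matched by the access map (here: all IP) is copied to
! the capture port, which lets you exclude flows the sensor need not see.
ip access-list extended ALL-IP
 permit ip any any
!
vlan access-map IDS-CAPTURE 10
 match ip address ALL-IP
 action forward capture
vlan filter IDS-CAPTURE vlan-list 10-11,100
!
interface GigabitEthernet1/48
 switchport
 switchport capture
 switchport capture allowed vlan 10-11,100
```

After applying it, `show spanning-tree vlan 10`, `show standby brief` and `show monitor session 1` confirm that Dsw1 is root and HSRP active and that the session is mirroring the intended VLANs; if the root or the active gateway lands on Dsw2 instead, the sensor on Dsw1 sees only part of the traffic, which is exactly the placement mistake the characteristics above are meant to prevent.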
Pic. 2. Corporate infrastructure fragment protected by IDS.
If we use IPS RST mode the architecture stays the same, but it may require some reconfiguration of the SPAN session (the sensor must be able to send frames into the mirror port) and disabling anti-spoofing protection on some routed interfaces. The exact configuration changes vary with the network design and with how the network sensor sends its TCP RST segments.
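As an added example for the IPS RST and IPS shun modes described in the mode list, in Table 1 and in the paragraph above (again Cisco IOS/ASA syntax, not the article's own configuration): the SPAN change that lets a promiscuous sensor inject RST segments, the two ways of handling the unicast RPF (anti-spoofing) check those spoofed segments can trip, and the firewall-side blocking a shun-mode sensor drives. VLAN numbers, interface names and the 10.10.0.0/16 address ranges are assumptions carried over from the previous example; which SVI actually needs the uRPF exemption depends on which VLAN the sensor injects into.

```cisco
! ===== IPS RST mode: the sensor must be able to SEND into the mirror port =====
! A plain SPAN destination discards frames received from the sensor.
! "ingress" allows them; with "dot1q vlan 10", tagged RSTs keep their
! VLAN and untagged ones are placed in VLAN 10.
no monitor session 1
monitor session 1 source vlan 10 - 11 , 100 both
monitor session 1 destination interface GigabitEthernet1/0/48 ingress dot1q vlan 10
!
! The injected RST carries the *other peer's* IP address as its source.
! If the switch has to route that RST (the sensor injects into one VLAN
! on behalf of peers in several VLANs), strict uRPF on the SVI it enters
! drops it as spoofed. Option 1: switch uRPF off on that SVI.
interface Vlan10
 no ip verify unicast source reachable-via rx
!
! Option 2: keep uRPF and exempt only sources the sensor may legitimately
! spoof (the site's own ranges), logging each exemption hit. Packets that
! fail the RPF check are matched against the ACL; "permit" forwards them.
access-list 150 permit ip 10.10.0.0 0.0.255.255 any log
access-list 150 deny   ip any any
interface Vlan11
 ip verify unicast source reachable-via rx 150
!
! ===== IPS shun mode: block on the firewall, not on the sensor =====
! What the sensor pushes to an ASA when an event is set to block the
! attacking host: existing connections from it are dropped and new ones
! are refused until the shun is removed.
shun 10.10.10.57
!
! Block a single connection instead of the whole host
! (source, destination, source port, destination port).
shun 10.10.10.57 10.10.100.20 51234 443
!
! Verify, and remove manually if the sensor's block timer does not
! (the ASA keeps a shun until it is explicitly removed).
show shun
no shun 10.10.10.57
```

On the switch, `show ip interface Vlan10` reports the current uRPF mode for the SVI and `show ip traffic` counts unicast RPF drops, which is the first place to look when the sensor reports sending resets but sessions are not being torn down; on the ASA, `show shun` lists active blocks so that a stale entry left behind by a sensor restart can be cleared rather than quietly locking out a host.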
If the infrastructure is protected with an inline IPS, there are two possible deployment points in the scheme (Pic. 1): the Dswx-Rx segment and the Dswx-FWx one.
The Dswx-Rx path is used for inline IPS deployment when it is necessary to inspect traffic leaving or entering the network fragment without protecting intra-site connections.
Deploying the inline IPS on the Dswx-FWx link is the best solution for complete control of both intra- and inter-segment traffic. Depending on the sensor's characteristics and the network design, internal and external traffic flows can be analyzed together or independently. But this deployment point is the most exposed to IPS resource-exhaustion attacks from users inside the corporate network if the internal subnets pass through the IPS.
The network security engineer must realize that an inline IPS deployment adds a potential bottleneck and a point of failure. Two network policy orientations affect inline IPS deployment: business continuity and maximum security.
Under the maximum-security orientation, network traffic must be either inspected or dropped (the sensor fails closed). The most important tasks in this case are the network sensor settings:
- Traffic inspection with appropriate actions on security events;
- Tuning to withstand resource-exhaustion attacks.
The business continuity orientation imposes such network sensor requirements as:
- Clustering;
- Hardware bypass in case of software failure (the sensor fails open).
One more blocking factor for inline IPS deployment is the use of specific business applications. Their network interactions may be classified as suspicious traffic or malicious activity and blocked. Another drawback of an inline IPS is added latency, which may disrupt some business applications operating across the network. But the best feature of an inline IPS is clearly real-time, proactive attack prevention.
Choosing the right architectural point for IDS/IPS network sensors minimizes information security expenses. The correct solution inspects only the traffic that needs inspection and reduces false-positive events. Regardless of the IDS/IPS mode, these devices should be installed close to the distribution-layer switches. If we deploy an inline IPS we must realize that it is one more point of failure and bottleneck in the network, and it is necessary to define the network security policy orientation (business continuity or maximum security) in order to form the IPS technical requirements.
To be continued... The next part is described in the Throughput Metering article.