Five Mistakes while managing an IPS
You have the most advanced intrusion prevention system on the market, capable of deep packet inspection and seamless attack detection and prevention. What is next? How do you avoid the common problems that affect mismanaged IPS deployments while keeping your network as safe as possible?
1. Lack of a sensible update schedule
IPS is very often treated as a “set and forget it” service by many firewall administrators, but that’s not the correct approach if we want to maintain an effective strategy for keeping up with the emerging threat landscape.
New vulnerabilities and exploits are discovered on a daily basis, so it is important to have a game plan that ensures you stay up-to-date with the newest IPS signatures released by your IPS manufacturer.
The recommendation is to schedule monthly updates. On the other hand, you also want to be as flexible as possible for high-profile protections that may require an out-of-band update.
2. Failure to backup before updates
As with any production update, there is always a risk involved. Many of us security professionals have seen bad signature updates released that stopped production traffic and even brought down entire networks. The best way to avoid this problem is simply to take a full backup before updating any IPS signature. On most platforms this can easily be done via the WebGUI or the command line. This gives you a separate copy of your policy in case disaster strikes, which should allow you to completely restore your policy and get back up and running within 5-10 minutes.
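A minimal version of that backup gate, added here as an illustration rather than anything from the post or from a vendor: the export call is a placeholder standing in for the platform's WebGUI or CLI export, the sample policy XML is constructed, and the signature update is refused unless the backup has been written, re-read and checked against its stored digest.

```python
"""Pre-update gate: refuse to apply an IPS signature update until a verified
backup of the current policy exists on disk.

Added example, not from the post. export_policy() is a placeholder
(assumption): a real deployment would call the platform's configuration
export via WebGUI or CLI instead of returning a constructed sample."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: a tiny stand-in for an exported firewall/IPS policy.
SAMPLE_POLICY_XML = b"""<config version="1.0">
  <ips-policy name="corp-default" mode="prevent">
    <exception src="10.0.5.0/24" dst="any" signature="12345"/>
  </ips-policy>
</config>
"""


def export_policy() -> bytes:
    """Placeholder for the platform's export call (assumption). Returns raw XML."""
    return SAMPLE_POLICY_XML


def write_backup(policy: bytes, backup_dir: Path, label: str = "pre-ips-update") -> Path:
    """Sanity-check the export, then persist it with a timestamp and a SHA-256 sidecar."""
    if len(policy) < 50:  # an empty or truncated export is worse than none
        raise ValueError("export too small to be a real policy")
    root = ET.fromstring(policy)  # raises ParseError on a corrupt export
    if root.find("ips-policy") is None:
        raise ValueError("export contains no ips-policy element")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = backup_dir / f"{label}-{stamp}.xml"
    path.write_bytes(policy)
    digest = hashlib.sha256(policy).hexdigest()
    Path(str(path) + ".sha256").write_text(f"{digest}  {path.name}\n")
    return path


def verify_backup(path: Path) -> bool:
    """Re-read the backup from disk and compare it with the stored digest."""
    stored = Path(str(path) + ".sha256").read_text().split()[0]
    return hashlib.sha256(path.read_bytes()).hexdigest() == stored


def gated_update(backup_dir: Path, apply_update) -> Path:
    """Take and verify a backup; only then run apply_update(). Returns the backup path."""
    path = write_backup(export_policy(), backup_dir)
    if not verify_backup(path):
        raise RuntimeError("backup verification failed; update aborted")
    apply_update()
    return path


def demo() -> dict:
    """Exercise the gate in a temporary directory and report what happened."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as d:
        applied = []
        path = gated_update(Path(d), lambda: applied.append("update"))
        results["update_applied_after_backup"] = applied == ["update"]
        results["backup_verified"] = verify_backup(path)
        # Simulate on-disk corruption of the backup: verification must now fail.
        path.write_bytes(path.read_bytes() + b"<!-- tampered -->")
        results["tamper_detected"] = not verify_backup(path)
        # A truncated export must be rejected before any update runs.
        try:
            write_backup(b"<config></config>", Path(d))
            results["bad_export_rejected"] = False
        except ValueError:
            results["bad_export_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the sidecar digest is that a backup you have never re-read is not a backup you can rely on at 3 a.m.; the gate verifies the file from disk before the update is allowed to proceed.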
3. Improper object definition
Even though we all know that best practice says we should restrict our security policies to allow only the protocols that a specific server supports, it is still very common to see open policies with no granular control implemented in some environments.
For example:
CheckPoint Firewall
In the CheckPoint platform, you can actually define if an object is running a Web Server, Mail Server, or DNS Server. Since signatures are tailored towards specific services and protocols, it is best practice to set this up so that the IPS engine can best protect the services that a specific host is running.
Palo Alto Networks
On the Palo Alto platform, you must ensure that only HTTP traffic is allowed to a web server. If you have defined an override policy for a custom application, make sure to restrict access to a specific source zone or set of IP addresses. Additionally, attach the following security profiles to your security policies to provide signature-based protection:
- Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher
- Create an Anti-Spyware profile to block all spyware
- Create an Anti-Virus profile to block all content that matches an antivirus signature
Note that I am referring to the CheckPoint and Palo Alto Networks platforms here; however, these best practices apply to any other manufacturer.
4. Using IPS Exceptions “Any”
Imagine that there is a problem with traffic that has to be resolved quickly to restore production. The easiest way out is to create a blank exception to get back up and running. Tempting, isn't it? However, this can easily destroy the ability of your IPS to protect your environment against future attacks. It is worth the effort to set up exceptions for only the specific hosts or networks that are presenting problems, instead of a fully open IPS policy with no control.
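Mistakes 3 and 4 both lend themselves to an automated check against the rulebase. The following audit is an added example, not from the post and not a vendor tool: it runs over a constructed rulebase whose field names are a simplified, assumed Palo Alto-style schema, and flags open service definitions, missing security profiles, and IPS exceptions scoped to "any".

```python
"""Rulebase lint for two IPS management mistakes: open object/service
definitions without the three security profiles, and IPS exceptions that
disable protection for 'any' source and destination.

Added example, not from the post. The rule and exception schema below is a
constructed simplification (field names are assumptions, loosely modelled on
a Palo Alto-style rulebase); the sample entries are constructed too."""

REQUIRED_PROFILES = {"vulnerability", "anti-spyware", "antivirus"}

# Constructed sample security rules.
RULES = [
    {"name": "web-in", "from": "untrust", "to": "dmz",
     "source": ["any"], "destination": ["10.1.0.10"],
     "application": ["web-browsing", "ssl"], "service": "application-default",
     "profiles": {"vulnerability": "strict", "anti-spyware": "strict",
                  "antivirus": "default"}},
    {"name": "legacy-app", "from": "untrust", "to": "dmz",
     "source": ["any"], "destination": ["10.1.0.20"],
     "application": ["any"], "service": "any",
     "profiles": {}},
    {"name": "mail-in", "from": "untrust", "to": "dmz",
     "source": ["any"], "destination": ["10.1.0.30"],
     "application": ["smtp"], "service": "application-default",
     "profiles": {"antivirus": "default"}},
]

# Constructed sample IPS exceptions ("*" means every signature).
EXCEPTIONS = [
    {"name": "fix-ticket-4711", "signature": "*",
     "source": ["any"], "destination": ["any"]},
    {"name": "scanner-fp", "signature": "30000",
     "source": ["10.9.9.5"], "destination": ["any"]},
    {"name": "old-webapp", "signature": "40001",
     "source": ["any"], "destination": ["any"]},
]


def audit_rules(rules):
    """Return (rule name, finding) pairs for rules that leave the IPS blind."""
    findings = []
    for r in rules:
        if "any" in r["application"] or r["service"] == "any":
            findings.append((r["name"],
                             "open application/service: restrict the rule to "
                             "the protocols the destination server actually runs"))
        missing = REQUIRED_PROFILES - set(r["profiles"])
        if missing:
            findings.append((r["name"],
                             "missing security profiles: " + ", ".join(sorted(missing))))
    return findings


def audit_exceptions(exceptions):
    """Return (name, severity, finding) triples for over-broad IPS exceptions."""
    findings = []
    for e in exceptions:
        any_src = "any" in e["source"]
        any_dst = "any" in e["destination"]
        all_sigs = e["signature"] == "*"
        if all_sigs and any_src and any_dst:
            findings.append((e["name"], "critical",
                             "blanket exception: every signature disabled for all traffic"))
        elif all_sigs:
            findings.append((e["name"], "high",
                             "all signatures disabled for the listed hosts; "
                             "narrow the exception to the failing signature"))
        elif any_src and any_dst:
            findings.append((e["name"], "high",
                             f"signature {e['signature']} disabled network-wide; "
                             "scope it to the affected hosts"))
        # An exception limited to specific hosts on one side (scanner-fp) is
        # the intended shape and is not reported.
    return findings


if __name__ == "__main__":
    for name, msg in audit_rules(RULES):
        print(f"[rule {name}] {msg}")
    for name, sev, msg in audit_exceptions(EXCEPTIONS):
        print(f"[exception {name}] {sev}: {msg}")
```

Run it from a scheduled job and fail the job on any "critical" exception finding; the "temporary" blanket exception created during an outage is exactly the kind of entry that otherwise lives on unnoticed.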
5. Too far behind on Software Upgrades
This also falls under best practices, especially when maintaining a distributed environment. If you let the versions of your management server or firewalls fall too far behind, you may no longer be able to take advantage of the newest IPS signatures or enhanced features released by your manufacturer.
For example:
CheckPoint Firewall
CheckPoint stops releasing certain IPS protections for older versions before they actually go out of support, so that is one more incentive to maintain a reasonable upgrade schedule.
Palo Alto Networks
Palo Alto has added some incredible new features to its platform, especially in the 6.1 releases. Believe it or not, I have found customers still running PAN-OS 4.1.x. Many features that could potentially enhance security and bring enormous benefits to the environment are being missed.
It is also important to highlight that the further behind on upgrades your environment is, the more work you will be adding to a future upgrade. The reason is that it will be necessary to download and install all previous base image releases, including the required content release versions.
In addition to the items I have listed here, it is also worth noting that manufacturers allow you to sign up for a mailing list so that you can stay up-to-date with all the latest IPS updates. If your environment is managed by an MSSP, they will typically contact you with security bulletins regarding critical signature updates so that you can stay ahead of the game.
Stay safe out there.
Security Assurance @ AWS
Good stuff Willian! Hope all is well.