

Wednesday, August 1, 2007

Choosing the Right Intrusion Prevention System (2)



Most network and security vendors offer a variety of IPS software solutions. As a result, choosing the right IPS software can become a daunting task. To help organizations choose the right IPS software program, auditors may recommend that organizations invest in a solution that:

1. Installs with ease. Global business operations and Internet connectivity demand year-round network availability. Therefore, few companies will be willing to take the network offline for a painful IPS implementation. To support and protect "round-the-clock" business requirements, IPS devices must be easy to install, remain transparent to normal network traffic, and provide immediate protection against malicious code propagation, denial-of-service attacks, and hacking exploits.

2. Provides flexible configurations for different networking needs. Every IT department will have different requirements for adding an internal security device. Some will want the device to remain passive, while others will want maximum protection immediately. The IPS must have the ability to be configured for specific protection needs so users can choose the configuration that best meets business security demands.

3. Protects against a wide range of attacks. Because IPS devices monitor Internet protocol packets, they should have the ability to block different attacks over time. At a minimum, an IPS must provide protection against protocol anomalies; known attacks, such as probes, scans, and backdoors; malicious code, including worms, viruses, and Trojans; peer-to-peer traffic; and denial-of-service attacks. Advanced IPS applications also must be able to enforce compliance with network flow policies and watch for suspicious tunneling using Internet protocol version 6, also known as IPv6 tunneling. Finally, to protect against zero-day and customized attacks, IPS devices must use a combination of signatures and behavioral heuristics to detect security threats.

4. Offers a range of performance options. Years ago, many companies connected to the Internet with minimal performance requirements, ranging from 1.5 to 45 megabytes per second. However, as intrusion prevention becomes an enterprise network service, IPS devices must support larger bandwidth requirements, ranging from 100 megabyte local area networks to 1 gigabyte wide area networks. IT departments must also have ample choices in terms of port density, so they can match security protection with network configurations and budget restrictions.

5. Meets enterprise architecture and management needs. A companywide IPS requires dozens of geographically distributed devices. IT security managers must have the ability to deploy, configure, and administer these systems through centralized management and policy tools. In addition, the IPS application must have a centralized functionality that includes detailed reporting and audit capabilities, so organizations can monitor events and controls that support regulatory compliance requirements.

Once an IPS is purchased and installed, auditors need to review the system's configuration controls. First, auditors need to determine that only authorized employees have administrative access rights to the system and that those rights are segregated from operational responsibilities. Second, IT auditors need to assess the rationale for configuration changes that alter the IPS's activities or functionality. For example, is the system blocking attacks in a way that protects the entire network or just certain network segments? Finally, auditors should review IPS log files to understand their role in overall security. When combined with log files from firewalls, networking equipment, servers, and applications, IPS logs can help provide a more comprehensive picture of normal versus anomalous network use patterns.
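As an added illustration of the final audit step, correlating IPS logs with firewall logs, here is example code that is not part of the original article: it joins constructed IPS alerts with constructed perimeter firewall decisions per source address and surfaces two questions the text raises (did traffic the IPS blocked pass the perimeter firewall, and which sources only segment-level sensors ever see). The key=value log format, sensor names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article); a generic key=value
# format is assumed for both the IPS sensors and the perimeter firewall.
IPS_LOG = """\
2007-08-01T10:00:01 ips=edge-1 action=block sig="TCP port scan" src=203.0.113.5 dst=192.0.2.10
2007-08-01T10:00:07 ips=edge-1 action=alert sig="HTTP protocol anomaly" src=203.0.113.5 dst=192.0.2.20
2007-08-01T10:01:12 ips=core-2 action=block sig="Worm propagation attempt" src=10.1.4.22 dst=10.1.9.3
2007-08-01T10:02:30 ips=edge-1 action=alert sig="P2P client traffic" src=10.1.7.8 dst=198.51.100.77
"""
FW_LOG = """\
2007-08-01T10:00:00 fw=perimeter action=allow src=203.0.113.5 dst=192.0.2.10 dport=80
2007-08-01T10:00:06 fw=perimeter action=allow src=203.0.113.5 dst=192.0.2.20 dport=80
2007-08-01T10:00:09 fw=perimeter action=deny src=198.51.100.9 dst=192.0.2.10 dport=23
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """key=value lines -> dicts; the first token on each line is the timestamp."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in KV.findall(rest)}
        ev["ts"] = ts
        events.append(ev)
    return events

def correlate(ips_log, fw_log):
    """Per source IP: what the IPS sensors saw and what the firewall decided."""
    profile = defaultdict(lambda: {"ips": [], "fw_allow": 0, "fw_deny": 0})
    for ev in parse(ips_log):
        profile[ev["src"]]["ips"].append((ev["action"], ev["sig"], ev["ips"]))
    for ev in parse(fw_log):
        profile[ev["src"]]["fw_" + ev["action"]] += 1
    return dict(profile)

def review_findings(profile):
    """Sources the IPS blocked after the firewall allowed them (perimeter policy
    gap), and sources only the internal sensors ever saw (segment coverage)."""
    passed_firewall, internal_only = [], []
    for src, p in profile.items():
        blocked = any(a == "block" for a, _, _ in p["ips"])
        if blocked and p["fw_allow"] > 0:
            passed_firewall.append(src)
        if p["ips"] and p["fw_allow"] + p["fw_deny"] == 0:
            internal_only.append(src)
    return sorted(passed_firewall), sorted(internal_only)
```

Calling `review_findings(correlate(IPS_LOG, FW_LOG))` on the constructed data returns the external scanner the perimeter admitted, and the two internal hosts that only the core sensor can see.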
