White paper network ids and ips deployment Strategies Nicholas Pappas

Download 2,67 Mb. Pdf ko'rish
bet	13/25
Sana	14.05.2024
Hajmi	2,67 Mb.
	#233760

1 ... 9 10 11 12 13 14 15 16 ... 25

10.Conclusions

As with any security product designed to protect information systems and the
data they process, there are limitations. If the intrusion detection or prevention
system lacks rules clever enough to detect traffic of interest the system will neither
send alerts nor drop packets appropriately. Keeping your signatures updated and
maintaining other rules intended to find exactly what you want is an ongoing
endeavor.
Another limitation is related to remediation of issues found with a monitoring
system. This is a task very difficult to automate. If the organization does not have a
viable means of responding to incidents and remediation efforts, being alerted on
such events is useless. Often times being able to respond in a timely fashion will
make the difference between an entire network virus infection and limiting
compromises to the fewest amount of systems. Along those lines, ignorance is bliss.
Without response personnel to resolve findings the monitoring systems shed light
on, the organization becomes increasingly liable for knowing about a problem but
not acting on or resolving it. These systems are not magic, they do require
maintenance and will benefit the organization only when coupled with trusted
analysts and personnel to help with remediation efforts. This remediation may
require modification of system configuration or in-depth investigations into system
compromises.
Nicholas Pappas
30
@ 2021 SANS Institute
Author Retains Full Rights

© SANS Institute 200
8
,
Author retains full rights.
© SANS Institute 200
8
, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
Strategic placement of the monitoring systems is crucial. If you are trying to
capture traffic local to your network, you may be missing it if you put it at the
network's border. Likewise if you only have one monitoring system, and more than
one connection linking your local area network to external networks. One important
network device you should be mindful of when selecting the optimal placement of
your IDS or IPS is a Virtual Private Network (VPN) concentrator. As traffic travels
through a VPN tunnel, it is encrypted and the IDS or IPS will not be capable of
conducting adequate analysis.
There are an increasing number of methods to evade intrusion detection.
While network intrusion detection and prevention systems are adapting to an ever
changing environment, the methods of evasion are as well. We must keep this in
mind when making a judgment call with respect to detecting an intrusion. One
should not rely too heavily on IDS or IPS logs. Feeling overly confident an intrusion
was avoided simply because such activity was not logged may be a costly mistake.
On the other hand, assuming the IDS or IPS is correctly classifying “malicious” traffic
when in fact the traffic is legit should be avoided as well. Having an analyst skilled
in decoding packets will help minimize these mistakes (packet decoding is
introduced in the SANS Security Essentials curriculum). In short, having too much
trust in any single security product is a recipe for failure.
In conclusion, deploying systems designed to monitor network activity will
bring about more awareness of the very nature in how the respective network
Nicholas Pappas
31
@ 2021 SANS Institute
Author Retains Full Rights

© SANS Institute 200
8
,
Author retains full rights.
© SANS Institute 200
8
, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
behaves, and what threatens its intended function. There is certainly not a shortage
of malicious traffic being transmitted across the Internet. Having a firewall at the
edge of a network is a nice piece of hardware to have protecting internal networks.
However, in information security there are no silver bullets. Network firewalls not
withstanding. It is crucial to have a layered preventive strategy. Defense in depth is
the only reasonable tactic with such adaptable threats being constantly presented to
information systems.
Nicholas Pappas
32
@ 2021 SANS Institute
Author Retains Full Rights

Download 2,67 Mb.

1 ... 9 10 11 12 13 14 15 16 ... 25

Download 2,67 Mb.

Pdf ko'rish