Manufacturers of intrusion prevention devices offer management packages that work in conjunction with their hardware devices. When choosing among available solutions, evaluation of the management package is as important as evaluation of the hardware.
In addition to device manufacturers' offerings, there is an open source package,
Intrusion prevention management software must contain logic to enable it to recognize false positives, occurrences that appear to be attacks but are not. Otherwise, operators can be overwhelmed and real attacks missed. The software must be easily configurable, so that once an apparent attack is determined to be a false positive, it will no longer be reported.
Similar events must be correlated and reported as multiple occurrences of a single type of attack. When a new attack type is launched, your network may be hit hundreds or even thousands of times within a few hours. Software that reports each occurrence will quickly overwhelm network managers. Software must also detect that a series of events constitutes a single attack and present it as such.
Management software must scale to support the size of the network. Intrusion prevention device manufacturers offer models of varying capacity to deal with a range of network sizes, but large networks require multiple units.
Management software must be capable of collecting information from all devices and presenting a unified picture of attacks on the network. Large multi-site networks are often managed by on-site staff with an additional layer of management staff viewing the entire network from a central site. For these networks, choose a vendor that offers tiered management capability in which local staff has visibility into attacks on their site, but central staff has the ability to view attacks across the network.
Intrusion prevention devices and management software must integrate with other network management products in order to present a unified view of the network. Large vendors offer tight integration with other components in their product line. For example, Cisco's CS-MARS product interfaces with Cisco firewalls, routers, switches and RADIUS servers to provide a comprehensive view of attacks on the network. Smaller vendors that focus only on intrusion prevention provide methods to integrate with products from other vendors and open source products. TopLayer Networks' Network Security Analyzer management product integrates with the NESSUS open source Linux vulnerability scanner and also provides XML outputs so it can be integrated with customer developed utilities.
Most management packages provide a graphical user interface (GUI) to make it quicker and easier for operators to grasp the status of the network. Views may be in the form of charts showing system status or rate of incoming attacks. Some GUIs offer a graphical view of the network with systems marked to show which are infected or which are under attack. Some packages enable operators to configure displays to meet individual preferences. Make sure to choose software that presents the views your operators need.
Compliance requirements such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) include requirements for specific types of reports. Intrusion prevention management software must be able to produce the reports needed for your environment.
In addition to reporting on attempted attacks, management software must take immediate action without operator intervention to stop attacks as they occur. Intrusion prevention devices are positioned along key network paths to block attack packets and prevent them from propagating through the network, but they cannot always stop attacks at source. For example, when intrusion prevention devices detect and report virus-carrying packets, management software can combine the reports to pinpoint their source. If the source is internal to the network, such as an infected laptop, management software can determine the switch to which it is connected and instruct the switch to shut off the appropriate port. Or, if the packets are coming from outside the network, management software can modify the filter configuration on the router connecting to the outside so that all packets from the source of the attack are blocked.
In deciding on an intrusion prevention solution, one must focus on more than the hardware devices. Equally important is management software that can address these requirements: It must present information in a concise manner, not overwhelming operators but at the same time presenting the information required in a way they can understand and act upon. It must be capable of scaling to the size of the network. It must integrate with other network components, including other network management software. It must react quickly and effectively to attacks. And, finally, it must be flexible so it can be adapted and upgraded to deal with the constant evolution of new types of threat.
About the author:
David B. Jacobs has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies, as well as software startups.
This tip originally appeared on SearchNetworking.com.
This was first published in June 2006