The case for the next-generation ips


Executive summary

A Next-Generation IPS (NGIPS) offers a logical and essential progression of capabilities needed to protect networks from emerging threats. Pioneered by Sourcefire, and now endorsed by Gartner, the NGIPS builds on typical IPS solutions by providing contextual awareness about network activity, systems and applications, people, and more to promptly assess threats, ensure a consistent and appropriate response, and reduce an organization's security expenditures.

The purpose of this paper is:

- To describe why NGIPS is critical in defending against today's threat landscape
- To list the essential ingredients of a NGIPS solution, as defined by Gartner
- To map Gartner's requirements against Sourcefire's NGIPS offering
- To contrast Sourcefire's NGIPS against a typical, first-generation IPS

Why Next-Generation IPS?

Organizations have been using network intrusion detection and prevention systems (IDS/IPS) for well over a decade. They've proven their worth in protecting networks from a wide range of threats. Network-based IDS and IPS systems are now viewed as essential elements of an overall network security strategy, and are mandated by many regulatory and audit frameworks.

These technologies have changed significantly over time, reflecting the evolving needs of users. At first, the industry intended for IDS to simply satisfy a security professional's need for information. Understanding what attacks were taking place, where they originated, and what assets were targeted was of immense value. As that knowledge was secured, systems evolved to add attack forensics capabilities crucial in prosecuting attackers. Soon, reporting and high-level analysis emerged as essential features to inform security staff of the potential effect of attacks and the effectiveness of defenses. As detection capabilities and accuracy improved, confidence in automated assessments led users to demand the ability to prevent, not just detect, attacks.
Network security continues to evolve with the needs of security administrators and executives. For example, IPS systems have generally focused on detecting attacks against servers and server-based applications. But today, attackers are increasingly employing attacks against clients using applications. As a result, the ability to identify and respond to attacks against a new set of targets is essential.

Data center constraints on space, power, and cooling, together with the potential efficiencies of multifunction security devices, have prompted considerable interest in consolidating network security devices. At the same time, the promise of increased flexibility and speed has driven expanded server virtualization programs. As was the case with previous changes in networking, all of these trends have served to further fuel the ongoing evolution of network security technologies.

How does this evolution affect IPS? The ability to identify, monitor, and inspect a wide range of client applications is increasingly critical to both security and compliance initiatives. Ready access to other types of contextual data, such as network behavior, user identity, and the resources used on the network, offers exceptional value when assessing and responding to attacks, and in maintaining defenses. Comprehensive support for virtualized networking environments is essential; that support should entail the ability both to provide visibility into the virtual environment and to operate within it. When selecting security technologies, organizations and vendors must balance the many potential benefits of consolidation with real-world issues of performance, varied security requirements in different portions of the network, and even budgetary constraints and technology refresh cycles.
Building on its pioneering work in network- and user-awareness technologies, and best-in-class attack detection capabilities, Sourcefire has now again led the industry in satisfying these requirements, with the creation of its Next-Generation IPS (NGIPS).

What Is A Next-Generation IPS?

According to Gartner [1], a next-generation network IPS, at a minimum, should have the following attributes:

- Inline, bump-in-the-wire configuration: Should never disrupt network operations.
- Standard first-generation IPS capabilities: Should support vulnerability- and threat-facing signatures.
- Application awareness and full-stack visibility: Should identify applications and enforce network security policy at the application layer.
- Context awareness: Should bring information from sources outside the IPS to make improved blocking decisions or to modify the blocking rule set.
- Content awareness: Should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files.
- Agile engine: Should support upgrade paths for the integration of new information feeds and new techniques to address future threats.

Importantly, the NGIPS does not include traditional enterprise network firewall capabilities. Many organizations will benefit from a security system that combines high-performing network inspection and control functions, such as a Next-Generation Firewall (NGFW). However, it's also clear such an offering isn't universally applicable. According to Gartner [1], the high end of the security market will tend to continue to use separate firewalls and IPSs, driven by complexity, desire for defense in depth and network operational considerations.

Sourcefire maximizes choice by providing systems offering a range of security functionality, across both physical and virtual platforms. This Agile Security strategy offers security teams a high degree of flexibility in deployment decisions, as well as the potential for significant capital and operational expense savings. The remainder of this paper will describe how Sourcefire's NGIPS solution meets and exceeds the requirements as defined by Gartner.
Inline, Bump-in-the-Wire Configuration

In the event of service disruption from a network IPS device configured for inline operation, perhaps caused by onboard hardware failure, software malfunction, or power loss, in most instances the network IPS should be configured to fail open so as not to cause disruption in network connectivity. In this case, ingress and egress interfaces of an interface set are mechanically bridged, thus continuing to pass traffic (without further inspection). Unlike other providers that offer limited or no fail-open interfaces, 100% of Sourcefire's purpose-built 3D Appliances come equipped with fail-open copper and/or fiber interfaces. This often negates the need to purchase expensive inline taps, saving considerable time and money.

Standard, First-Generation IPS Capabilities

Sourcefire is consistently recognized for offering the best protection in the business. Based on the award-winning open source Snort detection engine, which has rapidly become the most widely used IPS detection engine in the world today, Sourcefire has been recognized by NSS Labs as offering the industry's best overall protection among all major IPS providers for two years running. Results like these are a consequence of the rigorous development methodology employed by the Sourcefire Vulnerability Research Team (VRT), which is designed to maximize performance, eliminate false negatives, and minimize false positives.

Application Awareness and Full-Stack Visibility

Sourcefire is the first and only IPS provider to offer passive, real-time network intelligence gathering. Sourcefire FireSIGHT (formerly Sourcefire RNA) aggregates rich network intelligence in real time to enable security administrators to actually enforce corporate acceptable use policies (AUPs) regarding usage of approved operating systems and applications. This can be accomplished within Sourcefire's NGIPS solution through compliance rules and whitelists.
By limiting the operating systems and applications that can be used on the network, organizations can improve productivity and reduce risk by minimizing the network's attack surface.

Contextual Awareness

Accurate and timely detection of attacks is an essential requirement of an NGIPS. But equally important is deciding how to respond, or even whether to respond, to those attacks. Context, the complex set of circumstances that surround a specific attack, is a crucial element in assessing the risk posed by an attack, dictating the priority of the response. Sourcefire was the first vendor to deliver commercial IPS solutions that provided essential information about both the behavior and composition of a network under attack, as well as the identification of the specific individuals affected by a security incident.

Network Awareness

Contextual information about the network provides benefits by enabling proactive responses to developing situations before an attack or breach.

[1] Defining Next-Generation Network Intrusion Prevention, October 7, 2011, Gartner.

Sourcefire NGIPS provides continuous network visibility, including identification of new hosts as they join the network, network and host configuration changes, and compliance with IT policies. The experience of Sourcefire customers has shown the value of incorporating this contextual data into threat response and ongoing operational and administrative activities. For example, if certain operating systems, devices, or applications are not expected to exist in a network, protections related to those systems can be turned off, eliminating unneeded checks. However, if Sourcefire detects the emergence of an unexpected device, relevant protections can automatically be engaged, protecting the devices from attack while security staffers investigate the network addition.

Similarly, contextual data can be used when evaluating attacks for possible response. Sourcefire employs Impact Flags to guide security staff in identifying the most pressing attacks. Attacks against devices not susceptible to an exploit (an IIS exploit directed at an Apache server, for example) are of little operational concern. While the attack itself may be recorded to provide information for statistical and historical analysis, the NGIPS sets Impact Flags for such events to a low priority. This signals to security analysts and event responders that they can safely ignore the attacks. Experience has demonstrated that this approach reduces actionable events by up to 99%, delivering a dramatic productivity gain.

Augmenting the identifying information passively gathered by Sourcefire with specific knowledge about known vulnerabilities further refines the accuracy of Impact Flags. To that end, Sourcefire supports an application programming interface (API) that facilitates information sharing between vulnerability management systems (and other security and configuration management systems) and the NGIPS.
This enables users to share information with virtually any such system, and a fully tested and supported interface for the market-leading QualysGuard vulnerability management product is available.

| Flag | Meaning | Discussion |
|---|---|---|
| 1 - Red | Act immediately | Vulnerable: the targeted system is associated with a known vulnerability. |
| 2 - Orange | Investigate | Potentially Vulnerable: the targeted system either is known to operate the service associated with the attack (port-oriented traffic) or is known to use a protocol associated with the attack (non-port-oriented traffic). |
| 3 - Yellow | Information | Currently Not Vulnerable: the targeted system either has closed the associated port (for TCP/UDP traffic) or does not use the associated protocol (e.g., ICMP). |
| 4 - Blue | Information | Unknown Target: the host is known to exist, but no data regarding the system is available. |
| 0 - White | Information | Unknown Network: the target is located on a network which is not being monitored. |
| Gray | Information | Blocked: traffic was dropped by the NGIPS. |

Table 1. Sourcefire Defense Center correlates threats against target systems to assess the impact of security events, helping to reduce the number of actionable events by up to 99%.

Contextual data also helps enhance the performance of other network and system security programs. For example, the identification of new systems on a network enables patch management systems to evaluate their status, helping prevent insecure systems from exposing a network to unnecessary risks.

Application Awareness

Threats posed by specific applications, along with usage policies, prompt organizations to develop standards articulating the applications permitted on a given network or segment. For example, certain applications (typically file sharing, messaging, and social applications) pose a higher-than-acceptable level of risk. Sourcefire has long supported the ability to identify the use of applications and has led the market in delivering the ability to detect operating systems, virtual machines, consumer devices like smart phones and tablet computers, VoIP systems, network devices, printers, and more. This data, which is gathered passively in a way that poses no operational risks to the network, makes a broad range of compliance and policy enforcement initiatives possible.

Application awareness - representative sampling of applications identified: AIM, Clarizen, eharmony.com, etrade, Facebook, Gmail, Jabber, Lotus, Match.com, Myspace.com, NetBotz, Oracle, Outlook, Salesforce.com, Scottrade, Skype, Twitter, WebEx, Windows Messenger, Yahoo Mail.

Table 2. Sample applications detected by Sourcefire FireSIGHT technology.

Identity Awareness

Sourcefire NGIPS also provides essential information about users of a network, either individually or as members of groups. This data, available from both Microsoft Active Directory systems and a variety of open standards-based LDAP directory servers, is frequently used to identify the potential victims of an attack, speeding response. For example, most intrusion prevention and detection systems operate solely on the basis of an affected system's IP address. If a device has been compromised, it's often essential that security staff communicate with its owner. They may need to speak with the individual to investigate the circumstances of a breach, warn the individual of interruptions in network services, or prompt the person to undertake remediation and restoration efforts. With only an IP address to go on, those activities are delayed. The Sourcefire NGIPS automatically makes the connection between device and owner, and conveniently provides contact information that speeds and simplifies incident workflows.

Behavior Awareness

Behavior awareness works by establishing expected traffic baselines, an understanding of what type and amount of network traffic is normal. From there, the NGIPS monitors network activity, looking for unusual or anomalous traffic. Unexpected network traffic or connections might signal a botnet attempting to contact a command and control server, for example. Highlighting such events and responding to them, either automatically by quarantining compromised systems or by alerting trained individuals, aids in preventing system breaches and data loss. Behavior awareness also aids operations by monitoring bandwidth consumption and delivering troubleshooting information to help diagnose performance degradation.

Intelligent Automation

Automation is a critical emerging requirement for security systems of all types. The number of incidents, the complexity of networks, and the increasing criticality of compliance and standards initiatives all demand an NGIPS to respond to events in real time. Along with speeding response, intelligent automation can reduce costs, ensure a consistent response to events, and enable strained security staffs to focus their attention on only the most crucial and challenging problems. The Sourcefire NGIPS delivers multiple automation capabilities.
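The Impact Flag assignment in Table 1 can be expressed as a short correlation routine: each event is matched against what is passively known about the target host (open ports and their services, protocols in use, confirmed vulnerabilities) and against the monitored address space. The code below is an added example written for this page, not Sourcefire code; the host profiles, events, network range, service names and vulnerability labels are all constructed, and the choice to treat a host on a monitored network with no profile as flag 4 is an assumption.

```python
# Added example, not Sourcefire code: assigning an Impact Flag to an IPS event
# by correlating it with a passively gathered host profile, following the
# flag meanings in Table 1. All host profiles, events, network ranges and
# vulnerability labels below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HostProfile:
    ip: str
    os: str = ""                                             # "" when nothing is known yet
    services: Dict[int, str] = field(default_factory=dict)  # open port -> service name
    protocols: Set[str] = field(default_factory=set)        # non-port protocols seen, e.g. "icmp"
    vulns: Set[str] = field(default_factory=set)            # known vulnerability ids (constructed)

    def has_data(self) -> bool:
        return bool(self.os or self.services or self.protocols)


@dataclass
class Event:
    dst_ip: str
    protocol: str                         # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None        # None for non-port-oriented traffic
    target_service: Optional[str] = None  # service the signature is written for, e.g. "iis"
    vuln_ref: Optional[str] = None        # vulnerability id the signature covers, if any
    blocked: bool = False                 # True when the NGIPS dropped the traffic


# Flag -> meaning, as listed in Table 1
IMPACT_MEANING = {
    "gray": "Blocked",
    1: "Vulnerable",
    2: "Potentially Vulnerable",
    3: "Currently Not Vulnerable",
    4: "Unknown Target",
    0: "Unknown Network",
}

# Address space the sensor is assumed to watch (constructed)
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]


def impact_flag(ev: Event, hosts: Dict[str, HostProfile]):
    """Return the Impact Flag (1-4, 0 or "gray") for one event."""
    if ev.blocked:
        return "gray"
    addr = ipaddress.ip_address(ev.dst_ip)
    if not any(addr in net for net in MONITORED_NETWORKS):
        return 0                                   # Unknown Network
    host = hosts.get(ev.dst_ip)
    # Assumption: a host on a monitored network with no profile data is treated
    # like a host that is known to exist but has no data (flag 4).
    if host is None or not host.has_data():
        return 4
    if ev.vuln_ref and ev.vuln_ref in host.vulns:
        return 1                                   # known vulnerability present
    if ev.dst_port is not None:                    # port-oriented traffic
        svc = host.services.get(ev.dst_port)
        if svc is None:
            return 3                               # port closed
        if ev.target_service and svc != ev.target_service:
            return 3                               # e.g. IIS exploit aimed at Apache
        return 2
    return 2 if ev.protocol in host.protocols else 3   # non-port-oriented traffic


def triage(events: List[Event], hosts: Dict[str, HostProfile]) -> Dict[object, int]:
    """Count events per flag; only flags 1 and 2 need analyst attention."""
    counts: Dict[object, int] = {}
    for ev in events:
        flag = impact_flag(ev, hosts)
        counts[flag] = counts.get(flag, 0) + 1
    return counts


# Constructed inventory and event sample
HOSTS = {
    "10.0.1.10": HostProfile("10.0.1.10", "Linux", {80: "apache", 22: "ssh"}, {"icmp"}, {"VULN-APACHE-0001"}),
    "10.0.1.11": HostProfile("10.0.1.11", "Windows", {80: "iis"}, set(), {"VULN-IIS-0001"}),
    "10.0.1.12": HostProfile("10.0.1.12"),      # seen on the wire, nothing learned yet
}
EVENTS = [
    Event("10.0.1.10", "tcp", 80, "iis", "VULN-IIS-0001"),   # IIS exploit at an Apache box
    Event("10.0.1.11", "tcp", 80, "iis", "VULN-IIS-0001"),   # same exploit at a vulnerable IIS box
    Event("10.0.1.11", "tcp", 80, "iis", "VULN-IIS-0002"),   # IIS box, vulnerability not confirmed
    Event("10.0.1.10", "tcp", 443),                          # closed port
    Event("10.0.1.10", "icmp"),                              # host is known to answer ICMP
    Event("10.0.1.12", "tcp", 80),                           # no profile data
    Event("192.168.5.5", "tcp", 80),                         # outside monitored space
    Event("10.0.1.11", "tcp", 80, "iis", "VULN-IIS-0001", blocked=True),
]

if __name__ == "__main__":
    for ev in EVENTS:
        f = impact_flag(ev, HOSTS)
        print(ev.dst_ip, f, IMPACT_MEANING[f])
    print(triage(EVENTS, HOSTS))
```

Of the eight constructed events only three come back as flag 1 or 2; the rest are recorded but need no analyst action, which is the mechanism behind the reduction in actionable events the text describes. The ordering of the checks matters: a confirmed vulnerability outranks the port and service tests, and a blocked event is never escalated even if the target was vulnerable.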
Automated IPS Tuning

Multiple independent tests and the experience of countless security organizations have conclusively demonstrated that tuning intrusion detection and prevention rule sets is a critical activity for the most accurate results. But the typical tuning process requires the review of groups of rules (or, worse, even thousands of individual rules), to ensure that appropriate protections are in place. It's time consuming and represents a significant risk to network integrity if not performed promptly and accurately.

Sourcefire NGIPS uniquely eliminates the challenges of tuning by reliably automating the process. Since the Sourcefire NGIPS knows what operating systems and services are running on a network, it can automatically recommend the activation of only those rules relevant to the environment. Automated tuning helps eliminate unneeded checks as well, dropping rules that protect against attacks against nonexistent systems. With this automation, the Sourcefire NGIPS precisely balances sensor resources and performance. Importantly, Sourcefire NGIPS can implement its rule recommendations either automatically or after human review and approval.

Network Systems Management and Security System Integration

The typical organization, small or large, employs multiple management systems to deploy, monitor, and control information technology. Speedy, efficient responses to management issues routinely require the interaction of many of these systems.

[2] Requires integration with appropriate network switching and routing devices.
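The tuning logic described above, reduced to its essentials: derive the set of operating systems and services from the host inventory, keep only the rules whose targets actually exist, and either apply the recommendation automatically or only for the SIDs a reviewer approved. This is an added example, not Sourcefire code; the rule metadata, SIDs (in the local 1000000+ range), host inventory and the assumption that each rule carries a target OS set and a single target service are all constructed for illustration.

```python
# Added example, not Sourcefire code: recommending which IPS rules to enable
# from the operating systems and services discovered on the network, with the
# option to apply automatically or only after human approval. The rule
# metadata, SIDs and host inventory below are constructed.
from typing import Iterable, List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    sid: int
    description: str
    target_os: Set[str]      # empty set = applies to any operating system
    target_service: str      # service the rule inspects


class Host(NamedTuple):
    ip: str
    os: str
    services: Set[str]


RULES = [
    Rule(1000001, "IIS request handling overflow (constructed)", {"windows"}, "iis"),
    Rule(1000002, "Apache module overflow (constructed)", {"linux", "freebsd"}, "apache"),
    Rule(1000003, "SSH version probe (constructed)", set(), "ssh"),
    Rule(1000004, "DNS amplification query (constructed)", set(), "dns"),
    Rule(1000005, "Solaris telnet auth bypass (constructed)", {"solaris"}, "telnet"),
]

HOSTS = [
    Host("10.0.1.10", "linux", {"apache", "ssh"}),
    Host("10.0.1.11", "windows", {"iis"}),
]


def environment_profile(hosts: Iterable[Host]) -> Tuple[Set[str], Set[str]]:
    """Collapse the host inventory into the set of OSes and services present."""
    hosts = list(hosts)
    oses = {h.os for h in hosts}
    services = set().union(*(h.services for h in hosts))
    return oses, services


def rule_is_relevant(rule: Rule, oses: Set[str], services: Set[str]) -> bool:
    # OS check: unconstrained rules always pass; otherwise one target OS must exist.
    # Service check: the inspected service must be observed on at least one host.
    os_ok = not rule.target_os or bool(rule.target_os & oses)
    return os_ok and rule.target_service in services


def recommend(rules, hosts, currently_enabled) -> Tuple[List[int], List[int]]:
    """Return (sids to enable, sids to disable) relative to the current rule set."""
    oses, services = environment_profile(hosts)
    enable, disable = [], []
    for r in rules:
        relevant = rule_is_relevant(r, oses, services)
        if relevant and r.sid not in currently_enabled:
            enable.append(r.sid)
        elif not relevant and r.sid in currently_enabled:
            disable.append(r.sid)
    return sorted(enable), sorted(disable)


def apply_recommendations(currently_enabled, enable, disable,
                          auto_apply=False, approved=()) -> Set[int]:
    """Automatic mode applies everything; review mode applies only approved SIDs."""
    approved = set(approved)
    on = set(enable) if auto_apply else set(enable) & approved
    off = set(disable) if auto_apply else set(disable) & approved
    return (set(currently_enabled) | on) - off


if __name__ == "__main__":
    enabled = {1000001, 1000004, 1000005}
    enable, disable = recommend(RULES, HOSTS, enabled)
    print("enable:", enable, "disable:", disable)
    print("auto:", sorted(apply_recommendations(enabled, enable, disable, auto_apply=True)))
    print("reviewed:", sorted(apply_recommendations(enabled, enable, disable,
                                                    approved=[1000002, 1000005])))
```

The review mode is the safety valve: disabling a rule because a service was not observed is only as good as the passive inventory, so a reviewer can approve the enable recommendations while declining a disable (here the DNS rule) until the inventory is confirmed.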
Sourcefire offers customers more ways to enable the integration and interoperation of the NGIPS with other IT management systems than any other vendor:

- eStreamer API: Streams security and status events to security information and event management (SIEM) systems
- Remediation API: Supports interaction with routers, NAC devices and more to quarantine a problem system
- OPSEC: Offers capabilities similar to the Remediation API based on Check Point Software's Open Platform for Security, a proprietary SDK
- SYSLOG: Captures specific system log messages to forward to another system, sometimes used as a less comprehensive means of integration to SIEMs
- SNMP Traps: Alerts generated by way of the Simple Network Management Protocol (SNMP), the lingua franca of network and systems management solutions
- Host Input API: Obtains endpoint and vulnerability intelligence to augment data captured by Sourcefire NGIPS; this is the basis for the Sourcefire QualysGuard integration offering
- NetFlow: Provides access to routing and switch data flows from Cisco systems, used to support network behavioral detection processes
- LDAP: Access to Lightweight Directory Access Protocol-based directories, an (often open source) alternative to Microsoft's Active Directory

Compliance Reporting and Assessment

Maintaining and demonstrating compliance with governmental, industry group, and corporate audit standards is a time-consuming task. Sourcefire NGIPS automates this process using multiple approaches.

- Policy Enforcement: NGIPS enforces an organization's defined policies, considering attributes such as the network address, host information, user identity, device type, application or service, and more. Violations of these policy mandates can be addressed by the generation of alerts prompting further investigation, or more active enforcement such as quarantining a device [2].

- Whitelists: To speed the implementation of policy management programs, Sourcefire NGIPS is capable of evaluating the current condition (existing hosts, services, etc.) of the network and establishing that state as a baseline, known as a compliance whitelist. Future changes from the approved whitelist prompt alerts or other responses as appropriate.
- Compliance Reports: Customizable compliance reports reveal information regarding the number of network resources and/or users that are in compliance with mandates. By tracking these metrics, the security team can demonstrate progress towards achieving goals and prove compliance to auditors and regulators.

Remediation

Once Sourcefire NGIPS has identified an out-of-compliance system, it's necessary for the security team to respond and resolve the issue. Manually responding to the myriad of these issues in the typical network can cause a significant drain on staff. Users can automate many of these activities using the Remediation and OPSEC APIs supported by Sourcefire NGIPS. The APIs are highly flexible and support a range of possible responses. Examples include:

- Network Quarantine: Instruct network switches or routers to remove a device from the network, or constrain network access
- Vulnerability Assessment: Check the security stance of unknown or suspect devices by directing a vulnerability scanning system to conduct an examination
- Patch: Correct missing patches by submitting a system for automated updates through a patch management system

Workflows and Incident Response

Sourcefire NGIPS provides highly customizable, yet easy-to-use workflows for investigating security events. Workflows enable a consistent, standardized response to events and provide access to the information and tools needed to expedite their evaluation and resolution.
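The compliance whitelist workflow above (snapshot the current state as the baseline, then report deviations and a compliance figure for auditors) is small enough to show end to end. The following is an added example, not Sourcefire code: the two network snapshots, the host and service names, and the three violation kinds it reports are constructed for illustration.

```python
# Added example, not Sourcefire code: capturing the current network state as a
# compliance whitelist and flagging later deviations (new hosts, changed
# operating systems, unexpected services). Both snapshots are constructed.
from typing import Dict, FrozenSet, List, Tuple

Snapshot = Dict[str, Dict[str, object]]   # ip -> {"os": str, "services": set of str}


def build_whitelist(snapshot: Snapshot) -> Snapshot:
    """Freeze the observed state as the approved baseline. The sets are copied
    so later changes to the live snapshot cannot silently alter the baseline."""
    return {ip: {"os": h["os"], "services": set(h["services"])} for ip, h in snapshot.items()}


def check_compliance(whitelist: Snapshot, current: Snapshot,
                     allowed_new_services: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (violation_kind, ip, detail) tuples. Hosts that disappeared are
    reported as informational 'host_missing' entries rather than violations."""
    violations = []
    for ip in sorted(current):
        host = current[ip]
        base = whitelist.get(ip)
        if base is None:
            violations.append(("new_host", ip, str(host["os"])))
            continue
        if host["os"] != base["os"]:
            violations.append(("os_changed", ip, f"{base['os']} -> {host['os']}"))
        for svc in sorted(set(host["services"]) - set(base["services"]) - allowed_new_services):
            violations.append(("unexpected_service", ip, svc))
    for ip in sorted(set(whitelist) - set(current)):
        violations.append(("host_missing", ip, ""))
    return violations


def compliance_ratio(whitelist: Snapshot, current: Snapshot,
                     allowed_new_services: FrozenSet[str] = frozenset()) -> float:
    """Fraction of currently present hosts with no violation, for reporting."""
    bad = {ip for kind, ip, _ in check_compliance(whitelist, current, allowed_new_services)
           if kind != "host_missing"}
    return 1.0 if not current else (len(current) - len(bad)) / len(current)


# Constructed snapshots: the baseline scan and a later one
BASELINE_SCAN = {
    "10.0.1.10": {"os": "Linux", "services": {"apache", "ssh"}},
    "10.0.1.11": {"os": "Windows", "services": {"iis"}},
    "10.0.1.13": {"os": "Linux", "services": {"dns"}},
}
LATER_SCAN = {
    "10.0.1.10": {"os": "Linux", "services": {"apache", "ssh", "bittorrent"}},  # new service
    "10.0.1.11": {"os": "Windows", "services": {"iis"}},                         # unchanged
    "10.0.1.20": {"os": "Android", "services": set()},                           # new device
}

if __name__ == "__main__":
    wl = build_whitelist(BASELINE_SCAN)
    for v in check_compliance(wl, LATER_SCAN):
        print(v)
    print(f"compliant hosts: {compliance_ratio(wl, LATER_SCAN):.0%}")
```

Note that `allowed_new_services` lets the baseline be relaxed deliberately (an approved rollout) without rebuilding the whitelist, which keeps the audit trail between the original baseline and the exception explicit.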
Three types of workflow are supported:

- Predefined: Sourcefire-created workflows, applicable to a broad range of organizations and incident types
- Saved Custom: Modified versions of predefined workflows that have been altered to meet an organization's or team's unique requirements
- Custom: From-scratch workflow definitions created to address specific requirements

Content Awareness

The ability to detect threats is by far the most important aspect of any network IPS device. But today's threats are constantly evolving and more sophisticated than ever. Network security vendors must raise the bar by not only detecting more traditional threats (e.g., worms, Trojans, spyware, buffer overflows, denial-of-service attacks), but also threats embedded in content, such as Adobe PDFs and Microsoft Office files. Sourcefire leads the industry in preventing threats embedded in content within its NGIPS solution and its comprehensive Snort rules library.

Agile Engine

We are famously advised to trust, but verify. That axiom carries even more weight in the security community, where trust is a fundamental requirement. But even within the context of a trusted relationship, the ability to examine detection approaches and threat detection rules to understand exactly what's being inspected is a crucial requirement. Open systems and rules can be easily extended when default protections don't address unique security requirements. Open systems are easier to evaluate. Understanding and documenting detection capabilities may be necessary to demonstrate protection against an attack. Regardless of the motivation, open architectures enable the ready evaluation, validation, and customization of security protections. It's surprising, then, that so many vendors force customers into a closed, black-box architecture that in some cases can't even be customized. We're asked to trust, but are given no means to verify.
Since the original release of the Snort open source intrusion detection system, Sourcefire has championed an open architecture. This philosophy is one of the reasons the Snort detection engine, the basis for the commercial Sourcefire NGIPS offering, has become the most widely deployed intrusion prevention technology in the world. The Snort rule format, in the process, has become the de facto standard for the industry. Sourcefire NGIPS satisfies requirements for an agile engine in the following ways.

Default Detection Policies

Sourcefire offers the industry's most accurate default detection rates, according to independent tests performed by NSS Labs. Sourcefire offers three default detection policy options reflecting differing security needs to reduce configuration effort and shorten overall deployment time:

- Security over Connectivity: For cases where the integrity of network infrastructure supersedes user convenience, this is the highest level of default security with the largest number of protections and checks enabled.
- Connectivity over Security: Recommended when accessibility to resources and applications by individuals is the highest priority, this is the least restrictive option.

- Balanced Security and Connectivity: This option provides an optimal solution for the organization with typical security needs.

Custom Configurations

Along with these basic configurations, our open architecture provides opportunities to customize and refine both detection activities and overall policies to accommodate unique requirements. For example, users can divide Sourcefire rules into different categories, including those based on platforms, applications, services, specific threats, and many others. Users can also view, enable, or disable individual rules or groups of rules based on these categories. This makes it simple to modify default rule sets to reflect organizational needs.

The Sourcefire Defense Center also supports a hierarchical approach for implementing policies. With Policy Layering, administrators supplement Sourcefire-defined policy layers with their own custom layers. For example, broad security policies might be defined in a company-wide layer, while more specific limits would be placed in a site-specific layer. Higher-level policies take precedence over settings in lower policy layers. This is helpful for larger organizations with complex and/or extensive deployments because it reduces the effort required to implement policy changes across a large population of sensors.

Users can customize and modify individual rules in the Sourcefire NGIPS precisely to deliver needed detection and protection. Sourcefire NGIPS is based on the Snort rule format, the most widely used network intrusion rule format in the industry. As a result, the majority of Sourcefire-provided rules are completely customizable. Any customer can also create his or her own rules as needed, using a built-in Rule Editor.

Information Capture and Interpretation

Information capture was the first and remains a critical purpose of the intrusion prevention system. Sourcefire provides multiple event viewing and reporting facilities.
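Because the rule format is open, the three default policies above and the per-rule customization can be inspected directly: Sourcefire-supplied Snort rules record which default policy enables them in their `metadata` option (entries of the form `policy balanced-ips drop`). The parser below is an added example written for this page, not Sourcefire or Snort project code; it handles the rule header, the `;`-separated options with quoted and backslash-escaped values, and the policy metadata, then lists what each default policy would enable. The three rules it parses are constructed samples with SIDs in the local (1000000+) range, not rules from the Sourcefire library.

```python
# Added example, not Sourcefire or Snort project code: a small parser for the
# Snort rule format that reads the "metadata: policy <name> <action>" entries
# Sourcefire rules carry, and selects the rules a chosen default policy enables.
# The rules below are constructed samples with SIDs in the local (1000000+) range.
import re
from typing import Dict, List

HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$', re.S)


def split_options(body: str) -> List[str]:
    """Split the option body on ';' while honouring double quotes and backslash escapes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep escaped character verbatim
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                parts.append(tok)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tok = "".join(cur).strip()
    if tok:
        parts.append(tok)
    return parts


def parse_rule(text: str) -> Dict:
    """Parse one rule into header fields, sid, msg, policies and other options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule.update({"sid": None, "msg": "", "options": [], "metadata": {}, "policies": {}})
    for opt in split_options(m.group("body")):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "sid":
            rule["sid"] = int(value)
        elif name == "msg":
            rule["msg"] = value.strip('"')
        elif name == "metadata":
            for item in value.split(","):
                words = item.split()
                if len(words) == 3 and words[0] == "policy":   # e.g. policy balanced-ips drop
                    rule["policies"][words[1]] = words[2]
                elif len(words) >= 2:
                    rule["metadata"][words[0]] = " ".join(words[1:])
        else:
            rule["options"].append((name, value))
    return rule


def rules_for_policy(rules: List[Dict], policy: str) -> Dict[int, str]:
    """Map sid -> action for every rule the named default policy enables."""
    return {r["sid"]: r["policies"][policy] for r in rules if policy in r["policies"]}


# Constructed sample rules (local SID range), not Sourcefire library rules
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web admin path (constructed)"; '
    'flow:to_server,established; content:"/admin|3B|"; http_uri; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000010; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE SMTP long header (constructed)"; '
    'flow:to_server,established; content:"X-Example\\;"; isdataat:512,relative; '
    'metadata:policy security-ips alert, service smtp; sid:1000011; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe (constructed)"; '
    'flow:to_server,established; content:"|FF|SMB"; '
    'metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, '
    'service netbios-ssn; sid:1000012; rev:1;)',
]


def load_sample_rules() -> List[Dict]:
    return [parse_rule(r) for r in SAMPLE_RULES]


if __name__ == "__main__":
    parsed = load_sample_rules()
    for policy in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(policy, rules_for_policy(parsed, policy))
```

Running it shows the nesting the text describes: Connectivity over Security enables only the SMB rule, Balanced adds the web rule, and Security over Connectivity adds the SMTP rule as well (in alert rather than drop mode). Being able to compute this from the rule text itself is exactly the "verify" half of trust-but-verify.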
Sourcefire NGIPS remains one of the few systems on the market capable of efficiently capturing network packets associated with attacks. Unlike competitive offerings that require the use of standalone tools for examining packets, the Sourcefire NGIPS provides detailed displays for inspecting attacks directly within the management system. Regardless of the built-in capabilities of an NGIPS's reporting system, people often find it useful to transport alert data to another system for specialized processing, analysis, or reporting. For that reason, Sourcefire supports direct access to the underlying Defense Center database by third-party reporting tools.

Virtual Environments

As organizations embrace options for virtualization and cloud computing, new types of threats emerge and existing threats may change with the new environment. Sourcefire was the first and remains the only vendor to deliver a complete virtual network security solution, fully interoperable and compatible with its physical offerings. The following are available on VMware, Xen, and Red Hat platforms:

- Sourcefire Virtual Defense Center: Customers can leverage their investment in virtualization technology and support the operation of one or more Defense Center instances on a single physical host with this full-featured virtual appliance implementation of the Sourcefire Defense Center.
- Sourcefire Virtual 3D Sensor: Customers can use this feature-complete appliance to enhance the level of protection provided within virtual environments, to economically extend deployment of sensors to the far corners of the network, and to further take advantage of the cost and energy saving benefits associated with virtualization.

Inspection of Encrypted Traffic

Encrypted network traffic has emerged as a growing security concern. Ironically, this is partially a consequence of efforts to enhance the security of users and applications.
Encrypted links to browsers or applications and VPN connections keep authorized traffic safe from prying eyes and manipulation. But it also means required threat detection isn't being performed. In industries where security and integrity are crucial, such as finance, it's been observed that as much as 70% of all network traffic is encrypted. Lacking the ability to cost-effectively decrypt and re-encrypt traffic, most security gateways simply pass it on and hope it's attack free. This has created a large, and growing, blind spot.

Sometimes, encryption is used as a means of bypassing security controls. Anonymizing networks, file sharing, and ad hoc communication applications like instant messaging frequently exploit encryption to hide, leading to liability and compliance issues.

The typical IPS fails to provide a solution to these security challenges. A few products that do attempt to decrypt traffic do so using a software-based process executing directly on the device. Most organizations have discovered this approach is simply unworkable, since the processing demands of decryption drag down sensor performance to unacceptable levels. Additional security risks are created when, in an effort to boost performance, traffic is not re-encrypted after inspection.

The Sourcefire NGIPS overcomes these problems by employing a dedicated appliance for decryption (and re-encryption) of network traffic. In addition to providing optimal performance and reliability, the approach enhances flexibility by enabling deployment of the technology only as and where needed.

Conclusion

Security teams must address a variety of functional requirements in a diverse mix of network environments. Within an organization, the mix of inspection and control needs can vary considerably from the perimeter to the data center and within different network segments. Organizations are also at different points in their technology lifecycle and, unfortunately, acquisition and end-of-life activities don't generally mesh across products. For all of these reasons, it is essential that security teams be able to select from a mix of product offerings to best address their unique requirements.

As both technology and security threats evolve, it's essential that tools and systems intended to protect and defend resources keep pace. Sourcefire, the developer of Snort, the original and most widely deployed network intrusion prevention and detection system, has demonstrated a record of innovation and advancement unmatched in the industry. As organizations begin to consider requirements for additional capabilities and converged security infrastructure, Sourcefire will continue to lead the way.

To learn more, visit us at or contact Sourcefire or a member of the Sourcefire Global Security Alliance today.

Key capabilities compared (typical IPS vs. Sourcefire NGIPS): Inline IPS and Passive IDS Modes; Reports, Alerts & Dashboard; Policy Management; Advanced Policy Management; Custom Rules; Automated Impact Assessment; Automated Tuning; Host Profiles and Network Map; Network Behavior Analysis; User Identity Tracking.

Table 3. The Next-Generation IPS from Sourcefire significantly extends the capabilities of typical IPS products, delivering strong network security functions and fully meeting needs for an open architecture, full contextual awareness, and automation.

Sourcefire, Inc. All rights reserved. Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

REV2


More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

ForeScout ControlFabric TM Architecture

ForeScout ControlFabric TM Architecture ForeScout ControlFabric TM Architecture IMPROVE MULTI-VENDOR SOLUTION EFFECTIVENESS, RESPONSE AND WORKFLOW AUTOMATION THROUGH COLLABORATION WITH INDUSTRY-LEADING TECHNOLOGY PARTNERS. The Challenge 50%

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

White Paper. Why IDS Can t Adequately Protect Your IoT Devices White Paper Why IDS Can t Adequately Protect Your IoT Devices Introduction As a key component in information technology security, Intrusion Detection Systems (IDS) monitor networks for suspicious activity

More information

Protection - Before, During And After Attack

Protection - Before, During And After Attack Advanced Malware Protection for FirePOWER TM BENEFITS Continuous detection of malware - immediately and retrospectively Inline detection of sophisticated malware that evades traditional network protections

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

Symantec Security Monitoring Services

Symantec Security Monitoring Services 24x7 real-time security monitoring and protection Protect corporate assets from malicious global threat activity before it impacts your network. Partnering with Symantec skilled and experienced analysts

More information

Managed Endpoint Defense

Managed Endpoint Defense DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts

More information

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics Solution Overview Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics BENEFITS Gain visibility across all network conversations, including east-west and north-south

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS Security Without Compromise CONTENTS INTRODUCTION 1 SECTION 1: STRETCHING BEYOND STATIC SECURITY 2 SECTION 2: NEW DEFENSES FOR CLOUD ENVIRONMENTS 5 SECTION

More information

Help Your Security Team Sleep at Night

Help Your Security Team Sleep at Night White Paper Help Your Security Team Sleep at Night Chief Information Security Officers (CSOs) and their information security teams are paid to be suspicious of everything and everyone who might just might

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. Network IPS Overview Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. By using protocol recognition, identification, and traffic analysis

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

SIEM: Five Requirements that Solve the Bigger Business Issues

SIEM: Five Requirements that Solve the Bigger Business Issues SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered

More information

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Using Threat Analytics to Protect Privileged Access and Prevent Breaches Using Threat Analytics to Protect Privileged Access and Prevent Breaches Under Attack Protecting privileged access and preventing breaches remains an urgent concern for companies of all sizes. Attackers

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats

More information

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief RSA Solution Brief Managing Risk Within Advanced Security Operations RSA Solution Brief How do you advance your security operations function? Increasingly sophisticated security threats and the growing

More information

Security Information & Event Management (SIEM)

Security Information & Event Management (SIEM) Security Information & Event Management (SIEM) Datasheet SIEM in a nutshell The variety of cyber-attacks is extraordinarily large. Phishing, DDoS attacks in combination with ransomware demanding bitcoins

More information

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved. EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT An Insight Cyber White Paper Copyright Insight Cyber 2018. All rights reserved. The Need for Expert Monitoring Digitization and external connectivity

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance. Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved. NetWitness Overview 1 The Current Scenario APT Network Security Today Network-layer / perimeter-based Dependent on signatures, statistical methods, foreknowledge of adversary attacks High failure rate

More information

The Internet of Everything is changing Everything

The Internet of Everything is changing Everything The Internet of Everything is changing Everything Intelligent Threat Defense for the Enterprise Mobility Nikos Mourtzinos, CCIE #9763 Global Security Sales Organization Changing Business Models Any Device

More information

align security instill confidence

align security instill confidence align security instill confidence cyber security Securing data has become a top priority across all industries. High-profile data breaches and the proliferation of advanced persistent threats have changed

More information

Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions

Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions Data Sheet Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions Security Operations Challenges Businesses are facing daunting new challenges in security

More information

IPS-1 Robust and accurate intrusion prevention

IPS-1 Robust and accurate intrusion prevention Security Check Point security solutions are the marketleading choice for securing the infrastructure. IPS-1 Robust and accurate intrusion prevention Today s s operate in an environment that is ever changing,

More information

BUFFERZONE Advanced Endpoint Security

BUFFERZONE Advanced Endpoint Security BUFFERZONE Advanced Endpoint Security Enterprise-grade Containment, Bridging and Intelligence BUFFERZONE defends endpoints against a wide range of advanced and targeted threats with patented containment,

More information

Advanced Threat Protection Buyer s Guide GUIDANCE TO ADVANCE YOUR ORGANIZATION S SECURITY POSTURE

Advanced Threat Protection Buyer s Guide GUIDANCE TO ADVANCE YOUR ORGANIZATION S SECURITY POSTURE Advanced Threat Protection Buyer s Guide GUIDANCE TO ADVANCE YOUR ORGANIZATION S SECURITY POSTURE 1 Advanced Threat Protection Buyer s Guide Contents INTRODUCTION 3 ADVANCED THREAT PROTECTION 4 BROAD COVERAGE

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)

More information

BUILDING A NEXT-GENERATION FIREWALL

BUILDING A NEXT-GENERATION FIREWALL How to Add Network Intelligence, Security, and Speed While Getting to Market Faster INNOVATORS START HERE. EXECUTIVE SUMMARY Your clients are on the front line of cyberspace and they need your help. Faced

More information

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales The Industrialization of Hacking Sophisticated Attacks, Complex Landscape Hacking Becomes an Industry Phishing,

More information

Securing Your Amazon Web Services Virtual Networks

Securing Your Amazon Web Services Virtual Networks Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,

More information

INTELLIGENCE DRIVEN GRC FOR SECURITY

INTELLIGENCE DRIVEN GRC FOR SECURITY INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies

More information

Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc.

Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc. Security for the real World NG IPS Jean-Paul Kerouanton Sourcefire, Inc. Prepared for: Agenda Your Security Challenges About Sourcefire A New Approach How It Works Products & Services Questions & Next

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity

More information

Securing Your Microsoft Azure Virtual Networks

Securing Your Microsoft Azure Virtual Networks Securing Your Microsoft Azure Virtual Networks IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling

More information

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK PARTNER BRIEF ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK INTRODUCTION Attivo Networks has partnered with Cisco Systems to provide advanced real-time inside-the-network

More information

Comprehensive Database Security

Comprehensive Database Security Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought

More information

How can we gain the insights and control we need to optimize the performance of applications running on our network?

How can we gain the insights and control we need to optimize the performance of applications running on our network? SOLUTION BRIEF CA Network Flow Analysis and Cisco Application Visibility and Control How can we gain the insights and control we need to optimize the performance of applications running on our network?

More information

IBM Internet Security Systems Proventia Management SiteProtector

IBM Internet Security Systems Proventia Management SiteProtector Supporting compliance and mitigating risk through centralized management of enterprise security devices IBM Internet Security Systems Proventia Management SiteProtector Highlights Reduces the costs and

More information

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2 Requirement Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence

More information

AKAMAI CLOUD SECURITY SOLUTIONS

AKAMAI CLOUD SECURITY SOLUTIONS AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid

More information

NEXT GENERATION SECURITY OPERATIONS CENTER

NEXT GENERATION SECURITY OPERATIONS CENTER DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting

More information

Symantec Network Security 7100 Series

Symantec Network Security 7100 Series Symantec Network Security 7100 Series Proactive intrusion prevention device protects against known and unknown attacks to secure critical networks transition can be accomplished transparent to any network

More information

Rethinking Security: The Need For A Security Delivery Platform

Rethinking Security: The Need For A Security Delivery Platform Rethinking Security: The Need For A Security Delivery Platform Cybercrime In Asia: A Changing Environment & Shifting Focus Asia, more vulnerable to cybercrime because of diversity and breadth of countries

More information

ALIENVAULT USM FOR AWS SOLUTION GUIDE

ALIENVAULT USM FOR AWS SOLUTION GUIDE ALIENVAULT USM FOR AWS SOLUTION GUIDE Summary AlienVault Unified Security Management (USM) for AWS is a unified security platform providing threat detection, incident response, and compliance management

More information

SIEMLESS THREAT DETECTION FOR AWS

SIEMLESS THREAT DETECTION FOR AWS SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting

More information

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive

More information

FOR FINANCIAL SERVICES ORGANIZATIONS

FOR FINANCIAL SERVICES ORGANIZATIONS RSA BUSINESS-DRIVEN SECURITYTM FOR FINANCIAL SERVICES ORGANIZATIONS MANAGING THE NEXUS OF RISK & SECURITY A CHANGING LANDSCAPE AND A NEW APPROACH Today s financial services technology landscape is increasingly

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity

More information

The Convergence of Security and Compliance

The Convergence of Security and Compliance ebook The Convergence of Security and Compliance How Next Generation Endpoint Security Manages 5 Core Compliance Controls Table of Contents Introduction....3 Positive versus Negative Application Security....3

More information

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform APP-ID A foundation for visibility and control in the Palo Alto Networks Security Platform App-ID uses multiple identification techniques to determine the exact identity of applications traversing your

More information

Expert Reference Series of White Papers. Cisco Completes the Security Picture with Sourcefire

Expert Reference Series of White Papers. Cisco Completes the Security Picture with Sourcefire Expert Reference Series of White Papers Cisco Completes the Security Picture with Sourcefire 1-800-COURSES www.globalknowledge.com Cisco Completes the Security Picture with Sourcefire Rich Hummel, CCNA,

More information

McAfee epolicy Orchestrator

McAfee epolicy Orchestrator McAfee epolicy Orchestrator Centrally get, visualize, share, and act on security insights Security management requires cumbersome juggling between tools and data. This puts the adversary at an advantage

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

Case Study. Encode helps University of Aberdeen strengthen security and reduce false positives with advanced security intelligence platform

Case Study. Encode helps University of Aberdeen strengthen security and reduce false positives with advanced security intelligence platform Encode helps University of Aberdeen strengthen security and reduce false positives with advanced security intelligence platform Summary For the University of Aberdeen, protecting IT infrastructure serving

More information

Best Practices in Securing a Multicloud World

Best Practices in Securing a Multicloud World Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers

More information

CA Host-Based Intrusion Prevention System r8

CA Host-Based Intrusion Prevention System r8 PRODUCT BRIEF: CA HOST-BASED INTRUSION PREVENTION SYSTEM CA Host-Based Intrusion Prevention System r8 CA HOST-BASED INTRUSION PREVENTION SYSTEM (CA HIPS) BLENDS A STAND-ALONE FIREWALL WITH INTRUSION DETECTION

More information

with Advanced Protection

with Advanced  Protection with Advanced Email Protection OVERVIEW Today s sophisticated threats are changing. They re multiplying. They re morphing into new variants. And they re targeting people, not just technology. As organizations

More information

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location: Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security

More information

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n CYBETBIT in a Nutshell A leader in the development and integration of Cyber Security Solutions A main provider of Cyber Security solutions for the

More information

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments Trusted protection for endpoints and messaging environments Overview creates a protected endpoint and messaging environment that is secure against today s complex data loss, malware, and spam threats controlling

More information

Stopping Advanced Persistent Threats In Cloud and DataCenters

Stopping Advanced Persistent Threats In Cloud and DataCenters Stopping Advanced Persistent Threats In Cloud and DataCenters Frederik Van Roosendael PSE Belgium Luxembourg 10/9/2015 Copyright 2013 Trend Micro Inc. Agenda How Threats evolved Transforming Your Data

More information

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network Critical Infrastructure Protection for the Energy Industries Building Identity Into the Network Executive Summary Organizations in the oil, gas, and power industries are under increasing pressure to implement

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
