Network IPS Overview

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. By using protocol recognition, identification and traffic analysis, Intrusion Prevention Systems (IPS) detect, identify, alert on and protect your organisation from threats such as:

- Worms
- Spyware
- Peer to peer (P2P)
- Denial of service (DoS) and distributed denial of service (DDoS)
- Botnets
- Targeted attacks against Web applications
- Proprietary or sensitive data leaving the network
- Cross-site scripting
- SQL injection
- Buffer overflow
- Web directory traversal

Without IPS you may never know that you have been the victim of a malicious attack, or be able to discover any information about its nature. Interoute's IPS introduces an additional layer of defence into the infrastructure that not only detects but can also automatically mitigate such attacks and activity.

Interoute Communications Limited, June/2011, Version: 1.0
Technical Service Details

Interoute's intrusion prevention detects and blocks intrusion attempts, malicious code transmission and network-based threats without impacting your network's performance. The service operates transparently to the user and therefore does not require any reconfiguration of the existing network to which it connects. Inline deployment behind an Interoute managed firewall is the only supported, standard solution, as it achieves the highest degree of protection and manageability.

The IPS has the following attributes:

- Real time network analysis: discovers changes to the infrastructure dynamically.
- Client side application protection: protects end users against attacks that target applications used every day.
- Advanced network protection: advanced intrusion prevention, including DNS protection.
- Data security: monitoring and identification of unencrypted data.
- Web application security: protection for Web apps, Web 2.0 and databases.

Interoute's structured methodology for the implementation and operation of IPS services has been developed by our security professionals, who have extensive experience in intrusion analysis and attack and penetration techniques. The high-level methodology is as follows:

1. IPS Setup
   - Configure management, tuning, monitoring and alerting variables
   - Install recommended ruleset
2. Settling-in process
   - Automatically tune the IPS to the customer environment
   - Automatically refine the rules as a result of the learning process
3. Post installation process
   - Enable alerting and reporting
   - Enable threat protection

Our structured approach means that the IPS is introduced into your network in a controlled fashion, ensuring that it is tuned correctly and will not block your production traffic.
Customer Requirements

Interoute's Network IPS comes out of the box with protection for:

- Worms
- Spyware
- Peer to peer (P2P)
- Denial of service (DoS) and distributed denial of service (DDoS)
- Botnets
- Targeted attacks against Web applications
- Proprietary or sensitive data leaving the network
- Cross-site scripting
- SQL injection
- Buffer overflow
- Web directory traversal

Interoute will be responsible for all aspects of the IPS configuration management, including:

- Maintenance and modification of the IPS.
- Signature management and maintenance, with new IPS signatures scheduled for download on a daily basis from the vendor site to capture the latest threats as they are published.
- Platform updates, with patches and version upgrades applied on a monthly basis. The specific time of the update will be agreed with the customer.
- False positive reduction based on customer analysis and feedback from the monthly report, with a 5 day service window to implement required changes.

Note: SSL session traffic that terminates on a device behind the IPS sensor will not be scanned. The IPS sensor needs to see the traffic unencrypted in order to analyse it. All encrypted SSL traffic will be passed by the IPS sensor without action.

Supported Service Charges

The Interoute Network IPS service is billed as a combination of Non-Recurring Charges (NRC) and Monthly Recurring Charges (MRC). The main element on which the charges are based is the number of devices that are required to be covered by the service. This impacts both the type of hardware required (affecting mainly the NRC) and the cost of software licences and updates (affecting mainly the MRC).

Reporting

Interoute will provide you with a monthly IPS report that includes the following information relating to your specific managed IPS service:

- Top Events
- Top Targets
- Top Sources
- Event Activity Trend
- Security Information
Performance Statistics

Interoute will monitor the IPS and, in the event that the appliance does not respond to a poll or an error condition is identified, will investigate and remediate to return the IPS to normal service. Interoute also captures health status generated by the installed IPS to a centralised management system that provides command, control and monitoring capabilities.

When an alert is generated by the IPS it is automatically assessed using industry standard classifications and assigned a priority level (low, medium or high), along with the likely impact based on what the IPS has learned of the customer network (Real Time Network Analysis). Traffic must match both priority and impact for further assessment, as low / potentially vulnerable attacks most frequently contain false positives. This assessment determines the action taken and the speed and method by which the customer is informed. The scheme is described below:

Priority | Impact | Event Description | Action Taken
Low | Unknown | No direct threat, but may contain information indicative of attempted intrusion activity. | Store for a period of time for forensic purposes; view available on customer portal.
Medium | Currently Not | A malevolent packet (a deprecated attack or intrusive enumeration) sent to the target, representing no direct threat to operation. A medium alert would not impact the operation or the logical access controls of a system. | Automated event analysis. Trend analysis and correlation with other events available on customer portal.
High | Potentially | Attack on the target, representing a real potential threat and having an impact on the availability or security of a system and its data, e.g. service interruption, data integrity loss or data exposure, injection of malicious code or software. Significant evidence of ongoing actual system compromise. Multiple high events corroborated by supporting system evidence (e.g. defaced website, system unavailable or maxed bandwidth/CPU). | Target must be analysed by the customer to identify whether it was compromised or a false positive. Escalation to the customer.
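The assessment scheme above worked through in Python, as an added example that is not Interoute's code or event format: constructed events are classified by their priority/impact pairing, a target is escalated only when more than one High/Potentially event is corroborated by recorded system evidence, and escalated events are checked against the 30 minute Email Alert window from the Event to Alert table that follows. The tuple layout, the reading of the escalation rule and tying the 30 minute window to escalated events are assumptions.

```python
from datetime import datetime, timedelta
# Constructed events as (timestamp, target, priority, impact), following the
# assessment scheme above. The escalation reading and tying the 30 minute
# Email Alert window to escalated events are assumptions, not Interoute's format.
SCHEME = {  # (priority, impact) -> (action taken, maximum event-to-alert time)
    ("Low", "Unknown"): ("store_for_forensics", None),
    ("Medium", "Currently Not"): ("automated_analysis", None),
    ("High", "Potentially"): ("escalate_to_customer", timedelta(minutes=30)),
}

def classify(ev):
    """Return (action, alert_deadline). Priority and impact must both match a
    row; any other pairing (e.g. Low priority on a potentially vulnerable host)
    is treated as a likely false positive and only stored for forensics."""
    ts, _, priority, impact = ev
    action, sla = SCHEME.get((priority, impact), SCHEME[("Low", "Unknown")])
    return action, (ts + sla if sla else None)

def escalations(events, evidence):
    """Targets to escalate: more than one High/Potentially event on a target,
    corroborated by supporting system evidence (defaced website, system
    unavailable, maxed bandwidth/CPU) recorded for that target."""
    highs = {}
    for ev in events:
        if classify(ev)[0] == "escalate_to_customer":
            highs[ev[1]] = highs.get(ev[1], 0) + 1
    return sorted(t for t, n in highs.items() if n > 1 and evidence.get(t))

def late_alerts(events, notified):
    """Targets whose 30 minute alert window was missed; notified maps
    target -> time the customer was informed (absent if never)."""
    late = set()
    for ev in events:
        _, deadline = classify(ev)
        when = notified.get(ev[1])
        if deadline and (when is None or when > deadline):
            late.add(ev[1])
    return sorted(late)

T0 = datetime(2011, 6, 1, 12, 0)  # constructed timestamps
EVENTS = [
    (T0, "www", "High", "Potentially"),
    (T0 + timedelta(minutes=5), "www", "High", "Potentially"),
    (T0, "db", "High", "Potentially"),
    (T0, "mail", "Low", "Potentially"),  # partial match: stored only
    (T0, "dns", "Medium", "Currently Not"),
]
EVIDENCE = {"www": "defaced website"}  # nothing recorded for db
NOTIFIED = {"www": T0 + timedelta(minutes=20), "db": T0 + timedelta(minutes=45)}
```

With the constructed data, only www (two corroborated High events) is escalated, and db is the one target whose 30 minute alert window was missed.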
The Event to Alert time defines the maximum time between the moment the alarm is raised on the IPS platform, its analysis, and the information being communicated to you, the customer. These are shown in the table below:

Threat Level | Communication Media | Time (Alert to Response)
 | Email Alert | 30 Minutes
Potentially | Daily Email Report | N/A
Not / Unknown | Monthly Report | N/A

Supported Service Options

- CIR selectable from 100Mbps through to 1Gbps (up to 20Gbps available as a custom order)
- Virtual IPS appliances for customers with VMware ESXi virtual machines hosted within an Interoute data centre, with up to 100Mbps CIR
- Fully managed service with customer access to a customer-specific area of the management platform
- Management of standard (vendor supplied) rules: disabling rules to manage false positives, or enabling rules
- Custom rules, alerting and reporting available as a professional services engagement
- DMZ inspection available provided the hardware meets the requirements to support the Interoute standard DMZ service (Medium and Large sized IPS only)

Unsupported Service Options

- Features other than IPS and RNA

Product Codes

Interoute's intrusion prevention systems are selected by specifying a committed information rate and the required interface format; these are referred to as SVC-IPSI (IPS inspection points).

Sizing | Committed Information Rate | Maximum supported inspection points (SVC-IPSI) | Supports DMZ service | Product Code
Small | 100Mbps | 1 | No | CON-SF3D7030
Medium | 500Mbps | 2 | Yes | CON-SF3D7120
Large | 1Gbps | 2 | Yes | CON-SF3D8120

How to order

Order through an Interoute Account Manager.

More information

For product enquiries please consult the Security Services Product Manager.