What gets through your firewall?
November 03, 2011 | POSTED BY BRETT EDGAR IN UNCATEGORIZED
(Or: How burned is your network?)
One of my colleagues noted in an earlier article that there is a common misconception "that perimeter security alone is enough" to defend the security of a network. The most popular perimeter device is the much-hyped firewall. But firewalls are a mid-1990s invention. Does anyone really want to stake the defense of their network on nothing more than one device whose technology was developed over a decade ago and hasn't changed much since? Of course not.
So when firewalls were found to be an incomplete solution, some smart researchers stepped up with the Intrusion Detection System (IDS) and its evil twin, the Intrusion Prevention System (IPS). Where a firewall generally looks only at the addressing information of a packet, an IDS looks deeper inside the packet (or flow) to see what content it is carrying. The IDS attempts to match the content to a set of known rules, flagging the packet (or flow) when a match is made. This generates an alert which gets written to a file, database, or some other storage medium. These alerts can be purely informational (e.g., alerting to a computer participating in a P2P file sharing network) or they can indicate malicious intent (e.g., a computer on the corporate network attempting to automatically infect other computers with a worm). But this is where an IDS stops: it is up to another process (usually a human) to analyze the data and decide what it means.
Enter the IPS. The IPS attempts to actively block traffic it determines to be of malicious intent. But remember I said that the IPS is the IDS's evil twin? That's because an IPS will quite often erroneously block legitimate traffic. As a result, if an IPS is being used at all, it is usually modified to have a very small set of very specific rules installed looking at a very specific subset of network traffic (and thereby leaving a large set of traffic unprotected). This way, legitimate connections are not arbitrarily blocked. Even more rarely would an IPS be installed in front of an organization's Internet-facing services like Web and E-mail, because who really wants an automated process guessing at whether or not a connection from a potential customer is nefarious? (Quick answer: No one.)
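A minimal sketch of the firewall / IDS / IPS distinction drawn above, added here as an illustration and not taken from the original post or from any product. The rule names, the allowed ports, and the sample packets are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Firewall: decides on addressing information only (here, the destination port).
ALLOWED_PORTS = {25, 80}

# IDS rules (constructed for this example): name, severity, content pattern.
RULES = [
    ("p2p-handshake", "info", re.compile(rb"\x13BitTorrent protocol")),
    ("cmd-exe-in-http", "malicious", re.compile(rb"cmd\.exe", re.I)),
]

def firewall_allows(pkt):
    return pkt.dst_port in ALLOWED_PORTS

def ids_alerts(pkt):
    """Match payload content against every rule; return (name, severity) pairs."""
    return [(name, sev) for name, sev, pat in RULES if pat.search(pkt.payload)]

def inspect(pkt, prevent=False):
    """Return (verdict, alerts). prevent=False is IDS mode, True is IPS mode."""
    if not firewall_allows(pkt):
        return "firewall-drop", []
    alerts = ids_alerts(pkt)
    if prevent and any(sev == "malicious" for _, sev in alerts):
        return "ips-drop", alerts   # IPS acts on the match with no human review
    return "pass", alerts           # IDS only records; an analyst decides

# Constructed sample traffic (documentation addresses, made-up payloads).
SAMPLES = {
    "telnet":   Packet("198.51.100.9", 23, b"login:"),
    "browse":   Packet("203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    "p2p":      Packet("192.0.2.44", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    "probe":    Packet("198.51.100.7", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    "customer": Packet("203.0.113.80", 80,
                       b"POST /support HTTP/1.1\r\n\r\nmsg=How do I open cmd.exe?"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9} IDS={inspect(pkt)} IPS={inspect(pkt, prevent=True)[0]}")
```

The `probe` and `customer` packets both pass the firewall and both match the same content rule, so in IPS mode the legitimate support request is dropped along with the probe; in IDS mode both are only alerted on and left for an analyst to tell apart.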
IT administrators quickly learned that an IPS is more trouble than it's worth for the small amount of security it may add to the network. A firewall, though, can only prevent the spread of a fire for so long. Eventually the inside of the network is going to get burned. Without the additional inspection capabilities of the IDS/IPS, the corporate network is a lot like a hot-air balloon in an air-cannon battle with fighter jets: big, slow, full of holes, and leaking.
And so IDSs remained a mainstay in the corporate environment. But a significant problem soon arose that slowed the wider deployment of IDSs: who is going to analyze the often enormous quantities of data that these devices generate? This problem of 'who' can be further subdivided into two pieces: qualification (the experience, on-going training and education in the art of managing, monitoring, and responding to IDS alerts); and time (the amount of time that must be spent by humans in the analysis of and response to IDS alerts). It is ridiculous to hire a techie off the street, sit them in front of an IDS console, and expect them to add much value in security to your network. Not to mention that the techie will inevitably be pulled off IDS monitoring to perform the network administration mission as soon as the organization wants to add a few new servers to the network.
Enter managed security services providers (MSSPs). For a competent IDS Security Analyst, an organization can expect to pay $65k in salary, plus benefits, plus all of the yearly training necessary to maintain the analyst's competency in the field. On the other hand, an organization can hire an MSSP at the same (or lesser) price and get multiple analysts monitoring the network. Even better, that MSSP will often provide the IDS if the organization does not yet have one. Better still is the fact that the organization does not have to pay the taxes, benefits, and training costs that would be necessary if it were to hire a security analyst directly.
I encourage everyone to not rely solely on firewalls to defend a network. I also encourage everyone to devote a large human component to the analysis of network security. Automated devices can only do so much, and they certainly can't (yet) synthesize data and context like a human. An IDS is an excellent addition to the defense-in-depth method of network security, but even in a small business organization it is imperative that a human be devoted full-time to analyzing and responding to the threats it highlights. If your organization can't afford the cost of an IDS Security Analyst, I strongly recommend that you consider hiring an MSSP.
Godspeed in your efforts to defend your networks!