How to buy IPS: select an IPS device

Source: Internet
Author: User

Today's network threats are growing more severe, and new kinds of intrusion attacks keep appearing. The earlier OpenSSL vulnerability, for example, alarmed Internet users everywhere. What can users do about vulnerabilities that surface so suddenly? This is where the Intrusion Prevention System (IPS) comes in. An IPS is a protective device that works up to the OSI application layer; it can interrupt, adjust or isolate abnormal or harmful network intrusion attacks in real time. As a powerful application-layer complement to the firewall, the IPS is increasingly valued by users and network administrators and plays an ever larger role.

But how do you choose an appropriate IPS device, given complicated deployment environments, protection requirements at different scales and varied customization needs, so that it delivers the most value? Below I briefly explain the elements customers care about most, in the hope of offering some suggestions to readers who are purchasing IPS devices.

Performance: whether the device is a switch, a router or security equipment such as a firewall or IPS, the customer's first concern is usually performance. Rightly so: performance is the most intuitive indicator of a device's capacity and the most direct criterion for whether it meets the deployment requirements.

Because IPS devices provide application-layer protection, the performance that matters is application-layer performance (assuming, of course, that Layer 2 and Layer 3 forwarding capacity far exceeds the application throughput): throughput for real business protocols such as HTTP, FTP and SMTP. Also important are the device's HTTP session setup rate, HTTP concurrent connections, HTTP throughput and its figures for typical mixed-application scenarios. Any of these can become the bottleneck that restricts network resource allocation, user experience and server quality, and to some degree the efficient communication between application services.

Different deployments have different performance requirements, but the first principle is that the IPS's throughput must exceed the maximum bandwidth of the real network. Because an IPS sits inline, once it becomes a bottleneck it affects the whole network. In addition, the performance figures a vendor publishes generally come from internal tests with a single type of traffic, so they inevitably overstate what the device can do with the mix of applications found in a real environment. When purchasing, size against the actual traffic mix: the throughput a device sustains in a real network is sometimes only a fifth of the claimed figure, or even less.

Detection rate: if performance is the hard criterion for judging an IPS, the detection rate is the soft one. The detection rate is the proportion of attacks that the device detects and blocks out of the total number of attacks sent; it measures the breadth of vulnerabilities the device can detect and cover. Several test-equipment makers are developing products in this area; the security attack test components of BreakingPoint (BPS) are relatively complete and are an industry-standard way of measuring detection rate.

The quality of the device's attack signature library has a large effect on the detection rate. A good signature library is essential to the efficient operation of an IPS, and the vendor must provide regular signature updates to meet new protection requirements; mainstream security vendors all support this. While on the subject of detection rate, we propose a further pair of indicators that supplement the raw performance numbers: the full detection rate and the full-load detection rate. The full detection rate is the maximum throughput at which the device can still detect all known attacks; it examines the real throughput of the device while detection is working normally. The full-load detection rate is the attack detection rate measured at the device's maximum throughput. Together the two indicators give a truer picture of the device's processing performance than throughput alone.
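As an added example (not part of the original article), the following Python script computes the three indicators defined above from a table of load-test runs and applies the sizing rule from the performance section. The runs, their throughput figures and the 8,000 Mbps "datasheet" claim are constructed for illustration; they are not measurements of any real product.

```python
"""Evaluate an IPS from load-test results: detection rate, "full detection
rate" (the highest throughput at which every attack in the test set was still
blocked) and "full-load detection rate" (the share of attacks blocked at the
highest throughput the device reached)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TestRun:
    throughput_mbps: float  # application-layer throughput offered in this run
    attacks_sent: int       # attacks from the test suite replayed during the run
    attacks_blocked: int    # attacks the IPS actually blocked in the run


# Constructed test results for illustration, not measurements of a real device.
# The vendor datasheet for this imaginary box claims 8,000 Mbps.
CLAIMED_MBPS = 8000.0
RUNS = [
    TestRun(500.0, 1000, 1000),
    TestRun(1000.0, 1000, 1000),
    TestRun(2000.0, 1000, 1000),
    TestRun(4000.0, 1000, 930),   # detection starts to degrade under load
    TestRun(8000.0, 1000, 610),   # at the claimed figure, 39% of attacks pass
]


def detection_rate(run: TestRun) -> float:
    """Blocked attacks as a fraction of attacks sent, 0.0 to 1.0."""
    if run.attacks_sent == 0:
        raise ValueError("a run with no attacks has no detection rate")
    return run.attacks_blocked / run.attacks_sent


def full_detection_throughput(runs) -> float:
    """Full detection rate: highest throughput at which all attacks were blocked."""
    complete = [r.throughput_mbps for r in runs if r.attacks_blocked == r.attacks_sent]
    return max(complete, default=0.0)


def full_load_detection_rate(runs) -> float:
    """Full-load detection rate: detection rate in the highest-throughput run."""
    peak = max(runs, key=lambda r: r.throughput_mbps)
    return detection_rate(peak)


def usable_fraction_of_claim(runs, claimed_mbps: float) -> float:
    """How much of the datasheet number the device delivers with detection intact."""
    return full_detection_throughput(runs) / claimed_mbps


def fits_link(runs, link_mbps: float, headroom: float = 1.25) -> bool:
    """Sizing rule from the text: throughput with full detection must exceed the
    link's maximum bandwidth; headroom adds a safety margin for traffic growth."""
    return full_detection_throughput(runs) >= link_mbps * headroom


if __name__ == "__main__":
    print(f"full detection throughput : {full_detection_throughput(RUNS):.0f} Mbps")
    print(f"full-load detection rate  : {full_load_detection_rate(RUNS):.0%}")
    print(f"usable share of claim     : {usable_fraction_of_claim(RUNS, CLAIMED_MBPS):.0%}")
    for link in (1000.0, 2000.0):
        print(f"fits {link:.0f} Mbps link with headroom: {fits_link(RUNS, link)}")
```

On these constructed numbers the device keeps full detection only up to 2,000 Mbps, a quarter of the claimed figure, and at the claimed throughput it blocks 61% of the attacks: the datasheet number alone would have led to buying an undersized device for a 2 Gbps link.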

 

False positives and false negatives: when purchasing an IPS, the false positive and false negative rates are also important indicators. False positives come in two forms: the device identifies normal business traffic as an attack, whose most direct effect is that normal business cannot proceed; or it detects an attack but classifies it as the wrong event, that is, a misidentification. A false negative is the device's failure to identify an attack or intrusion at all, so that the attack slips through the net.

False positives have a large impact on the network. Consider a busy network where 10 alarms per second must be processed: the IPS is generating at least 36,000 alarms per hour, or 864,000 per day. If the attack signatures are poorly written, false positives among that volume cause legitimate traffic to be intercepted unexpectedly. If the traffic that triggers a false positive happens to be part of a customer's order, the outcome is easy to imagine: the customer's whole session is closed, and every subsequent legitimate attempt by the customer to reconnect to the enterprise network is dutifully intercepted by the IPS as well.
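As an added example (not from the original article), the script below runs an over-broad signature and a tightened one over a handful of constructed HTTP request lines, computes the detection rate and false positive rate for each, and simulates the session damage described above with an inline IPS that drops every later request from a client once one of its requests has alerted. The traffic, the two signatures and the block-on-alert policy are illustrative assumptions, not the behaviour of any particular product.

```python
"""What a badly written signature costs: confusion matrix over labelled requests
plus the collateral damage of an inline IPS that cuts a client off after an alert."""
import re
from urllib.parse import unquote

# Constructed sample traffic: (client address, request line, is it an attack?).
TRAFFIC = [
    ("10.0.0.5", "GET /search?q=select+committee+minutes HTTP/1.1", False),
    ("10.0.0.5", "GET /products?category=select-tools HTTP/1.1", False),
    ("10.0.0.5", "POST /cart/checkout HTTP/1.1", False),      # the customer's order
    ("10.0.0.9", "GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1", True),
    ("10.0.0.9", "GET /item?id=1%20OR%201%3D1-- HTTP/1.1", True),
    ("10.0.0.7", "GET /docs/how-to-select-a-plan.html HTTP/1.1", False),
    ("10.0.0.7", "GET /api/orders?id=42 HTTP/1.1", False),
]

# Over-broad signature: the bare word "select" anywhere in the request.
SIG_BROAD = re.compile(r"select", re.I)
# Tightened signature: SQL keyword sequences that normal URLs do not contain.
SIG_TIGHT = re.compile(r"\bunion\b\s+\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.I)


def alerts(sig: re.Pattern, request_line: str) -> bool:
    """Percent-decode the request line first so %20 or %3D cannot hide keywords."""
    return sig.search(unquote(request_line)) is not None


def evaluate(sig: re.Pattern, traffic) -> dict:
    """Confusion matrix, detection rate TP/(TP+FN) and false positive rate FP/(FP+TN)."""
    tp = fp = fn = tn = 0
    for _, line, is_attack in traffic:
        hit = alerts(sig, line)
        if hit and is_attack:
            tp += 1
        elif hit:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "detection_rate": tp / (tp + fn),
            "false_positive_rate": fp / (fp + tn)}


def dropped_legitimate_requests(sig: re.Pattern, traffic) -> int:
    """Inline IPS with a block-on-alert policy: once a client's request alerts,
    all of that client's later requests are dropped. Count the legitimate losses."""
    blocked_clients = set()
    lost = 0
    for client, line, is_attack in traffic:
        if client in blocked_clients:
            lost += 0 if is_attack else 1
            continue
        if alerts(sig, line):
            blocked_clients.add(client)
            if not is_attack:
                lost += 1   # the false positive itself is a dropped legitimate request
    return lost


if __name__ == "__main__":
    for name, sig in (("broad", SIG_BROAD), ("tight", SIG_TIGHT)):
        print(name, evaluate(sig, TRAFFIC),
              "legitimate requests dropped:", dropped_legitimate_requests(sig, TRAFFIC))
```

The broad signature misses one of the two attacks and flags three of the five legitimate requests; with block-on-alert, the customer at 10.0.0.5 loses the checkout request after an innocent search alerted, exactly the failure the text warns about. The tightened signature catches both attacks with no false positives on this sample, which is the property to test for with your own traffic before turning blocking on.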

Checking resistance to attack evasion: attack evasion, also called detection avoidance, is the most widely used and effective technique among deliberate, stealthy attacks. When an attacker discovers that the target is protected by an IPS or similar product, the attacker adjusts the attack's form or content according to the protocol characteristics or weaknesses of the target so that the IPS no longer recognizes it; examples include IP fragmentation, splitting the attack across TCP segments that must be reassembled, and HTML or URL encoding tricks. If the IPS cannot handle these correctly and effectively, such attacks expose the user's network resources to the attacker, reducing the security of the environment and increasing the risk of loss to the user's assets.

 

With the rapid development of the Internet and the steady advance of attacker skills, evasion techniques are becoming more diverse and more complex, and IPS devices must keep improving their defences against a growing list of them.
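As an added example (not part of the original article), the script below reproduces two of the evasions named above against a constructed path-traversal request: the attack string split across TCP segments delivered out of order, and the URL percent-encoded. A stateless per-packet matcher misses both; a detector that reassembles the stream and normalizes it before matching catches both. The signature, the requests and the reassembly policy are illustrative assumptions; the point of the exercise is the check to run against a candidate IPS, not a model of any vendor's engine.

```python
"""Two evasions from the text, payload split across TCP segments (delivered out
of order) and percent-encoding of the URL, against a stateless per-packet matcher
and a detector that reassembles the stream and normalizes it before matching."""
import re
from urllib.parse import unquote

# Signature for a classic path-traversal read; the requests are constructed.
SIGNATURE = re.compile(r"/etc/passwd")
ATTACK = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\n"
ENCODED_ATTACK = b"GET /cgi-bin/view?file=../../%65tc/%70asswd HTTP/1.1\r\n"
BENIGN = b"GET /cgi-bin/view?file=readme.txt HTTP/1.1\r\n"


def segment(payload: bytes, cuts):
    """Split a payload into TCP-style (seq, data) segments at the given offsets."""
    bounds = [0] + sorted(cuts) + [len(payload)]
    return [(start, payload[start:end]) for start, end in zip(bounds, bounds[1:])]


def straddling_segments():
    """Attacker's evasion: cut the request in the middle of the signature string
    and send the second half first."""
    cut = ATTACK.index(b"/etc/passwd") + 4          # "../etc" | "/passwd ..."
    return list(reversed(segment(ATTACK, [cut])))


def naive_detect(segments) -> bool:
    """Stateless per-segment matching on raw bytes: what a weak IPS does."""
    return any(SIGNATURE.search(data.decode("latin-1")) for _, data in segments)


def reassemble(segments) -> bytes:
    """Order segments by sequence number and require them to be contiguous;
    a gap or overlap is refused rather than guessed at."""
    stream, expected = bytearray(), 0
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq != expected:
            raise ValueError(f"segment at {seq} but expected {expected}")
        stream += data
        expected += len(data)
    return bytes(stream)


def normalize(stream: bytes) -> str:
    """Decode the way the protected web server will before the data reaches
    the application. One percent-decoding pass here; the number of passes
    must match the server, or the normalizer becomes its own source of errors."""
    return unquote(stream.decode("latin-1"))


def normalizing_detect(segments) -> bool:
    """Reassemble, normalize, then match: the behaviour to test an IPS for."""
    return SIGNATURE.search(normalize(reassemble(segments))) is not None


if __name__ == "__main__":
    for label, segs in (("plain", [(0, ATTACK)]),
                        ("straddling", straddling_segments()),
                        ("encoded", [(0, ENCODED_ATTACK)]),
                        ("benign", [(0, BENIGN)])):
        print(f"{label:10} naive={naive_detect(segs)} normalizing={normalizing_detect(segs)}")
```

When evaluating a device, replay the plain request first to confirm the signature fires at all, then the segmented and encoded variants; a product that only catches the plain form is the one the text warns will expose your network resources. Overlapping segments, where two packets claim the same sequence range with different data, are a further variant worth adding to the same harness, since the IPS and the target host may resolve the overlap differently.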

Reliable business assurance: important customers such as financial trading platforms and online shopping sites need guaranteed network availability, and they generally weigh availability far more heavily than the cost of building the network. Many vendors have invested heavily in high availability: power redundancy, link redundancy, data disaster recovery, dual-device deployment and bypass functions. If the IPS supports hot-standby deployment, configuration and policies are synchronized between the primary and secondary devices in real time and the standby takes over when the primary fails, keeping the customer's business running. Alternatively, if a single device supports hardware and software bypass, a temporary pass-through path is formed between its interfaces when the device loses power, its process crashes or it restarts, so that service continues, although uninspected, until the device recovers.

You might think that with bypass you do not need to buy two devices for HA. That is not the case. Dual-device hot standby not only synchronizes configuration but also synchronizes session state and can even share load; it achieves a genuine failover that customers never notice, which bypass cannot match, since bypass keeps traffic flowing only by giving up inspection entirely. So if your network reliability requirements are high and the budget allows, buy two!

Flexible audit and management: management covers many aspects; the two that users care about and use most often are monitoring and audit, and centralized management.

Network administrators' requirements for auditing security events and security log reports are growing rapidly. Previously it was generally enough for the device to report attack events in real time, keep detailed attack logs and offer multiple report templates with rich, detailed content. These reports no longer satisfy many customers. Dynamic policy adjustment driven by real-time attack events, automatic synchronization and backup of logs, custom report templates, Top N rankings, more flexible statistical analysis and friendlier interfaces can all be reasons for choosing one IPS over another.

In addition, a large system has many devices to manage, and centralized management raises efficiency considerably. A centralized management platform manages multiple devices at once, adjusts policies in batches and collects attack logs and reports for unified statistics. Mainstream vendors have launched their own centralized management platforms to support integrated network management; weigh this capability against the size of your network when purchasing.

In summary, IPS procurement can be guided by the points above: select devices by their performance, detection rate, false positive and false negative rates, full detection rate and the other indicators, and then by their management and functional features, to get the most value from your IPS.
