Anomaly-based intrusion protection configuration and installation


David Jacobs
10.27.2009


Anomaly-based intrusion protection devices work by flagging network activity that departs from a baseline of normal, expected behavior. Because they do not depend on a signature of a known attack, they can catch previously unseen (zero-day) attacks, but only if the baseline is accurate. Installing and configuring a system that will recognize unexpected activity therefore starts with an understanding of the activity that is expected.

Monitoring the network for a few hours is not sufficient. Patterns of activity change over the course of a day and at different times of the month. Sample expected behavior during normal day-to-day operations and separately during end-of-month and end-of-year activities, and analyze each application in each of these periods; a single combined sample would make month-end batch traffic look anomalous and mid-month traffic look normal at month end.

To install anomaly-based intrusion protection, analyze network applications

The first step is to determine which applications run on the network. While it may seem that this step is unnecessary since the inventory of applications should already be up to date, that is not always true. Applications may have been running for years without any need for upgrade or support and may have been forgotten. A detailed inventory may never have been created or may not have been kept up to date. In any case, now is the time to create the inventory or update it.

Creating a profile of expected activity for each application is the next step. An accurate, detailed profile is based on an understanding of what the program does. For example, an application that checks customer credit each time a purchase is made will deliver a single customer record for each transaction, while a program that analyzes monthly patterns of purchases is expected to return much larger blocks of data. An end-of-month accounting application will typically not be accessed mid-month, so an access to it on the 15th is itself an anomaly worth flagging.

The profile should include a listing of the other systems and applications with which the application communicates. If user workstations connect with the application, document exactly which users and which workstations legitimately access the application.

After you create or update the network application profile, review the expected transaction rates. The application accessing customer records when a purchase is made will normally be executed at the rate of customer transactions. An attack may generate a rapid sequence of transactions. Each transaction may access just a single customer record and look exactly like a legitimate lookup, so no individual transaction is suspicious; only the rate of transactions reveals that an attack, such as an attempt to walk through the entire customer database one record at a time, is under way.
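The profile-and-rate checks described in the preceding paragraphs, as an added worked example that is not code from the original article. It learns a per-application profile (known client workstations, bytes per transaction, peak transactions per minute) from a sample of normal flow records, keys the profile by calendar period so that month-end behavior is kept separate from mid-month behavior, and then scores a later batch of records. The record format, the application names, the three-day month-end cutoff and the tolerance factors are all assumptions made for the example; the traffic samples are constructed, not captured.

```python
"""Per-application behaviour profile and anomaly scoring.

Added, constructed example (not code from the original article): a profile
of expected clients, record size and transaction rate is learned from a
sample of normal flow records, keyed by application and calendar period,
and a later batch of records is scored against it.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def period_of(ts):
    """Calendar period used to key the profile. End-of-month behaviour differs
    from mid-month behaviour; 'last three days of the month' is an assumed cutoff."""
    d = ts.date()
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    return "month_end" if (first_of_next - d).days <= 3 else "normal"


def _per_minute(recs):
    """Transactions per calendar minute."""
    return Counter(r["ts"].replace(second=0, microsecond=0) for r in recs)


def build_profiles(records):
    """Learn, per (application, period): the client hosts seen, the mean and
    spread of bytes per transaction, and the peak transactions per minute."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["app"], period_of(r["ts"]))].append(r)
    profiles = {}
    for key, recs in groups.items():
        sizes = [r["bytes"] for r in recs]
        profiles[key] = {
            "clients": {r["src"] for r in recs},
            "bytes_mean": mean(sizes),
            "bytes_sd": pstdev(sizes),
            "peak_rate": max(_per_minute(recs).values()),
        }
    return profiles


def score(records, profiles, rate_tolerance=2.0, size_sigma=3.0):
    """Return (reason, detail) alerts for a batch of records. The tolerance
    factors are assumed tuning knobs, not values from the article."""
    alerts = []
    groups = defaultdict(list)
    for r in records:
        groups[(r["app"], period_of(r["ts"]))].append(r)
    for key, recs in groups.items():
        prof = profiles.get(key)
        if prof is None:
            # Never baselined in this period, e.g. a month-end program run mid-month.
            alerts.append(("no_profile", key))
            continue
        limit = prof["bytes_mean"] + size_sigma * max(prof["bytes_sd"], 1.0)
        for r in recs:
            if r["src"] not in prof["clients"]:
                alerts.append(("unknown_client", (key[0], r["src"])))
            if r["bytes"] > limit:
                alerts.append(("oversized_record", (key[0], r["src"], r["bytes"])))
        for minute, n in _per_minute(recs).items():
            # Each transaction may look normal; only the rate gives it away.
            if n > rate_tolerance * prof["peak_rate"]:
                alerts.append(("rate_spike", (key[0], minute.isoformat(), n)))
    return alerts


def sample_baseline():
    """Constructed normal traffic: a credit-check application queried by three
    POS workstations at two lookups a minute mid-month, and a ledger
    application pulling large blocks for one accounting host at month end."""
    start = datetime(2009, 10, 15, 9, 0)
    recs = [{"app": "credit-check", "src": f"pos-0{i % 3 + 1}", "dst": "crm-db",
             "bytes": 500 + (i * 37) % 200, "ts": start + timedelta(seconds=30 * i)}
            for i in range(120)]
    month_end = datetime(2009, 10, 30, 22, 0)
    recs += [{"app": "ledger", "src": "acct-01", "dst": "erp-db",
              "bytes": 40_000 + 2_000 * i, "ts": month_end + timedelta(minutes=10 * i)}
             for i in range(6)]
    return recs


def sample_suspect():
    """Constructed traffic to score: an unknown workstation, an oversized pull,
    a burst of lookups in one minute, and the ledger app being hit mid-month."""
    t = datetime(2009, 10, 16, 14, 0)
    recs = [
        {"app": "credit-check", "src": "ws-99", "dst": "crm-db", "bytes": 550, "ts": t},
        {"app": "credit-check", "src": "pos-01", "dst": "crm-db", "bytes": 48_000,
         "ts": t + timedelta(minutes=1)},
        {"app": "ledger", "src": "acct-01", "dst": "erp-db", "bytes": 45_000,
         "ts": t + timedelta(minutes=2)},
    ]
    burst = t + timedelta(minutes=3)
    recs += [{"app": "credit-check", "src": "pos-02", "dst": "crm-db", "bytes": 600,
              "ts": burst + timedelta(seconds=5 * i)} for i in range(10)]
    return recs


def demo():
    """Score the constructed suspect batch against the constructed baseline."""
    return score(sample_suspect(), build_profiles(sample_baseline()))


if __name__ == "__main__":
    for reason, detail in demo():
        print(reason, detail)
```

Scoring the suspect batch produces four alerts: the unknown workstation, the single oversized record, the ten-lookups-in-one-minute burst (each lookup individually within profile), and the ledger application being used outside its month-end period. Scoring the baseline against its own profile produces none. Note that the rate check is exactly the one a legitimate sales surge would also trip; the tolerance factor is where that trade-off is tuned.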

Keeping the profiles up to date is a time-consuming task. Any change requires an update. Any time an application is added, an existing application is modified, new equipment is added, the network is modified, or transaction rates change to a significant degree, the change must be reflected in the profiles.

Simplify application profile updating by segmenting the network

Configuring all anomaly-based intrusion protection devices with profiles of all the applications is difficult. Doing so requires updating each device every time any application changes. The task can be made easier by grouping applications on the network so a single intrusion prevention device monitors network activity for a single application or small set of applications.

If multiple instances of an application are run, they should all be grouped on a single physical network link, subnet or virtual LAN (VLAN). In many cases, applications that interact intensively with each other should be grouped together. The intrusion-prevention device on that subnet or VLAN will be configured to recognize only the patterns of behavior expected for the single application or group of applications. Updating the configuration for that device need be done only when a change is made on that small set of applications. Responsibility for maintaining the configuration can be assigned to staff members responsible for the set of applications instead of requiring a central group to be responsible for monitoring all application changes and maintaining all configurations.

Virtualization would appear to make segmenting the network more difficult. Virtual machines (VMs) move from physical server to physical server as load increases or decreases or systems are taken down for maintenance. Grouping applications on a VLAN removes most of the difficulty: a VM keeps the same VLAN membership as it moves, provided the virtual switch port group on every host is tagged with that VLAN and every physical switch along the path trunks it, so verify the VLAN list on all hosts and switches before relying on migration. One caveat remains for the sensor itself: traffic between two VMs on the same physical host and VLAN is switched inside the hypervisor and never reaches the physical link, so an intrusion-prevention device fed only from a mirrored port on the physical switch will not see it. Feed the device from a virtual tap or the hypervisor's own port mirroring as well, or the profile for that VLAN will be built from, and enforced on, only part of the application's traffic.

Once installed and configured, anomaly-based intrusion protection is quite effective. But no technology is perfect. A cleverly constructed attack that keeps its transaction rate, record sizes and source hosts within the learned profile will not be flagged. False positives are also possible: a sudden increase in sales may drive legitimate activity past the expected transaction rate and appear to be an attack, so tune the thresholds against known busy periods and expect to investigate some alerts that turn out to be business as usual. Part 3 of this series examines integrating anomaly-based protection with other technologies.

About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.

