
Maximizing IDS/IPS implementations

This tip looks at problems administrators face when implementing IDS/IPS systems and provides suggestions on how to increase the amount of valid information they provide.

Anomaly detection is an important part of any layered security solution. Intrusion detection, intrusion prevention and log analysis systems can be critical to identifying trouble areas and potential security breaches. However, when not properly configured, the technology is as useful as a $10,000 paperweight.

Perhaps the biggest problem facing users of IDSes/IPSes is the onslaught of false positive alerts they can generate when not properly configured, tuned and maintained. Let's face it, if you take an IDS off the shelf and plug it into a network of any significant size, you'll be quickly overwhelmed by hundreds (if not thousands) of alerts -- many of which may be meaningless in your environment. It's important that IDS/IPS administrators take time to tune their system well. Here are some things you should do:

  • Administer systems properly. When using an IDS/IPS that depends upon anomaly detection, ensure that the system has a reasonable definition of what's "normal" in order to help it effectively detect what's "abnormal." To that end, make sure the system runs in training mode during periods of routine network/system utilization. If the computing environment has different patterns of activity (say, a peak sales season and year-end accounting activity), ensure the training period covers each of those and use multiple training periods if necessary.

  • Tune out irrelevant alerts. Many security products provide fantastic detail on the alerts they generate. Unfortunately, much of that detail is irrelevant for a large number of networks. Be sure to tune the alerts so they reflect the "ground truth" of your network. For example, if it's not running any instances of Microsoft SQL Server, the IDS/IPS shouldn't be monitoring for SQL Server exploits -- that's just asking for false positives!

  • Learn from past mistakes. Every system is going to generate false positive alerts. That's just a fact of life with today's security tools. There is, however, a silver lining if you take the time to analyze the false positives generated by your system and use the results of that analysis to retune the system. For example, if a system constantly generates IDS alerts based upon legitimate file sharing activity between two known hosts, consider excluding those communications from the rule that triggers the false positive alerts. Simple changes like these will make life as an administrator much more pleasant in the long run!
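The second and third steps above, applied to a constructed alert log as an added example (not code from the article or any product): alerts whose signature family targets a service the inventory says is not present are dropped, the remaining alerts are ranked by (signature, source, destination) so the noisiest repeat offenders can be reviewed, and a reviewed host pair is then suppressed. The log line format, hostnames, signature names and the SERVICES_PRESENT inventory are all assumptions.

```python
"""Added example: first-pass IDS alert triage on a constructed log.
Line format assumed: '<timestamp> <signature> <src> -> <dst>'."""
from collections import Counter

# Constructed sample alerts; signature names are made up for the example.
SAMPLE_ALERTS = """\
2005-08-01T10:00:01 MSSQL-Probe 10.1.1.5 -> 10.2.2.9
2005-08-01T10:00:03 SMB-Mass-Read fs01 -> wks17
2005-08-01T10:00:04 SMB-Mass-Read fs01 -> wks17
2005-08-01T10:00:06 SMB-Mass-Read fs01 -> wks17
2005-08-01T10:00:09 HTTP-DirTraversal 203.0.113.4 -> web01
2005-08-01T10:00:12 MSSQL-Probe 10.1.1.7 -> 10.2.2.9
"""

# Constructed inventory: service families actually run on this network.
SERVICES_PRESENT = {"SMB", "HTTP"}  # no SQL Server here

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        ts, sig, src, _, dst = line.split()
        alerts.append({"ts": ts, "sig": sig, "src": src, "dst": dst})
    return alerts

def drop_irrelevant(alerts, present):
    """Tune out alerts whose signature family targets a service we don't run."""
    return [a for a in alerts if a["sig"].split("-")[0] in present]

def noisiest(alerts, n=3):
    """Rank (sig, src, dst) triples by count: candidates for analyst review."""
    counts = Counter((a["sig"], a["src"], a["dst"]) for a in alerts)
    return counts.most_common(n)

def apply_suppressions(alerts, suppressions):
    """suppressions: set of (sig, src, dst) triples judged legitimate on review."""
    return [a for a in alerts if (a["sig"], a["src"], a["dst"]) not in suppressions]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    relevant = drop_irrelevant(alerts, SERVICES_PRESENT)
    print(f"{len(alerts)} alerts, {len(relevant)} after inventory filter")
    for (sig, src, dst), c in noisiest(relevant):
        print(f"{c:3d}  {sig} {src} -> {dst}")
    # After review: fs01 -> wks17 SMB reads are routine file sharing.
    tuned = apply_suppressions(relevant, {("SMB-Mass-Read", "fs01", "wks17")})
    print(f"{len(tuned)} alert(s) left for an analyst")
```

The suppression set stands in for whatever exclusion mechanism the IDS itself offers; the point is that it is derived from reviewed counts, not guessed.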

The second largest headache users face is storing and retaining the massive quantities of data these systems create. This is especially true when dealing with analysis of system event logs and audit trails. The ideal solution here is policy-based. Ensure that management lays out clear guidelines for what data must be retained and how long it needs to be kept. This is critical because an organization may be subject to a number of legal and/or regulatory requirements governing the storage and retention of logs. As a security professional, ensure that you're abiding by this policy to the letter. If data isn't stored long enough, your employer may be in danger of violating these retention requirements. On the other hand, if data is retained too long, the privacy rights of your constituents may be violated.

There's another problem inherent in accumulating these massive quantities of data -- someone needs to analyze it! If reviewing log files is part of your job, a log analysis tool can easily save time and increase the effectiveness of your analyses. Look for a tool that churns through almost any kind of log file and produces easy-to-read reports that help identify and investigate anomalies quickly. It should parse the audit trails of firewalls, network devices, operating systems, Web servers, intrusion detection/prevention systems and much more.

Security monitoring isn't easy work -- that's for sure! However, careful tuning of your systems combined with strong policy and analysis tools can save a great deal of headaches down the road!

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was last published in August 2005
