Page 225 - DCAP403_Operating System
Task: How will you implement security defenses on your system? Discuss.
11.9 Implementation Challenges
There are a number of challenges to the implementation of an IPS device that do not have to be
faced when deploying passive-mode IDS products. These challenges all stem from the fact that
the IPS device is designed to work in-line, presenting a potential choke point and single point of
failure.
If a passive IDS fails, the worst that can happen is that some attempted attacks may go undetected.
If an in-line device fails, however, it can seriously impact the performance of the network.
Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case
you have a self-inflicted Denial of Service condition on your hands. On the bright side, there will
be no attacks getting through! But that is of little consolation if none of your customers can reach
your e-commerce site.
Even if the IPS device does not fail altogether, it still has the potential to act as a bottleneck,
increasing latency and reducing throughput as it struggles to keep up with up to a Gigabit or
more of network traffic.
Devices using off-the-shelf hardware will certainly struggle to keep up with a heavily loaded
Gigabit network, especially if there is a substantial signature set loaded, and this could be a
major concern for both the network administrator – who could see his carefully crafted network
response times go through the roof when a poorly designed IPS device is placed in-line – and
the security administrator, who will have to fight tooth and nail to have the network
administrator allow him to place this unknown quantity amongst his high performance routers
and switches.
As an integral element of the network fabric, the Network IPS device must perform much like a
network switch. It must meet stringent network performance and reliability requirements as a
prerequisite to deployment, since very few customers are willing to sacrifice network performance
and reliability for security. A NIPS that slows down traffic, stops good traffic, or crashes the
network is of little use.
Dropped packets are also an issue: if even one dropped packet belongs to the exploit data stream,
it is possible that the entire exploit could be missed. Most high-end
IPS vendors will get around this problem by using custom hardware, populated with advanced
FPGAs and ASICs – indeed, it is necessary to design the product to operate as much as a switch
as an intrusion detection and prevention device.
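The following simulation is an added example, not code from the textbook or from any IPS product. It models an in-line device with an assumed fixed inspection budget per tick that tail-drops packets under overload, and a detector that (as an assumption made for illustration, not a claim about how real products reassemble) matches the signature on payload bytes in arrival order. The exploit pattern, flow labels and background requests are all constructed placeholders. When a middle segment of the exploit stream is dropped and later retransmitted, the receiving host reorders it by sequence number and gets the whole exploit, while the detector never sees the pattern contiguously.

```python
"""Simulated in-line IPS under overload.

Constructed example, not the textbook's code. An in-line device with a fixed
per-tick inspection budget tail-drops packets when overloaded. The sender
retransmits the lost TCP segment later; the receiving host reassembles by
sequence number and gets the whole exploit, while a detector that matched in
arrival order has lost the context and never sees the multi-packet signature.
"""
from dataclasses import dataclass, field

# Placeholder standing in for a real multi-packet exploit signature (constructed).
EXPLOIT_PATTERN = b"CONSTRUCTED-EXPLOIT-PATTERN"


@dataclass(frozen=True)
class Segment:
    flow: str        # constructed flow label, e.g. "10.0.0.5:4321->10.0.0.9:80"
    seq: int         # byte offset of this segment within the stream
    payload: bytes


@dataclass
class InlineIPS:
    """In-line device with an assumed capacity of budget_per_tick segments per tick."""
    budget_per_tick: int
    seen: dict = field(default_factory=dict)     # flow -> payload bytes in arrival order
    alerts: set = field(default_factory=set)     # flows on which the signature matched
    dropped: list = field(default_factory=list)  # segments lost to overload

    def process_tick(self, arriving: list) -> list:
        """Inspect and forward up to the budget; everything after that is tail-dropped."""
        forwarded = []
        for i, seg in enumerate(arriving):
            if i >= self.budget_per_tick:
                self.dropped.append(seg)         # lost in the queue: the sender must retransmit
                continue
            buf = self.seen.get(seg.flow, b"") + seg.payload
            self.seen[seg.flow] = buf            # naive: concatenates in arrival order, ignores seq
            if EXPLOIT_PATTERN in buf:
                self.alerts.add(seg.flow)
            forwarded.append(seg)
        return forwarded


def host_reassemble(segments: list) -> bytes:
    """The receiving TCP stack orders by sequence number, so it sees the complete stream."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def split_stream(flow: str, data: bytes, size: int) -> list:
    """Cut a byte stream into fixed-size segments carrying their byte offset as seq."""
    return [Segment(flow, off, data[off:off + size]) for off in range(0, len(data), size)]


def simulate(budget_per_tick: int) -> dict:
    """Push one exploit flow plus background flows through the device over two ticks."""
    victim = "10.0.0.5:4321->10.0.0.9:80"
    stream = b"GET /index.html " + EXPLOIT_PATTERN + b" HTTP/1.0\r\n"
    segs = split_stream(victim, stream, 12)      # the pattern straddles segments 1, 2 and 3
    # Constructed background requests competing for the same inspection budget.
    noise = [Segment(f"10.0.1.{n}:5000->10.0.0.9:80", 0, b"GET / HTTP/1.0\r\n") for n in range(6)]

    ips = InlineIPS(budget_per_tick)
    delivered = []
    # Tick 1: the first two exploit segments, then a burst of background traffic, then segment 2.
    delivered += ips.process_tick(segs[:2] + noise + [segs[2]])
    # Tick 2: the sender keeps sending its window (segments 3 and 4), then retransmits whatever
    # was dropped; the device has spare capacity now, so all of these pass.
    retransmits = [s for s in ips.dropped if s.flow == victim]
    delivered += ips.process_tick(segs[3:] + retransmits)

    host_bytes = host_reassemble([s for s in delivered if s.flow == victim])
    return {
        "dropped": len(ips.dropped),
        "ips_alerted": victim in ips.alerts,
        "host_received_exploit": EXPLOIT_PATTERN in host_bytes,
    }


if __name__ == "__main__":
    print("overloaded device:", simulate(budget_per_tick=6))
    print("device with headroom:", simulate(budget_per_tick=10))
```

With a budget of 6 segments per tick the device drops three segments, the host still receives the complete exploit, and the detector reports nothing; with a budget of 10 nothing is dropped and the signature fires. A reassembler that tracks sequence numbers removes the ordering problem but not the drop itself, which is why the text points to custom hardware that keeps the device from falling behind in the first place.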
It is very difficult for any security administrator to be able to characterize the traffic on his network
with a high degree of accuracy. What is the average bandwidth? What are the peaks? Is the traffic
mainly one protocol or a mix? What is the average packet size and level of new connections
established every second – both critical parameters that can have detrimental effects on some
IDS/IPS engines? If your IPS hardware is operating “on the edge”, all of these are questions that
need to be answered as accurately as possible in order to prevent performance degradation.
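The script below is an added example, not from the textbook, showing how the questions in the paragraph above can be answered from packet records before a device goes in-line. The capture is synthetic and constructed inline, the device ratings in `RATINGS` are assumed values, and the 80% safety margin in `check_headroom` is an assumed rule of thumb. It is built so that bandwidth looks comfortable while packet rate and new-connection rate, the two parameters the text singles out, are the ones that exceed the rating.

```python
"""Characterising network traffic before an IPS goes in-line.

Constructed example, not the textbook's code. From per-packet records it derives the
figures the text asks for (average and peak bandwidth, protocol mix, average packet
size, new connections per second) and compares the peaks with assumed device ratings.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture timestamp in seconds
    proto: str         # "tcp", "udp", "icmp", ...
    size: int          # bytes on the wire
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


def characterise(packets: list) -> dict:
    """Aggregate per-second buckets and return the traffic profile."""
    if not packets:
        raise ValueError("empty capture")
    bytes_per_sec = defaultdict(int)
    pkts_per_sec = defaultdict(int)
    syn_per_sec = defaultdict(int)
    protos = Counter()
    for p in packets:
        sec = int(p.ts)
        bytes_per_sec[sec] += p.size
        pkts_per_sec[sec] += 1
        syn_per_sec[sec] += int(p.syn)
        protos[p.proto] += 1
    seconds = max(bytes_per_sec) - min(bytes_per_sec) + 1   # whole seconds spanned
    total_bytes = sum(bytes_per_sec.values())
    return {
        "avg_bps": total_bytes * 8 / seconds,
        "peak_bps": max(bytes_per_sec.values()) * 8,
        "peak_pps": max(pkts_per_sec.values()),
        "peak_new_conn_per_sec": max(syn_per_sec.values()),
        "avg_packet_size": total_bytes / len(packets),
        "protocol_mix": {k: v / len(packets) for k, v in protos.items()},
    }


# Assumed vendor ratings for the device under evaluation (constructed values).
RATINGS = {"peak_bps": 100_000_000, "peak_pps": 5_000, "peak_new_conn_per_sec": 1_500}


def check_headroom(stats: dict, ratings: dict, safety: float = 0.8) -> list:
    """Names of the parameters whose measured peak exceeds `safety` times the rating.

    The 80% margin is an assumed rule of thumb, not a figure from the text.
    """
    return [name for name, rated in ratings.items() if stats[name] > safety * rated]


def constructed_capture() -> list:
    """Three seconds of synthetic traffic; second 1 carries a burst of short connections."""
    pkts = []
    for sec in range(3):
        for i in range(1000):                        # bulk transfer: large TCP segments
            pkts.append(Pkt(sec + i / 1000, "tcp", 1400))
        for i in range(200):                         # DNS-like UDP
            pkts.append(Pkt(sec + i / 200, "udp", 120))
        if sec == 1:                                 # many small packets and new connections
            for i in range(4000):
                pkts.append(Pkt(sec + i / 4000, "tcp", 64, syn=(i % 2 == 0)))
    return pkts


if __name__ == "__main__":
    stats = characterise(constructed_capture())
    for k, v in stats.items():
        print(f"{k:24} {v}")
    print("over rating at safety margin:", check_headroom(stats, RATINGS))
```

On the constructed capture the peak is only about 13 Mbit/s against a 100 Mbit/s rating, yet the burst of 64-byte packets pushes the packet rate to 5200/s and the connection rate to 2000/s, both past the assumed margins. Bandwidth alone would have passed the device; packet size and connection rate are what would have degraded it.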
Another potential problem is the good old false positive. The bane of the security administrator’s
life (apart from the script kiddie, of course!), the false positive rears its ugly head when an
exploit signature is not crafted carefully enough, such that legitimate traffic can cause it to fire
accidentally. Whilst merely annoying in a passive IDS device, consuming time and effort on
the part of the security administrator, the results can be far more serious and far reaching in an
in-line IPS appliance.
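To make the difference concrete, the following added example (not from the textbook) runs one loosely written signature and its tightened form over a constructed batch of requests, once as a passive sensor and once in-line. The requests, the exploit marker and both signatures are placeholders built for the example; the loose signature keys on a single common word from the marker, which is exactly the kind of carelessness the paragraph describes.

```python
"""Cost of a false positive: passive IDS versus in-line IPS.

Constructed example, not the textbook's code. The same loosely written signature is
run over a batch of requests in passive mode (alerts only) and in-line mode (alerts
become drops). Legitimate traffic and the "exploit" are both constructed placeholders.
"""
import re

# Constructed requests: (request line, is_malicious). The exploit is a placeholder marker.
REQUESTS = [
    (b"GET /docs/design-patterns.html HTTP/1.0", False),
    (b"GET /search?q=regex+pattern HTTP/1.0", False),
    (b"GET /index.html HTTP/1.0", False),
    (b"GET /api/items?page=2 HTTP/1.0", False),
    (b"GET /blog/pattern-matching-in-go HTTP/1.0", False),
    (b"GET /index.html CONSTRUCTED-EXPLOIT-PATTERN HTTP/1.0", True),
]

# A signature written too loosely: it keys on one common word from the exploit string.
LOOSE_SIGNATURE = re.compile(rb"pattern", re.IGNORECASE)
# The same signature tightened to the full, distinctive marker.
TIGHT_SIGNATURE = re.compile(rb"CONSTRUCTED-EXPLOIT-PATTERN")


def evaluate(signature, requests, mode: str) -> dict:
    """Count alerts and their consequences for a signature in 'passive' or 'inline' mode."""
    if mode not in ("passive", "inline"):
        raise ValueError("mode must be 'passive' or 'inline'")
    alerts = false_positives = legit_blocked = attacks_blocked = 0
    for request, malicious in requests:
        if not signature.search(request):
            continue
        alerts += 1
        if not malicious:
            false_positives += 1
        if mode == "inline":                 # an in-line device acts on the alert
            if malicious:
                attacks_blocked += 1
            else:
                legit_blocked += 1           # a customer just lost a legitimate request
    return {
        "alerts": alerts,
        "false_positives": false_positives,
        "legit_blocked": legit_blocked,
        "attacks_blocked": attacks_blocked,
    }


if __name__ == "__main__":
    for name, sig in (("loose", LOOSE_SIGNATURE), ("tight", TIGHT_SIGNATURE)):
        for mode in ("passive", "inline"):
            print(f"{name:5} {mode:7} {evaluate(sig, REQUESTS, mode)}")
```

The loose signature raises the same three false alerts in both modes, but only in-line does each of them cost a legitimate request; the tightened signature catches the one marked request with no collateral. The practical consequence is that a signature good enough to leave enabled on a passive sensor may still need to run in alert-only mode on an in-line device until its false-positive rate on real traffic is known.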
218 LOVELY PROFESSIONAL UNIVERSITY