Management of IPS is a huge issue in product selection, and matching your requirements for management, monitoring and forensics capabilities with the product you choose is as important as any other selection criteria.
IPS products vary in their management philosophy from "virtually no continuing management" to "very high management requirement" styles. These management styles reflect not only the philosophy of the product design team, but the configuration needs that any design implies. A mismatch between IPS management requirements and the product you select can lead to catastrophic failure of your IPS deployment. The worst thing you can possibly do is select a "high management" product and put it into a "no management" environment.
Many IPS management systems are unlike any other application or management system in the network. This difference, and the accompanying complexity, is an important factor, especially if you don't have the luxury of a dedicated IPS/IDS team. As you determine management requirements, keep in mind who will be responsible for day-to-day management of the IPS, what their level of expertise is, what more they can be expected to learn, and how many hours a day you've budgeted for IPS management.
Some of the other factors that will affect your management requirements include forensics needs, event alerting and lifecycle needs, and performance needs.
Forensic capabilities come about because many IPS products also have IDS capabilities. Although simply turning an IDS into an IPS doesn't give you a good IPS, an IPS with a lot of IDS features in place can bring a lot of value to a security analyst. Whether to require this type of feature set--intensive logging, inclusion of IDS signatures, and packet capture are the three key indicators--is an early decision in your IPS deployment plan. As a security analyst, I believe that IPS products with this type of capability are a great addition to any network, contributing to network understanding because they give you the ability to look at security problems after the fact. In some cases, an IPS with IDS features can even replace a standalone IDS.
However, it's important not to look for IDS and forensics capabilities if you don't intend to use them. The cost of maintaining a high-speed management database for IDS is high, as is the amount of hardware and maintenance required to keep such a database running. Paying for a high-end management server that can store a year's worth of alerts and their forensic information is only OK if you actually want to use it. Some IPS products are flexible enough to support either mode of operation: with packet captures and forensics, or without. If you're uncertain what your IDS and forensics requirements are at this stage, you should consider specifying a device that can operate just as easily with packet captures on or off.
Network visibility is a valuable side benefit of many IPS products. Because they see so much traffic, they can give both network and security managers insight into what is happening on the network. IPS management systems that present this information graphically offer great benefits and can highlight problems at a glance--which makes basic activity analysis easier.
Event alerting and the associated event management capabilities are a second set of management features that can differentiate IPS products. For some IPS devices, the only goal of alerting is to provide a brief track-back to help eliminate false positives. These products may store only a few days of alerts and have limited capability to search and manage them. Other IPS devices are part of a more sophisticated event lifecycle designed to help the security analyst not only detect the IPS alert, but also follow through to be sure that problems are identified and resolved.
The IDS lifecycle processes of alerting, investigation, and resolution can be translated into the IPS product space as well--if this is in fact how you want to handle IPS alerts. For organizations that are looking for behavior-based and rate-based IPS built into a firewall, following through on every incident and event is probably not part of an overall security strategy. However, for organizations that maintain dedicated security staff that want to know why an IPS alert occurs--and take action based on these alerts--more sophisticated management supporting the IDS lifecycle is needed.
Management system performance is another aspect to specify carefully, particularly because the need to store events and forensics data can build up massive databases. If you plan to keep a significant amount of old data for investigative, trend-matching, or regulatory reasons, you should make an effort to estimate the amount of data so that IPS vendors can properly size the management console.
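As an added worked example (not from the article), here is a rough sizing estimate for the management console that compares an alerts-only deployment with one that also keeps packet captures, the choice discussed above. The event rate, record sizes, index overhead and retention window are constructed assumptions; replace them with figures measured on your own sensors.

```python
# Rough storage estimate for an IPS management console (added example, not from
# the article). Two modes are compared: "forensics off" stores alert records only,
# "forensics on" stores alert records plus captured packet data per alert.
from dataclasses import dataclass, replace

GIB = 1024 ** 3


@dataclass
class SizingInput:
    events_per_day: int           # alerts generated across all IPS devices
    alert_bytes: int              # average stored size of one alert record (assumed)
    pcap_bytes_per_event: int     # average packet data kept per alert (assumed)
    retention_days: int           # how long events must stay searchable
    index_overhead: float = 0.3   # fraction added by database indexes (assumed)


def estimate_gib(inp: SizingInput, forensics: bool) -> float:
    """Estimated on-disk size in GiB for the whole retention window."""
    per_event = inp.alert_bytes + (inp.pcap_bytes_per_event if forensics else 0)
    raw = inp.events_per_day * per_event * inp.retention_days
    return raw * (1 + inp.index_overhead) / GIB


def retention_that_fits(inp: SizingInput, forensics: bool, budget_gib: float) -> int:
    """Largest whole number of retention days that fits in budget_gib."""
    per_day_gib = estimate_gib(replace(inp, retention_days=1), forensics)
    return int(budget_gib // per_day_gib)


# Constructed profile: 200k alerts/day, 512-byte records, 4 KiB of pcap per alert,
# one year of retention (a regulatory-style requirement).
EXAMPLE_PROFILE = SizingInput(events_per_day=200_000, alert_bytes=512,
                              pcap_bytes_per_event=4096, retention_days=365)

if __name__ == "__main__":
    for forensics in (False, True):
        mode = "on" if forensics else "off"
        print(f"forensics={mode}: {estimate_gib(EXAMPLE_PROFILE, forensics):.1f} GiB "
              f"for {EXAMPLE_PROFILE.retention_days} days; "
              f"{retention_that_fits(EXAMPLE_PROFILE, forensics, 500)} days fit in 500 GiB")
```

With these assumptions, turning packet capture on multiplies the database roughly ninefold, which is the kind of figure a vendor needs before quoting a management server.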
While forensics and alerting levy the greatest demands on IPS management systems, there are other enterprise-class management characteristics that need to be considered when defining your requirements. For example, signature-based IPS device vendors will release signature updates every few days as the threat landscape of the Internet evolves. A management system needs to support this updating in a way that meshes with your own configuration control requirements. For example, if you require that any updates to any security device be handled through a formal change control process, the management system has to support this process.
Finally, the traditional characteristics of any enterprise-class management system should be part of your evaluation criteria or requirements specification. In security devices, this often includes delegated management or role-based management (or both), reporting systems, and scalability to multiple IPS devices.
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
This was first published in March 2009