Blog | G5 Cyber Security

Initial IPS Policy: A Practical Guide

TL;DR

This guide shows you how to create a basic Intrusion Prevention System (IPS) policy to protect your network. We’ll focus on getting something working quickly, then refining it over time. It’s about starting with sensible defaults and learning from what happens.

Creating Your First IPS Policy

  1. Choose Your IPS: Select an IPS solution that fits your needs and budget. The usual open-source options are Snort and Suricata; commercial offerings include Cisco Firepower (whose detection engine is Snort) and the Palo Alto Networks Next-Generation Firewall. Zeek (formerly Bro) is often listed alongside them, but it is a passive network monitor that produces logs and does not block traffic, so it complements an IPS rather than replacing one. This guide assumes you have a working IPS installation; the command examples use Suricata.
  2. Understand Rule Types: IPS policies use rules to detect malicious activity. Common rule types include:
    • Signature-based: Matches known attack patterns, such as a specific byte sequence or string in a payload. The bulk of any public ruleset is of this kind.
    • Anomaly-based: Flags behaviour that deviates from a learned baseline (for example a host that suddenly talks to hundreds of peers). This needs a baselining period and produces the most false positives.
    • Protocol-based: Flags violations of a protocol specification (malformed packets, impossible flag combinations, HTTP that does not parse). These rules usually ship with the engine itself.
  3. Enable Basic Rule Sets: Most IPS solutions come with pre-defined rule sets. Start with the following:
    • ET Open: The free Emerging Threats ruleset, updated daily and covering common malware, exploit and scanning traffic. "Emerging Threats" and "ET Open" are the same source, not two; ET Pro is the paid superset.
    • Engine Event Rules: The protocol-violation rules shipped with the engine. In Suricata these are files such as decoder-events.rules, stream-events.rules and app-layer-events.rules.

    The exact method varies depending on your IPS. In Suricata the updater is suricata-update, which fetches ET Open by default and merges everything it downloads into a single rules file. To refresh the source index, enable ET Open explicitly and download it:

    sudo suricata-update update-sources
    sudo suricata-update enable-source et/open
    sudo suricata-update

    For Snort the equivalent updater is PulledPork.
  4. Configure Alerting: Set up alerts to notify you when the IPS detects suspicious activity. Suricata writes alerts as one JSON record per line to eve.json, which is the format most integrations consume. Consider these options:
    • Email Alerts: Send notifications to a security email address. Reserve this for high-severity signatures, or the mailbox becomes the thing nobody reads.
    • Syslog: Forward alerts to a central syslog server so they survive a compromised or rebuilt sensor.
    • SIEM Integration: Forward alerts to a Security Information and Event Management (SIEM) system such as Splunk or the Elastic (ELK) Stack for correlation with other logs.
  5. Set Initial Action: Decide what the IPS should do when a rule matches.
    • Alert Only: Log the event but don't block traffic. Start here. An alert-only sensor (IDS mode) can also run off a mirror or TAP port, so a sensor failure cannot take the network down.
    • Drop Packets: Block the matching traffic immediately. This requires an inline deployment (in Suricata, AF_PACKET or NFQUEUE IPS mode) and a rule action of drop instead of alert. Be cautious: a bad signature in drop mode disrupts legitimate services, so promote rules to drop one at a time, after each has run clean in alert mode.
    • Reset Connection: Terminate the connection (Suricata's reject action sends a TCP RST, or an ICMP unreachable for UDP). Useful when a fully inline deployment is not possible, but the attacker's first packets have already been delivered by the time the reset arrives.
  6. Tune Your Policy (Important!): After enabling alerts, monitor your logs closely for at least a week of normal business before blocking anything.
    • Investigate False Positives: Identify legitimate traffic that is incorrectly flagged. The usual culprits are your own vulnerability scanners, monitoring systems and backup jobs.
    • Suppress Rules: Disable or, better, narrow rules that generate excessive false positives. In Snort 2.x the file is threshold.conf (suppress and event_filter entries); in Suricata it is threshold.config. Prefer a suppress entry scoped to the offending source or destination (track by_src, ip ...) over disabling the signature for everyone.
    • Adjust Thresholds: Use threshold entries (type limit, count, seconds) to rate-limit chatty signatures rather than silence them, so the first hit is still logged.
  7. Regular Updates: Keep your rule sets up to date; ET Open changes daily.
    • Automate Updates: Run the updater from a cron job or systemd timer and reload the rules afterwards. Suricata can reload its ruleset live (on SIGUSR2 or via suricatasc) without restarting the sensor.
    • Review Update History: Check which rules were added or changed, and watch alert volume after each update. A new signature can turn a quiet sensor into a noisy one overnight, and in drop mode it can block something you depend on.
  8. Test Your Policy: Regularly confirm that the sensor sees traffic and that rules actually fire.
    • Functional Check: Generate a known, harmless trigger and confirm the alert reaches your log and SIEM. The classic one is fetching a web page whose body contains uid=0(root), which matches the GPL "id check returned root" signature.
    • Penetration Testing: Simulate attacks to find gaps in coverage, including encrypted or fragmented variants that a signature may miss.
    • Vulnerability Scanning: Scan your network for known weaknesses. The scanner's own traffic also exercises the scan and probe signatures, so expect those alerts from the scanner host and scope them accordingly.
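The following is an added example, written for this guide rather than taken from Suricata, Snort or the G5 site, that carries steps 4 to 6 into code. It reads constructed Suricata EVE JSON alert lines (the hosts, counts and records are invented for illustration, though the EVE field names follow Suricata's real output), finds the signature/source pairs that are drowning the log, emits suppress entries for threshold.config scoped to a vetted source instead of disabling the signature outright, and promotes only the SIDs you name from alert to drop. The known-good host list, the min_hits cutoff and the simplified rule text are assumptions of the example.

```python
"""Tune a first IPS policy from EVE JSON alerts (added example, constructed input)."""
import json
import re
from collections import Counter


def _eve_alert(src_ip, sid, signature, dest_ip="10.0.0.9"):
    """Build one constructed EVE 'alert' record; the shape follows Suricata's EVE output."""
    return json.dumps({
        "timestamp": "2024-05-01T10:00:01.000000+0000",
        "event_type": "alert",
        "src_ip": src_ip,
        "dest_ip": dest_ip,
        "proto": "TCP",
        "alert": {"gid": 1, "signature_id": sid, "rev": 1, "signature": signature,
                  "action": "allowed", "severity": 2},
    })


# Constructed sample log (assumed scenario): an internal vulnerability scanner
# (10.0.0.5) hammering one signature, a single hit on that signature from an
# external host, one unrelated alert, plus a non-alert event and a corrupt line.
ID_CHECK = "GPL ATTACK_RESPONSE id check returned root"
SAMPLE_EVE_LINES = (
    [_eve_alert("10.0.0.5", 2100498, ID_CHECK)] * 6
    + [_eve_alert("203.0.113.7", 2100498, ID_CHECK)]
    + [_eve_alert("198.51.100.4", 2010935, "ET SCAN Suspicious inbound to MSSQL port 1433")]
    + ['{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}', "not json {"]
)

# Constructed, simplified rules in Snort/Suricata syntax (real rules carry more options).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; classtype:bad-unknown; sid:2010935; rev:3;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_alerts(lines):
    """Return EVE records with event_type 'alert'; skip other event types and malformed lines."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole tuning run
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def count_alerts(alerts):
    """Count alerts per (gid, sid, src_ip) so a noisy source/signature pair stands out."""
    return Counter(
        (a["alert"]["gid"], a["alert"]["signature_id"], a["src_ip"]) for a in alerts
    )


def suggest_suppressions(alerts, known_good_hosts, min_hits=5):
    """Propose threshold.config 'suppress' lines.

    Only a signature that fired at least min_hits times from a host you have
    vetted as benign gets an entry, and the entry is scoped to that source with
    'track by_src, ip ...'. The same signature from an unknown host keeps
    alerting, which is the point of scoping instead of disabling the SID.
    """
    lines = []
    for (gid, sid, src), hits in sorted(count_alerts(alerts).items()):
        if src in known_good_hosts and hits >= min_hits:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines


def promote_to_drop(rules_text, vetted_sids):
    """Rewrite 'alert' to 'drop' only for SIDs you have tuned and are willing to block on.

    Every other rule keeps its action, so the policy stays alert-only except
    for the signatures you explicitly promote after they have run clean.
    """
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if line.startswith("alert ") and m and int(m.group(1)) in vetted_sids:
            line = "drop " + line[len("alert "):]
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE_LINES)
    for key, hits in count_alerts(found).most_common():
        print(hits, key)
    print("\n# proposed threshold.config entries")
    print("\n".join(suggest_suppressions(found, known_good_hosts={"10.0.0.5"})))
    print("\n# rules after promoting sid 2010935 to drop")
    print(promote_to_drop(SAMPLE_RULES, vetted_sids={2010935}))
```

To run it against a real sensor, replace SAMPLE_EVE_LINES with the lines of eve.json, append the printed suppress entries to threshold.config and reload the rules. The alert-to-drop rewrite is the manual equivalent of suricata-update's drop.conf (a list of SIDs to convert); whichever you use, promote a SID only after it has produced no false positives in alert mode, and remember that drop only blocks when the sensor is deployed inline.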

Further Considerations

This is a basic starting point. As you gain experience, consider these advanced topics:
