Provides security managers with the tools needed to routinely test and update their IPS devices in a live network and protect their systems against the latest exploits and malware.

About

Traffic IQ Professional v2.2 (TIQ)

Traffic IQ Professional is a highly versatile network security testing and auditing tool used to assess the effectiveness of next-generation firewalls, IDS/IPS, routers and switches. MS Windows based, TIQ makes complex compliance auditing and penetration testing a simple point-and-click process without the need for specialist development or scripting knowledge. Incorporating an extensive library of exploit traffic files and security rules, TIQ uses a unique closed-loop process to enable safe testing of live network environments.

Designed and developed in the UK by network security and penetration testing professionals, Traffic IQ uses a unique, bi-directional closed-loop process that delivers exploit traffic files statefully through a complex network environment, with guaranteed packet delivery. This means that TIQ can be safely used for penetration testing in a live network during normal operational hours without the need to set up sacrificial servers or risk disrupting normal network activity.

An MS Windows based tool, TIQ can be deployed on most basic PCs or laptops running up to Windows 10. It works by binding a sending host and a receiving host to the device's separate network interface cards. Each virtual host can be set up with any IP or MAC address within the network range but operates transparently and does not respond to normal network traffic. Each host can then send or receive exploit traffic through the whole network environment, from the network edge via any NGFW or IPS devices to the access switches, in either the ingress or egress direction, to test and report on whether malicious packets have been blocked or allowed through. Users have a point-and-click management interface that enables automated and scheduled testing as part of routine security best practice or to carry out comprehensive compliance audits.

TIQ can be used by non-specialist IT teams and also provides a flexible range of advanced configuration settings to enable fine tuning and granular analysis using a wide range of target device and traffic file criteria. TIQ incorporates an extensive library of over 12,000 exploit traffic files and security rules that are updated on a monthly basis. Users can also integrate their own pcaps into the library and can group, replay and pause traffic flows based on all or selected files in the library. Updated Snort rules from the library can then be applied to any devices that have allowed exploit traffic through, prior to retesting, using Idappcom's Easy Rules Manager tool (see separate entry).

For advanced users TIQ also includes packet- and byte-level editing as well as a scripting engine to enable the creation of attack traffic capable of testing systems against known evasion and obfuscation techniques that have not yet been widely deployed by hackers. Finally, the system has an advanced reporting engine that enables the creation of technical and management test reports, including details of the outcome of each test showing which packets were allowed and which were blocked.

Traffic IQ Professional has been widely used by the development and pre-production teams of many of the industry-leading firewall and IPS vendors, including Cisco and Check Point (DO NOT QUOTE), for several years to test their product effectiveness against current attack traffic and to provide independent third-party validation of their own rule sets. Over the past 12 months there has been a series of significant new business wins that have resulted in revenue growth of approximately 45%, notably through long-term contracts with Huawei and Airbus (France), part of the EADS Group.

Assessing and auditing network security plays a critical part in ensuring that commercial and personal data is as fully protected as possible at all times. In fact, organisations that store details of individuals, particularly banking information, have a duty to regularly prove that their security defences are up to date and capable of blocking malware traffic as it emerges as a threat. Traffic IQ has been developed in the UK by a small privately funded team of security professionals for security professionals. As such it has been built to address the weaknesses of other proprietary and open source tools, based on years of practical experience at the sharp end of the network penetration testing world. In particular, TIQ incorporates a range of unique features and functionality that enable network security auditing to become a routine, low-cost task for any size of organisation or network complexity.

Easy Rules Manager (ERM)

ERM works together with TIQ to control and streamline the manual rule deployment process via a centralised management dashboard. This powerful application ensures that rules from multiple vendor and third-party sources are correctly and appropriately deployed based on the network requirements. Running in parallel with a SIEM solution on a common operating system, ERM is a management application that can handle multiple rules feeds and store them as one single rules library. This means that any change to a rule in the library will be inherited by all the sensors that have that rule deployed to them. Key features of the software include methods for sorting, filtering and grouping rules into a custom policy defined by the organisation, and not necessarily by the rules vendors, as well as a method to log events performed by users so that investigation teams are better informed if your organisation does suffer a breach.

Organisation and Sorting

A single rule-set from a rules vendor can be in excess of 25,000 rules. Making sense of what is contained within a rules file, or even just viewing a single rule, can be problematic. Some vendors will try to help in the organisation of their rules by supplying them in ready-made group files. Each file will contain rules that are connected in some way, be it protocol or application. But even then, you have no real way to break away from the method of sorting the vendor has forced onto you. ERM allows you to group rules in categories that are appropriate to your network infrastructure.

Tuning

Most IDS/IPS work with text-based rules files and each rule is identified by a Signature ID. That ID is normally passed to a Security Incident and Event Management (SIEM) system to identify which rule fired an alert and allows a security analyst to investigate the alert. The process of recording that Signature ID, moving away from the SIEM and then hunting for that rule within text files is far from efficient. If a rule is written in more than one of the text files, the process of re-writing or disabling a false-positive rule becomes more than difficult. ERM cross-references the text files in each rule-set to save time and avoid duplicated effort in deploying the right rule for each sensor.

Filtering and Grouping

A good rules deployment policy is one where you only deploy those rules that are necessary on your different subnets, to avoid false positives. To do that effectively, you have to be able to filter and group your specifically chosen rules into your desired categories. Working with text files does not give you the flexibility to identify rules based on even the simplest of filters, such as protocol or destination port numbers.

Multiple Copies of Your Rules

Once rules have been grouped and uploaded to your network IDS/IPS, it is very likely that many rules have been duplicated and deployed to more than one subnet. If you make a change to any single rule that is deployed in more than one location, you will have to change the rule multiple times. Keeping track of what version level a particular sensor is at will be haphazard, at best. Leaving old versions of rules on your networks will leave gaping holes in your network security and plenty of opportunity for a cracker to attack. By utilising ERM, rule duplication is avoided and

User Audit

Not having any vision or control over rules sorting, filtering, grouping and deployment causes problems after an attack too. Without a user audit trail to follow, there is limited forensic evidence available to help an investigation. If you don't know whether a rule was available, deployed and enabled on your network for a particular attack, then how are you going to know whether you are vulnerable to the same attack? If a rule was available but was disabled, it would be useful to know why it was disabled and who disabled it. At least you would have a starting point for your investigations.

The availability of Easy Rules Manager means that network security managers now have a viable third choice that addresses the shortcomings of both the automated vendor updates and the purely manual rule deployment process. By streamlining their IPS/IDS update methodology, organisations not only save time and money but significantly reduce the risk of a network security breach resulting from a successful vulnerability exploit.
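The Tuning, Filtering and Grouping, and Multiple Copies passages above all come down to the same underlying problem: rules live in flat text files, are keyed only by Signature ID, and the same SID can sit in several files at different revisions. The following Python script is an added example, not Idappcom's code and not part of the ERM product; it models that problem on three constructed Snort-style rule files (the file names, SIDs and messages are made up) by indexing rules by SID, reporting SIDs duplicated across files, flagging stale lower-revision copies, and filtering and grouping rules by protocol and destination port independently of the vendor's file layout.

```python
"""Added example (not Idappcom's code): a toy model of the rule-library problems
the ERM section describes, built on constructed Snort-style rule files."""
import re
from collections import defaultdict

# Constructed sample "vendor group files"; sids, messages and content are made up.
RULE_FILES = {
    "web-server.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example traversal"; content:"../"; sid:1000001; rev:2;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"WEB example TLS probe"; sid:1000002; rev:1;)\n'
    ),
    "dns.rules": (
        'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example oversized query"; dsize:>512; sid:1000003; rev:1;)\n'
        '# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example disabled rule"; sid:1000004; rev:1;)\n'
    ),
    "legacy-all.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example traversal"; content:"../"; sid:1000001; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 22 (msg:"SSH example scan"; sid:1000005; rev:1;)\n'
    ),
}

# Rule header: [#] action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_rule(line, filename):
    """Return a dict for one rule line, or None for blank/unparseable lines.
    Options are split on ';', which suffices for these samples (real rules may
    carry escaped semicolons inside content strings)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    if "sid" not in opts:
        return None
    return {
        "file": filename,
        "disabled": m.group("disabled") is not None,  # commented-out rule
        "proto": m.group("proto").lower(),
        "dport": m.group("dport"),
        "sid": int(opts["sid"]),
        "rev": int(opts.get("rev", "1")),
        "msg": opts.get("msg", ""),
    }


def load_library(files):
    """Flatten several rule files into one list of parsed rules (one library)."""
    rules = []
    for filename, text in files.items():
        for line in text.splitlines():
            rule = parse_rule(line, filename)
            if rule:
                rules.append(rule)
    return rules


def duplicate_sids(rules):
    """sid -> sorted [(file, rev)] for every sid present in more than one file."""
    by_sid = defaultdict(list)
    for r in rules:
        by_sid[r["sid"]].append((r["file"], r["rev"]))
    return {sid: sorted(locs) for sid, locs in by_sid.items() if len(locs) > 1}


def stale_copies(rules):
    """Copies whose rev is below the highest rev seen for that sid: the 'old
    versions left on the network' the text warns about."""
    newest = {}
    for r in rules:
        newest[r["sid"]] = max(newest.get(r["sid"], 0), r["rev"])
    return sorted((r["file"], r["sid"], r["rev"]) for r in rules if r["rev"] < newest[r["sid"]])


def filter_rules(rules, proto=None, dport=None, enabled_only=False):
    """Select rules by protocol and/or destination port, the simplest filters
    that flat text files make awkward."""
    return [r for r in rules
            if (proto is None or r["proto"] == proto)
            and (dport is None or r["dport"] == dport)
            and not (enabled_only and r["disabled"])]


def group_rules(rules, category_of):
    """Group sids into organisation-defined categories, independent of the
    vendor's file layout; category_of maps a rule dict to a category name."""
    groups = defaultdict(list)
    for r in rules:
        groups[category_of(r)].append(r["sid"])
    return {name: sorted(set(sids)) for name, sids in groups.items()}


if __name__ == "__main__":
    lib = load_library(RULE_FILES)
    print("duplicated sids:", duplicate_sids(lib))
    print("stale copies:", stale_copies(lib))
    print("tcp/80 rules:", [r["sid"] for r in filter_rules(lib, proto="tcp", dport="80")])
    print("by protocol:", group_rules(lib, lambda r: r["proto"]))
```

On the constructed files, sid 1000001 shows up in both `web-server.rules` (rev 2) and `legacy-all.rules` (rev 1), so the legacy copy is the stale one a sensor would keep firing on (or missing) if only the other file were updated; the disabled DNS rule is kept in the index so an audit can still see that it existed but was switched off. Category functions other than protocol (destination port range, subnet role, message prefix) plug into `group_rules` unchanged.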
