Intrusion prevention and management of events for control systems
IDS/IPS are tools designed to monitor network traffic and generate alarms if said traffic is unexpected. Unlike firewalls, they allow for a better traffic monitoring since they are mainly based on the contents of the message and not only on the headers. Therefore, they are often used together with firewalls, so the firewall acts a first filter by origin, destination and ports and then the IDS/IPS applies an additional filter based on content. A certain communication can be approved by the firewall and subsequently rejected by the IDS/IPS if such communication does not meet the company criteria.
The installation of tools for the management of network traffic, as any other security tool, requires the proper monitoring of the alerts/warnings generated in order to be effective and rule out false positives and negatives. A local monitoring and an individual monitoring for each machine may be a complex task depending on the number of solutions deployment. In order to make these installations easier, we need to use a centralised alerts management system able to collect events from several sources and present them homogeneously and easily for an operator or network administrator.
From INCIBE-CERT we have worked to create an IDS/IPS SNORT installation guide in Inline mode (allowing to block traffic if necessary, depending on the rules set out) together with the SNORBY event manager for data presentation. Data collection and submission between both tools is carried out through BARNYARD2. These tools are available to anyone who wishes to improve the security of their networks.
It is important to take into account that these solutions depend to a large extent on the hardware they are going to be installed in and the capacity of it. Free solutions, installed in commercial or free operating systems are not a replacement for those tools specifically designed for the same purpose. Specific tools take into account additional factors, such as the throughput, the number of warnings that can be managed, etc. These factors must be taken into consideration when selecting a security tool for a production environment. The tools selected require the setting of the relevant parameters in order to operate securely which, in a number of cases, cannot be addressed and may require the contracting of a specialised support system.
The installation of the selected tools is carried out following a proper architecture allowing for the access to the information stored in the event management from a management network; however, it does not grant access to the IDS, which can only be accessed locally for configuration purposes. Therefore, our network architecture has three different segments:
- Supervision network: Network from which field devices are controlled. This network includes HMI equipment or the engineering station.
- Field network (Untrusted): It includes the network of all devices controlling the process.
- Management network: It contains those devices used to view those warning generated by means of the security tools.
The IDS/IPS manages traffic between the field and supervision networks and submits warnings to the management network.
The following document shows the deployment architecture and the steps necessary to implement it.
- IDS/IPS and Centralized Alert Management System Deployment Diagram -
- IDS/IPS and Centralized Alert Management System Deployment -