
Two Reasons why IPS is a "Must Have" for your Network

Created: 13 Nov 2013 • Updated: 25 Nov 2013 | 12 comments
Posted by Mick2009

Introduction

This is the third article in an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS it runs on).

This article illustrates how Symantec Endpoint Protection's optional Intrusion Prevention System (IPS) component helps security admins keep their organization secure, and how its logs can be used to track down infected computers on the network.

IP What?

Unlike AntiVirus, which looks for known malicious files, IPS inspects the network traffic stream on the endpoint for known exploits and attack patterns. It does not detect specific files; it detects the methods used to get malicious files onto your network (an exploit against a vulnerable service, a known command-and-control exchange, and so on). Because it matches the delivery method rather than the payload, IPS can block a brand-new threat that arrives through a known exploit before any antivirus signature exists for the file itself. The flip side is that IPS only sees what crosses the network, so it complements AV rather than replacing it. It’s very cool.

SEP’s IPS component greatly increases the number of threats that can be blocked, so the use of IPS is strongly recommended on almost all endpoints.  More details are contained in:

Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347

Not Just for Windows Any More!

IPS has been an optional component of SEP for Windows since SEP 11. In SEP 11.x, enabling IPS requires the client firewall portion (Network Threat Protection) to be installed and running. In SEP 12.1, the client firewall is a separate feature and does not need to be installed or enabled for IPS to function.

SEP 12.1 RU4 brought many new features to the SEP client that runs on Macintosh (“SEP for Mac”).  An overview of these enhancements can be found in:

Overview for Symantec Endpoint Protection 12.1.4 for Mac
http://www.symantec.com/docs/HOWTO92146

One of the best of these enhancements is that IPS can now defend the Macs as well as the Windows boxes on the network. So, definitely upgrade the protection on your Macs!

How IPS Defends Clients

For an excellent illustration of how IPS can protect against a very dangerous threat, see Recovering Ransomlocked Files Using Built-In Windows Tools. Even if the initial Trojan.Cryptolocker .exe is not detected by SEP’s AntiVirus components, IPS attack signatures can still block the network traffic this threat relies on to obtain the encryption key from its command-and-control server, without which it cannot start sabotaging a computer’s files. If you see a pop-up “System Infected: Trojan.Cryptolocker”, IPS has just blocked the Trojan’s network activity (and saved you a load of grief), but the executable itself is still on that machine. Get the computer isolated and perform a load point diagnostic to identify any unidentified malware files!

Generating SEPM Reports of Network Attacks

As detailed in my first article, your Symantec Endpoint Protection Manager (SEPM) contains advanced reporting and alerting capabilities. It can often tell you exactly what is going on with the security of your network, if you know where to look.

One report that it can generate on demand is Network Threat Protection: Attacks. (Remember: in SEP 12.1 it is not necessary to have the Network Threat Protection (NTP) firewall component installed in order to take advantage of IPS; IPS can be installed without NTP. The report of all IPS attacks is still listed under Network Threat Protection, a legacy of SEP 11 days.)

In the SEPM console, click Monitors, open the Logs tab, and pick "Network Threat Protection" as the Log type. Choose “Attacks” as the Log content to see all the IPS events that have occurred on managed SEP clients and been forwarded to the SEPM.

[Screenshot: Logs.jpg, the SEPM Monitors > Logs view with Log type "Network Threat Protection"]

All the attack events are displayed on screen and can be exported for more advanced parsing and analysis in your favorite spreadsheet program or script. Pay particular attention to the Remote Host column and the direction of the blocked traffic: together they tell you which end of a blocked connection was the attacker.

Identifying Unprotected Computers

One example of how these logs can be useful: in a recent real-world case, an administrator had been fighting a never-ending battle to eradicate W32.Downadup (Conficker) from the corporate network. There were constant detections of this threat being stopped, but somewhere out there were infected computers that kept trying to re-infect others. Examining the Risk Reports showed no instances where the threat was being detected by AV but “left alone,” so where were they?

Examining the exported Network Attack logs, it was clear that IPS was also blocking infection attempts: traffic that tried to exploit the vulnerability W32.Downadup uses to spread (MS08-067). More importantly, the logs showed which IP addresses were involved in each event: “[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM”

[Screenshot: traffic.jpg, exported attack log entries for SID 23179 with their Remote Hosts]

Examining the Remote Hosts responsible for all that traffic solved the case. A handful of infected computers had no AV product on them at all, so nothing on those machines had ever reported the infection; the IPS logs of their intended victims were the only record of it. Installing SEP ended the persistent W32.Downadup troubles for good.

Identifying Infected Machines

In another recent real-world example, hundreds of Auto-Protect virus events (Event ID 51) were seen on a shared directory of a file server. Several days were spent examining the load points of the server itself, with nothing malicious found. The reason: the infection was not on the server but on one of the 400 clients that connect daily to that mapped drive. Some client on the network was writing the malicious files to the share, but which one? Examining load point diagnostics from all those hundreds of clients was not practical.

Luckily, that file server had IPS installed. Its IPS logs contained a large number of “Incoming Auto-Block Event” entries (IPS Active Response blocking a remote host for a period after it triggered an attack signature), all coming from one particular IP address. The correlation might have been a coincidence, but in this case it was a very big clue as to which mapped client was infected. That computer was isolated, cleaned, patched and returned to the network. Problem solved.
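Both cases above come down to the same operation on an exported attack log: group the events by the machine that originated them and see who stands out. As an added example (not code from the original article or from Symantec), here is a small Python script that does that grouping for both cases: per-source counts of events matching a given SID (the W32.Downadup case) and per-source counts of Auto-Block events seen by a given host (the file-server case). The export embedded in it is constructed, and its tab-separated column names (Event Time, Event Type, Severity, Host Name, Local IP, Remote IP, Direction, Description) are an assumption; adjust the KEY_* constants to the header of your own SEPM export. One detail the article does not spell out: for an Outgoing event the attacker is the local host, not the remote one, so the script picks the source address by direction.

```python
"""Pick attack sources out of an exported SEPM attack log.

Added example, not code from the original article. The export format is
constructed and its column names are assumed; set the KEY_* constants to
match the header of your own export (Monitors > Logs > Network Threat
Protection > Attacks).
"""
import csv
import io
import re
from collections import Counter

# Column names: an assumption about the export layout, adjust as needed.
KEY_HOST, KEY_LOCAL, KEY_REMOTE = "Host Name", "Local IP", "Remote IP"
KEY_DIR, KEY_DESC = "Direction", "Description"
HEADER = ("Event Time", "Event Type", "Severity", KEY_HOST, KEY_LOCAL,
          KEY_REMOTE, KEY_DIR, KEY_DESC)

# Description texts. The SID 23179 text is the one quoted in the article;
# "[SID: 0]" is a placeholder for some other signature, not a real SID.
DESC_23179 = ("[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 "
              "attack blocked. Traffic has been blocked for this application: SYSTEM")
DESC_AUTOBLOCK = "Incoming Auto-Block Event"
DESC_OTHER = "[SID: 0] Constructed placeholder signature, not a real SID"

# Constructed sample rows: hosts, addresses and timestamps are made up.
SAMPLE_ROWS = [
    ("2013-11-12 09:01:14", "Intrusion Prevention", "Critical", "WS-0042", "10.1.4.42", "10.1.9.77", "Incoming", DESC_23179),
    ("2013-11-12 09:01:20", "Intrusion Prevention", "Critical", "WS-0043", "10.1.4.43", "10.1.9.77", "Incoming", DESC_23179),
    ("2013-11-12 09:02:05", "Intrusion Prevention", "Critical", "WS-0118", "10.1.4.118", "10.1.9.203", "Incoming", DESC_23179),
    ("2013-11-12 09:02:41", "Intrusion Prevention", "Critical", "WS-0042", "10.1.4.42", "10.1.9.77", "Incoming", DESC_23179),
    # A managed client that is itself infected: its own IPS blocks the outbound attempt.
    ("2013-11-12 09:02:50", "Intrusion Prevention", "Critical", "WS-0200", "10.1.4.200", "10.1.9.12", "Outgoing", DESC_23179),
    ("2013-11-12 09:03:02", "Active Response", "Major", "FS-01", "10.1.2.10", "10.1.4.77", "Incoming", DESC_AUTOBLOCK),
    ("2013-11-12 09:03:10", "Active Response", "Major", "FS-01", "10.1.2.10", "10.1.4.77", "Incoming", DESC_AUTOBLOCK),
    ("2013-11-12 09:03:12", "Active Response", "Major", "FS-01", "10.1.2.10", "10.1.4.21", "Incoming", DESC_AUTOBLOCK),
    ("2013-11-12 09:04:00", "Intrusion Prevention", "Major", "WS-0050", "10.1.4.50", "10.1.9.77", "Incoming", DESC_OTHER),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in [HEADER] + SAMPLE_ROWS) + "\n"

SID_RE = re.compile(r"\[SID:\s*(\d+)\]")


def parse_export(text):
    """Parse a tab-separated SEPM export (header row first) into row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def extract_sid(description):
    """Return the numeric IPS signature ID from a Description field, or None."""
    match = SID_RE.search(description)
    return int(match.group(1)) if match else None


def attack_source(row):
    """IP that originated the attack: the remote host for Incoming, the local host for Outgoing."""
    return row[KEY_LOCAL] if row[KEY_DIR].lower() == "outgoing" else row[KEY_REMOTE]


def sources_for_sid(rows, sid):
    """Count blocked events for one signature, keyed by originating IP."""
    counts = Counter()
    for row in rows:
        if extract_sid(row[KEY_DESC]) == sid:
            counts[attack_source(row)] += 1
    return counts


def auto_block_sources(rows, host_name):
    """Count Auto-Block events recorded by one protected host, keyed by the blocked remote IP."""
    counts = Counter()
    for row in rows:
        if row[KEY_HOST] == host_name and "Auto-Block" in row[KEY_DESC]:
            counts[row[KEY_REMOTE]] += 1
    return counts


def suspects(counts, min_events=2):
    """IPs at or above the threshold, most active first (ties broken by address)."""
    hits = [(ip, n) for ip, n in counts.items() if n >= min_events]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("Hosts sending CVE-2008-4250 exploit traffic (check them for missing AV):")
    for ip, n in sources_for_sid(rows, 23179).most_common():
        print(f"  {ip}\t{n} blocked attempt(s)")
    print("Remote IPs auto-blocked by FS-01 (likely infected clients of the share):")
    for ip, n in auto_block_sources(rows, "FS-01").most_common():
        print(f"  {ip}\t{n} auto-block event(s)")
```

On a real export, raise `min_events` in `suspects` to filter out one-off noise, and remember that a single address dominating the Auto-Block list is a lead to confirm on that machine, not proof by itself.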

Conclusion

IPS can protect your computers, and everything on them, in ways that AV alone cannot. And its logs can provide valuable intelligence about which computers on the network are infected.

Moral of this story: it’s much easier to deploy the SEP IPS client and read its logs than to examine 400 load point diagnostics.  &: )

One final recommendation: it is always a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Many thanks for reading!  Please do leave comments and feedback below. 

Comments (12)

.Brian:

nice! I do believe IPS actually stops more threats than AV sigs, correct?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009:

Thanks Brian!

I don't have any statistics in front of me about which stops more, but trying to defend your data with AV alone is definitely fighting with one arm tied behind your back.  

With thanks and best regards,

Mick

Mithun Sanghavi:

Here is another masterpiece from the master himself!!! :)

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ:

Great and very informative article - highly recommended as part of securing the environment with SEP Best Practices.

On the IPS topic I can also recommend the following KBs:

- about IPS Policies implementation in SEPM:

* About working with Intrusion Prevention Policies

Article:HOWTO27088  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27088

* Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

Article:TECH104434  |  Created: 2008-01-20  |  Updated: 2013-02-20  |  Article URL http://www.symantec.com/docs/TECH104434

- about the IPS Attack signatures:

* Security Updates information:

http://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep

* Database on the existing Attack Signatures that are being monitored by IPS

http://www.symantec.com/security_response/attacksignatures/

Mick2009:

Many thanks, SebastianZ!  Excellent links on this topic.  &: )

With thanks and best regards,

Mick

sumitjoshi:

Thank you Mick for sharing this information...

Mick2009:

Adding a couple of official Symantec KBs that will help admins decide whether or not it is safe and desirable to install IPS on their servers....

Best Practices for Installing Symantec Endpoint Protection (SEP) on Windows Servers
http://www.symantec.com/docs/TECH92440

Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers.
http://www.symantec.com/docs/TECH162135

With thanks and best regards,

Mick

Mick2009:

The fourth in this series has just been posted- it is a long one, but definitely worthwhile.

The Day After: Necessary Steps after a Virus Outbreak

https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

With thanks and best regards,

Mick

Mick2009:

By request, adding the link to where more information can be found about each IPS SU (Security Update). These are new "definitions" for SEP's IPS component. New SUs come out every day or two, so be sure to keep up to date!

Symantec Endpoint Protection
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep

With thanks and best regards,

Mick

Mick2009:

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good
https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

With thanks and best regards,

Mick

JUSTICE:

Mick,

BRAVO ZULU on this. Absolutely outstanding article!

Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

R_Sran:

Great and very informative article.
