IPS offers extra layer of protection

Detecting security breaches is not enough. To make sure that threats are prevented before they reach the network, companies should look at using IPS tools.

By Peter Branton. Published April 24, 2005.

Introduction

An intrusion detection system (IDS) is like a home security system made up of surveillance cameras, sensors and monitoring equipment that keep an eye out for suspicious activity. It is there to detect attempted intrusions within the perimeter of a network environment and to alert a systems administrator when such events occur. The problem with IDS, however, is that it is by nature passive and reactive. IDS devices are effective at detecting potential security breaches but offer no real protection against them. A fast-spreading worm, for instance, propagates so quickly that by the time an alert has been generated and the IT administrator has investigated and identified the origin of the attack, the damage has been done.

“When a passive IDS detects malicious traffic, its only real recourse is to send a request to another device to try and stop the attack. These passive responses generally include either sending a TCP Reset request to the attacker or the victim to try to close the connection, or signalling the firewall to block any future connections from the attacker’s IP address,” says Anton Grashion, Product Marketing Manager for Europe, Middle East and Africa, Juniper Networks. “The latency involved in both of these responses, from the time it is detected to the time the action is attempted, allows the attack to reach the victim,” he adds.

This limitation has led vendors to move their IDS products beyond mere detection to automatically defending the network once a threat is spotted, which gave birth to the intrusion prevention system (IPS). “IDS systems are passive monitoring devices that were never designed for prevention,” says Gabor Szabo, security specialist at 3Com Europe, Middle East and Africa. “When digital bad guys get by active devices like firewalls and antivirus gateways, IDS systems provide a last line of defence,” Szabo adds.

“An IDS merely monitors incoming network traffic, and provides alarms or reports on suspicious traffic that need to be investigated and acted upon 24/7 by IT personnel. In other words, the malicious activity detected by the system can continue to wreak havoc on the network unless immediate action to mitigate it is taken by the personnel monitoring the system,” continues Grashion.

Szabo describes the intrusion prevention system (IPS) as an additional security fence around the network environment. “If IDSs are the motion detectors of the network, IPSs are like another layer of barriers within the house. Both types of systems may watch the network for unusual behaviour, but this is where the similarity ends,” Szabo says.

“The scope of IDS is limited to detection of attacks and intrusions. That is, an IDS’ function is only to find out dangerous traffic and alert administrators,” adds Hatem Ali, territory manager, Internet Security Systems Middle East. “IPS adds an extra layer of functionality. Besides doing what IDS does, IPS takes the appropriate corrective actions, like reset, drop, or block offending traffic packets. IPS can take such actions because it is deployed live inline on the network, whereas IDS is deployed passively on the network in ‘sniffing mode’, where the analysis is done on a copy of the network traffic.”

How it works

There are different approaches to intrusion prevention, although the goals are the same: protect system resources, stop privilege escalation exploits, prevent buffer overflow exploits, block access to e-mail contact lists (which mass-mailing worms harvest in order to spread) and prevent directory traversal. In general, an IPS has to sit between the systems it protects and the rest of the network, so that every packet passing between them goes through it.

“In a typical large enterprise, IPS would be deployed behind the corporate firewalls, in front of server farms, DMZs (demilitarised zones), and connections to third parties and remote offices. On a single segmented small office network, one IPS on the gateway is sufficient,” Ali says. Once installed, the IPS analyses network traffic in depth, looking for signs of intrusions or attacks, and takes preventive action to stop malicious traffic when it finds it, says Ali.

“IPS works in inline mode. That is, network traffic shall be analysed — on the fly — by IPS before it passes through to other parts of the network. Analysis techniques like protocol anomaly detection, protocol validation, stateful pattern matching, and other techniques are applied to network traffic to find out malicious patterns. Then whenever the IPS analysis engine finds an attack, it executes the prevention action it is instructed to take in the preventive security policy of the IPS,” explains Ali. “For example, if a worm like Blaster attempts to propagate on an IPS-guarded network, it will be blocked. It is important here to make a distinction between firewall and IPS,” Ali continues. “Traditional firewalls allow or deny network traffic based on the source and or the destination of the traffic, besides the service communication ports used in the connection. IPS uses deeper analysis techniques to detect attacks rather than just looking at IP addresses and ports. Therefore, an HTTP attack, for instance, will pass the firewall (since the HTTP port is typically opened on the firewall), but it won’t pass the IPS.”

Aside from blocking or dropping suspicious packets, some IPSs can rewrite an offending packet into something that will not work, a capability called packet scrubbing. Packet scrubbing is useful if you do not want the attacker to know that his attacks are failing, or if you want him to keep attacking one of your systems so that you can gather more evidence. Because the rewritten packet is forwarded rather than dropped, the IPS must keep it consistent with the rest of the TCP stream (same length, or adjusted sequence numbers), or the connection breaks and the deception fails.

The current crop of IPS products largely falls into two categories: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).
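The firewall-versus-IPS distinction Ali draws above, worked through as an added example (this is not code from the article or from any vendor quoted in it): the same constructed packets go through a port-based firewall decision and then through a toy inline IPS that does protocol validation, signature matching and the packet-scrubbing rewrite. The open-port list, the signatures, the sample addresses and the payloads are assumptions made for the illustration.

```python
"""
Added example, not from the article or any vendor's product: a toy inline
inspection engine.  A port-based firewall decides first; whatever it lets
through is then inspected by an IPS that validates the protocol, matches
payload signatures and can scrub (rewrite) an offending packet.
Ports, patterns and sample payloads below are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# --- Firewall: decides on addresses and ports only, never on payload ------
OPEN_PORTS = {80, 443, 25}          # assumed perimeter policy


def firewall_decision(pkt: Packet) -> str:
    return "allow" if pkt.dport in OPEN_PORTS else "deny"


# --- IPS: protocol validation, then payload signatures --------------------
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def protocol_anomaly(pkt: Packet) -> Optional[str]:
    """Protocol validation: whatever arrives on port 80 must begin with a real HTTP method."""
    if pkt.dport == 80:
        method = pkt.payload.split(b" ", 1)[0]
        if method not in HTTP_METHODS:
            return "http-bad-method"
    return None


# (name, pattern over the payload, action).  Deliberately simple patterns.
SIGNATURES = [
    ("http-dir-traversal", re.compile(rb"(\.\./|%2e%2e%2f)", re.I), "scrub"),
    ("http-cmd-injection", re.compile(rb"[;|`]\s*(cat|sh|cmd)\b", re.I), "drop"),
    ("nop-sled", re.compile(rb"\x90{32,}"), "reset"),
]


def scrub(payload: bytes, pattern) -> bytes:
    """Packet scrubbing: overwrite the matched bytes with filler of the same
    length.  The length must not change, or the TCP sequence numbers seen by
    the two endpoints would no longer agree and the session would break."""
    return pattern.sub(lambda m: b"X" * len(m.group(0)), payload)


def ips_decision(pkt: Packet) -> Tuple[str, Optional[str], Optional[bytes]]:
    """Return (action, reason, payload to forward or None)."""
    anomaly = protocol_anomaly(pkt)
    if anomaly:
        return "drop", anomaly, None
    for name, pattern, action in SIGNATURES:
        if pattern.search(pkt.payload):
            if action == "scrub":
                return "scrub", name, scrub(pkt.payload, pattern)
            return action, name, None   # drop: discard silently; reset: RST to both ends
    return "allow", None, pkt.payload


def inspect_packet(pkt: Packet) -> dict:
    """Firewall first; only traffic it lets through reaches the inline IPS."""
    if firewall_decision(pkt) == "deny":
        return {"firewall": "deny", "ips": "not reached", "reason": "closed port", "forward": None}
    action, reason, forward = ips_decision(pkt)
    return {"firewall": "allow", "ips": action, "reason": reason, "forward": forward}


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/x?cmd=;cat+/etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 80, b"POST /upload HTTP/1.1\r\n\r\n" + b"\x90" * 64),
    Packet("10.0.0.5", "192.0.2.10", 80, b"\x90" * 64 + b"\xeb\xfe"),
    Packet("10.0.0.5", "192.0.2.10", 23, b"root\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.dport, inspect_packet(pkt))
```

The traversal and command-injection requests both pass the firewall, because port 80 is open, and are only stopped by payload inspection; the scrubbed request is forwarded with the same byte length so the attacker's session stays up and he sees an ordinary 404 rather than a dropped connection. A real engine reassembles fragments and TCP streams before matching, and since every drop or reset rule is a potential false positive of the kind the next section describes, new signatures are normally run in alert-only mode before they are allowed to block.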
HIPS or NIPS?

A HIPS protects servers and workstations through a software agent installed between applications and the operating system kernel. It intercepts low-level system activity such as disk read and write requests, network connection requests, attempts to change the registry or write to memory, and suspicious actions such as rewriting executable files that belong to the operating system. Based on pre-configured rules, the HIPS allows or denies each intercepted action. A HIPS is a useful stopgap for known server vulnerabilities when you want to test a newly released patch before rolling it out across the network: it shields the vulnerable service in the meantime, but it does not remove the vulnerability and is not a substitute for the patch. Because it works from patterns of behaviour rather than signatures of specific attacks, it can block new forms of attack and does not need the regular updates a NIPS needs to recognise the latest worms and exploits. The drawback is that a HIPS has to be installed on every system you want secured, which creates deployment work for IT staff. It is also not a reliable detector of attacks against the network as a whole, such as denial-of-service attacks.

A NIPS, on the other hand, sits inline, monitoring network traffic and scanning it for suspicious activity, normally using techniques such as signature scanning or protocol anomaly detection. NIPS is especially useful where a HIPS or a firewall is not effective, for example when the attack comes from within the network. Yet NIPS has its own problems, notably false positives. An IPS depends on pre-configured rules, and if those rules are not kept up to date and tuned to the traffic they see, unusual but legitimate activity is registered as an attack. False positives can be a nuisance, because they quickly overwhelm your staff with alerts, or they can be disastrous, as when an inline device cuts off a customer connection by mistake. Since a NIPS depends on signatures to detect attacks, it has to be updated constantly to remain reliable; otherwise it will struggle to protect your network from new attacks. And because it sits in the traffic path, it can become a bottleneck if it cannot keep up with the maximum bandwidth your network carries.

IPS vs. IDS

On the surface, IPS and IDS appear to be competing products, since they share many components: packet inspection, protocol validation, stateful analysis, fragment reassembly and signature matching. But the parallel fades when one looks at the different reasons for deploying them, and saying that you only need one or the other is not necessarily true, says Szabo. “IDS versus IPS is the wrong question. Comparing the technologies assumes that they are competitive solutions but a more thorough investigation demonstrates that they are actually quite complementary,” explains Szabo. “IPS works directly on live network traffic, whereas IDS works passively on a copy of traffic. This immediately suggests that each technology has its own deployment scenarios. Depending on what part of the network is to be secured, we might need to use only IPS, or IDS, or both,” adds Ali.

How the two coexist is best described by a simple analogy. An IPS is like a security guard at the gate of a private neighbourhood, whose main responsibility is to check anyone who wants to enter and to allow or deny entry based on credentials and predefined policies. An IDS is like a patrol car that drives around the area, monitoring and looking for abnormal situations. No matter how reliable the guard at the gate is, someone still needs to be watching the premises to ensure complete safety and security.

“IPS devices live in-band on the network, filtering packets in real time. A typical architecture would place IPS protection in front of the firewall, and on the corporate backbone. As such, IPS devices join an active, defence-in-depth infrastructure team along with technologies like firewalls, antivirus software, spam filtering and content security,” Szabo comments.

No one claims that IPS can replace firewalls, IDS and other network security tools. Instead, IPS makes the most sense as part of a layered security strategy, one that uses several different technologies at multiple points in the network. If an attacker gets past the initial barrier (such as an IPS), other measures, like IDS, can detect the attack and give the systems administrator the information needed to contain the damage and prevent future assaults.
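The rule-based interception described in the HIPS or NIPS? section, and the last-line-of-defence role the closing paragraph gives to the host layer, as an added example that is not code from the article or from any vendor's product: a toy HIPS policy evaluator in which each intercepted system call is a constructed event and an ordered rule list decides allow or deny. The paths, process names, rule names and default action are assumptions made for the illustration.

```python
"""
Added example, not from the article or any vendor's product: a toy HIPS
policy evaluator.  A real HIPS hooks file, registry, process and network
calls in the kernel; here each intercepted call is a constructed Event and
the policy is an ordered list of rules in which the first match wins.
Paths, process names and rule names are assumptions for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    process: str    # image path of the calling process
    operation: str  # file_write | registry_set | process_create | net_connect
    target: str     # file path, registry key, child image, or host:port


@dataclass(frozen=True)
class Rule:
    name: str
    operation: str
    process: str    # glob over the calling process image
    target: str     # glob over the target
    action: str     # "allow" or "deny"


def _match(glob: str, value: str) -> bool:
    # Windows paths and registry keys are case-insensitive; compare lower-cased.
    return fnmatchcase(value.lower(), glob.lower())


POLICY: List[Rule] = [
    # The OS servicing component may replace system executables ...
    Rule("allow-servicing", "file_write",
         "C:\\Windows\\servicing\\TrustedInstaller.exe", "C:\\Windows\\System32\\*.exe", "allow"),
    # ... nobody else may (this is how a worm drops its copy into System32).
    Rule("protect-system-exes", "file_write", "*", "C:\\Windows\\System32\\*.exe", "deny"),
    # No process may add an autostart entry without an explicit allow rule above this one.
    Rule("protect-run-key", "registry_set", "*",
         "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "deny"),
    # Behavioural rules: a web server or mail client never needs a command shell.
    Rule("no-shell-from-web", "process_create", "*\\inetinfo.exe", "*\\cmd.exe", "deny"),
    Rule("no-shell-from-mail", "process_create", "*\\outlook.exe", "*\\cmd.exe", "deny"),
]
DEFAULT_ACTION = "allow"    # what happens when no rule matches (assumed)


def evaluate(event: Event, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule_name) for one intercepted call; the first matching rule wins."""
    for rule in policy:
        if (rule.operation == event.operation
                and _match(rule.process, event.process)
                and _match(rule.target, event.target)):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


# Constructed sample of intercepted calls (not real telemetry).
SAMPLE_EVENTS = [
    Event("C:\\Windows\\servicing\\TrustedInstaller.exe", "file_write",
          "C:\\Windows\\System32\\notepad.exe"),
    Event("C:\\Windows\\System32\\svchost.exe", "file_write",
          "C:\\Windows\\System32\\dropper.exe"),
    Event("C:\\Users\\bob\\Downloads\\game-setup.exe", "registry_set",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Game"),
    Event("C:\\Windows\\System32\\inetsrv\\inetinfo.exe", "process_create",
          "C:\\Windows\\System32\\cmd.exe"),
    Event("C:\\Program Files\\Office\\winword.exe", "file_write",
          "C:\\Users\\bob\\Documents\\report.doc"),
]


def audit(events=SAMPLE_EVENTS, policy=POLICY):
    """Evaluate every event; returns (event, action, rule) triples for the agent's log."""
    return [(e,) + evaluate(e, policy) for e in events]


if __name__ == "__main__":
    for event, action, rule in audit():
        print(f"{action:5} [{rule}] {event.process} {event.operation} {event.target}")
```

The second event shows the point the article makes about signatures: the dropper has no signature anywhere, yet it is stopped because an unknown process is writing an executable into System32. The third event shows the other side: a legitimate installer is denied its autostart entry, which is exactly the false positive that has to be resolved with an allow rule (placed before protect-run-key) before the policy goes out to every workstation.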
