Intrusion prevention system
From Hill2dot0
The nature of information security continues to grow ever more complex. With new vulnerabilities that seem to be uncovered on a daily basis, the emergence of new types of attacks, the shrinking time between vulnerability discovery and exploit development, the propagation speeds of automated worm attacks, and the dissolving network perimeter, it is no wonder that security teams are feeling overwhelmed.
Traditional security solutions like firewalls, antivirus software, and intrusion detection systems are becoming inadequate protection. The challenge of dealing with security threats is further exacerbated by the difficulty of applying patches in a timely manner. A new type of security device and process is needed: one that pervades the network and automatically protects against a broad variety of attack types (e.g., worms, viruses, Trojans, distributed denial of service (DDoS) attacks, spyware, etc.) and from all potential points of attack, both inside and out.
Defining an IPS
Intrusion prevention systems were the first step toward a new method of ensuring enhanced security protection. An intrusion prevention system is essentially a “next generation firewall” that combines network-level and application-level filtering techniques with a reactive intrusion detection system (IDS) to proactively protect a network or host device based on heuristics, or network behavior analysis. An IPS uses deep packet inspection to overcome the shortcomings originally thought to exist within firewalls and early IDSs. An IPS is less a product than a process or function that is now embedded within a computerized security device.
Intrusion prevention should be thought of as a proactive (versus reactive) preemptive approach to network security that is being used to identify potential threats and respond to them quickly. Like an IDS, an IPS will monitor network traffic for security threats and exploits.
In the simplest sense, an intrusion prevention system is an in-line device that blocks attacks before they can reach their target. In a broader sense, an IPS performs deep packet inspection, and this thorough analysis and classification of traffic allows it to offer a new range of functions.
Heuristics Underlies IPS Technology
If a device could learn about normal network behavior, and apply experience-derived knowledge to a problem, it would be deemed “intelligent.” That is the concept underlying heuristics.
From the Greek word “heuriskein,” meaning “to discover,” heuristic software looks for known sources, commonly used text phrases, and transmission or content patterns that experience has shown to be associated with a threat or exploit. The concept is to apply a behavior analysis technique, through a software engine, to security processes.
Network behavior analysis therefore becomes a method to enhance the security of a host device or network by monitoring traffic, and diagnosing unusual or aberrant actions or departures from the norm. A heuristic or behavioral analysis solution would be able to offer added protection for a device or network over that which is provided by traditional anti-threat applications such as firewalls, antivirus software and anti-spyware software programs.
A behavior analysis program passively monitors the traffic flow between computers in real time and would flag unknown, new or unusual patterns that could indicate the presence of threats. The software engine can also monitor and record trends in bandwidth and protocol usage based on the same behavior trend analysis.
History
The first IPSs were invented in the late 1990s to resolve what were then believed to be ambiguities in the traditional passive network monitoring done by firewalls and IDSs. By placing detection systems in-line, an IPS could make access control decisions based on application content, rather than on access control list filtering by IP address or port as older, traditional firewalls had been doing.
The term intrusion prevention system was originally created by Andrew Plato, a technical writer and consultant for NetworkICE, now part of IBM’s Internet Security Systems group, and the original creators of the first commercially available IPS, BlackICE.
BlackICE came onto the market in 1998. Both a business and a personal version of the product were offered. BlackICE was able to provide both host-based and network-based IPS capabilities using protocol analysis. The BlackICE products included a firewall that could respond, in real time, to intrusions and block attackers. NetworkICE was purchased in June 2000 by Internet Security Systems (ISS). ISS was purchased by IBM in 2006.
Since IPSs were originally a literal extension of intrusion detection systems, the two continue to be related, hence the confusion between them.
Types of Intrusion Prevention Systems
There are various types of Intrusion Prevention Systems, depending on where they are residing and what they are protecting. In many cases, these devices are integrated with other functions such as firewalls, or intrusion detection systems.
Host-based
A host-based intrusion prevention system (HIPS) runs the intrusion-prevention application on a specific host or end device, such as one’s own computer or a server with a unique IP address.
Network-based
A network-based intrusion prevention system (NIPS) is an in-line, purpose-built, integrated hardware and software platform designed to analyze, detect, and report on security-related events, and to proactively take action based on behavior analysis techniques.
Content-based
A content-based IPS inspects the content of network packets for unique sequences, called signatures, to detect and preempt known types of attack such as worm infections, hacks and DDoS attacks.
Protocol Analysis
A key development in IDS/IPS technologies was the use of protocol analyzers. Protocol analyzers have the inherent ability to decode application-layer network protocols, like HTTP or FTP.
By looking deep within a packet at the upper layers of the protocol stack, an IPS analysis engine can evaluate different parts of the protocol for aberrant behavior or exploits. For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.
But not all IPS/IDS engines are full protocol analyzers. Some products rely on simple pattern recognition techniques to look for known attack patterns, called signatures. This creates an overall weakness in threat detection: many vulnerabilities have dozens, or possibly hundreds, of exploit variants, and a signature written for one variant does not match the others. As a result, pattern recognition-based IPS/IDS engines can be bypassed.
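The contrast between content-based signature matching and protocol analysis can be made concrete with a small inspector. The following is an added example written for this page, not code from the original article or from any IPS product. It parses an HTTP request the way a protocol analyzer would, judges each header field against what HTTP allows (token-only header names, printable header values, an assumed size limit of 512 bytes per value), and runs a plain signature check beside it. The three requests and the BADAGENT/1.0 marker are constructed samples, not captured traffic: the binary-blob User-Agent from the text is caught by the protocol checks but not by the signature list, while the signature catches its one known variant.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic). BADAGENT/1.0 is a
# hypothetical marker used as a signature, not a real User-Agent.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"\r\n"
)
SIGNATURE_HIT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: BADAGENT/1.0\r\n"
    b"\r\n"
)
# A large binary blob in User-Agent, the anomaly described in the text. The blob
# contains no CR/LF bytes, so the header framing itself stays intact.
ANOMALOUS_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: " + bytes(range(0x80, 0x100)) * 8 + b"\r\n"
    b"\r\n"
)

SIGNATURES = [b"BADAGENT/1.0"]                              # toy list: one known variant
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 header-name token
VALUE_BYTES_OK = set(range(0x20, 0x7F)) | {0x09}            # visible ASCII plus HTAB
MAX_HEADER_VALUE_LEN = 512                                   # assumed policy limit
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def parse_request(raw: bytes):
    """Decode the request line and headers; raise ValueError on framing errors."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers


def protocol_analysis(raw: bytes) -> List[str]:
    """Protocol-aware checks: each decoded field is judged against what HTTP allows."""
    try:
        method, _target, version, headers = parse_request(raw)
    except ValueError as exc:
        return [f"protocol: {exc}"]
    findings = []
    if method not in METHODS:
        findings.append(f"protocol: unexpected method {method!r}")
    if not version.startswith(b"HTTP/"):
        findings.append(f"protocol: bad version {version!r}")
    for name, value in headers:
        label = name.decode("ascii", errors="replace")
        if not TOKEN_RE.match(name):
            findings.append(f"protocol: invalid header name {label!r}")
        if any(b not in VALUE_BYTES_OK for b in value):
            findings.append(f"protocol: non-printable bytes in {label}")
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append(f"protocol: {label} value too long ({len(value)} bytes)")
    return findings


def signature_match(raw: bytes) -> List[str]:
    """Plain pattern matching: only the exact variants in the list are seen."""
    return [f"signature: {sig.decode()}" for sig in SIGNATURES if sig in raw]


def inspect(raw: bytes) -> Dict[str, List[str]]:
    return {"signature": signature_match(raw), "protocol": protocol_analysis(raw)}


def verdict(raw: bytes) -> str:
    """In-line decision: drop the request when either engine reports a finding."""
    result = inspect(raw)
    return "DROP" if result["signature"] or result["protocol"] else "PASS"


if __name__ == "__main__":
    samples = [("benign", BENIGN_REQUEST), ("signature hit", SIGNATURE_HIT_REQUEST),
               ("binary User-Agent", ANOMALOUS_REQUEST)]
    for label, req in samples:
        print(label, verdict(req), inspect(req))
```

The signature engine is blind to the binary User-Agent because nothing in its list matches, which is the weakness the text describes; the protocol engine flags it twice (non-printable bytes and an oversized value) without needing to know which exploit produced it. In a real IPS the two engines complement each other rather than replace one another.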
Rate-based
Rate-based intrusion prevention systems are designed primarily to prevent denial of service (DoS) and distributed denial of service (DDoS) attacks. Like most IPSs, they monitor and learn normal network behavior (heuristics). They then compare live traffic against the stored normal statistics to identify abnormal rates for certain types of traffic: TCP, UDP, or ARP packets, connections per second, packets per connection, packets to specific ports, etc. Various attacks can then be detected when the normal thresholds are exceeded. The thresholds are often adjusted dynamically by time of day and day of the week, relying upon the stored traffic statistics.
Unusual but legitimate network traffic patterns may create false alarms (false positives). A false positive occurs when the system triggers an alarm in error, when there is really no threat. A preponderance of false positives is not just a nuisance; it can also lead a network administrator to turn off the trigger. The system's effectiveness is related to the granularity of the signature rules database and the quality of the stored statistics.
A false negative occurs when the IPS fails to recognize a true threat and lets it through without triggering an alarm. Some would argue that a false positive is not as significant an event as a false negative.
Once an attack is detected, various prevention techniques may be used such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).
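The behavior-analysis idea from the heuristics section and the rate-based mechanism just described can be shown together in one small detector. The following is an added example written for this page; it is not code from the original article or from any IPS product. It learns one threshold per hour of day and traffic type from a constructed week of baseline observations (mean plus three standard deviations, with an assumed floor of 25% of the mean), compares live observations against them, picks a prevention action from an assumed policy (rate-limit the traffic type for a modest excess, blacklist the source for a gross one), and counts true and false positives and negatives against constructed ground-truth labels. All rates, addresses and labels are made up.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    hour: int        # hour of day, 0-23
    kind: str        # traffic type: "tcp_syn", "udp" or "arp"
    rate: float      # observed rate (packets or connections per second)
    source: str      # source address
    is_attack: bool  # ground-truth label, used only by evaluate()


Threshold = Dict[Tuple[int, str], float]


def constructed_baseline() -> List[Tuple[int, str, float]]:
    """Seven days of per-hour observations, synthesised deterministically.
    Constructed data standing in for the IPS's stored traffic statistics."""
    samples = []
    for day in range(7):
        for hour in range(24):
            busy = 8 <= hour < 18                      # business hours are busier
            samples.append((hour, "tcp_syn", (100 if busy else 20) + (day * 3) % 7))
            samples.append((hour, "udp", (300 if busy else 60) + (day * 5) % 11))
            samples.append((hour, "arp", 5 + day % 2))
    return samples


def learn_thresholds(samples, k: float = 3.0, min_margin: float = 0.25) -> Threshold:
    """One threshold per (hour, traffic type): mean + k standard deviations,
    floored at min_margin * mean so a near-constant stream does not yield a
    hair-trigger threshold (assumed policy, not a vendor algorithm)."""
    grouped = defaultdict(list)
    for hour, kind, rate in samples:
        grouped[(hour, kind)].append(rate)
    thresholds: Threshold = {}
    for key, rates in grouped.items():
        mean = statistics.fmean(rates)
        spread = statistics.pstdev(rates)
        thresholds[key] = mean + max(k * spread, min_margin * mean)
    return thresholds


def detect(event: Event, thresholds: Threshold) -> Optional[dict]:
    """Return an alert carrying a prevention action, or None when the rate is normal."""
    limit = thresholds.get((event.hour, event.kind))
    if limit is None or event.rate <= limit:   # no baseline or within the envelope
        return None
    ratio = event.rate / limit
    # Assumed response policy: modest excess is rate-limited by traffic type,
    # a gross excess (10x or more) gets the source address blacklisted.
    action = f"blacklist:{event.source}" if ratio >= 10 else f"rate_limit:{event.kind}"
    return {"source": event.source, "kind": event.kind, "rate": event.rate,
            "limit": round(limit, 1), "action": action}


def evaluate(events: List[Event], thresholds: Threshold) -> Dict[str, int]:
    """Count true/false positives and negatives against the ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        alerted = detect(ev, thresholds) is not None
        if alerted and ev.is_attack:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1
        elif ev.is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed live observations with ground-truth labels.
EVENTS = [
    Event(14, "tcp_syn", 125, "10.0.0.5", False),   # busy afternoon: normal
    Event(3, "tcp_syn", 125, "10.0.0.9", True),     # same rate at 03:00: SYN flood
    Event(9, "udp", 2000, "10.0.0.7", True),        # UDP flood
    Event(2, "udp", 500, "10.0.0.20", False),       # legitimate overnight backup: false positive
    Event(3, "tcp_syn", 28, "10.0.0.30", True),     # slow attack under the threshold: false negative
    Event(10, "arp", 400, "10.0.0.44", True),       # ARP storm: gross excess, source blacklisted
    Event(12, "udp", 370, "10.0.0.8", False),       # within the daytime envelope
]


if __name__ == "__main__":
    thresholds = learn_thresholds(constructed_baseline())
    for ev in EVENTS:
        print(ev.hour, ev.kind, ev.rate, detect(ev, thresholds))
    print(evaluate(EVENTS, thresholds))
```

The same 125 SYN/s is normal at 14:00 and an alert at 03:00, which is what the time-of-day thresholds buy. The overnight backup shows how unusual-but-legitimate traffic becomes a false positive, and the slow attack just under the 03:00 threshold shows a false negative; tightening k or min_margin trades one for the other, which is the tuning decision the text attributes to the quality of the stored statistics.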
Snort
As with intrusion detection, Snort® is the most widely deployed IDS and IPS product and has become the de facto standard for the industry. It is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods.
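To show what a rule-driven language of the kind Snort uses looks like in operation, here is an added example written for this page: a parser and matcher for a small Snort-style subset (rule header with action, protocol, addresses, ports and direction; msg, content, nocase, dsize, sid and rev options). It is not Snort's own parser and does not cover Snort's full syntax; in particular it splits options on semicolons, so a content pattern containing a semicolon is out of scope. The two rules, their sid values, the BADAGENT marker and the three packets are constructed samples.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: List[Tuple[str, str]]   # (keyword, value) in rule order


# Constructed rules in Snort-style syntax (sids are made up; BADAGENT is a
# hypothetical marker, not a real User-Agent).
RULES_TEXT = """
# signature plus protocol/port constraints
alert tcp any any -> any 80 (msg:"HTTP request with BADAGENT marker"; content:"BADAGENT"; nocase; sid:1000001; rev:1;)
drop udp any any -> any 53 (msg:"Oversized DNS payload"; dsize:>512; sid:1000002; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for item in body.split(";"):          # simplification: no ';' inside patterns
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def option(rule: Rule, key: str) -> Optional[str]:
    return next((v for k, v in rule.options if k == key), None)


def port_ok(spec: str, port: int) -> bool:
    """'any', a single port, or a range 'lo:hi' with either side open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def addr_ok(spec: str, addr: str) -> bool:
    """'any', an exact address, or a negated address '!addr'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return addr != spec[1:]
    return spec == addr


def header_ok(rule: Rule, pkt: dict) -> bool:
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    forward = (addr_ok(rule.src, pkt["src"]) and port_ok(rule.sport, pkt["sport"])
               and addr_ok(rule.dst, pkt["dst"]) and port_ok(rule.dport, pkt["dport"]))
    if rule.direction == "->":
        return forward
    reverse = (addr_ok(rule.src, pkt["dst"]) and port_ok(rule.sport, pkt["dport"])
               and addr_ok(rule.dst, pkt["src"]) and port_ok(rule.dport, pkt["sport"]))
    return forward or reverse            # '<>' matches either orientation


def payload_ok(rule: Rule, payload: bytes) -> bool:
    """Evaluate content/nocase (signature) and dsize (protocol-level) options."""
    contents: List[List] = []            # [pattern, nocase] pairs in order
    for key, value in rule.options:
        if key == "content":
            contents.append([value.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True       # nocase modifies the preceding content
        elif key == "dsize":
            m = re.match(r"^([<>]?)(\d+)$", value)
            if not m:
                return False
            op, n = m.group(1), int(m.group(2))
            if (op == ">" and not len(payload) > n) or (op == "<" and not len(payload) < n) \
                    or (op == "" and len(payload) != n):
                return False
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def inspect_packet(rules: List[Rule], pkt: dict):
    """Return (verdict, hits); 'drop' wins over 'alert', and no hit means 'pass'."""
    hits = [r for r in rules if header_ok(r, pkt) and payload_ok(r, pkt["payload"])]
    verdict = "drop" if any(r.action == "drop" for r in hits) else ("alert" if hits else "pass")
    return verdict, [(r.action, option(r, "sid"), option(r, "msg")) for r in hits]


# Constructed packets (addresses from documentation ranges, payloads made up).
WEB = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: badagent/1.0\r\n\r\n"
PACKETS = {
    "web_marker": {"proto": "tcp", "src": "192.0.2.10", "sport": 51234,
                   "dst": "198.51.100.5", "dport": 80, "payload": WEB},
    "big_dns": {"proto": "udp", "src": "192.0.2.10", "sport": 40000,
                "dst": "198.51.100.53", "dport": 53, "payload": b"\x00" * 600},
    "web_other_port": {"proto": "tcp", "src": "192.0.2.10", "sport": 51235,
                       "dst": "198.51.100.5", "dport": 8443, "payload": WEB},
}

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, pkt in PACKETS.items():
        print(name, inspect_packet(rules, pkt))
```

The first rule combines a signature (content with nocase, so the lower-case variant still matches) with protocol and port constraints, and the second uses a protocol-level size check rather than a pattern; the same packet on port 8443 passes because the header part of the rule never matches, which is why real rule sets pair content with tight header constraints to keep false positives down.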
Summary
It seems that over time, firewalls, intrusion detection systems and intrusion prevention systems are taking on more attributes from each other, and the line of demarcation will continue to grow more fuzzy. The convergence of networking, security and smart behavior analysis software is at hand.
It should be noted that like an IDS or firewall, the IPS’s heuristic approach is not a panacea. It should be used in addition to conventional firewalls and solutions for the detection, blocking and removal of security threats and exploits.
See Also
PodSnacks:
- Intrusion detection system (IDS)
- Intrusion prevention system (IPS)
- Host-based vs. Network-based Security