Thursday, November 12, 2020

Basics of IPS

IPS

Intrusion Prevention System

An IPS is a network security tool or device that not only detects intruders but also prevents them from successfully launching any known attack. Intrusion prevention systems combine the abilities of firewalls and intrusion detection systems. However, implementing an IPS on an effective scale can be costly, so businesses should carefully assess their IT risks before making the investment.

IPSs are not as fast or as robust as firewalls and IDSs, so an IPS might not be a suitable solution when speed is an absolute requirement.

One key distinction to make is between intrusion prevention and active response. An active response device dynamically reconfigures or alters network or system access controls, session streams or individual packets based on triggers from packet inspection and other detection devices. Active response happens after the event has occurred; thus, a single-packet attack will succeed on the first attempt but will be blocked in future attempts. For example, a DDoS attack will succeed with its first packets but will be blocked afterwards. While active response devices are beneficial, this one aspect makes them unsuitable as an overall solution. Network intrusion prevention devices, on the other hand, are typically inline devices on the network that inspect packets and make decisions before forwarding them on to the destination.

This type of device has the ability to defend against single packet attacks on the first attempt by blocking or modifying the attack inline. 

Most importantly, an IPS must perform packet inspection and analysis at wire speed. Intrusion prevention systems should perform detailed packet inspection to detect intrusions, including application-layer and zero-day attacks.

System or host intrusion prevention devices are likewise inline, at the operating system level. They can intercept system calls, file and memory operations, processes and other system functions to prevent attacks. There are several intrusion prevention technologies, including the following:

System memory and process protection: 

This type of intrusion prevention strategy exists at the system level. Memory protection consists of a mechanism to prevent a process from corrupting the memory of another process running on the same system. Process protection consists of a mechanism for monitoring process execution, with the ability to kill processes that are suspected of being attacks.

Inline network devices: 

This type of intrusion prevention approach places a network device directly in the path of network communications, with the capability to modify and block attack packets as they traverse the device's interfaces. It acts much like a router or firewall combined with the signature-matching capabilities of an IDS. Detection and response happen in real time, before the packet is passed on to the destination network.

Session sniping: 

This type of intrusion prevention strategy terminates a TCP session by sending a TCP RST packet to both ends of the connection. When an attempted attack is detected, the TCP RST is sent, the attempted exploit is flushed from the buffers, and the attack is thus prevented. Note that the TCP RST packets must carry the correct sequence and acknowledgement numbers to be effective.

System identification is another concern with session sniping when deploying active response IPSs. When systems terminate sessions with RST packets, an attacker might be able to discover not only that an IPS is involved but also the type of underlying system. Readily accessible passive operating system identification tools examine packets to determine the underlying operating system.

A TCP RST (reset) is what a host sends when an unexpected TCP packet arrives: the host usually responds with a reset packet on the same connection. A reset packet is simply one with no payload and with the RST bit set in the TCP header flags.
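The sequence and acknowledgement requirement described above, as an added example that is not code from the original post: what a session-sniping IPS has to compute for the two RSTs after observing one segment, and the check an endpoint applies before honouring a RST. The `Segment` fields, the function names and the sample numbers are my own assumptions.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32

@dataclass
class Segment:
    """Observed TCP segment (constructed; only the fields the IPS needs).
    SYN/FIN each consume one sequence number; that is not modelled here."""
    src: str
    dst: str
    seq: int          # sequence number of the segment's first payload byte
    ack: int          # what src has acknowledged receiving from dst
    payload_len: int

def rst_pair(seg):
    """Sequence/ack numbers an IPS must put in the two RSTs that snipe the
    session after seeing `seg` travel from seg.src to seg.dst. Each RST has
    to continue the impersonated side's sequence space exactly, otherwise
    the receiving endpoint discards it."""
    next_seq = (seg.seq + seg.payload_len) % MOD   # dst's RCV.NXT after seg
    # RST towards dst, impersonating src: pick up where src's stream left off.
    to_dst = {"src": seg.src, "dst": seg.dst, "seq": next_seq, "ack": seg.ack}
    # RST towards src, impersonating dst: src's RCV.NXT is what it just
    # acknowledged, so this RST's seq must equal seg.ack.
    to_src = {"src": seg.dst, "dst": seg.src, "seq": seg.ack, "ack": next_seq}
    return to_dst, to_src

def rst_acceptable(rst_seq, rcv_nxt, rcv_wnd, strict=False):
    """Would an endpoint honour a RST carrying rst_seq?
    RFC 793: accepted anywhere in the receive window [rcv_nxt, rcv_nxt+rcv_wnd).
    RFC 5961 (strict=True, modern stacks): only if rst_seq == rcv_nxt; an
    in-window but inexact RST draws a challenge ACK instead of a teardown.
    Modular arithmetic keeps the test correct across wrap-around."""
    if strict:
        return rst_seq == rcv_nxt
    return (rst_seq - rcv_nxt) % MOD < rcv_wnd
```

The strict branch is why an IPS that has lost exact track of a session's state fails silently against current operating systems: its RST is answered with a challenge ACK and the connection survives.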

Gateway interaction devices: 

This type of intrusion prevention strategy allows a detection device to dynamically interact with network gateway devices such as routers or firewalls. When an attempted attack is detected, the detection device can direct the router or firewall to block the attack.

There are several risks when deploying intrusion prevention technologies. Most notable is the recurring issue of false positives in today's intrusion detection systems. On some occasions, legitimate traffic will display characteristics similar to malicious traffic. This could be anything from an inadvertently identical signature to uncharacteristically high traffic volume. Even a finely tuned IDS can produce false positives when this occurs. When intrusion prevention is involved, false positives can create a denial-of-service (DoS) condition for legitimate traffic. Attackers who control or suspect the use of intrusion prevention methods can purposely create a DoS attack against legitimate networks and sources by sending attacks with spoofed source IP addresses. A simple mitigation for some DoS conditions is to use a whitelisting policy.

Another risk with active response IPSs involves gateway interaction timing and race conditions. In this scenario, a detection device directs a router or firewall to block the attempted attack. However, because of network latency, the attack has already passed the gateway device before it receives this direction from the detection device. A similar situation could occur with a scenario that creates a race condition on the gateway device itself between the attack and the response. 
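As an added example that is not code from the original post, the distinction between inline prevention and active response drawn earlier, the whitelisting mitigation and the gateway-timing risk from the two paragraphs above, simulated on a constructed two-packet attack. The signature, the addresses and the class names are my own assumptions.

```python
from dataclasses import dataclass, field

# Constructed signature table: byte patterns the IPS treats as known attacks.
SIGNATURES = {b"/../../etc/passwd": "path-traversal"}

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def matches_signature(pkt):
    """Return the name of the signature the payload hits, or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

@dataclass
class InlineIPS:
    """Inline device: the verdict is reached before forwarding, so even the
    first packet of a single-packet attack never reaches the destination."""
    allow_list: set = field(default_factory=set)
    def handle(self, pkt):
        # Whitelisting mitigation: allow-listed sources are never blocked, so a
        # false positive (or an attack with a spoofed trusted source) cannot
        # turn into a DoS against that host, at the cost of not inspecting it.
        if pkt.src in self.allow_list:
            return "forward"
        return "block" if matches_signature(pkt) else "forward"

@dataclass
class ActiveResponse:
    """Passive sensor plus gateway interaction: by the time the gateway ACL
    is updated the triggering packet has already passed, so only later
    packets from the same source are blocked."""
    allow_list: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    def handle(self, pkt):
        if pkt.src in self.blocked:
            return "block"             # ACL already in place for this source
        if matches_signature(pkt) and pkt.src not in self.allow_list:
            self.blocked.add(pkt.src)  # gateway told to block: too late for this one
        return "forward"               # the packet was already on its way

def run(device, packets):
    return [device.handle(p) for p in packets]

ATTACK = [Packet("203.0.113.5", "192.0.2.10",   # constructed: same exploit twice
                 b"GET /../../etc/passwd HTTP/1.1")] * 2
```

Running both devices over `ATTACK` shows the difference the post describes: the inline device blocks both packets, the active response device forwards the first and blocks only the second.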

When deploying an IPS, you should carefully monitor and tune your systems and be aware of the risks involved. You must also have an in-depth understanding of your network, its traffic, and both its normal and abnormal characteristics. It is always recommended to run IPS and active response technologies in test mode for a while to thoroughly understand their performance.


-DR

