REDSPHERE GLOBAL - Intrusion Prevention Systems (IPS):
IPS Services
Intrusion Prevention Systems are often neglected when a network is designed and its functional areas are laid out. Given the continually growing number of threats to your infrastructure and information, from viruses and their constantly morphing variants, online stalkers and targeted attacks to unacceptable pornographic content and beyond, this tool is rapidly becoming a network necessity.
RedSphere has extensive experience reviewing, designing and implementing IPS solutions for Government Agencies, multinational corporations and private individuals. Our experts work with leading-edge technology and also design custom solutions to suit the individual needs of each customer. So, whether you are looking to implement a "golden quadrant" solution and simply need the expertise to determine the best location and configuration, need a more cost-effective open-source-based solution implemented, or require a completely custom solution, our IPS security experts are ready to help you.
If you are not sure that you need IPS, we have outlined some of the basics of IPS below and would be happy to put together a comprehensive report detailing your current network security posture to help determine where IPS would most benefit you.
IPS Basics
An intrusion prevention system is a computer or network security device that exercises access control to protect computers from exploitation. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application-layer firewall. The latest next-generation firewalls share their existing deep packet inspection engine with an integrated intrusion-prevention function, so one pass over the traffic serves both.
Intrusion prevention systems (IPS) were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of intrusion detection systems, they continue to be related.
Intrusion prevention systems may also serve secondarily at the host level to deny potentially malicious activity. There are advantages and disadvantages to host-based IPS compared with network-based IPS. In many cases, the technologies are thought to be complementary.
An intrusion prevention system must also be a very good intrusion detection system, because it sits inline: every false positive is not just a spurious alert but legitimate traffic dropped, so a low false-positive rate is a hard requirement rather than a nicety. Some IPS products can also block attacks that have not yet been discovered, for example exploitation of an as-yet-unknown buffer overflow vulnerability, by detecting generic exploit traits such as over-long protocol fields rather than a signature for a specific exploit.
IDS/IPS Contrast
IPS have many advantages over their legacy counterparts, intrusion detection systems (IDS). One advantage is that they are designed to sit inline with traffic flows and prevent attacks in real time. In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP and SMTP, which provides greater awareness. When deploying a NIPS, however, consider whether traffic on the network segment is encrypted (for example TLS or IPsec): many products cannot inspect such traffic, and on an encrypted segment the IPS is reduced to flow-level visibility unless a decryption point is placed in front of it.
Host Based IPS
A host-based IPS (HIPS) is one where the intrusion-prevention application is resident on the host it protects (for example, your PC).
Network IPS
A network-based IPS is one where the IPS application or hardware runs on a separate device on the network, and any action taken to prevent an intrusion against a specific host or hosts is taken from that device rather than from the host itself (for example, a front-end firewall appliance).
Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms designed to analyze, detect and report on security-related events. NIPS inspect traffic and, based on their configuration or security policy, can drop malicious traffic.
Content Based IPS
A content-based IPS (CBIPS) inspects the content of network packets for unique byte sequences, called signatures, to detect and prevent known types of attack such as worm infections and other exploits. Because a signature matches the bytes of a particular exploit, it only catches the variants it was written for.
Protocol Analysis
A key development in IDS/IPS technologies was the use of protocol analyzers. Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits. For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.
Not all IPS/IDS engines are full protocol analyzers. Some products rely on simple pattern recognition techniques to look for known attack patterns. While this can be sufficient in many cases, it creates an overall weakness in the detection capabilities. Since many vulnerabilities have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines can be evaded. For example, some pattern recognition engines require hundreds of different signatures (or patterns) to protect against a single vulnerability. This is because they must have a different pattern for each exploit variant. Protocol analysis-based products can often block exploits with a single signature that monitors for the specific vulnerability in the network communications.
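The following Python script is an added illustration of the contrast drawn above and in the Content Based IPS section; it is example code written for this page, not RedSphere's product or any vendor's engine, and every request in it is constructed. It runs the same path-traversal attempt in three encodings past two engines: a pattern-based one that needs one raw byte signature per variant, and a protocol-analysis one that decodes the HTTP request first and applies a single rule to the decoded path. It also implements the "large binary value in User-Agent" anomaly described above. Signature names, the 256-byte User-Agent limit and the sample hostnames are assumptions chosen for the example.

```python
"""Pattern matching vs protocol analysis over HTTP requests (added example; inputs are constructed)."""
from urllib.parse import unquote

# Constructed sample requests, not real captures. Three are the same path-traversal
# attempt in different encodings; one carries 512 bytes of binary data in User-Agent.
SAMPLES = {
    "benign":            b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "traversal_plain":   b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    "traversal_encoded": b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    "traversal_upper":   b"GET /%2E%2E/%2E%2E/etc/passwd HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    "ua_binary":         b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: "
                         + bytes(range(0x80, 0x100)) * 4 + b"\r\n\r\n",
}

# Pattern-based engine: one raw byte signature per exploit variant it happens to know about.
# Signature names are assumed for the example.
PATTERN_SIGNATURES = {
    "traversal-v1": b"../../etc/passwd",
    "traversal-v2": b"%2e%2e/%2e%2e/etc/passwd",
}


def pattern_engine(raw: bytes) -> list:
    """Return the names of the byte patterns found anywhere in the raw payload."""
    return [name for name, pattern in PATTERN_SIGNATURES.items() if pattern in raw]


def decode_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x decoder: request line plus headers, percent-decoded target, no body handling."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return {
        "method": method.decode("ascii", "replace"),
        "target": unquote(target.decode("ascii", "replace")),
        "version": version.decode("ascii", "replace"),
        "headers": headers,
    }


def protocol_engine(raw: bytes) -> list:
    """Evaluate decoded protocol fields: one rule per vulnerability class, not one per encoding."""
    req = decode_http_request(raw)
    hits = []
    # Every encoding of the same traversal collapses to a ".." segment once the target is decoded.
    if ".." in req["target"].split("/"):
        hits.append("path-traversal")
    ua = req["headers"].get("user-agent", b"")
    # User-Agent should be short printable text; a large or binary value is anomalous (256 is an assumed limit).
    if len(ua) > 256 or any(b < 0x20 or b > 0x7E for b in ua):
        hits.append("binary-user-agent")
    return hits


def inline_verdict(raw: bytes) -> dict:
    """What an inline IPS would do with this request under each engine."""
    return {
        "pattern":  "drop" if pattern_engine(raw) else "forward",
        "protocol": "drop" if protocol_engine(raw) else "forward",
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} pattern={pattern_engine(raw)!s:18} protocol={protocol_engine(raw)}")
```

The upper-case percent-encoded variant is forwarded by the pattern engine, because nobody wrote a third signature, and dropped by the protocol engine, whose single rule never saw the encoding. In a real product the decoder must be at least as tolerant as the server it protects (double encoding, overlong UTF-8, header folding), otherwise the same evasion moves one layer down into the decoder.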
Rate Based IPS
Rate-based IPS (RBIPS) are primarily intended to prevent denial of service and distributed denial of service attacks. They work by monitoring and learning normal network behaviour. Through real-time traffic monitoring and comparison with stored statistics, an RBIPS can identify abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports, etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week, etc., drawing on the stored traffic statistics.
Unusual but legitimate traffic patterns may create false alarms, and because the system is inline a false alarm means legitimate traffic is throttled or dropped. The system's effectiveness depends on the granularity of the RBIPS rulebase and the quality of the stored statistics.
Once an attack is detected, various prevention techniques may be used such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).
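The following Python script is an added example of the rate-based mechanism described in this section; it is written for this page and is not RedSphere's or any vendor's implementation, and all of its traffic statistics and addresses are constructed (documentation address ranges). It learns a per-hour threshold from stored samples (mean plus four standard deviations, an assumed rule), compares one-second windows of SYN arrivals against it, and then applies the prevention techniques listed above in order: source tracking and black-listing of sources that dominate the flood, then rate-limiting of the traffic type if what remains still exceeds the threshold. The 20% heavy-hitter share and the port are assumptions for the example.

```python
"""Rate-based IPS: learned time-of-day thresholds and countermeasures (added example; data constructed)."""
import statistics
from collections import Counter

# Constructed stored statistics: SYN/s toward tcp/80 seen at the same hour on previous days.
# The 03:00 baseline is an order of magnitude below the 14:00 one, so a single fixed
# threshold would either miss night-time floods or alarm every afternoon.
BASELINE_SYN_PER_SEC = {
    3:  [40, 45, 38, 42, 41, 44, 39, 43],
    14: [400, 420, 390, 410, 405, 415, 398, 412],
}

HEAVY_HITTER_SHARE = 0.20   # assumed: a source sending >=20% of a flood is tracked and black-listed
TRAFFIC_TYPE = "tcp/80"     # the traffic class these statistics describe


def learned_threshold(hour: int, k: float = 4.0) -> float:
    """Dynamic threshold for this hour: mean plus k standard deviations of the stored samples."""
    samples = BASELINE_SYN_PER_SEC[hour]
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def analyze_window(sources: list, hour: int, window_seconds: float = 1.0) -> dict:
    """Compare one observation window (one source IP per SYN seen) with the learned threshold.

    Returns the measured rate, the threshold used and the prevention actions an RBIPS would apply:
    black-list sources that dominate the flood, then rate-limit the traffic type if the
    remaining rate still exceeds the threshold.
    """
    rate = len(sources) / window_seconds
    threshold = learned_threshold(hour)
    result = {"rate": rate, "threshold": round(threshold, 2), "alarm": rate > threshold, "actions": []}
    if not result["alarm"]:
        return result
    by_source = Counter(sources)
    # Source tracking: which addresses account for a disproportionate share of the window?
    blocked = [src for src, n in by_source.most_common() if n / len(sources) >= HEAVY_HITTER_SHARE]
    result["actions"] += [("blacklist", src) for src in blocked]
    # Whatever is left after black-listing is throttled down to the learned normal rate.
    remaining = sum(n for src, n in by_source.items() if src not in blocked) / window_seconds
    if remaining > threshold:
        result["actions"].append(("rate_limit", TRAFFIC_TYPE, round(threshold, 2)))
    return result


# Constructed one-second windows (documentation address ranges, not real hosts).
WINDOW_SINGLE_SOURCE = ["203.0.113.7"] * 250 + [f"198.51.100.{i}" for i in range(1, 11) for _ in range(5)]
WINDOW_DISTRIBUTED = [f"198.51.100.{i}" for i in range(1, 201)]
WINDOW_BUSY_AFTERNOON = [f"192.0.2.{i}" for i in range(1, 44) for _ in range(10)]


if __name__ == "__main__":
    print("03:00 single-source flood :", analyze_window(WINDOW_SINGLE_SOURCE, 3))
    print("03:00 distributed flood   :", analyze_window(WINDOW_DISTRIBUTED, 3))
    print("14:00 normal busy hour    :", analyze_window(WINDOW_BUSY_AFTERNOON, 14))
    print("same traffic at 03:00     :", analyze_window(WINDOW_BUSY_AFTERNOON, 3))
```

The last two calls show the time-of-day adjustment: 430 SYN/s is normal at 14:00 and a flood at 03:00. They also show the false-alarm risk from the previous paragraph: a legitimate overnight burst (a backup job, a flash crowd in another timezone) that exceeds the 03:00 baseline is rate-limited exactly like an attack, so the stored statistics must include such events and the rules must be granular enough to tell them apart.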
Host based vs network
- HIPS can inspect traffic on any type of encrypted network, because it sees data after the host has decrypted it, and it can analyse code as it executes on the host.
- NIPS does not consume processor or memory on the protected hosts; it uses its own CPU and memory resources.
- An inline NIPS is a single point of failure, which is a disadvantage: if it fails closed it takes the segment down with it, and if it fails open protection silently disappears. The same property, however, gives you a single place to maintain and update.
“I am prepared for the worst but hope for the best”
- Benjamin Disraeli