intrusion prevention system

Post on 09-Feb-2016


DESCRIPTION

Intrusion Prevention System. Group 6: Mu-Hsin Wei, Renaud Moussounda. What is IPS? IPS (Intrusion prevention system): control access to a network; similar to firewall, but different…. What’s the difference? Traditional firewall – examines header. IPS – examines payload as well.

TRANSCRIPT

Intrusion Prevention System

Group 6

Mu-Hsin Wei, Renaud Moussounda

What is IPS

IPS (Intrusion prevention system)

Control access to a network

Similar to firewall, but different…

What’s the difference?

Traditional firewall – examines header

IPS – examines payload as well

DPI (Deep Packet Inspection)

DPI enables IPS to…

Gather more information

Detect certain attack signatures

Control network traffic intelligently
- ftp root access (user root)
- HTTP content

Tradeoff

Payload
- no fixed fields
- large in size

Requires high computing resource
- CPU
- memory

Hardware implementation

IDS vs IPS

Intrusion Detection System (IDS):
- DPI
- detects
- Snort

IPS:
- DPI
- takes action
- snort_inline + iptables

Proof of concept

Implement an IPS using:
- snort_inline, and
- iptables

Test IPS using:
- Lab4 firewall configuration
- Lab6 imapd buffer overflow

Lab 4 setup

Black - attacker
Protected – victim
Firewall - IPS

How to capture attack?

Attack using buffer overflow string

Long sequence of NOP

snort_inline checks for …90 90 90 90...

Flow

Protected runs vulnerable service

BlackHat attacks

snort_inline captures the attack and tells iptables to block the traffic

Protected remains safe
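
The check described in the "How to capture attack?" and "Flow" slides above, as an added Python example that is not part of the original presentation and is not snort_inline's own code. The threshold, the allowed port, the block-by-source behaviour and the sample segments are assumptions constructed for illustration.

```python
from collections import defaultdict

NOP = 0x90             # x86 NOP opcode: the "90 90 90 90" pattern from the slides
MIN_SLED = 32          # assumed threshold; short 0x90 runs occur in benign data
ALLOWED_PORTS = {143}  # assumed header policy: IMAP is permitted

def header_only(dst_port):
    """Traditional firewall decision: header fields only."""
    return "ACCEPT" if dst_port in ALLOWED_PORTS else "DROP"

class InlineInspector:
    """Toy inline IPS: header check, then a payload scan for a NOP sled."""

    def __init__(self):
        self.tail = defaultdict(int)  # flow -> NOP run carried over from the last segment
        self.blocked = set()          # stand-in for the iptables block rule

    def verdict(self, src, dst_port, payload):
        if src in self.blocked or header_only(dst_port) == "DROP":
            return "DROP"
        flow = (src, dst_port)
        run = self.tail[flow]
        for byte in payload:
            run = run + 1 if byte == NOP else 0
            if run >= MIN_SLED:
                self.blocked.add(src)  # later traffic from this source is dropped too
                return "DROP"
        self.tail[flow] = run          # remember a run that ends at the segment boundary
        return "ACCEPT"

def demo():
    """Return (firewall verdict, IPS verdict) for constructed sample segments."""
    ips = InlineInspector()
    traffic = [
        ("10.0.0.5", 143, b"a001 LOGIN alice pw\r\n"),           # normal login
        ("10.0.0.5", 143, b"\x90" * 4 + b" short run in data"),  # below threshold
        ("10.0.0.66", 143, b"a001 LOGIN " + b"\x90" * 20),       # sled, first half
        ("10.0.0.66", 143, b"\x90" * 20 + b"\r\n"),              # sled, second half
        ("10.0.0.66", 143, b"a002 NOOP\r\n"),                    # after the block
    ]
    return [(header_only(port), ips.verdict(src, port, data))
            for src, port, data in traffic]

if __name__ == "__main__":
    for fw, ips in demo():
        print(f"firewall={fw:6} ips={ips}")
```

The header-only check accepts all five segments because they all go to an allowed port; the payload scan drops the fourth, where the run carried across the segment boundary reaches the threshold, and everything from that source afterwards. The first half of the split sled has already been forwarded by then, which is why an inline engine also needs stream reassembly before it delivers data to the protected host.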

IPS + Lab4 + Lab6

BlackHat, Protected, and IPS

Implication

One for all

Less dependent on individual server

Vulnerable service made secure

Enhanced security

What you will do in the lab?

Setup machines & install software

Perform first attack without IPS

Perform second attack with IPS enabled

Appreciate IPS/DPI

Questions

?
