Intrusion Prevention Systems (IPS) destined to replace legacy routers

Gunter Ollmann, manager of X-Force Security Assessment Services EMEA for Internet Security Systems

Whether the term is evolution or revolution, corporate network managers must have noticed that change is in the air. Just as network design changed with the implementation of cost effective routers to replace legacy network bridging devices, the design rulebook is once again under revision.

Formerly the domain of large financial or technically elite organizations, network intrusion detection systems (NIDS) now provide mainstream corporate security. However, until recently, they were often additional devices that sat upon the network, typically “out-of-band”, and the responsibility of the nominated corporate security expert.

The latest devices now form an integrated element of the network topology. Just as network bridges were superseded with devices that could logically route network traffic based upon the data packets themselves and even implement an access control list (ACL), the new generation of device goes further towards making the network more robust and manageable. These devices, referred to as intrusion prevention systems (IPS), incorporate NIDS technology into a single in-line device.

While many organizations initially think of IPS as only a security device, and thus the remit of the security department, this is not necessarily the case. The combination of technologies results in what many are calling the revolutionary aspect of IPS – the fact that the resultant mainstream device will be managed by an organization's network infrastructure department.

Looking similar, and typically positioned within the network topology just like a router, they provide the extended range of protection technologies now mandatory to thwart current and future projected network threats.

In many ways IPS is the evolution of two complementary technologies.

Routers are commonly used to connect multiple network segments together and provide a robust, and often dynamic, path for traffic to navigate a distributed corporate infrastructure. They are also frequently configured to provide traffic control through ACLs, thereby regulating network throughput and providing some basic level of security utilising port filtering techniques.

On the other hand, we have NIDS. Historically, the technology was primarily an analysis and alerting tool – designed to identify probable network-based attacks and respond in a predetermined manner (such as alerting the security administrator or blocking some types of attack). The major strength of NIDS is deep packet inspection, and the ability to analyse network traffic for threats right up to the application layer.

Thus the combination of the two technologies allows for a device that:

• Regulates network traffic at a level beyond routers and their firewall cousins.

• Provides detailed traffic analysis and management options.

• Can automatically respond to threats at the network layer right through to the application layer.

An IPS is more than the sum of its parts, and should be viewed as a critical network infrastructure component – installed and managed by an organization's network infrastructure department. The simplification of device management and configuration, combined with a mature automated response system – all built into a single appliance – means that security departments can focus upon developing higher-level implementation security plans, and network departments can focus upon managing a hardware device in a similar capacity to other existing infrastructure components.

For many organizations, an understanding of the types of threats an IPS system can prevent from affecting the network is often required before the importance of the new technology can be fully appreciated.

Consider classic port filtering through ACLs as an example. ACLs are ideal for preventing unwanted traffic passing between network segments. However, they are not capable of identifying unwanted network protocols communicating in unexpected ways — such as running SSH services over HTTPS (doubly complex as both services are encrypted). Such problems regularly arise, and many current security threats, such as popular chat and file-sharing applications, purposefully exploit the inadequacies of simple port filtering techniques to bypass typical corporate firewall installations. The ability to inspect the content of each network packet, and check for protocol conformity, is a basic requirement in preventing such bypass techniques.

The facility to provide a level of deep packet inspection also means that an IPS device is potentially able to provide higher level logic functions based upon the content of an individual data packet, or a stream of fragmented data. These higher level functions would include the



ability to correlate the data content against a series of rules or other logic processes. In one sense, it is a simple process to identify content that may be associated directly with threats such as viruses, worms, exploitation code or other hybrid-threats and respond in a pre-determined way.
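The port-filter bypass described earlier (an SSH service tunnelled over the HTTPS port) and the content-correlation step above, as an added illustration that is not code from the article or from Internet Security Systems: a port-based ACL admits anything destined for TCP/443, whereas a protocol-conformity check reads the first bytes of the stream and blocks an SSH identification string where a TLS ClientHello is expected. The function names, the expected-protocol table and the sample payloads are constructed for this example.

```python
# Added illustration: port-based ACL versus protocol-conformity inspection
# on the HTTPS port. Sample payloads are constructed, not captured traffic.
import struct

ACL_ALLOWED_PORTS = {443}          # classic router ACL: trusts the port number alone


def acl_decision(dst_port: int) -> str:
    """Legacy ACL behaviour: allow or drop purely by destination port."""
    return "allow" if dst_port in ACL_ALLOWED_PORTS else "drop"


def classify_stream_start(payload: bytes) -> str:
    """Identify the application protocol from the first bytes a client sends."""
    # SSH clients open with an identification string (RFC 4253, section 4.2).
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type (1) | version (2) | length (2).
    # A ClientHello is a handshake record (0x16) whose first body byte is
    # handshake type 1; the record version major byte is always 0x03.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        rec_len = struct.unpack("!H", payload[3:5])[0]
        if payload[5] == 0x01 and rec_len >= 4:
            return "tls"
    return "unknown"


# Constructed policy: which protocol an in-line device expects on each port.
EXPECTED_PROTOCOL = {443: "tls"}


def ips_decision(dst_port: int, payload: bytes) -> tuple:
    """In-line IPS: apply the ACL first, then check protocol conformity."""
    if acl_decision(dst_port) == "drop":
        return ("drop", "acl")
    proto = classify_stream_start(payload)
    expected = EXPECTED_PROTOCOL.get(dst_port)
    if expected and proto != expected:
        return ("block", f"{proto} on port {dst_port}, expected {expected}")
    return ("allow", proto)


# Constructed first packets from two clients, both addressed to TCP/443.
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # minimal handshake record
SSH_BANNER = b"SSH-2.0-example_client\r\n"                 # SSH version exchange

if __name__ == "__main__":
    for pkt in (TLS_HELLO, SSH_BANNER):
        print("ACL:", acl_decision(443), " IPS:", ips_decision(443, pkt))
```

The ACL returns "allow" for both packets; only the conformity check separates the genuine TLS handshake from the SSH session riding on the HTTPS port.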

This response may include passive actions such as logging and alerting, or more proactive actions such as “cleansing” the data payload (such as existing anti-virus solutions), directing it somewhere else (such as the functions performed by network proxy servers), or resetting and preventing network connection (commonly carried out by active IDS installations).

The “cleansing” of data on-the-fly is probably the easiest to understand, but the most complex to implement from a technology point of view. However, dedicated anti-virus products have been doing this for many years now and the robustness of the technology is widely accepted.

A large number of organizations utilise proxy servers to control and regulate outbound access from their internal networks. Typically, these proxies require each client connection (such as Web browsers and FTP clients) to be configured with the device address and directed to it. Once again, technology has moved on. With the use of in-line devices providing transparent proxy functions, no client-level configuration is required and (unlike static host proxies) it is almost impossible to circumvent. From a management perspective, transparent proxy functionality provides greater flexibility in medium to large enterprises when adding, removing, or otherwise changing the allowable suite of outbound connectivity at an application level (rather than at the less satisfactory protocol level as achieved with firewalls) – while still protecting the internal network.

The in-line position of the IPS also greatly increases the success of the NIDS functionality to thwart attacks.

A limitation of NIDS has always been the “spectator view” on the network and the inability to respond to attacks within single network packets or connectionless protocols such as UDP. By going in-line, the IPS can analyze traffic before passing it on to the next network segment and decide whether to allow or disallow individual packets. This is particularly appropriate when responding to threats such as the last Slammer Worm, whereby networks were inundated with Microsoft SQL Server probes and consequently great volumes of SQL Server specific traffic. Without an IPS, there were only two response options – either turn off the SQL Server host or filter and block all ports associated with the SQL Server (thereby shutting off the SQL Server). With an IPS device, any SQL traffic associated with the attack could be blocked, while other acceptable traffic would be allowed to traverse the network – thereby providing the flexibility an organization requires to continue to operate while infected hosts were dealt with.

For most environments, an IPS device will cover the majority of requirements within an organisation or for use between sites with direct (non-shared) network connections. However, broadening the IPS technology further – primarily towards usage as a gateway or perimeter network segregator – already the first generation of “IPS+” devices have extended the basic suite of security functions to include VPN tunnelling, anti-virus, anti-spam, content-filtering, caching and proxying. Advanced features such as these enable the device to provide front-line defences for the organization against threat from a shared or non-trusted network such as the Internet – while also simplifying the network topology.

Although multiple vendors have chosen to supply network appliances providing this enhanced IPS functionality, there is no common nomenclature – instead terms such as “Gateway Appliance”, “Perimeter Defence System”, “Border Defence Appliance”, etc. have been used. Until such an agreed name is developed, “IPS+” will be satisfactory for now.

Just as IPS technology represents an evolution of routers and NIDS, IPS+ represents a technological leap over firewalls and other DMZ-based security tools. An IPS+ appliance is capable of replacing border firewalls, along with related border defences such as SMTP anti-virus, VPNs, content filtering and proxying – thereby greatly simplifying the normally complex and often distributed DMZ environment, and bringing together similar security defences into a single manageable device.

These IPS+ devices are therefore capable of one-for-one firewall replacement – being located at the same infrastructure location. The ability to replace a firewall with an IPS+ device, and consequently remove other “Internet visible” hosts at the same time, will appeal to almost all organisations. At this early stage of first generation IPS+ appliances, it is likely that they would be best suited for small to medium sized enterprises, as well as the satellite offices or branches of larger global enterprises.

Indeed, the case for upgrading to the new generation of IPS or IPS+ appliances is so compelling that many organisations will probably find themselves carrying out one-for-one replacements of their now legacy routers and firewalls in the next financial year.

About the author

Gunter Ollmann is the EMEA manager of X-Force Security Assessment Services for Internet Security Systems, responsible for security assessments, penetration testing and vulnerability research. Prior to 2000 he held various network management, e-business management and consultancy roles in the United Kingdom and New Zealand - focusing largely upon network security and solutions development. He holds various degrees in Physics and Mathematics.
