Your Network Is a Sitting Duck Without IDP


Page 1: Your Network Is a Sitting Duck Without IDPacademy.delmar.edu/Courses/ITSY2430/eBooks...You need an Intrusion Detection and Prevention System to allow your workforce to get access to


2 ©2007, Jupitermedia Corp.

The sophistication and severity of attacks by hackers today, combined with the data-intensive needs of a mobile workforce, demands a security solution beyond a simple firewall. You need an Intrusion Detection and Prevention System to allow your workforce to get access to the information they need while at the same time stopping all types of threats, both real and imagined.

Contents

Intrusion Detection and Prevention: All About IPS & IDS  3

Evaluating Intrusion Prevention Systems  7

Managed Intrusion Detection and Prevention Services  9

Intrusion Detection and Prevention—More Essential Than a Firewall  12


Intrusion Detection and Prevention
All About IPS & IDS

Webopedia

Used in computer security, intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion in your system. The point of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.

IDS—A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered to be a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place—not to prevent it. An IDS essentially reviews your network traffic and data and will identify probes, attacks, exploits and other vulnerabilities. IDSs can respond to the suspicious event in one of several ways, including displaying an alert, logging the event or even paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspicious intrusion.

An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses and by tracking general variances which differ from regular system activity. The IDS is able to provide notification of only known attacks.

The term IDS actually covers a large variety of products, all of which produce the end result of detecting intrusions. An IDS solution can come in the form of cheaper shareware or freely distributed open source programs, to a much more expensive and secure vendor software solution. Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices which are installed at different points along your network.

There are several ways to categorize an IDS system:

Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

Passive Vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
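As an added example (not part of the Webopedia text), the following Python sketch puts the three categories just described side by side: a misuse detector that matches a small signature database, an anomaly detector that compares each record with an administrator-defined baseline, and a passive versus reactive response mode. The flow records, the signatures and the baseline are all constructed for the example.

```python
"""Toy IDS covering the categories described above (constructed example).

Misuse detection   : match each record's payload against a signature database.
Anomaly detection  : compare each record against an administrator-defined
                     baseline of typical packet size and expected services.
Passive vs reactive: the same findings either only raise alerts, or also
                     produce a firewall rule blocking the offending source.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed flow records: (src, dst_port, proto, size_bytes, payload).
SAMPLE_FLOWS = [
    ("10.0.0.5",    80,  "tcp",  512, b"GET /index.html HTTP/1.1"),
    ("10.0.0.7",    443, "tcp", 1400, b"\x16\x03\x01 tls-client-hello"),
    ("10.0.0.9",    80,  "tcp",  620, b"GET /cgi-bin/search?q=idp HTTP/1.1"),
    ("203.0.113.4", 80,  "tcp", 9000, b"GET /" + b"A" * 8800 + b" HTTP/1.1"),
    ("203.0.113.9", 23,  "tcp",   60, b"login: "),
    ("10.0.0.5",    80,  "tcp",  530, b"GET /../../etc/passwd HTTP/1.1"),
]

# Misuse detection: a tiny attack-signature database (constructed).
SIGNATURES = [
    (1001, "HTTP directory traversal", b"../"),
    (1002, "classic CGI probe", b"/cgi-bin/phf"),
]


@dataclass(frozen=True)
class Baseline:
    """The normal state the administrator defines for anomaly detection."""
    mean_size: float
    stdev_size: float
    expected_services: frozenset   # (dst_port, proto) pairs seen in normal traffic
    z_threshold: float = 3.0


def learn_baseline(normal_flows, z_threshold=3.0):
    """Derive the baseline from traffic the administrator vouches for."""
    sizes = [size for _, _, _, size, _ in normal_flows]
    services = frozenset((port, proto) for _, port, proto, _, _ in normal_flows)
    return Baseline(mean(sizes), pstdev(sizes) or 1.0, services, z_threshold)


def misuse_findings(flow):
    """Signature match: only attacks already in the database can be found."""
    payload = flow[4]
    return [f"sig {sid}: {name}" for sid, name, pattern in SIGNATURES if pattern in payload]


def anomaly_findings(flow, baseline):
    """Deviation from the baseline: size far outside normal, or an unexpected service."""
    _, port, proto, size, _ = flow
    findings = []
    z = (size - baseline.mean_size) / baseline.stdev_size
    if abs(z) > baseline.z_threshold:
        findings.append(f"packet size {size} deviates from baseline (z={z:.1f})")
    if (port, proto) not in baseline.expected_services:
        findings.append(f"unexpected service {proto}/{port}")
    return findings


def run_ids(flows, baseline, reactive=False):
    """Return (alerts, firewall_rules).

    Passive mode only records alerts (log, display, page an administrator).
    Reactive mode additionally emits a block rule for each offending source,
    i.e. it reprograms the firewall as the text describes.
    """
    alerts, rules, blocked = [], [], set()
    for flow in flows:
        src = flow[0]
        reasons = misuse_findings(flow) + anomaly_findings(flow, baseline)
        alerts.extend((src, reason) for reason in reasons)
        if reactive and reasons and src not in blocked:
            blocked.add(src)
            rules.append(f"deny from {src}")
    return alerts, rules


if __name__ == "__main__":
    base = learn_baseline(SAMPLE_FLOWS[:3])   # first three records are known-good
    for mode in (False, True):
        found, fw = run_ids(SAMPLE_FLOWS, base, reactive=mode)
        print("reactive" if mode else "passive", found, fw)
```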

Network-based vs. Host-based IDS
Intrusion detection systems are network or host based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. A NIDS will usually consist of hardware sensors located at various points along the network, or software installed on system computers connected to your network, which analyzes data packets entering and leaving the network. Host-based IDS systems (HIDS) do not offer true real-time detection, but if configured correctly are close to true real-time.

Host-based IDS systems consist of software agents installed on individual computers within the system. HIDS analyze the traffic to and from the specific computer on which the intrusion detection software is installed. HIDS systems often provide features you can't get with a network-based IDS. For example, HIDS are able to monitor activities that only an administrator should be able to implement. It is also able to monitor changes to key system files and any attempt to overwrite these files. Attempts to install Trojans or backdoors can also be monitored by a HIDS and stopped. These specific intrusion events are not always seen by a NIDS.

While it depends on the size of your network and the number of individual computers which require an intrusion detection system, NIDS are usually a cheaper solution to implement and require less administration and training—but they are not as versatile as a HIDS. Both systems will require Internet access (bandwidth) to ensure the system is kept up-to-date with the latest virus and worm signatures.

Is IDS the Same as a Firewall?
The quick answer is no. Unfortunately, IDS is commonly mistaken for a firewall or as a substitute for a firewall. While they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. The network-based intrusion protection system can also detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules.

An IDS is not a replacement for either a firewall or a good antivirus program. An IDS should be considered a tool to use in conjunction with your standard security products (like anti-virus and a firewall) to increase your system-specific or network-wide security.

False Positives and Negatives
The term false positive itself refers to security systems incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS will detect something it is not supposed to. Alternatively, IDS is prone to false negatives, where the system fails to detect something it should. Both of these problems are associated with IDS, but are issues vendors spend a lot of time working on, and as a result, it is not believed that IDS detects a high percentage of false positives or false negatives. Still, it is a topic worth consideration when looking at different IDS solutions.

Key Terms To Understanding Intrusion Detection & Prevention

IDS
Short for intrusion detection system...

IPS
Short for intrusion prevention system...

Intrusion signatures
When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind.

False positive
The condition in which spam-filtering software will incorrectly identify a legitimate, solicited or expected email as a spam transmission.

Additional Terms To Understanding Intrusion Detection & Prevention
hacker, Virus, Worm, Trojan Horse, firewall

IPS—An Active Security Solution
IPS, or intrusion prevention system, is definitely the next level of security technology with its capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. Where IDS informs of a potential attack, an IPS makes attempts to stop it. Another huge leap over IDS is that IPS has the capability not only to prevent known intrusion signatures, but also some unknown attacks, due to its database of generic attack behaviors. Thought of as a combination of IDS and an application layer firewall for protection, IPS is generally considered to be the "next generation" of IDS.

Currently, there are two types of IPSs that are similar in nature to IDS. They consist of host-based intrusion prevention systems (HIPS) products and network-based intrusion prevention systems (NIPS).

Network-based vs. Host-based IPS
Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system's applications and OS kernel. The software is preconfigured to determine the protection rules based on intrusion and attack signatures. The HIPS will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts, to name a few.

Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. NIPS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network and more.

One interesting aspect of NIPS is that if the system finds an offending packet of information it can rewrite the packet so the hack attempt will fail, which means the organization can mark this event to gather evidence against the would-be intruder without the intruder's knowledge. As with all technology, NIPS is not perfect. In some instances you may end up blocking a legitimate network request.

While host-based IPSs are considered to be more secure than network-based intrusion prevention systems, the cost to install the software on each and every server and workstation within your organization may be quite high. Additionally, the HIPS on each system must be frequently updated to ensure the attack signatures are up-to-date.

Problems associated with implementing NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration. Since all data moving through the network will pass through the IPS, it could cause your network performance to drop. To combat this problem, network-based IPSs that consist of appliance or hardware and software packages are available today (at a larger cost), and they take most of the load of running a software-based NIPS off your network.

IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will take over IDS, it is somewhat of an apples and oranges comparison. The two solutions are different in that one is a passive detection monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also weigh the implementation of a more mature IDS technology against the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management, and implementation. Plus, overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS systems and, believing that IPS is the next generation of IDS, choose to use the newer IPSs as opposed to the IDSs. Adding to the muddle, of course, will be your initial decision of choosing host-based or network-based systems for either IDS or IPS security solutions.

Much like choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions. ■

This content was adapted from internet.com's Webopedia Web site.


Evaluating Intrusion Prevention Systems
By Bob Walder

IPSs are becoming today's must-have security solution but don't deploy blindly; testing on your network is the key to success, writes CIO Update guest columnist Bob Walder of The NSS Group.

With intrusion prevention systems (IPS) fast becoming as essential a purchase as the ubiquitous firewall, the choice is becoming ever more bewildering as more and more vendors scurry to bring new products to market.

Some of these vendors are coming from a solid IDS (intrusion detection) background, while others are essentially hardware manufacturers (switches or anti-mitigation devices) that are crossing over into the IPS world. The resulting products are often quite different.

For example, the largely software-based IDS products tend to turn into software-based IPS products running on standard Intel hardware. While performance can be perfectly adequate, you can never expect them to match those ASIC/FPGA-based dedicated hardware devices which can yield near switch-like latencies, and handle a gigabit or more of 64-byte packets without blinking.

On the other hand, the new kids on the block might be able to boast superior performance, but they are often starting from scratch when it comes to signature coverage and resistance to evasion techniques; areas in which the more established IDS/IPS vendors excel.

Of course, these distinctions are disappearing as the market matures, and in the latest round of IPS testing in our labs we noted a much improved success rate in terms of which products passed our stringent tests to achieve NSS Approved awards.

Using hardware accelerators, for example, can provide a much needed performance boost for the software-based products, whilst sheer experience (along with the creation or boosting of an internal security research team) can usually improve signature coverage and quality in the newer products.

Quality vs. Quantity
Quality is really the watchword here, rather than quantity. It is possible to throw tens or even hundreds of signatures at a problem when you are not limited by hardware performance, but that does not necessarily mean those signatures are good. A single, well-written signature (or protocol decoder) can often provide much more comprehensive coverage for a range of exploits.

It is important, for example, that signatures are written to detect not only the specific exploits currently in the wild, but the underlying vulnerability of which those exploits take advantage. Thus, the next time a new exploit appears riding on the back of that particular vulnerability, it will be detected and blocked immediately without requiring a signature specific to that piece of exploit code.

Similarly, it should not be possible to evade the IPS detection capability by any common means such as URL obfuscation, TCP segmentation, IP fragmentation, and so on. The quality of the signatures will also have a bearing on the susceptibility of the device to raising false positive alerts. With IDS devices, false positives are a nuisance, but only that. With IPS devices, installed in-line and in blocking mode, a false positive can have a detrimental effect on the user experience, as legitimate traffic is dropped mistakenly.
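The following Python detector, added here and not from The NSS Group or the column, shows what the two quality points above mean in code: a signature written for the underlying vulnerability (an oversized parameter to a hypothetical vulnerable CGI, /cgi-bin/vuln.cgi, with an assumed 256-byte safe limit) beside one written for a single exploit string, and TCP stream reassembly plus URL normalization so that a segmented, percent-encoded request is still inspected as one request. All requests, segment boundaries and marker strings are constructed.

```python
"""Stream reassembly, request normalization and vulnerability-based
signatures for an IPS (constructed example).

The constructed traffic includes a request that is split across TCP
segments arriving out of order (with one retransmitted segment) and whose
path is percent-encoded. The detector reassembles the stream and normalizes
the URL before matching, and carries one signature written for the
vulnerability (an oversized parameter to a hypothetical CGI) beside one
written for a single exploit string.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical vulnerable script and the largest parameter it handles safely
# (both constructed for this example).
VULN_PATH = "/cgi-bin/vuln.cgi"
MAX_SAFE_LEN = 256

# Constructed traffic. "EVIL-EXPLOIT-V1"/"-V2" stand in for two exploit
# variants that abuse the same vulnerability.
KNOWN_EXPLOIT = (b"GET /cgi-bin/vuln.cgi?name=EVIL-EXPLOIT-V1" + b"A" * 300
                 + b" HTTP/1.1\r\n\r\n")
NORMAL_REQUEST = b"GET /cgi-bin/vuln.cgi?name=alice HTTP/1.1\r\n\r\n"
EVASIVE_REQUEST = (b"GET /cgi%2Dbin/./vuln.cgi?name=EVIL-EXPLOIT-V2" + b"B" * 300
                   + b" HTTP/1.1\r\n\r\n")
# (tcp_seq, data): delivered out of order, and the first segment arrives twice.
EVASIVE_SEGMENTS = [
    (1040, EVASIVE_REQUEST[40:90]),
    (1000, EVASIVE_REQUEST[:40]),
    (1090, EVASIVE_REQUEST[90:]),
    (1000, EVASIVE_REQUEST[:40]),
]


def reassemble(segments):
    """Order segments by sequence number, ignoring exact retransmits.
    Simplification: partially overlapping segments are not handled."""
    by_seq = {}
    for seq, data in segments:
        by_seq.setdefault(seq, data)
    return b"".join(by_seq[seq] for seq in sorted(by_seq))


def normalize_request_line(stream):
    """Return (method, canonical_path, query) from the first request line, or None."""
    parts = stream.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    # Decode twice so double-encoded %25XX collapses, then canonicalize "./" and "//".
    path = posixpath.normpath(unquote(unquote(url.path)))
    return parts[0], path, url.query


def sig_exploit_specific(method, path, query):
    """Fires only on the one exploit string already seen in the wild."""
    return "EVIL-EXPLOIT-V1" in query


def sig_vulnerability_based(method, path, query):
    """Fires on any request able to trigger the overflow: the vulnerable
    script receiving a 'name' value longer than it handles safely."""
    if path != VULN_PATH:
        return False
    values = parse_qs(query, keep_blank_values=True).get("name", [])
    return any(len(v) > MAX_SAFE_LEN for v in values)


SIGNATURES = {
    "exploit-specific": sig_exploit_specific,
    "vulnerability-based": sig_vulnerability_based,
}


def inspect_stream(segments):
    """Names of signatures that fire on the reassembled, normalized request."""
    parsed = normalize_request_line(reassemble(segments))
    if parsed is None:
        return []
    return [name for name, sig in SIGNATURES.items() if sig(*parsed)]


def naive_match(segments, needle):
    """Per-segment substring search with no reassembly or decoding:
    the kind of matcher the evasions named in the text defeat."""
    return any(needle in data for _, data in segments)


if __name__ == "__main__":
    print("known exploit   :", inspect_stream([(1, KNOWN_EXPLOIT)]))
    print("evasive variant :", inspect_stream(EVASIVE_SEGMENTS))
    print("normal request  :", inspect_stream([(1, NORMAL_REQUEST)]))
    print("naive on evasive:", naive_match(EVASIVE_SEGMENTS, VULN_PATH.encode()))
```

The exploit-specific signature misses the second variant entirely, while the vulnerability-based one catches both variants and stays quiet on the normal request.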

This is, therefore, a key area to investigate when planning your own trial deployments. All the lab tests in the world cannot tell you how any IPS product is going to perform when subjected to your traffic on your network.

Test, Test, Test …
This is a key point: no matter how much research you do using reports such as the ones we produce, you should never use those reports as the only basis for making your buying decisions. You should always set aside the time and budget and technical resource to perform a full bake-off in-house between all the vendors on your short-list.

This means installing all the devices at key points in your network (they can be installed in-line in detect-only mode to begin with to minimize problems), and all the necessary management software. And don't rely on the single-device Web interface if you know you will eventually need the full-blown enterprise management product.

It will never be possible to vet all of the signatures in a vendor's database, and it is just a waste of effort to try. Independent testing should give you a good idea of the quality and extent of coverage.

It is more important to run your own traffic through the device and monitor the effects. Are you seeing a large number of alerts raised against what you know to be legitimate traffic?

This could point to problems with the signature database or could highlight where traffic from custom applications in your own organization genuinely resembles exploit traffic. The latter case is easily handled, but large numbers of false positives from clean traffic indicate a potential problem, especially once the device is placed in blocking mode.
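As an added example, not part of the column, the following Python script triages the detect-only alerts that an IPS under evaluation raised against traffic known to be clean: alerts confined to one or two sources are treated as a custom application resembling exploit traffic and handled with a per-source exception, while a signature firing from many sources is flagged as a signature-database problem to resolve before blocking mode. The alert line format, the source-count cut-off, the tolerated false-positive rate and the flow count are all assumptions.

```python
"""Triage of detect-only alerts raised against known-clean traffic during an
in-house IPS bake-off (constructed example).

Every alert below was raised on traffic the evaluator knows to be legitimate,
so each one is a false positive. Grouping them per signature separates the
two cases in the text: a custom application whose traffic resembles exploit
traffic (few sources; fixed with a per-source exception) and a signature
that fires on clean traffic from everywhere (a signature-quality problem to
resolve before the device goes into blocking mode).
"""
import re
from collections import defaultdict

# Constructed alert log from a detect-only run over known-clean traffic.
CLEAN_TRAFFIC_ALERTS = """\
2007-03-01T10:00:01 sid=2001 src=10.1.1.20 dst=10.1.2.5 msg="HTTP oversized parameter"
2007-03-01T10:00:07 sid=2001 src=10.1.1.20 dst=10.1.2.5 msg="HTTP oversized parameter"
2007-03-01T10:00:09 sid=2001 src=10.1.1.21 dst=10.1.2.5 msg="HTTP oversized parameter"
2007-03-01T10:01:02 sid=3010 src=10.1.5.2 dst=10.1.9.9 msg="SMB suspicious pipe"
2007-03-01T10:01:04 sid=3010 src=10.1.5.7 dst=10.1.9.9 msg="SMB suspicious pipe"
2007-03-01T10:01:05 sid=3010 src=10.1.6.3 dst=10.1.9.9 msg="SMB suspicious pipe"
2007-03-01T10:01:09 sid=3010 src=10.1.7.8 dst=10.1.9.9 msg="SMB suspicious pipe"
2007-03-01T10:01:12 sid=3010 src=10.1.8.1 dst=10.1.9.9 msg="SMB suspicious pipe"
2007-03-01T10:02:00 sid=4400 src=10.1.3.3 dst=10.1.2.5 msg="DNS long TXT"
"""

# Assumed alert line layout; adapt the pattern to the device under test.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"$'
)


def parse_alerts(text):
    """Parse alert lines; malformed lines are skipped rather than aborting the triage."""
    alerts = []
    for line in text.splitlines():
        match = ALERT_RE.match(line.strip())
        if match:
            fields = match.groupdict()
            fields["sid"] = int(fields["sid"])
            alerts.append(fields)
    return alerts


def triage(alerts, few_sources=2):
    """Per-signature tuning plan. few_sources is the assumed cut-off between
    'one custom application' and 'this signature misfires on ordinary traffic'."""
    by_sid = defaultdict(list)
    for alert in alerts:
        by_sid[alert["sid"]].append(alert)
    plan = {}
    for sid, hits in sorted(by_sid.items()):
        sources = sorted({hit["src"] for hit in hits})
        action = ("suppress-for-sources" if len(sources) <= few_sources
                  else "disable-until-vendor-fix")
        plan[sid] = {"msg": hits[0]["msg"], "hits": len(hits),
                     "sources": sources, "action": action}
    return plan


def ready_for_blocking(plan, clean_flows, max_fp_rate=1e-4):
    """Return (ready, fp_rate).

    fp_rate is the untuned share of known-clean flows that blocking mode would
    have dropped. The device stays in detect-only mode while that rate exceeds
    max_fp_rate (an assumed tolerance) or while any signature still needs a
    vendor fix rather than a local exception.
    """
    fp_rate = sum(entry["hits"] for entry in plan.values()) / clean_flows
    needs_fix = [sid for sid, entry in plan.items()
                 if entry["action"] == "disable-until-vendor-fix"]
    return fp_rate <= max_fp_rate and not needs_fix, fp_rate


if __name__ == "__main__":
    tuning = triage(parse_alerts(CLEAN_TRAFFIC_ALERTS))
    for sid, entry in tuning.items():
        print(sid, entry)
    print(ready_for_blocking(tuning, clean_flows=50_000))   # assumed flow count
```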

Performance testing is also important. NSS tests push devices to the extreme, but if you can accurately categorize the make-up of traffic on your own network, you may find that you would be happy with a much lower-performing device at a much more reasonable cost. Latency can sometimes be a very subjective issue.

A device which we identify as having higher than normal latency for internal deployments may well have no effect whatsoever when installed at the perimeter of your network. Do some simple user-based testing, such as downloading large files both with and without the IPS in-line, and note the difference.

At least part of the evaluation period should also be performed with blocking enabled. It is not unknown for devices which work perfectly well in detect-only mode to fail completely once placed into blocking mode.

While this type of testing could be considered "disruptive," it is better to discover such a failing before committing to a major purchasing decision.

You can reduce the risk of nasty surprises and major failures during evaluation by short-listing those devices which have achieved NSS Approved status. You can be sure that we have tested these devices extensively in-line in both detect-only and full blocking mode, with a wide range of exploits and evasion techniques, and under a wide range of network loads and traffic conditions.

A thorough bake-off in your own network, however, will allow you to assess more accurately the effect of these devices when subjected to your own traffic, and is likely to create some unique challenges for the vendors taking part. ■

Bob Walder is director of The NSS Group security testing labs in the south of France. With over 25 years in the industry, he brings broad experience to the testing environment.

This content was adapted from EarthWeb's CIO Update Web site.


Managed Intrusion Detection and Prevention Services

Lisa Phifer

ISP-Planet's biennial survey of MSSPs finds that intrusion prevention and detection services are augmented by new devices to deliver unified threat management in several different forms.

As network security improves, attackers have sharpened their focus. Today's internet threats have grown increasingly targeted, using malicious code and crafted application messages to compromise specific server and client vulnerabilities. During the first six months of 2006, Symantec estimates that 80 percent of 2,249 new-found vulnerabilities were easily exploitable, with an average enterprise exposure of 28 days before patches were available and applied. Aggressive, rigorous patch management can help, but one of the most effective and efficient steps you can take to defend those vulnerable hosts is to prevent intrusions from reaching them in the first place.

Network Intrusion Detection Systems (IDS) are designed to observe and analyze traffic, spot potential attacks, and notify network operators by sending intrusion alerts. Network Intrusion Prevention Systems (IPS) go a step further, taking steps in real-time to impede the flow of suspicious traffic and therefore limit potential asset damage or data theft. IDS is generally deployed as a passive countermeasure—an insurance policy against intruders that might otherwise sneak past firewalls. IPS is (at least to some degree) proactive and automated, jumping in whenever perceived risk exceeds a pre-defined tolerance level.

A managed IDS / IPS service starts with the installation and provisioning of in-line or out-of-band traffic sensors and an intrusion analysis engine, accompanied by ongoing policy refinement, intrusion signature and software updates, and 24/7/365 monitoring by the MSSP's SOC. Included response can range from customer notification to provider implementation of recommended countermeasures. All but one participant in this year's Managed Security Service Provider (MSSP) survey offer this type of service, detailed by the chart shown at right.

The exception is Globix, which declined to include IDS in its survey response but describes a managed IDS service on its Website. In fact, we believe that IDS / IPS has become a core managed security service offering. As shown in the following chart (below), IDS / IPS offerings have grown from fewer than half the MSSPs surveyed in 1999 to effectively all of the MSSPs surveyed this year.

This trend tracks the evolution of network security threats, technologies, and best practices. Many firewalls and unified threat management appliances now incorporate some IDS / IPS capabilities. Today's network firewalls are simply expected to detect basic TCP/IP attacks, like TCP SYN floods and Ping of Death attacks. Deeper, broader application-layer intrusion detection and prevention often involves additional software modules, licensed feature activation, and in some cases, additional hardware sensors.

The line between managed firewall and managed IDS / IPS services reflects this layering. Two of our surveyed managed firewall services included IDS / IPS features, while ten offered these capabilities as options. Furthermore, all 15 providers described separately-branded managed IDS / IPS services. Three MSSPs (AT&T, IBM ISS, and Verizon) even offer more than one IDS / IPS service.

For example, AT&T offers three separate services: a network-based IDS, a CPE-based IDS, and a CPE-based IPS. As illustrated in this pie chart (below), this year's field was evenly split between IDS and IPS offerings. Seven services provide intrusion detection, monitoring, and customer notification; incident response, if any, is manual. Another seven provide automated intrusion analysis and policy-based response for well-defined threats—customers are notified of intrusions and stop-loss actions taken on their behalf. The remainder encompass both models within a single named service, letting service parameters determine the desired response model.

In fact, we continue to find it difficult to compare intrusion monitoring and response in a tabular survey. This year, we tried asking providers to check one of four alternatives:

• Customer monitors own intrusion alerts.
• Provider passively monitors intrusion alerts and notifies customer.
• Provider analyzes and manually responds to alerts.
• Service responds automatically to intrusions.

Most checked several answers, noting that this depends on customer preference, incident severity, and identification reliability. If an event is clearly identified and poses significant risk, automated analysis and real-time countermeasures may be warranted. Potential intrusions that are less clear-cut may deserve human review by SOC experts and consultation with the customer regarding steps to block the offender or eliminate vulnerabilities. Fortunately, even an IPS can usually start in detect-only mode, refining prevention rules as you become more comfortable with the service's accuracy. In short, don't expect easy answers or simple comparison when it comes to intrusion response. Make sure your MSSP has the experience, infrastructure, and resources to accurately recognize and keep pace with new threats, a well-defined process for communicating them to you, and a response strategy that fits with your own corporate policy.

To identify intrusions, every IDS / IPS service must capture traffic. This year, 13 of 18 surveyed services use passive/out-of-band platforms, which are typically situated at key points throughout your network. Of those, 5 support distributed sensors and 4 support Wi-Fi sensors. These options are used to create additional observation points that can report back to a central server. Alternatively, 14 services use active/in-line platforms that observe the traffic flowing through them. Not surprisingly, many providers support both passive and active deployment models, reflecting this year's mix of detection/prevention services.

IDS/IPS platforms have grown more diverse since our last survey, dominated by IBM ISS and Cisco, followed by a noteworthy mix of Juniper, TippingPoint, McAfee, Snort, and Sourcefire. The capabilities of these platforms have a direct impact on traffic inspection, detection, and response methods. For intrusion detection, most surveyed services still employ some combination of behavior analysis, signature detection, and traffic anomaly detection. But application layer header and content inspection are now supported by just over half of the surveyed services. As for response methods, in-line packet discard, IP quarantine, and TCP reset are still very common, whether initiated manually or automatically. But this year, five services also had Wi-Fi Deauthenticate capability, supported by Wireless IPS platforms from Cisco, AirDefense, and AirMagnet.

In the end, a managed IDS / IPS service comes down to effective risk management. Many businesses that deploy their own IDS sensors or IPS-capable UTM appliances do not use those technologies to their full potential. Without proper tuning, an IDS can overwhelm you with inconsequential alerts—or overlook serious intrusions because an annoyed administrator disabled those alerts.

Outsourcing this burden to well-trained MSSP staff should reduce false positives and focus your attention on alerts that matter. Because they monitor intrusion alerts occurring in many customer networks, your MSSP's SOC should have the broad perspective needed to quickly recognize fast-breaking "zero day" attacks. When intrusions do occur, your MSSP should have the sophisticated event management and correlation tools required to assess impact and recommend effective countermeasures. For each of these tasks, experience and competence really count, so look beyond feature checklists to choose the best managed IDS / IPS service for your business. ■

This content was adapted from internet.com's ISP-Planet Web site.


Intrusion Detection and Prevention—More Essential Than a Firewall

By Manish Parks

As attacks become more sophisticated, you need better tools to protect your enterprise from threats—both existing and planned. Where firewalls were the de rigueur solution in the 90s, today you need an Intrusion Detection and Prevention system to make sure your corporate IT assets—and data—remain secure.

While corporate assets have relocated from brick and mortar to bits and bytes, so too has enterprise security, from cameras and security guards to intrusion detection and intrusion prevention systems. While Intrusion Detection and Prevention (IDP) is now staunchly embedded in the enterprise security toolkit, it still must adapt to provide more layers of asset protection against the ever-evolving landscape of threats, from hackers, spyware and Trojans to rootkits and keyloggers. IDS/IDP systems continually assess traffic connections, evaluating the source of the communication along with the type of traffic to determine whether it should even be permitted into your network environment. In the best cases, they have the power to stop an attack before it ever reaches an internal system or user.

User preferences for distributed mobile computing environments combined with the growing complexity of corporate networks (intranets, extranets, remote and Internet access) provide a would-be attacker a fairly large, target-rich threat surface. In today's enterprise environment a vast majority of corporate intellectual property, sensitive customer information and valuable trade secrets are all stored in digital format, thus making enterprise security a top priority against economically motivated efforts to infiltrate the company network.

As threats evolve from the benign adware and randomized hijacks of 2004/2005 to malicious adware and trojans in 2006 to targeted / customized trojans and phishing in 2006/2007, the mechanisms for distribution, infection and removal have also evolved. Threat distribution has advanced from websites to Peer to Peer and finally to email and internal hacking. The sophistication of threat infections has also increased in complexity, from file placement and naming to DLL injection and even modification of executables. Threat removal is no longer as simple as deleting a file on disk or deleting registry keys but is now an involved process of file neutering, correlation or driver-based removal and even dynamic conditional removal. As the threat complexity has increased, so too has the cost for repair and support. Since the global market for malware-laden software shows no signs of relenting, the need for improved security tools such as IDS and IPS will only increase in the near future.

Intrusion Detection Grows Up
The evolution of intrusion detection has grown from a

Page 14: Your Network Is a Sitting Duck Without IDPacademy.delmar.edu/Courses/ITSY2430/eBooks...You need an Intrusion Detection and Prevention System to allow your workforce to get access to

rudimentary audit-trial analysis in the 1970s, to rulesbased expert systems in the 1980s, to an explosion ofavailable IDS/IDP systems in 1990s and today. We haveseen the emergence of active IDS; Intrusion Detectionand Prevention and Intrusion Prevention Systems (IPS)as well as convergence of technologies such asFirewalls + Anti-Virus + IDP to Appliances and securityswitches. Intrusion Detection provides layered securityat multiple locations from the network perimeter downto the individual host.

When deployed at the perimeter of the enclave, an Intrusion Detection/Prevention System inspects connections and evaluates both the content type as well as the origin of the connection, to decide if the traffic should even be permitted into the protected enclave. Traditionally, IDS would log suspicious connections, or report them in real time to a Security Information Monitor (SIM) or other control system. Today, IPS integration into the perimeter layer allows for the active blocking of known malicious attacks as well as protocol anomaly attacks. For example, a computer trying to initiate an HTTP connection to an eMarketing server would not be considered suspect. The same machine trying to scan every available port on the web server could be automatically terminated, and prevented from future connections.

Within the enclave, IDS would be deployed in front of designated resources: web servers, email and file services, database engines, all of the content repositories, as well as key infrastructure components such as authentication and domain controllers. The key here is protection against internal attacks, from compromised machines and unauthorized users/programs. Since these threats are often both less common and more surreptitious, IDS systems are often chosen. The passive reporting of IDS ensures that the high availability of enterprise systems is not compromised, while providing an extensive audit trail for human and SIM-based response.

The IDS also analyzes audit trails and log files sent to it by hosts, as well as processes and systems running on the network hosts themselves. IPS at the network layer allows for an "active" defense by allowing for rule enforcement to shut down network connections. IPS also allows for "integration" with firewalls and thus the ability to disable threat vectors. Finally, IPS allows "data mining" to summarize events and generate reports.

Finally, at the individual host, IDP runs as a trusted application in charge of the network protocol stack. IDP active prevention is at its best here, as an application server is in the optimum position to know what specific connection types and requests are appropriate to its function. The host can also identify attacks specific to its operating system and application suite. Recent advances in intrusion prevention allow the system to perform protocol and stack enforcement as well as file checksum monitoring to protect against the exploitation of software vulnerabilities via buffer overflow or protocol anomaly.

Intrusion Detection vs. Intrusion Prevention

Intrusion detection serves the function of a camera on the premises, while intrusion prevention serves the function of a security guard or a guard dog on the premises. While the notion of blocking an attack when it happens sounds logical and useful, it has some significant drawbacks, such as false positives, denial of service (DoS) and latency. False positives lead to the blocking of normal traffic; denial of service leads to the blocking of spoofed hosts; and latency in blocking limits its overall effectiveness. The evolution of technology and the merging of firewall and IDP functionality into a cohesive system is mitigating many of the above-stated problems. With the advent of specialized hardware such as Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) and network processors, IPS can be effectively implemented as part of the network fabric instead of as a passive IDP-like implementation.

Features important in the selection of a good IDP system include application-level encryption protection, security policy enforcement, denial of service detection, network attack detection, network reconnaissance detection, buffer overflow detection and web application protection. The deployment considerations for IDP will generally involve sensor selection based on network media, performance analysis and network environment. Sensor placement is also crucial, as total enterprise-wide deployment should consider Internet, extranet, remote-access and intranet boundaries as well as servers and desktops. Sensor management considerations such as out-of-band management versus in-band are also of significance, as out-of-band management provides greater security and isolation but at a higher cost, while in-band management provides for cheaper but somewhat less secure sensor management.

Signatures Are Key in IDP—Atomic or Stateful

For an IDP system, atomic signatures, which examine a single packet, activity or event to determine whether a positive match should trigger a signature action, are the simplest types of signatures. Stateful signatures, unlike atomic signatures, generate an event based on a sequence of specific events, which requires the IPS device to maintain state. Currently, IDPs incorporate pattern detection, anomaly-based detection and behavior-based detection as the main triggering mechanisms to generate an action. While pattern detection is the simplest to implement, all three mechanisms lead to one or more of the following signature actions: generating an alert, dropping or preventing the activity, logging the activity, resetting the TCP connection, blocking future activity or allowing the activity.
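The atomic-versus-stateful distinction above, together with the perimeter port-scan example given earlier in the article, as a small Python engine. This is an added example, not the article's own code; the request-line limit, the scan threshold and window, the addresses and the trusted-address exemption are all assumed for illustration.

```python
"""Toy IDP signature engine (added example; not code from the article): an atomic
signature decides on one event, the stateful port-scan signature needs per-source memory."""
from collections import defaultdict, deque
from dataclasses import dataclass
MAX_REQUEST_LINE = 2048  # assumed limit; an oversized request line is a classic overflow attempt

@dataclass
class Event:
    ts: float             # seconds since capture start
    src: str              # source address
    dst: str              # destination address
    dport: int            # destination TCP port
    request: bytes = b""  # leading payload bytes, if any

def atomic_oversized_http(ev):
    """Atomic signature: one HTTP event is enough to decide. Returns an action or None."""
    if ev.dport == 80 and len(ev.request.split(b"\r\n", 1)[0]) > MAX_REQUEST_LINE:
        return "drop"

class PortScanSignature:
    """Stateful signature: more than `threshold` distinct ports on one host within `window` seconds."""
    def __init__(self, threshold=10, window=5.0, trusted=()):
        self.threshold, self.window, self.blocked = threshold, window, set()
        self.trusted = set(trusted)     # never auto-blocked: guards against spoofed-source self-DoS
        self.seen = defaultdict(deque)  # (src, dst) -> deque of (ts, dport), oldest first

    def check(self, ev):
        if ev.src in self.blocked:
            return "drop"               # "prevented from future connections"
        hist = self.seen[(ev.src, ev.dst)]
        hist.append((ev.ts, ev.dport))
        while ev.ts - hist[0][0] > self.window:  # expire events outside the window
            hist.popleft()
        if len({p for _, p in hist}) > self.threshold:
            if ev.src in self.trusted:
                return "alert"          # report only; blocking a spoofable trusted peer is a self-DoS
            self.blocked.add(ev.src)
            return "block"
        return None

def run_engine(events, scan):  # (ts, src, action) per event; "allow" when nothing matched
    return [(ev.ts, ev.src, atomic_oversized_http(ev) or scan.check(ev) or "allow") for ev in events]

def demo():
    """Constructed traffic: a normal request, an oversized request line, then a 12-port probe."""
    events = [Event(0.0, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
              Event(0.5, "10.0.0.6", "192.0.2.10", 80, b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n")]
    events += [Event(1.0 + 0.1 * i, "10.0.0.7", "192.0.2.10", 20 + i) for i in range(12)]
    events.append(Event(9.0, "10.0.0.7", "192.0.2.10", 80))  # later attempt by the blocked host
    return run_engine(events, PortScanSignature(threshold=10, window=5.0))
```

Running `demo()` shows the scanning host allowed for its first ten ports, blocked on the eleventh, and dropped on every later connection, while the oversized request is dropped by the atomic rule alone.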

As attacks get more sophisticated and companies have more of their assets on their corporate network, the coverage provided by an IDP is essential to maintaining the data integrity of the enterprise. ■

Manish Parks is a senior security consultant specializing in DoD system certification and accreditation. He has more than ten years' experience in developing networking and security solutions for corporate and academic environments. Contact him at [email protected].
