Intrusion Protection System (IPS) - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Protection System (IPS)

Description:

Effective against internal attacks. 11/9/09. Taoho Wei. 8. IDS contd. ... concentrate on exploiting TCP/IP attacks launched by sophisticated attackers. 11/9/09 ... – PowerPoint PPT presentation

Slides: 32
Provided by: cso7

Transcript and Presenter's Notes

Title: Intrusion Protection System (IPS)


1
Intrusion Protection System (IPS)
  • Taoho Wei

2
Security Components
  • Firewalls
  • Anti-Virus Programs
  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)

3
Firewall
  • The first line of defense
  • Provide protection against
  • Unauthorized external access
  • Compromising authentication
  • Spoofing
  • Session stealing
  • Tunneling
  • Flooding

4
Firewall contd.
  • Types of firewalls
  • Static packet filtering firewalls
  • Filter packets according to allow/deny rules
  • Stateful packet filtering firewalls
  • Use a state table of client/server request/response
    exchanges so that reply packets of established
    connections bypass the full rule set, optimizing
    the screening process.
  • Stateful inspection firewalls
  • Examine the payload and selectively open and
    close ports on the fly as required by the protocol.
  • Proxy firewalls
  • Break up a client/server connection to examine
    the protocol's syntax.
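To make the difference between the first two firewall types concrete, here is an added example (not code from the presentation): a static allow/deny filter and a stateful filter run over a small constructed packet trace. The internal prefix, addresses and ports are assumptions chosen for the illustration. The static filter has to permanently allow inbound packets with source port 80 so that web replies get back in, which is exactly the "only addresses and ports, not actual data" weakness the later slide describes; the stateful filter allows a reply only when its state table holds the flow the inside client opened.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view: addresses, ports and the SYN/ACK flags."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

INTERNAL_PREFIX = "10.0.0."   # constructed: our inside network
WEB_PORT = 80

def static_filter(pkt: Packet) -> str:
    """Static packet filter: a fixed allow/deny list over addresses and ports only.
    To let web replies back in, it must leave inbound source-port-80 open permanently."""
    if pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport == WEB_PORT:
        return "allow"          # outbound web request
    if pkt.dst.startswith(INTERNAL_PREFIX) and pkt.sport == WEB_PORT:
        return "allow"          # assumed to be a reply; the filter cannot check
    return "deny"

class StatefulFilter:
    """Stateful packet filter: records flows an inside client opened and
    allows only replies that match an entry in the state table."""
    def __init__(self) -> None:
        self.state: set = set()   # 4-tuples (src, sport, dst, dport) of open flows

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "allow"      # belongs to a flow the client started
        if (pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport == WEB_PORT
                and pkt.syn and not pkt.ack):
            self.state.add(forward)   # client opens a new web flow
            return "allow"
        return "deny"           # unsolicited inbound traffic

# Constructed trace: a web request, its reply, and an unsolicited inbound packet
# that happens to carry source port 80 and is aimed at a file-sharing port inside.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 80, "10.0.0.9", 445, syn=True),
]

def compare(trace=TRACE) -> dict:
    """Return the verdicts of both filters for each packet in the trace."""
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in trace],
        "stateful": [stateful.filter(p) for p in trace],
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the point of the comparison: the static filter admits it because its rule set cannot tell a genuine reply from anything else sent from port 80, while the stateful filter denies it because no inside host ever opened that flow.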

5
Firewall contd.
  • Problems
  • It's anything but a wall or a gate guard.
  • Cannot prevent internal attacks.
  • Initial set up cost is huge
  • Need human interaction to update the set of
    rules
  • Cannot counter new (unknown) attack techniques.
  • Only scan packets for source/destination
    addresses and port number, not actual data.

6
Anti-Virus Programs
  • Clean-up programs
  • Use pattern matching
  • Similar to a cop watching out for a criminal
  • Problems
  • Signatures need to be updated
  • Passive; cannot detect unknown attack signatures.
  • Can only detect and clean known viruses.

7
Intrusion Detection System (IDS)
  • Second layer of defense
  • Detects the presence of attacks within traffic
    that flows in through the holes punched into the
    firewall.
  • The process of monitoring the events occurring in
    a computer system or network and analyzing them
    for signs of intrusions.
  • Effective against internal attacks

8
IDS contd.
  • Identify evidence of intrusion, either while in
    progress or after the fact.
  • Monitoring, profiling and analysis of system
    events and user behaviors.
  • When used in conjunction with firewalls, a better
    strategy for defending against attacks is made
    available.

9
IDS contd.
  • Types of IDS (by alarm triggering mechanism)
  • Anomaly detection based IDS (compare normal
    range)
  • Misuse detection based IDS (pattern matching)
  • Types of IDS (by data source/monitoring
    location)
  • Network based IDS (NIDS) (monitor packets)
  • Host based IDS (HIDS) (collect system logs/audit
    trails)

10
IDS contd.
  • Problems
  • IDS does not block attacks; it only reports that
    attacks took place, like an alarm with no lock.
  • With increased analysis of data often comes
    decreased performance, especially when resources
    are limited.
  • NIDS cannot review encrypted data.
  • Do not guard effectively against complex evasion
    techniques that concentrate on exploiting TCP/IP,
    launched by sophisticated attackers.
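The two alarm-triggering mechanisms from slide 9, misuse detection (pattern matching) and anomaly detection (comparison against a normal range), are shown side by side in this added example, which is not part of the presentation. The signatures, request payloads and the per-minute port counts are constructed for the illustration; the threshold of three standard deviations above the learned mean is an assumption. Note that the output of both detectors is a list of alerts and nothing else, which is the "alarm with no lock" point of this slide.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Misuse detection: signatures of known attack patterns (constructed for this example).
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "shell-in-request": re.compile(r"/bin/sh"),
}

def misuse_detect(records: List[dict]) -> List[Tuple[str, str]]:
    """Return (source, signature-name) alerts for every record matching a signature."""
    alerts = []
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                alerts.append((rec["src"], name))
    return alerts

def anomaly_detect(baseline: List[int], observed: Dict[str, int],
                   k: float = 3.0) -> Dict[str, int]:
    """Flag hosts whose count lies more than k standard deviations above the
    mean learned from the baseline window."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return {host: n for host, n in observed.items() if n > mean + k * sd}

# Constructed NIDS input: request-line excerpts from inbound HTTP traffic.
RECORDS = [
    {"src": "192.0.2.10", "payload": "GET /index.html HTTP/1.1"},
    {"src": "192.0.2.33", "payload": "GET /../../etc/passwd HTTP/1.1"},
    {"src": "192.0.2.10", "payload": "GET /images/logo.png HTTP/1.1"},
]
# Constructed baseline: distinct destination ports contacted per minute by a
# typical inside host during training, plus one minute of live counts.
BASELINE_PORTS_PER_MIN = [12, 15, 10, 14, 11, 13]
OBSERVED_PORTS_PER_MIN = {"10.0.0.5": 14, "10.0.0.77": 900}

def run_ids() -> dict:
    """Run both detectors. An IDS stops here: it reports, it blocks nothing."""
    return {
        "misuse": misuse_detect(RECORDS),
        "anomaly": anomaly_detect(BASELINE_PORTS_PER_MIN, OBSERVED_PORTS_PER_MIN),
    }

if __name__ == "__main__":
    for kind, alerts in run_ids().items():
        print(kind, alerts)
```

The traversal request is caught only by the signature, and the host touching 900 ports in a minute only by the anomaly detector; neither method covers the other's case, which is why slide 9 lists both.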

11
Why IPS?
  • Firewall can block ports, but how about allowed
    ports?
  • Anti-virus programs only deal with known viruses
    and worms, but how about unknown attacks such as
    scanning and probing?
  • IDS only detects and reports attack patterns, but
    how to stop them?
  • IPS proactively detects both known and unknown
    attacks, and also stops them in real time.

12
Intrusion Prevention System (IPS)
  • Prevents attacks from being successful. Stops
    attacks in real time before they cause harm.
  • Harm could be prevented by
  • Protecting system resources
  • Stopping privilege escalation exploits
  • Preventing buffer overflow exploits
  • Prohibit access to e-mail contact list
  • Prevent directory traversal

13
IPS contd.
  • IPS Approaches
  • Software based heuristic approach
  • Similar to IDS anomaly detection using neural
    networks
  • Sandbox approach
  • Quarantine mobile code (e.g. ActiveX, Java
    applets) in a sandbox.
  • Hybrid approach
  • On NIPS, combining various detection methods.
  • Kernel based protection approach
  • On HIPS, restrict access to system resources.

14
IPS contd.
  • Types of IPS
  • Inline Network Intrusion Detection System
  • Layer Seven Switches
  • Application Firewalls/IDS
  • Hybrid Switches
  • Deceptive

15
IPS contd.
  • Inline Network Intrusion Detection System
  • Writing rules offers a way to catch new attacks
  • In the case of a protocol anomaly inline NIDS, it
    will be able to stop unknown attacks based on the
    protocols it is able to decode and its knowledge
    of those protocols.
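The protocol-anomaly idea on this slide is easiest to see in code, so here is an added example that is not from the presentation: a small HTTP/1.x request decoder used as an inline filter. The decoder knows the grammar of a request head; anything it cannot decode (unknown method or version, a request target far longer than any legitimate one, non-ASCII bytes in the head, a malformed header line) is dropped rather than merely logged. The length limits, the method list and the sample requests are assumptions constructed for the illustration, not values from any standard or product.

```python
from typing import Dict, Tuple

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
MAX_TARGET_LEN = 1024    # constructed limit for this example, not an RFC value
MAX_HEADER_LEN = 4096    # constructed limit for a single header line

def decode_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Decode an HTTP/1.x request head. Anything outside the grammar the
    decoder knows raises ValueError; that is the protocol-anomaly signal."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request head") from None
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        raise ValueError("request head not terminated")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown method {method!r}")
    if not target.startswith("/"):
        raise ValueError("request target must be an absolute path")
    if len(target) > MAX_TARGET_LEN:
        raise ValueError(f"request target longer than {MAX_TARGET_LEN} bytes")
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown version {version!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # header name must be present, contain no surrounding whitespace, and
        # the whole line must stay under the configured limit
        if not colon or not name or name != name.strip() or len(line) > MAX_HEADER_LEN:
            raise ValueError(f"malformed header line {line[:40]!r}")
        headers[name.lower()] = value.strip()
    return method, target, version, headers

def inline_verdict(raw: bytes) -> Tuple[str, str]:
    """Inline decision: forward conforming requests, drop what the decoder rejects."""
    try:
        decode_request(raw)
    except ValueError as err:
        return ("drop", str(err))
    return ("forward", "")

# Constructed requests: one normal, three that violate the decoded grammar.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "overlong-target": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "bad-version": b"GET /index.html HTTP/9.9\r\n\r\n",
    "binary-in-head": b"GET /\xff\xfe\x01 HTTP/1.1\r\n\r\n",
}

def run_samples() -> Dict[str, str]:
    """Verdict per sample: 'forward' or 'drop'."""
    return {name: inline_verdict(raw)[0] for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inline_verdict(raw))
```

No signature is involved: the three rejected requests are stopped because they do not fit the protocol, not because the filter has seen them before. That is what lets a protocol-anomaly NIPS stop an attack it has no rule for, and also why its coverage ends at the protocols it can decode.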

16
IPS contd.
  • Inline Network Intrusion Detection System

17
IPS contd.
  • Inline Network Intrusion Detection System
  • Products
  • ISS Guard
  • Hogwash
  • NetScreen
  • TippingPoint
  • Intruvert

18
IPS contd.
  • Layer Seven Switches
  • Able to inspect the URL to direct particular
    requests to specific servers based on predefined
    rules, with security features such as DoS and DDoS
    protection.
  • Can easily handle gigabit and multi-gigabit
    traffic.
  • Placing these devices in front of your firewalls
    would give protection for the entire network.
  • Inspect layer seven content for
    routing/switching decisions.

19
IPS contd.
  • Layer Seven Switches

20
IPS contd.
  • Layer Seven Switches
  • Products
  • Radware
  • TopLayer
  • Foundry

21
IPS contd.
  • Application IPS/Firewalls
  • Protect against poor programming and unknown
    attacks.
  • Loaded on each server that is to be protected.
  • Profile a system or create policies to stop
    malicious actions from taking place.
  • Customizable to each application that they are to
    protect.
  • Don't look at packet-level information; rather,
    look at
  • API calls
  • memory management (e.g. buffer overflow attempts)
  • how the application interacts with the operating
    system
  • how the user is supposed to interact with the
    application
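As an added example (not code from the presentation or from any product named on the next slides), here is the policy side of an application IPS reduced to its core: a per-application profile of permitted API calls and arguments, enforced against a trace of intercepted calls. The process name, the policy entries and the trace are constructed for the illustration. The profile is an allow list, so a call outside it is blocked whatever bug in the application produced it, which is how such a system covers "poor programming and unknown attacks" without a signature.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ApiCall:
    """One intercepted call: the program making it, the API, and its main argument."""
    process: str
    api: str
    arg: str

# Constructed per-application profile (what a profiling phase would have learned):
# each entry is (api, argument glob). Calls matching no entry are blocked.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "httpd": [
        ("open", "/var/www/html/*"),
        ("open", "/var/log/httpd/*"),
        ("connect", "10.0.0.20:5432"),   # the application's own database
    ],
}

def enforce(call: ApiCall) -> Tuple[str, str]:
    """Allow the call if the process has a profile entry covering it, else block."""
    allowed = POLICY.get(call.process)
    if allowed is None:
        return ("block", f"no profile for {call.process}")
    for api, pattern in allowed:
        if call.api == api and fnmatch.fnmatchcase(call.arg, pattern):
            return ("allow", "")
    return ("block", f"{call.api}({call.arg}) is outside the profile for {call.process}")

# Constructed trace: routine work, followed by calls a web server never makes
# under its profile.
TRACE = [
    ApiCall("httpd", "open", "/var/www/html/index.html"),
    ApiCall("httpd", "connect", "10.0.0.20:5432"),
    ApiCall("httpd", "open", "/etc/shadow"),
    ApiCall("httpd", "execve", "/bin/sh"),
    ApiCall("httpd", "connect", "198.51.100.7:4444"),
]

def enforce_trace(trace=TRACE) -> List[str]:
    """Verdict ('allow' or 'block') for each call in order."""
    return [enforce(c)[0] for c in trace]

if __name__ == "__main__":
    for call in TRACE:
        print(call.api, call.arg, enforce(call))
```

The profile is also why the slide says these systems are "customizable to each application": the same enforcement code is reused, and only the POLICY entries change per server.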

22
IPS contd.
  • Application IPS/Firewalls

23
IPS contd.
  • Application IPS/Firewalls
  • Products
  • Okena StormWatch
  • McAfee Entercept

24
IPS contd.
  • Hybrid Switches
  • A cross between the host-based application
    firewall/IDS and the layer seven switch.
  • Hardware-based, placed in front of the servers.
  • Use a policy similar to the application
    IDS/firewall
  • Inspect specific traffic for malicious content
    defined by the policy that is configured.
  • The hybrid switch can be combined with a layer
    seven switch to offer even higher performance.

25
IPS contd.
  • Hybrid Switches

26
IPS contd.
  • Hybrid Switches
  • Products
  • AppShield
  • Kavado

27
IPS contd.
  • Deceptive Applications
  • First, it watches all your network traffic and
    figures out what is good traffic, similar to the
    profiling phase of the application IPS/firewall.
  • Then, when it sees attempts to connect to
    services that do not exist, or at least do not
    exist on that server, it sends back a response to
    the attacker.
  • The response is marked with some bogus data, so
    that when the attacker comes back and tries to
    exploit the server, the IPS sees the marked data
    and stops all traffic coming from the attacker.
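The three-step behaviour described on this slide, profiling real services, answering probes of non-existent ones with marked bogus data, and blocking a source once that marked data comes back, is implemented in this added example, which is not code from the presentation or from the product named on a later slide. The learned service list, the addresses, the bogus banner format and the fixed marker used in the scenario are constructed for the illustration; a real deployment would generate a random marker per source, which is the default here.

```python
import secrets
from typing import Callable, Dict, List, Set, Tuple

class DeceptiveIPS:
    """Profile legitimate services, bait probes of non-existent ones with a
    per-source marker, and block any source that later returns the marker."""

    def __init__(self, marker_fn: Callable[[], str] = lambda: secrets.token_hex(8)):
        self.services: Set[Tuple[str, int]] = set()   # (host, port) seen carrying real traffic
        self.markers: Dict[str, str] = {}             # source -> bogus marker handed to it
        self.blocked: Set[str] = set()
        self._marker_fn = marker_fn

    def learn(self, flows: List[Tuple[str, int]]) -> None:
        """Profiling phase: record which (host, port) pairs are real services."""
        for dst, port in flows:
            self.services.add((dst, port))

    def handle(self, src: str, dst: str, port: int, payload: str = "") -> Tuple[str, str]:
        """Decide what to do with one connection attempt from src to dst:port."""
        if src in self.blocked:
            return ("block", "source previously marked")
        marker = self.markers.get(src)
        if marker is not None and marker in payload:
            self.blocked.add(src)      # the bait came back: stop everything from this source
            return ("block", "marked data returned")
        if (dst, port) in self.services:
            return ("forward", "")
        # Connection to a service that does not exist on that host: answer with a
        # bogus banner that carries a marker unique to this source.
        marker = self.markers.setdefault(src, self._marker_fn())
        return ("decoy", f"220 {dst} service ready {marker}")

def scenario(marker_fn: Callable[[], str] = lambda: "deadbeef") -> List[str]:
    """Constructed sequence of connection attempts; returns the verdict for each."""
    ips = DeceptiveIPS(marker_fn)
    ips.learn([("10.0.0.20", 80), ("10.0.0.20", 443)])
    steps = [
        ("192.0.2.10", "10.0.0.20", 80, "GET / HTTP/1.1"),     # legitimate client
        ("198.51.100.7", "10.0.0.20", 21, ""),                # probe of a service that does not exist here
        ("198.51.100.7", "10.0.0.20", 21, "USER deadbeef"),   # comes back using the marked data
        ("198.51.100.7", "10.0.0.20", 80, "GET / HTTP/1.1"),  # even traffic to a real service is now blocked
        ("192.0.2.10", "10.0.0.20", 443, "GET / HTTP/1.1"),   # other clients unaffected
    ]
    return [ips.handle(*step)[0] for step in steps]

if __name__ == "__main__":
    print(scenario())
```

The marker is what turns a guess into a decision: a single probe of a closed port gets a decoy, not a block, and the source is cut off only when it demonstrably acts on data that no legitimate client could have received.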

28
IPS contd.
  • Deceptive Applications

29
IPS contd.
  • Deceptive Applications
  • Products
  • Forescout

30
IPS contd.
  • Conclusion
  • IPS is an evolution of IDS technology. It adds to
    the defense-in-depth approach to security.
  • Different environments need different solutions.
  • Each type of IPS offers a different level of
    protection. There is no one-size-fits-all
    solution.
  • Use more than one type of solution.
  • A mix of firewalls, anti-virus, and IPSs.

31
Reference
  • Bharat Goyal, Sriranjoni Staraman, Srinivasan
    Krishnamurthy, Intrusion Detection Systems: An
    Overview, Department of Computer Science,
    University of Texas at Dallas.
  • Dinesh Sequeira, Intrusion Prevention Systems:
    Security's Silver Bullet?, GSEC V1.4B Option 1,
    SANS Institute, 2002.
  • Neil Desai, Intrusion Prevention Systems: The
    Next Step in the Evolution of IDS, Feb 27, 2003.
    http://www.securityfocus.com/infocus/1670
  • Salma Abdul-Rahman, Network Intrusion Detection
    Systems, April 20, 2000.
    http://www.cs.utk.edu/abdulrah/netsecurity/paper.html