Intrusion Prevention System - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Prevention System

Slides: 15
Provided by: studen215

Transcript and Presenter's Notes

Title: Intrusion Prevention System


1
Intrusion Prevention System
  • Group 6
  • Mu-Hsin Wei
  • Renaud Moussounda

2
What is IPS
  • IPS (Intrusion prevention system)
  • Control access to a network
  • Similar to firewall, but different

3
What's the difference?
  • Traditional firewall examines header
  • IPS examines payload as well
  • DPI (Deep Packet Inspection)

4
DPI enables IPS to
  • Gather more information
  • Detect certain attack signatures
  • Control network traffic intelligently
    - ftp root access (user root)
    - HTTP content

5
Tradeoff
  • Payload
    - no fixed fields
    - large in size
  • Requires high computing resource
    - CPU
    - memory
  • Hardware implementation

6
IDS vs IPS
  • Intrusion Detection System (IDS)
    - DPI
    - detects
    - Snort
  • IPS
    - DPI
    - takes action
    - snort_inline, iptables

7
Proof of concept
  • Implement an IPS using
    - snort_inline, and
    - iptables
  • Test IPS using
    - Lab4 firewall configuration
    - Lab6 imapd buffer overflow

8
Lab 4 setup
  • Black - attacker
  • Protected - victim
  • Firewall - IPS

9
How to capture attack?
  • Attack using buffer overflow string
  • Long sequence of NOP
  • snort_inline checks for 90 90 90 90...
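
Added example (not part of the original slides, and not snort_inline's own code): a sketch of the payload check described above, next to a header-only firewall decision on the same traffic. The Segment type, the 16-byte threshold and the sample payloads are assumptions constructed for illustration; the slides only say "90 90 90 90...".

```python
from dataclasses import dataclass

NOP = 0x90        # x86 NOP opcode, the byte the slides say snort_inline checks for
MIN_RUN = 16      # assumed threshold; the slides do not give a length
IMAP_PORT = 143   # imapd is the service attacked in Lab6

@dataclass
class Segment:    # hypothetical minimal view of one TCP segment
    dst_port: int
    payload: bytes

def header_verdict(seg: Segment) -> str:
    """Traditional firewall: decides on header fields only."""
    return "ACCEPT" if seg.dst_port == IMAP_PORT else "DROP"

class NopRunInspector:
    """DPI check for one flow. The trailing NOP count is carried between
    segments, so a run that spans a segment boundary is measured as one run."""
    def __init__(self, min_run: int = MIN_RUN):
        self.min_run = min_run
        self.carry = 0  # NOPs seen at the end of the previous payload

    def verdict(self, seg: Segment) -> str:
        if header_verdict(seg) == "DROP":
            return "DROP"
        run = self.carry
        for b in seg.payload:
            run = run + 1 if b == NOP else 0
            if run >= self.min_run:
                self.carry = 0
                return "DROP"
        self.carry = run
        return "ACCEPT"

# Constructed sample traffic: only the NOP pattern, no exploit bytes.
BENIGN = Segment(143, b"a001 LOGIN alice secret\r\n")
SLED = Segment(143, b"a001 LOGIN " + bytes([NOP]) * 64 + b"<placeholder>")
SPLIT = [Segment(143, b"a001 LOGIN " + bytes([NOP]) * 10),
         Segment(143, bytes([NOP]) * 10 + b"<placeholder>")]
SHORT = Segment(143, b"\x90\x90\x90 binary blob \x90\x90")  # below threshold

def run_flow(segments):
    """Inspect the segments of one flow in order; return one verdict each."""
    insp = NopRunInspector()
    return [insp.verdict(s) for s in segments]
```

The header check accepts every segment addressed to port 143, while the payload check drops the ones carrying a long 0x90 run. A threshold that is too low will also match ordinary binary content, which is why SHORT is accepted.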

10
Flow
  • Protected runs vulnerable service
  • BlackHat attacks
  • snort_inline captures and tells iptables
  • iptables blocks traffic
  • Protected remains safe

11
IPS Lab4 Lab6
  • BlackHat, Protected, and IPS

12
Implication
  • One for all
  • Less dependent on individual server
  • Vulnerable service made secure
  • Enhanced security

13
What you will do in the lab?
  • Set up machines, install software
  • Perform first attack without IPS
  • Perform second attack with IPS enabled
  • Appreciate IPS/DPI

14
Questions
  • ?