Your Network Is a Sitting Duck Without IDP

The sophistication and severity of today's attacks, combined with the data-intensive needs of a mobile workforce, demand a security solution beyond a simple firewall. You need an intrusion detection and prevention system that lets your workforce reach the information it needs while stopping threats of every kind.

Contents
Intrusion Detection and Prevention: All About IPS & IDS
Evaluating Intrusion Prevention Systems
Managed Intrusion Detection and Prevention Services
Intrusion Detection and Prevention: More Essential Than a Firewall

©2007, Jupitermedia Corp.

Intrusion Detection and Prevention: All About IPS & IDS
Webopedia

Used in computer security, intrusion detection refers to the process of monitoring computer and network activity and analyzing those events to look for signs of intrusion into your systems. The point of looking for unauthorized intrusions is to alert the IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.

IDS—A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify suspicious patterns that may indicate someone attempting to break into or compromise a system. An IDS is considered a passive monitoring system, since its main function is to warn you of suspicious activity, not to prevent it. An IDS reviews your network traffic and data and identifies probes, attacks, exploits and other attempts to take advantage of vulnerabilities. An IDS can respond to a suspicious event in several ways, including displaying an alert, logging the event or paging an administrator.
In some cases the IDS may be configured to reconfigure the network to reduce the effects of a suspected intrusion. An IDS looks for suspicious activity and events that might be the result of a virus, worm or hacker, both by looking for known intrusion or attack signatures that characterize particular worms, viruses or exploits, and by tracking variances from normal system activity. A signature-based IDS can notify you only of attacks it already has signatures for.

The term IDS covers a large variety of products, all of which produce the same end result: detecting intrusions. An IDS can be cheap shareware or a freely distributed open source program, or a much more expensive commercial solution with vendor support. Some IDSs consist of both software applications and hardware appliances or sensor devices installed at different points along your network.

There are several ways to categorize an IDS:

Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus scanner, the detector is only as good as the database of intrusion signatures it compares packets against.

In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol mix and typical packet size. The anomaly detector monitors network segments to compare their state to the baseline and looks for deviations. Anomaly detection can flag an attack that has no signature yet, but anything legitimately unusual (a new application, a backup window) will be flagged too, so the baseline needs maintenance.

Passive Vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a
reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Network-based vs. Host-based IDS
Intrusion detection systems are network based or host based. Network-based IDSs (NIDS) are often standalone hardware appliances with network intrusion detection capabilities. A NIDS usually consists of hardware sensors located at various points along the network, or software installed on systems connected to your network, which analyzes data packets entering and leaving the network.

Host-based IDSs (HIDS) consist of software agents installed on individual computers within the system; a HIDS analyzes the traffic to and from the specific computer on which it is installed. HIDS do not offer true real-time detection, but if configured correctly they come close. HIDS often provide features you cannot get with a network-based IDS: a HIDS can monitor activities that only an administrator should be able to carry out, changes to key system files and any attempt to overwrite them, and attempts to install Trojans or backdoors, which it can also stop. A NIDS does not always see these host-level events.

Cost depends on the size of your network and the number of individual computers that require intrusion detection, but a NIDS is usually cheaper to implement and requires less administration and training. It is not as versatile as a HIDS. Both kinds of system require Internet access (bandwidth) to keep their virus and worm signatures up to date.

Key Terms To Understanding Intrusion Detection & Prevention
IDS: Short for intrusion detection system.
IPS: Short for intrusion prevention system.
Intrusion signatures: When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind.
False positive: The condition in which a security system incorrectly identifies legitimate activity (a legitimate request, or an expected email in the case of a spam filter) as an attack.
Additional terms: hacker, virus, worm, Trojan horse, firewall.

Is IDS the Same as a Firewall?
The quick answer is no. Unfortunately, an IDS is commonly mistaken for a firewall or for a substitute for a firewall. While both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening: it limits access between networks to prevent intrusion, and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. A network-based intrusion detection system can also detect malicious packets that are designed to slip past a firewall's simple filtering rules. An IDS is not a replacement for either a firewall or a good antivirus program; it is a tool to use alongside your standard security products (antivirus and a firewall) to increase system-specific or network-wide security.

False Positives and Negatives
The term false positive refers to a security system incorrectly treating legitimate requests as spam or security breaches: the IDS detects something it is not supposed to. Conversely, an IDS is prone to false negatives, where the system fails to detect something it should. Both problems are associated with IDS, but vendors spend a lot of time working on them, and a well-tuned IDS is not believed to produce a high percentage of false positives or false negatives. Still, it is a topic worth considering when looking at different IDS solutions.

IPS—An Active Security Solution
An IPS, or intrusion prevention system, is the next level of security technology, with the capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with IDS-style alerting of system or network administrators to suspicious traffic, and lets the administrator define the action to take when an alert fires. Where an IDS informs you of a potential attack, an IPS attempts to stop it. Another large step beyond IDS is that an IPS can block not only known intrusion signatures but also some unknown attacks, thanks to its database of generic attack behaviors. Thought of as a combination of an IDS and an application-layer firewall, the IPS is generally considered the "next generation" of IDS.

Currently there are two types of IPS, mirroring the IDS split: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).

Network-based vs. Host-based IPS
Host-based intrusion prevention systems protect both servers and workstations through software that runs between your system's applications and the OS kernel. The software is preconfigured with protection rules based on intrusion and attack signatures. The HIPS catches suspicious activity on the system and then, depending on the predefined rules, either blocks or allows the event. A HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts, among others.

Network-based intrusion prevention systems (often called inline prevention systems) are the network-based counterpart. A NIPS intercepts all network traffic and monitors it for suspicious activity and events, either blocking requests or passing them along if they are deemed legitimate. NIPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network, and more. One interesting aspect of a NIPS is that if it finds an offending packet it can rewrite the packet so the attack fails while still recording the event, gathering evidence against the would-be intruder without the intruder's knowledge. As with all technology, NIPS is not perfect: in some instances you may end up blocking a legitimate network request.

While host-based IPSs are considered more secure than network-based ones, installing the software on every server and workstation in your organization can be quite costly. Additionally, the HIPS on each system must be updated frequently to keep its attack signatures current.

Problems with NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration: since all data moving through the network passes through the IPS, it can reduce throughput and add latency. To combat this, network-based IPSs that ship as appliances (hardware plus software) are available today at a larger cost; they take most of the load that a software-based NIPS would impose off your network.

IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will supplant IDS, it is somewhat of an apples and oranges comparison.
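The two detection approaches categorized above (misuse matching against a signature database, and anomaly scoring against a learned baseline), run as a passive IDS over a handful of constructed flow records. This is an added example written for this page, not code from Webopedia or from any vendor product; the signature patterns, the baseline and the four sample flows are all made up for the illustration. It goes one step beyond the text by running both engines on the same traffic, so you can see a known attack caught by signature alone, an unknown transfer caught by anomaly alone, and a benign backup flagged as a false positive.

```python
"""Misuse (signature) detection beside anomaly (baseline) detection on constructed flows."""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes of the application data
    nbytes: int      # total bytes transferred in the flow


# Illustrative signature database (constructed, not a vendor rule set):
# pattern -> attack name. Matching documented patterns is misuse detection.
SIGNATURES = {
    rb"(?i)\.\./\.\./": "directory-traversal",
    rb"(?i)union\s+select": "sql-injection",
    rb"\x90{16,}": "nop-sled",
}


def misuse_detect(flow: Flow) -> list[str]:
    """Return the names of every signature that matches the payload."""
    return [name for pat, name in SIGNATURES.items() if re.search(pat, flow.payload)]


class AnomalyDetector:
    """Learns a baseline from normal flows and flags statistical outliers."""

    def __init__(self, baseline: list[Flow], threshold: float = 3.0):
        sizes = [f.nbytes for f in baseline]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes) or 1.0   # avoid division by zero
        self.known_ports = {f.dport for f in baseline}
        self.threshold = threshold                      # z-score cut-off

    def detect(self, flow: Flow) -> list[str]:
        reasons = []
        if flow.dport not in self.known_ports:
            reasons.append(f"unusual-port:{flow.dport}")
        z = (flow.nbytes - self.mean) / self.stdev
        if abs(z) > self.threshold:
            reasons.append(f"size-outlier:z={z:.1f}")
        return reasons


def analyze(flows: list[Flow], detector: AnomalyDetector) -> list[dict]:
    """Passive IDS: both engines inspect every flow; alerts are returned, nothing is blocked."""
    alerts = []
    for f in flows:
        hits, anomalies = misuse_detect(f), detector.detect(f)
        if hits or anomalies:
            alerts.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                           "signature": hits, "anomaly": anomalies})
    return alerts


# Constructed baseline: twenty ordinary HTTP/HTTPS flows of 1200-1400 bytes.
BASELINE = [Flow(f"10.0.0.{i}", "10.0.1.5", 80 if i % 2 else 443, b"GET / HTTP/1.1",
                 1200 + 50 * (i % 5)) for i in range(1, 21)]

# Constructed traffic to inspect.
SAMPLE_FLOWS = [
    Flow("10.0.0.30", "10.0.1.5", 80, b"GET /index.html HTTP/1.1", 1320),          # benign
    Flow("203.0.113.9", "10.0.1.5", 80, b"GET /../../etc/passwd HTTP/1.1", 1310),  # known attack
    Flow("203.0.113.9", "10.0.1.5", 4444, b"\x00\x01\x02binary", 9000),            # no signature, unusual
    Flow("10.0.0.31", "10.0.1.5", 443, b"PUT /backup.tar HTTP/1.1", 5000),        # benign but unusual
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS, AnomalyDetector(BASELINE)):
        print(alert)
```

Run it and three alerts come out: the traversal request hits a signature but looks statistically normal, the 9000-byte transfer to port 4444 matches no signature and is caught only by the baseline, and the backup upload is a size outlier with nothing malicious in it. That last alert is the false positive the article warns about; in a reactive system it would have blocked a legitimate transfer.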
The two solutions differ in that one is a passive detection and monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also weigh the more mature IDS technology against the younger, less established IPS products. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management and implementation, and overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of IPS and, believing that IPS is the next generation of IDS, choose the newer IPSs over IDSs. Adding to the muddle, of course, is your initial decision between host-based and network-based systems for either IDS or IPS. As with choosing between standard security devices like routers and firewalls, remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions. ■

This content was adapted from internet.com's Webopedia Web site.

Evaluating Intrusion Prevention Systems
By Bob Walder

IPSs are becoming today's must-have security solution, but don't deploy blindly; testing on your network is the key to success, writes CIO Update guest columnist Bob Walder of The NSS Group.

With intrusion prevention systems (IPS) fast becoming as essential a purchase as the ubiquitous firewall, the choice is becoming ever more bewildering as more and more vendors scurry to bring new products to market.
Some of these vendors come from a solid IDS (intrusion detection) background, while others are essentially hardware manufacturers (switches or attack-mitigation devices) crossing over into the IPS world. The resulting products are often quite different. For example, the largely software-based IDS products tend to turn into software-based IPS products running on standard Intel hardware. While performance can be perfectly adequate, you can never expect them to match ASIC/FPGA-based dedicated hardware devices, which can yield near switch-like latencies and handle a gigabit or more of 64-byte packets without blinking. On the other hand, the new kids on the block might boast superior performance, but they are often starting from scratch when it comes to signature coverage and resistance to evasion techniques, areas in which the more established IDS/IPS vendors excel.

Of course, these distinctions are disappearing as the market matures, and in the latest round of IPS testing in our labs we noted a much improved success rate in terms of which products passed our stringent tests to achieve NSS Approved awards. Using hardware accelerators, for example, can provide a much-needed performance boost for the software-based products, whilst sheer experience (along with the creation or boosting of an internal security research team) can usually improve signature coverage and quality in the newer products.

Quality vs. Quantity
Quality is really the watchword here, rather than quantity. It is possible to throw tens or even hundreds of signatures at a problem when you are not limited by hardware performance, but that does not necessarily mean those signatures are good. A single, well-written signature (or protocol decoder) can often provide much more comprehensive coverage for a range of exploits.
It is important, for example, that signatures are written to detect not only the specific exploits currently in the wild, but the underlying vulnerability those exploits take advantage of. Thus, the next time a new exploit appears riding on the back of that vulnerability, it will be detected and blocked immediately without requiring a signature specific to that piece of exploit code. Similarly, it should not be possible to evade the IPS by any common means such as URL obfuscation, TCP segmentation, IP fragmentation, and so on.

The quality of the signatures also has a bearing on the device's susceptibility to raising false positive alerts. With IDS devices, false positives are a nuisance, but only that. With IPS devices, installed in-line and in blocking mode, a false positive can have a detrimental effect on the user experience, as legitimate traffic is dropped mistakenly. This is, therefore, a key area to investigate when planning your own trial deployments. All the lab tests in the world cannot tell you how an IPS product is going to perform when subjected to your traffic on your network.

Test, Test, Test …
This is a key point: no matter how much research you do using reports such as the ones we produce, you should never use those reports as the only basis for your buying decisions. You should always set aside the time, budget and technical resources to perform a full bake-off in-house between all the vendors on your short-list. This means installing all the devices at key points in your network (they can be installed in-line in detect-only mode to begin with, to minimize problems), along with all the necessary management software. And don't rely on the single-device Web interface if you know you will eventually need the full-blown enterprise management product.
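The point above about vulnerability-based signatures and evasion resistance, as an added example that is not from NSS or from any IPS product. It contrasts an exploit-string signature with a check for the underlying flaw in a hypothetical CGI script, /cgi-bin/showfile.cgi, whose file parameter is assumed to reach the filesystem unsanitized; the script, the requests and the TCP segment split are all constructed for the illustration, and the URL normalization and stream reassembly are deliberately minimal versions of what a real engine does.

```python
"""Exploit-string signature beside a vulnerability-based check, with URL obfuscation and TCP segmentation."""
import re
from urllib.parse import unquote

# Hypothetical vulnerable CGI (constructed for this example): its "file" parameter is
# passed to the filesystem unsanitized, so any traversal sequence in it is an attack.
VULN_PATH = "/cgi-bin/showfile.cgi"

# Exploit-specific signature: the literal request string of one known exploit.
EXPLOIT_SIG = b"/cgi-bin/showfile.cgi?file=../../../../etc/passwd"

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize_url(raw: str) -> str:
    """Undo common URL obfuscation: repeated percent-decoding (defeats double
    encoding), backslash-to-slash, and collapsing of duplicate slashes."""
    url = raw
    for _ in range(3):                  # bounded so a pathological input cannot loop forever
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    url = url.replace("\\", "/")
    return re.sub(r"/{2,}", "/", url)


def reassemble(segments: list[tuple[int, bytes]]) -> bytes:
    """Order segments by stream offset and join them, as a TCP reassembler would."""
    return b"".join(data for _, data in sorted(segments))


def exploit_signature(stream: bytes) -> bool:
    return EXPLOIT_SIG in stream


def vulnerability_signature(stream: bytes) -> bool:
    """Flag any request that reaches the vulnerable parameter with a traversal,
    regardless of encoding or of which exploit generated it."""
    m = re.match(r"(?:GET|POST)\s+(\S+)", stream.decode("latin-1"))
    if not m:
        return False
    path, _, query = normalize_url(m.group(1)).partition("?")
    if not path.endswith(VULN_PATH):
        return False
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name == "file" and TRAVERSAL.search(value):
            return True
    return False


def inspect_stream(segments):
    """Engine that reassembles the stream first. Returns (exploit_hit, vulnerability_hit)."""
    stream = reassemble(segments)
    return exploit_signature(stream), vulnerability_signature(stream)


def inspect_per_segment(segments):
    """Naive engine that matches each segment on its own (no reassembly)."""
    return (any(exploit_signature(d) for _, d in segments),
            any(vulnerability_signature(d) for _, d in segments))


# Constructed requests.
PLAIN = b"GET /cgi-bin/showfile.cgi?file=../../../../etc/passwd HTTP/1.0\r\n"
ENCODED = b"GET /cgi-bin/showfile.cgi?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0\r\n"
DOUBLE_ENCODED = b"GET /cgi-bin/showfile.cgi?file=%252e%252e/%252e%252e/etc/passwd HTTP/1.0\r\n"
BENIGN = b"GET /cgi-bin/showfile.cgi?file=report.txt HTTP/1.0\r\n"
BENIGN_TRAVERSAL = b"GET /docs/../index.html HTTP/1.0\r\n"   # traversal, but not the vulnerable CGI
SEGMENTED = [(30, PLAIN[30:]), (0, PLAIN[:30])]               # PLAIN split in two, delivered out of order

if __name__ == "__main__":
    for label, segs in [("plain", [(0, PLAIN)]), ("encoded", [(0, ENCODED)]),
                        ("double", [(0, DOUBLE_ENCODED)]), ("segmented", SEGMENTED),
                        ("benign", [(0, BENIGN)])]:
        print(label, "stream:", inspect_stream(segs), "per-segment:", inspect_per_segment(segs))
```

The exploit-string signature fires only on the byte-exact request it was written from; percent-encoding or double-encoding the same attack walks straight past it, and so does splitting the request across two TCP segments if the engine matches per packet. The vulnerability-based check normalizes first and reasons about the parameter, so it catches every variant while leaving a traversal against an unrelated path alone. That specificity is what keeps false positives down once the device goes in-line.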
It will never be possible to vet all of the signatures in a vendor's database, and it is a waste of effort to try. Independent testing should give you a good idea of the quality and extent of coverage. It is more important to run your own traffic through the device and monitor the effects. Are you seeing a large number of alerts raised against what you know to be legitimate traffic? This could point to problems with the signature database, or could highlight where traffic from custom applications in your own organization genuinely resembles exploit traffic. The latter case is easily handled (tune or suppress the rule for that application), but large numbers of false positives on clean traffic indicate a potential problem, especially once the device is placed in blocking mode.

Performance testing is also important. NSS tests push devices to the extreme, but if you can accurately categorize the make-up of traffic on your own network, you may find that you would be happy with a much lower-performing device at a much more reasonable cost. Latency can sometimes be a very subjective issue. A device which we identify as having higher than normal latency for internal deployments may well have no effect whatsoever when installed at the perimeter of your network. Do some simple user-based testing, such as downloading large files both with and without the IPS in-line, and note the difference.

At least part of the evaluation period should also be performed with blocking enabled. It is not unknown for devices which work perfectly well in detect-only mode to fail completely once placed into blocking mode. While this type of testing could be considered "disruptive," it is better to discover such a failing before committing to a major purchasing decision. You can reduce the risk of nasty surprises and major failures during evaluation by short-listing those devices which have achieved NSS Approved status. You can be sure that we have tested these devices extensively in-line in both detect-only and full blocking mode, with a wide range of exploits and evasion techniques, and under a wide range of network loads and traffic conditions. A thorough bake-off in your own network, however, will allow you to assess more accurately the effect of these devices when subjected to your own traffic, and is likely to create some unique challenges for the vendors taking part. ■

Bob Walder is director of The NSS Group security testing labs in the south of France. With over 25 years in the industry, he brings broad experience to the testing environment.

This content was adapted from EarthWeb's CIO Update Web site.
Managed Intrusion Detection and Prevention Services
Lisa Phifer

ISP-Planet's biennial survey of MSSPs finds that intrusion prevention and detection services are augmented by new devices to deliver unified threat management in several different forms.

As network security improves, attackers have sharpened their focus. Today's Internet threats have grown increasingly targeted, using malicious code and crafted application messages to compromise specific server and client vulnerabilities. During the first six months of 2006, Symantec estimated that 80 percent of 2,249 newly found vulnerabilities were easily exploitable, with an average enterprise exposure of 28 days before patches were available and applied. Aggressive, rigorous patch management can help, but one of the most effective and efficient steps you can take to defend those vulnerable hosts is to prevent intrusions from reaching them in the first place.

Network intrusion detection systems (IDS) are designed to observe and analyze traffic, spot potential attacks, and notify network operators by sending intrusion alerts. Network intrusion prevention systems (IPS) go a step further, taking steps in real time to impede the flow of suspicious traffic and therefore limit potential asset damage or data theft. IDS is generally deployed as a passive countermeasure, an insurance policy against intruders that might otherwise sneak past firewalls. IPS is (at least to some degree) proactive and automated, jumping in whenever perceived risk exceeds a predefined tolerance level.

A managed IDS/IPS service starts with the installation and provisioning of in-line or out-of-band traffic sensors and an intrusion analysis engine, accompanied by ongoing policy refinement, intrusion signature and software updates, and 24/7/365 monitoring by the MSSP's SOC.
Included response can range from customer notification to provider implementation of recommended countermeasures. All but one participant in this year's Managed Security Service Provider (MSSP) survey offer this type of service, as detailed in the accompanying chart. The exception is Globix, which declined to include IDS in its survey response but describes a managed IDS service on its Web site. In fact, we believe that IDS/IPS has become a core managed security service offering. As shown in the following chart, IDS/IPS offerings have grown from fewer than half the MSSPs surveyed in 1999 to effectively all of the MSSPs surveyed this year. This trend tracks the evolution of network security threats, technologies and best practices.

Many firewalls and unified threat management appliances now incorporate some IDS/IPS capabilities. Today's network firewalls are simply expected to detect basic TCP/IP attacks, like TCP SYN floods and Ping of Death. Deeper, broader application-layer intrusion detection and prevention often involves additional software modules, licensed feature activation and, in some cases, additional hardware sensors. The line between managed firewall and managed IDS/IPS services reflects this layering. Two of our surveyed managed firewall services included IDS/IPS features, while ten offered these capabilities as options. Furthermore, all 15 providers described separately branded managed IDS/IPS services. Three MSSPs (AT&T, IBM ISS and Verizon) even offer more than one IDS/IPS service. For example, AT&T offers three separate services: a network-based IDS, a CPE-based IDS and a CPE-based IPS.

As illustrated in the pie chart, this year's field was evenly split between IDS and IPS offerings. Seven services provide intrusion detection, monitoring and customer notification; incident response, if any, is manual.
Another seven provide automated intrusion analysis and policy-based response for well-defined threats: customers are notified of intrusions and stop-loss actions are taken on their behalf. The remainder encompass both models within a single named service, letting service parameters determine the desired response model.

In fact, we continue to find it difficult to compare intrusion monitoring and response in a tabular survey. This year, we tried asking providers to check one of four alternatives:

• Customer monitors own intrusion alerts.
• Provider passively monitors intrusion alerts and notifies customer.
• Provider analyzes and manually responds to alerts.
• Service responds automatically to intrusions.

Most checked several answers, noting that this depends on customer preference, incident severity and identification reliability. If an event is clearly identified and poses significant risk, automated analysis and real-time countermeasures may be warranted. Potential intrusions that are less clear-cut may deserve human review by SOC experts and consultation with the customer regarding steps to block the offender or eliminate vulnerabilities. Fortunately, even an IPS can usually start in detect-only mode, refining prevention rules as you become more comfortable with the service's accuracy.

In short, don't expect easy answers or simple comparison when it comes to intrusion response. Make sure your MSSP has the experience, infrastructure and resources to accurately recognize and keep pace with new threats, a well-defined process for communicating them to you, and a response strategy that fits your own corporate policy.

To identify intrusions, every IDS/IPS service must capture traffic. This year, 13 of 18 surveyed services use passive/out-of-band platforms, typically situated at key points throughout your network. Of those, 5 support distributed sensors and 4 support Wi-Fi sensors.
These options are used to create additional observation points that report back to a central server. Alternatively, 14 services use active/in-line platforms that observe the traffic flowing through them. Not surprisingly, many providers support both passive and active deployment models, reflecting this year's mix of detection/prevention services.

IDS/IPS platforms have grown more diverse since our last survey, dominated by IBM ISS and Cisco, followed by a noteworthy mix of Juniper, TippingPoint, McAfee, Snort and Sourcefire. The capabilities of these platforms have a direct impact on traffic inspection, detection and response methods. For intrusion detection, most surveyed services still employ some combination of behavior analysis, signature detection and traffic anomaly detection. But application-layer header and content inspection are now supported by just over half of the surveyed services. As for response methods, in-line packet discard, IP quarantine and TCP reset are still very common, whether initiated manually or automatically. But this year, five services also had Wi-Fi deauthenticate capability, supported by wireless IPS platforms from Cisco, AirDefense and AirMagnet.

In the end, a managed IDS/IPS service comes down to effective risk management. Many businesses that deploy their own IDS sensors or IPS-capable UTM appliances do not use those technologies to their full potential. Without proper tuning, an IDS can overwhelm you with inconsequential alerts, or overlook serious intrusions because an annoyed administrator disabled those alerts. Outsourcing this burden to well-trained MSSP staff should reduce false positives and focus your attention on alerts that matter. Because they monitor intrusion alerts occurring in many customer networks, your MSSP's SOC should have the broad perspective needed to quickly recognize fast-breaking "zero day" attacks.
When intrusions do occur, your MSSP should have the sophisticated event management and correlation tools required to assess impact and recommend effective countermeasures. For each of these tasks, experience and competence really count, so look beyond feature checklists to choose the best managed IDS/IPS service for your business. ■

This content was adapted from internet.com's ISP Planet Web site.

Intrusion Detection and Prevention—More Essential Than a Firewall
By Manish Parks

As attacks become more sophisticated, you need better tools to protect your enterprise from threats, both existing and planned. Where firewalls were the de rigueur solution in the 90s, today you need an intrusion detection and prevention system to make sure your corporate IT assets, and data, remain secure.

While corporate assets have relocated from brick and mortar to bits and bytes, so too has enterprise security, from cameras and security guards to intrusion detection and intrusion prevention systems. While intrusion detection and prevention (IDP) is now staunchly embedded in the enterprise security toolkit, it still must adapt to provide more layers of asset protection against the ever-evolving landscape of threats, from hackers, spyware and Trojans to rootkits and keyloggers.

IDS/IDP systems continually assess traffic connections, evaluating the source of the communication along with the type of traffic to determine whether it should even be permitted into your network environment. In the best cases, they have the power to stop an attack before it ever reaches an internal system or user. User preferences for distributed mobile computing environments, combined with the growing complexity of corporate networks (intranets, extranets, remote and Internet access), give a would-be attacker a fairly large, target-rich threat surface.
In today's enterprise environment the vast majority of corporate intellectual property, sensitive customer information and valuable trade secrets are stored in digital format, making enterprise security a top priority against economically motivated efforts to infiltrate the company network. As threats have evolved from the benign adware and randomized hijacks of 2004/2005 to malicious adware and Trojans in 2006 to targeted, customized Trojans and phishing in 2006/2007, the mechanisms for distribution, infection and removal have evolved too. Threat distribution has advanced from Web sites to peer-to-peer and finally to email and internal hacking. Infection techniques have grown from file placement and naming to DLL injection and even modification of executables. Threat removal is no longer as simple as deleting a file on disk or deleting registry keys; it is now an involved process of file neutering, correlation- or driver-based removal and even dynamic conditional removal. As threat complexity has increased, so has the cost of repair and support. Since the global market for malware-laden software shows no signs of relenting, the need for improved security tools such as IDS and IPS will only increase in the near future.

Intrusion Detection Grows Up
Intrusion detection has grown from rudimentary audit-trail analysis in the 1970s, to rule-based expert systems in the 1980s, to an explosion of available IDS/IDP systems in the 1990s and today. We have seen the emergence of active IDS, intrusion detection and prevention, and intrusion prevention systems (IPS), as well as the convergence of technologies such as firewalls, anti-virus and IDP into appliances and security switches. Intrusion detection provides layered security at multiple locations, from the network perimeter down to the individual host.
When deployed at the perimeter of the enclave, an Intrusion Detection/Prevention System inspects connections and evaluates both the content type and the origin of the connection to decide whether the traffic should even be permitted into the protected enclave. Traditionally, IDS would log suspicious connections or report them in real time to a Security Information Monitor (SIM) or other control system. Today, IPS integration into the perimeter layer allows for the active blocking of known malicious attacks as well as protocol anomaly attacks. For example, a computer trying to initiate an HTTP connection to an eMarketing server would not be considered suspect. The same machine trying to scan every available port on the web server could be automatically terminated and prevented from future connections.

Within the enclave, IDS would be deployed in front of designated resources: web servers, email and file services, database engines, all of the content repositories, as well as key infrastructure components such as authentication and domain controllers. The key here is protection against internal attacks, from compromised machines and unauthorized users/programs. Since these threats are often both more uncommon and more surreptitious, IDS systems are often chosen. The passive reporting of IDS ensures that the high availability of enterprise systems is not compromised, while providing an extensive audit trail for human and SIM-based response. The IDS also analyzes audit trails and log files sent to it by hosts, as well as the processes and systems running on the network hosts themselves.

IPS at the network layer allows for an "Active" defense by allowing rule enforcement to shut down network connections. IPS also allows for "Integration" with firewalls and thus the ability to disable threat vectors. Finally, IPS allows "data mining" to summarize events and generate reports.
Finally, at the individual host, IDP runs as a trusted application in charge of the network protocol stack. IDP active prevention is at its best here, as an application server is in the optimum position to know what specific connection types and requests are appropriate to its function. The host can also identify attacks specific to its operating system and application suite. Recent advances in intrusion prevention allow the system to perform protocol and stack enforcement as well as file checksum monitoring to protect against the exploitation of software vulnerabilities via buffer overflow or protocol anomaly.

Intrusion Detection vs. Intrusion Prevention

Intrusion detection serves the function of a camera on the premises, while intrusion prevention serves the function of a security guard or a guard dog on the premises. While the notion of blocking an attack as it happens sounds logical and useful, it has some significant drawbacks, such as false positives, denial of service (DoS) and latency. False positives lead to the blocking of normal traffic, denial of service leads to the blocking of spoofed hosts, and latency in blocking limits its overall effectiveness. The evolution of technology and the merging of firewall and IDP functionality into a cohesive system are mitigating many of the above-stated problems. With the advent of specialized hardware such as Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) and network processors, IPS can be effectively implemented as part of the network fabric instead of as a passive, IDP-like implementation. Features important in the selection of a good IDP system include application-level encryption protection, security policy enforcement, denial of service detection, network attack detection, network reconnaissance detection, buffer overflow detection and web application protection.
The deployment considerations for IDP will generally involve sensor selection based on network media, performance analysis and network environment. Sensor placement is also crucial, as a total enterprise-wide deployment should consider Internet, extranet, remote-access and intranet boundaries as well as servers and desktops. Sensor management considerations such as out-of-band versus in-band management are also significant: out-of-band management provides greater security and isolation but at a higher cost, while in-band management provides cheaper but somewhat less secure sensor management.

Signatures Are Key in IDP—Atomic or Stateful

For an IDP system, atomic signatures, which examine a single packet, activity or event to determine whether a positive match should trigger a signature action, are the simplest types of signatures. Stateful signatures, unlike atomic signatures, generate an event based on a sequence of specific events, which requires the IPS device to maintain state. Currently, IDPs incorporate pattern detection, anomaly-based detection and behavior-based detection as the main triggering mechanisms to generate an action. While pattern detection is the simplest to implement, all three mechanisms lead to one or more of the following signature actions: generating an alert, dropping or preventing the activity, logging the activity, resetting the TCP connection, blocking future activity or allowing the activity. As attacks get more sophisticated and companies have more of their assets on their corporate network, the coverage provided by an IDP is essential to maintaining the data integrity of the enterprise. ■

Manish Parks is a senior security consultant specializing in DoD system certification and accreditation. He has more than ten years' experience in developing networking and security solutions for corporate and academic environments. Contact him at manish.parks@gmail.com.
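The atomic-versus-stateful distinction just described, together with the perimeter example earlier in the article (an ordinary HTTP request is allowed, but the same host sweeping the web server's ports is terminated and blocked), as an added example in Python that is not from the article or any product it mentions. One signature needs only the current event; the other must keep per-source history; both feed the signature actions the article lists (allow, alert, reset, block future activity). The connection events, the port-scan threshold and window, and the 512-byte request-line limit are constructed assumptions.

```python
from collections import defaultdict

# Constructed events for this added example: (timestamp, source, dest_port, payload)
EVENTS = [
    (0.0, "10.0.0.5", 80, "GET /index.html"),     # ordinary HTTP to the web server
    (1.0, "10.0.0.5", 80, "GET /about.html"),
    (2.0, "10.0.0.9", 80, "GET /index.html"),
    (2.1, "10.0.0.9", 22, ""),                    # same host starts probing ports
    (2.2, "10.0.0.9", 23, ""),
    (2.3, "10.0.0.9", 25, ""),
    (2.4, "10.0.0.9", 443, ""),
    (2.5, "10.0.0.9", 3306, ""),                  # source is already blocked by now
    (5.0, "10.0.0.7", 80, "GET /" + "A" * 600),   # oversized request line
]
SCAN_PORTS = 5      # distinct ports from one source ...
SCAN_WINDOW = 2.0   # ... within this many seconds => port-scan signature fires
MAX_REQ_LINE = 512  # atomic signature: request line longer than this (assumed limit)

def atomic_overlong_request(event):
    """Atomic signature: decided from this single event alone, no state needed."""
    _, _, port, payload = event
    return port == 80 and len(payload) > MAX_REQ_LINE

class PortScanSignature:
    """Stateful signature: keeps recent (time, port) pairs per source."""
    def __init__(self):
        self.seen = defaultdict(list)

    def match(self, event):
        ts, src, port, _ = event
        hist = [(t, p) for t, p in self.seen[src] if ts - t <= SCAN_WINDOW]
        hist.append((ts, port))
        self.seen[src] = hist   # state survives between calls; that is the point
        return len({p for _, p in hist}) >= SCAN_PORTS

def run_idp(events):
    """Apply both signatures; return (per-event actions, sources blocked)."""
    scan, blocked, actions = PortScanSignature(), set(), []
    for ev in events:
        ts, src = ev[0], ev[1]
        if src in blocked:                       # "blocking future activity"
            actions.append((ts, src, "drop"))
        elif atomic_overlong_request(ev):        # alert and reset the TCP connection
            actions.append((ts, src, "alert+reset"))
        elif scan.match(ev):                     # stateful match: alert and block source
            blocked.add(src)
            actions.append((ts, src, "alert+block"))
        else:
            actions.append((ts, src, "allow"))
    return actions, blocked
```

Note that the host 10.0.0.9 is allowed through for its first four probes and only blocked on the fifth distinct port; that lag between first probe and block is the latency drawback the article attributes to prevention, and lowering SCAN_PORTS trades it against false positives.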