Your Network Is a Sitting Duck Without IDP

The sophistication and severity of attacks by hackers today, combined with the data-intensive needs of a mobile workforce, demand a security solution beyond a simple firewall. You need an Intrusion Detection and Prevention System to allow your workforce to get access to the information they need while at the same time stopping all types of threats, both real and imagined.
Contents
Intrusion Detection and Prevention: All About IPS & IDS
Evaluating Intrusion Prevention Systems
Managed Intrusion Detection and Prevention Services
Intrusion Detection and Prevention—More Essential Than a Firewall
©2007, Jupitermedia Corp.
Intrusion Detection and Prevention
All About IPS & IDS
Webopedia
Used in computer security, intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion in your system. The point of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.
IDS—A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and will identify probes, attacks, exploits and other vulnerabilities. IDSs can respond to a suspicious event in one of several ways, including displaying an alert, logging the event or even paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspicious intrusion.
An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses and by tracking general variances which differ from regular system activity. The IDS is able to provide notification of only known attacks.
The term IDS actually covers a large variety of products, all of which produce the end result of detecting intrusions. An IDS solution can range from cheaper shareware or freely distributed open source programs to a much more expensive and secure vendor software solution. Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices which are installed at different points along your network.
There are several ways to categorize an IDS system:
Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.
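The two approaches side by side, as an added example (not code from the Webopedia article): a signature matcher and a baseline-deviation detector run over the same constructed flow records. The signature names, addresses, sizes and thresholds are hypothetical. The documented probe is caught only by the signature database, while the never-seen port and the oversized transfer are caught only by the baseline comparison, which is why the two are usually deployed together.

```python
"""Misuse (signature) detection next to anomaly (baseline) detection.

Added example, not code from the original article: both detectors run over the
same constructed flow records. Signatures, addresses and sizes are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int
    payload: bytes  # leading application bytes of the flow (constructed)


# Misuse detection: compare traffic against a database of documented attacks.
# These are placeholder signatures, not real vendor rules.
SIGNATURES = {
    "HYPO-0001 suspicious HTTP probe": (80, "tcp", b"/probe_example?"),
    "HYPO-0002 known worm banner": (445, "tcp", b"WORM_EXAMPLE_BANNER"),
}


def misuse_detect(flows):
    """Return (flow, signature name) for each flow matching a known signature."""
    hits = []
    for f in flows:
        for name, (port, proto, pattern) in SIGNATURES.items():
            if f.dport == port and f.proto == proto and pattern in f.payload:
                hits.append((f, name))
    return hits


# Anomaly detection: the administrator's "normal" traffic profile is learned
# from a training period, then deviations from it are flagged.
@dataclass
class Baseline:
    mean_bytes: float
    std_bytes: float
    port_share: dict       # destination port -> fraction of baseline flows
    min_port_share: float  # ports rarer than this count as unusual


def learn_baseline(training_flows, min_port_share=0.05):
    sizes = [f.nbytes for f in training_flows]
    ports = Counter(f.dport for f in training_flows)
    total = len(training_flows)
    return Baseline(mean(sizes), pstdev(sizes) or 1.0,
                    {p: c / total for p, c in ports.items()}, min_port_share)


def anomaly_detect(flows, base, z_threshold=3.0):
    """Return (flow, reason) for flows that deviate from the baseline: a size
    far outside the usual distribution, or a port rarely or never seen."""
    hits = []
    for f in flows:
        z = (f.nbytes - base.mean_bytes) / base.std_bytes
        if abs(z) > z_threshold:
            hits.append((f, f"size z-score {z:.1f}"))
        elif base.port_share.get(f.dport, 0.0) < base.min_port_share:
            hits.append((f, f"unusual destination port {f.dport}"))
    return hits


def training_flows():
    """Constructed baseline: ordinary web traffic, mostly port 80, some 443."""
    flows = [Flow("10.0.0.%d" % (i + 1), "10.0.1.5", 80, "tcp",
                  1400 if i % 2 == 0 else 1600, b"GET /index.html")
             for i in range(18)]
    flows += [Flow("10.0.0.19", "10.0.1.5", 443, "tcp", 1500, b"\x16\x03\x01"),
              Flow("10.0.0.20", "10.0.1.5", 443, "tcp", 1500, b"\x16\x03\x01")]
    return flows


# Constructed test traffic, one flow per case.
TEST_FLOWS = [
    Flow("10.0.0.11", "10.0.1.5", 80, "tcp", 1550, b"GET /index.html"),         # normal
    Flow("10.0.0.12", "10.0.1.5", 80, "tcp", 1450, b"GET /probe_example?x=1"),  # documented attack, statistically normal
    Flow("10.0.0.13", "10.0.1.5", 3389, "tcp", 1500, b""),                      # undocumented: never-seen port
    Flow("10.0.0.14", "10.0.1.5", 80, "tcp", 60000, b"POST /upload"),           # undocumented: size outlier
]


def run_demo():
    base = learn_baseline(training_flows())
    return {
        "misuse": [(f.src, name) for f, name in misuse_detect(TEST_FLOWS)],
        "anomaly": [(f.src, why) for f, why in anomaly_detect(TEST_FLOWS, base)],
    }


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind, hits)
```

Running the module prints both hit lists. The anomaly detector learns its profile from twenty constructed baseline flows, so in practice the training window and the z-score threshold are the knobs that trade false positives against missed deviations.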
Passive Vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Network-based vs. Host-based IDS
Intrusion detection systems are network- or host-based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. A NIDS will usually consist of hardware sensors located at various points along the network, or software installed on system computers connected to your network, which analyzes data packets entering and leaving the network. Host-based IDS systems (HIDS) do not offer true real-time detection, but if configured correctly are close to true real-time.
Host-based IDS systems consist of software agents installed on individual computers within the system. HIDS analyze the traffic to and from the specific computer on which the intrusion detection software is installed. HIDS systems often provide features you can't get with a network-based IDS. For example, HIDS are able to monitor activities that only an administrator should be able to perform. A HIDS is also able to monitor changes to key system files and any attempt to overwrite these files. Attempts to install Trojans or backdoors can also be monitored by a HIDS and stopped. These specific intrusion events are not always seen by a NIDS.
While it depends on the size of your network and the number of individual computers which require an intrusion detection system, a NIDS is usually a cheaper solution to implement and requires less administration and training, but it is not as versatile as a HIDS. Both systems will require Internet access (bandwidth) to ensure the system is kept up-to-date with the latest virus and worm signatures.
Key Terms To Understanding Intrusion Detection & Prevention
IDS
Short for intrusion detection system...
IPS
Short for intrusion prevention system...
Intrusion signatures
When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind.
False positive
The condition in which spam-filtering software will incorrectly identify a legitimate, solicited or expected email as a spam transmission.
Additional Terms To Understanding Intrusion Detection & Prevention
hacker, virus, worm, Trojan horse, firewall
Is IDS the Same as Firewall?
The quick answer is no. Unfortunately, an IDS is commonly mistaken for a firewall or as a substitute for a firewall. While they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. A network-based intrusion protection system can also detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules.
An IDS is not a replacement for either a firewall or a good antivirus program. An IDS should be considered a tool to use in conjunction with your standard security products (like anti-virus and a firewall) to increase your system-specific or network-wide security.
False Positives and Negatives
The term false positive itself refers to security systems incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS will detect something it is not supposed to. Alternatively, an IDS is prone to false negatives, where the system fails to detect something it should. Both of these problems are associated with IDS, but they are issues vendors spend a lot of time working on, and as a result it is not believed that IDS detects a high percentage of false positives or false negatives. Still, it is a topic worth consideration when looking at different IDS solutions.
IPS—An Active Security Solution
IPS, or intrusion prevention system, is definitely the next level of security technology, with its capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. Where an IDS informs of a potential attack, an IPS makes attempts to stop it. Another huge leap over IDS is that an IPS has the capability of preventing not only known intrusion signatures, but also some unknown attacks, due to its database of generic attack behaviors. Thought of as a combination of an IDS and an application-layer firewall for protection, IPS is generally considered to be the "next generation" of IDS.
Currently, there are two types of IPSs that are similar in nature to IDS. They consist of host-based intrusion prevention systems (HIPS) products and network-based intrusion prevention systems (NIPS).
Network-based vs. Host-based IPS
Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system's applications and OS kernel. The software is preconfigured to determine the protection rules based on intrusion and attack signatures. The HIPS will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts, to name a few.
Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. A NIPS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network and more.
One interesting aspect of NIPS is that if the system finds an offending packet of information it can rewrite the packet so the hack attempt will fail, but it means the organization can mark this event to gather evidence against the would-be intruder, without the intruder's knowledge. As with all technology, NIPS is not perfect. In some instances you may end up blocking a legitimate network request.
While host-based IPSs are considered to be more secure than network-based intrusion prevention systems, the cost to install the software to each and every server and workstation within your organization may be quite high. Additionally, the HIPS on each system must be frequently updated to ensure the attack signatures are up-to-date.
Problems associated with implementing NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration. Since all data moving through the network will pass through the IPS, it could cause your network performance to drop. To combat this problem, network-based IPSs that consist of appliance or hardware and software packages are available today (at a larger cost), but they will take most of the load from running a software-based NIPS off your network.
IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will take over IDS, it is somewhat of an apples and oranges comparison. The two solutions are different in that one is a passive detection monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also weigh the implementation of a more mature IDS technology against the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management, and implementation. Plus, overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS systems and, believing that IPS is the next generation of IDS, choose to use the newer IPSs as opposed to the IDSs. Adding to the muddle, of course, will be your initial decision of choosing host-based or network-based systems for either IDS or IPS security solutions.
Much like choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions. ■
This content was adapted from internet.com's Webopedia Web site.
Evaluating Intrusion Prevention Systems
By Bob Walder
IPSs are becoming today's must-have security solution but don't deploy blindly; testing on your network is the key to success, writes CIO Update guest columnist Bob Walder of The NSS Group
With intrusion prevention systems (IPS) fast becoming as essential a purchase as the ubiquitous firewall, the choice is becoming ever more bewildering as more and more vendors scurry to bring new products to market. Some of these vendors are coming from a solid IDS (intrusion detection) background, while others are essentially hardware manufacturers (switches or anti-mitigation devices) that are crossing over into the IPS world. The resulting products are often quite different.
For example, the largely software-based IDS products tend to turn into software-based IPS products running on standard Intel hardware. While performance can be perfectly adequate, you can never expect them to match those ASIC/FPGA-based dedicated hardware devices which can yield near switch-like latencies, and handle a gigabit or more of 64-byte packets without blinking. On the other hand, the new kids on the block might be able to boast superior performance, but they are often starting from scratch when it comes to signature coverage and resistance to anti-evasion techniques; areas in which the more established IDS/IPS vendors excel.
Of course, these distinctions are disappearing as the market matures, and in the latest round of IPS testing in our labs we noted a much improved success rate in terms of which products passed our stringent tests to achieve NSS Approved awards. Using hardware accelerators, for example, can provide a much needed performance boost for the software-based products, whilst sheer experience (along with the creation or boosting of an internal security research team) can usually improve signature coverage and quality in the newer products.
Quality vs. Quantity
Quality is really the watchword here, rather than quantity. It is possible to throw tens or even hundreds of signatures at a problem when you are not limited by hardware performance, but that does not necessarily mean those signatures are good. A single, well-written signature (or protocol decoder) can often provide much more comprehensive coverage for a range of exploits.
It is important, for example, that signatures are written to detect not only the specific exploits currently in the wild, but the underlying vulnerability of which those exploits take advantage. Thus, the next time a new exploit appears riding on the back of that particular vulnerability, it will be detected and blocked immediately without requiring a signature specific to that piece of exploit code.
Similarly, it should not be possible to evade the IPS detection capability by any common means such as URL obfuscation, TCP segmentation, IP fragmentation, and so on.
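A worked illustration of both points, vulnerability coverage and evasion resistance, added here as example code (not from the article or The NSS Group): a hypothetical over-long parameter vulnerability in `/app/report.cgi`, one signature written for a single exploit's filler bytes and one written for the vulnerability itself, plus the stream reassembly and URL normalization a detector needs before matching. All paths, parameter names and lengths are invented for the example.

```python
"""Vulnerability-based versus exploit-specific signatures, with the
normalization and reassembly a detector needs to resist common evasions.

Added example, not code from the article or The NSS Group. The vulnerable
path, parameter and buffer size are hypothetical.
"""
import re
from urllib.parse import unquote

# Hypothetical vulnerability: /app/report.cgi copies its "name" parameter into
# a 64-byte buffer, so any longer value is an attempt to trigger it.
VULN_PATH = "/app/report.cgi"
VULN_PARAM = "name"
SAFE_LEN = 64


def exploit_signature(request):
    """Exploit-specific: matches one public exploit's exact filler string only."""
    return "name=" + "A" * 80 in request


def vulnerability_signature(request):
    """Vulnerability-based: fires on any over-long value for the vulnerable
    parameter, whatever bytes a particular exploit chooses to send."""
    m = re.match(r"GET (\S+)", request)
    if not m:
        return False
    path, _, query = m.group(1).partition("?")
    if path != VULN_PATH:
        return False
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == VULN_PARAM and len(value) > SAFE_LEN:
            return True
    return False


def reassemble(segments):
    """Order (seq, data) TCP segments and join them; out-of-order delivery and
    retransmitted duplicates are exactly what per-packet matching gets wrong."""
    by_seq = {}
    for seq, data in segments:
        by_seq.setdefault(seq, data)
    return "".join(by_seq[k] for k in sorted(by_seq))


def normalize(request):
    """Undo URL obfuscation so the signature sees what the server will see:
    percent-decode (twice, to cover double encoding) and collapse '//' runs."""
    return re.sub(r"/{2,}", "/", unquote(unquote(request)))


def per_packet(segments, signature):
    """Naive matcher: looks at each segment on its own."""
    return any(signature(data) for _, data in segments)


def inspect(segments, signature, normalize_first=True):
    """Stream-aware matcher: reassemble, optionally normalize, then match."""
    stream = reassemble(segments)
    if normalize_first:
        stream = normalize(stream)
    return signature(stream)


def split_out_of_order(request):
    """Constructed delivery: three segments, last one first, first one duplicated."""
    return [(60, request[60:]), (0, request[:20]), (20, request[20:60]), (0, request[:20])]


# Constructed requests.
EXPLOIT_A = "GET /app/report.cgi?name=" + "A" * 80 + " HTTP/1.0\r\n"
EXPLOIT_B = "GET /app/report.cgi?name=" + "B" * 100 + " HTTP/1.0\r\n"    # same bug, different filler
OBFUSCATED = "GET /app//report.cgi?name=" + "%41" * 80 + " HTTP/1.0\r\n"  # EXPLOIT_A, URL-obfuscated
BENIGN = "GET /app/report.cgi?name=Alice&format=pdf HTTP/1.0\r\n"


def demo():
    a_segs = split_out_of_order(EXPLOIT_A)
    return {
        "a_per_packet": per_packet(a_segs, vulnerability_signature),             # False: split across segments
        "a_reassembled": inspect(a_segs, vulnerability_signature),               # True
        "b_exploit_sig": inspect([(0, EXPLOIT_B)], exploit_signature),           # False: new filler, old signature
        "b_vuln_sig": inspect([(0, EXPLOIT_B)], vulnerability_signature),        # True: covers the vulnerability
        "obf_raw": inspect([(0, OBFUSCATED)], vulnerability_signature, False),   # False: path not canonical
        "obf_normalized": inspect([(0, OBFUSCATED)], vulnerability_signature),   # True
        "benign": inspect([(0, BENIGN)], vulnerability_signature),               # False
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case:16s} {'ALERT' if fired else 'pass'}")
```

The vulnerability-based rule catches the second exploit without a new signature, and the same rule only sees the double-slash, percent-encoded request once the stream has been reassembled and normalized; a per-segment matcher sees nothing at all.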
The quality of the signatures will also have a bearing on the susceptibility of the device to raising false positive alerts. With IDS devices, false positives are a nuisance, but only that. With IPS devices, installed in-line and in blocking mode, a false positive can have a detrimental effect on the user experience, as legitimate traffic is dropped mistakenly.
This is, therefore, a key area to investigate when planning your own trial deployments. All the lab tests in the world cannot tell you how any IPS product is going to perform when subjected to your traffic on your network.
Test, Test, Test …
This is a key point: no matter how much research you do using reports such as the ones we produce, you should never use those reports as the only basis for making your buying decisions. You should always set aside the time and budget and technical resource to perform a full bake-off in-house between all the vendors on your short-list.
This means installing all the devices at key points in your network (they can be installed in-line in detect-only mode to begin with to minimize problems), and all the necessary management software. And don't rely on the single-device Web interface if you know you will eventually need the full-blown enterprise management product.
It will never be possible to vet all of the signatures in a vendor's database, and it is just a waste of effort to try. Independent testing should give you a good idea of the quality and extent of coverage.
It is more important to run your own traffic through the device and monitor the effects. Are you seeing a large number of alerts raised against what you know to be legitimate traffic?
This could point to problems with the signature database or could highlight where traffic from custom applications in your own organization genuinely resembles exploit traffic. The latter case is easily handled, but large numbers of false positives from clean traffic indicate a potential problem, especially once the device is placed in blocking mode.
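The bake-off logic in miniature, as an added example (not from the article or The NSS Group): the same constructed, pre-labelled traffic is run through one hypothetical rule in detect-only mode and in blocking mode, and then again after tuning. The rule, hosts and payloads are invented; the ground-truth labels stand in for what you know about your own traffic during a trial.

```python
"""Detect-only versus blocking mode over pre-labelled traffic.

Added example, not code from the article or The NSS Group: a tiny inline
inspection loop scores false positives and false negatives in both modes, then
shows the tuning step for a custom application that legitimately resembles
exploit traffic. Rules, hosts and payloads are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    payload: str
    truth: str  # evaluator's ground truth, "legit" or "attack" (constructed)


@dataclass
class Rule:
    name: str
    dport: int
    needle: str  # substring that fires the rule (hypothetical signature)
    exempt_src: frozenset = frozenset()  # tuning: sources allowed to trip it

    def matches(self, ev):
        return (ev.dport == self.dport and self.needle in ev.payload
                and ev.src not in self.exempt_src)


@dataclass
class Report:
    alerts: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    false_positives: int = 0   # alerts raised on legitimate traffic
    false_negatives: int = 0   # attacks that raised no alert
    legit_blocked: int = 0     # legitimate traffic actually dropped (blocking mode only)


def run(events, rules, mode):
    """Pass every event through the rule set; mode is 'detect' or 'block'."""
    if mode not in ("detect", "block"):
        raise ValueError(mode)
    rep = Report()
    for ev in events:
        fired = [r.name for r in rules if r.matches(ev)]
        if fired:
            rep.alerts.append((ev.src, fired[0]))
            if ev.truth == "legit":
                rep.false_positives += 1
            if mode == "block":
                rep.dropped.append(ev.src)
                if ev.truth == "legit":
                    rep.legit_blocked += 1
        elif ev.truth == "attack":
            rep.false_negatives += 1
    return rep


# Constructed, labelled traffic. 10.1.1.0/24 is the internal network;
# 198.51.100.0/24 (a documentation range) plays the outside attacker.
EVENTS = [
    Event("10.1.1.10", "10.2.2.5", 80, "GET /index.html", "legit"),
    Event("198.51.100.7", "10.2.2.5", 80, "GET /cgi-bin/run?cmd=EXAMPLE", "attack"),
    Event("10.1.1.20", "10.2.2.5", 80, "GET /cgi-bin/run?cmd=nightly-report", "legit"),  # custom batch app
    Event("198.51.100.9", "10.2.2.5", 8080, "GET /cgi-bin/run?cmd=EXAMPLE", "attack"),   # same thing, other port
    Event("10.1.1.11", "10.2.2.5", 443, "TLS ClientHello (constructed)", "legit"),
]

RULES = [Rule("HYPO-CGI-CMD", 80, "/cgi-bin/run?cmd=")]


def bake_off():
    """Run the same traffic through three configurations and return the reports."""
    tuned = [Rule("HYPO-CGI-CMD", 80, "/cgi-bin/run?cmd=", frozenset({"10.1.1.20"})),
             Rule("HYPO-CGI-CMD-ALT", 8080, "/cgi-bin/run?cmd=")]
    return {
        "detect": run(EVENTS, RULES, "detect"),
        "block": run(EVENTS, RULES, "block"),
        "block_tuned": run(EVENTS, tuned, "block"),
    }


if __name__ == "__main__":
    for cfg, rep in bake_off().items():
        print(f"{cfg:12s} alerts={len(rep.alerts)} dropped={len(rep.dropped)} "
              f"FP={rep.false_positives} FN={rep.false_negatives} "
              f"legit_blocked={rep.legit_blocked}")
```

In detect-only mode the custom batch job's false positive is just an alert; in blocking mode it is a dropped legitimate request. Exempting that one source removes the false positive, and the second rule closes the coverage gap that produced the false negative, which is the kind of adjustment a trial in detect-only mode is meant to surface before blocking is enabled.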
Performance testing is also important. NSS tests push devices to the extreme, but if you can accurately categorize the make-up of traffic on your own network, you may find that you would be happy with a much lower-performing device at a much more reasonable cost.
Latency can sometimes be a very subjective issue. A device which we identify as having higher than normal latency for internal deployments may well have no effect whatsoever when installed at the perimeter of your network. Do some simple user-based testing, such as downloading large files both with and without the IPS in-line, and note the difference.
At least part of the evaluation period should also be performed with blocking enabled. It is not unknown for devices which work perfectly well in detect-only mode to fail completely once placed into blocking mode. While this type of testing could be considered "disruptive," it is better to discover such a failing before committing to a major purchasing decision.
You can reduce the risk of nasty surprises and major failures during evaluation by short-listing those devices which have achieved NSS Approved status. You can be sure that we have tested these devices extensively in-line in both detect-only and full blocking mode, with a wide range of exploits and evasion techniques, and under a wide range of network loads and traffic conditions.
A thorough bake-off in your own network, however, will allow you to assess more accurately the effect of these devices when subjected to your own traffic, and is likely to create some unique challenges for the vendors taking part. ■
Bob Walder is director of The NSS Group security testing labs in the south of France. With over 25 years in the industry, he brings broad experience to the testing environment.
This content was adapted from EarthWeb's CIO Update Web site.
Managed Intrusion Detection and Prevention Services
Lisa Phifer
ISP-Planet's biennial survey of MSSPs finds that intrusion prevention and detection services are augmented by new devices to deliver unified threat management in several different forms.
As network security improves, attackers have sharpened their focus. Today's internet threats have grown increasingly targeted, using malicious code and crafted application messages to compromise specific server and client vulnerabilities. During the first six months of 2006, Symantec estimates that 80 percent of 2,249 new-found vulnerabilities were easily exploitable, with an average enterprise exposure of 28 days before patches were available and applied. Aggressive, rigorous patch management can help, but one of the most effective and efficient steps you can take to defend those vulnerable hosts is to prevent intrusions from reaching them in the first place.
Network Intrusion Detection Systems (IDS) are designed to observe and analyze traffic, spot potential attacks, and notify network operators by sending intrusion alerts. Network Intrusion Prevention Systems (IPS) go a step further, taking steps in real time to impede the flow of suspicious traffic and therefore limit potential asset damage or data theft. IDS is generally deployed as a passive countermeasure—an insurance policy against intruders that might otherwise sneak past firewalls. IPS is (at least to some degree) proactive and automated, jumping in whenever perceived risk exceeds a predefined tolerance level.
A managed IDS / IPS service starts with the installation and provisioning of in-line or out-of-band traffic sensors and an intrusion analysis engine, accompanied by ongoing policy refinement, intrusion signature and software updates, and 24/7/365 monitoring by the MSSP's SOC. Included response can range from customer notification to provider implementation of recommended countermeasures. All but one participant in this year's Managed Security Service Provider (MSSP) survey offer this type of service, detailed by the chart shown at right.
The exception is Globix, which declined to include IDS in its survey response but describes a managed IDS service on its Website. In fact, we believe that IDS / IPS has become a core managed security service offering. As shown in the following chart (below), IDS / IPS offerings have grown from fewer than half the MSSPs surveyed in 1999 to effectively all of the MSSPs surveyed this year.
This trend tracks the evolution of network security threats, technologies, and best practices. Many firewalls and unified threat management appliances now incorporate some IDS / IPS capabilities. Today's network firewalls are simply expected to detect basic TCP/IP attacks, like TCP SYN floods and Ping of Death attacks. Deeper, broader application-layer intrusion detection and prevention often involves additional software modules, licensed feature activation, and in some cases, additional hardware sensors.
The line between managed firewall and managed IDS / IPS services reflects this layering. Two of our surveyed managed firewall services included IDS / IPS features, while ten offered these capabilities as options. Furthermore, all 15 providers described separately-branded managed IDS / IPS services. Three MSSPs (AT&T, IBM ISS, and Verizon) even offer more than one IDS / IPS service.
For example, AT&T offers three separate services: a network-based IDS, a CPE-based IDS, and a CPE-based IPS. As illustrated in this pie chart (below), this year's field was evenly split between IDS and IPS offerings. Seven services provide intrusion detection, monitoring, and customer notification; incident response, if any, is manual. Another seven provide automated intrusion analysis and policy-based response for well-defined threats—customers are notified of intrusions and stop-loss actions taken on their behalf. The remainder encompass both models within a single named service, letting service parameters determine the desired response model.
In fact, we continue to find it difficult to compare intrusion monitoring and response in a tabular survey. This year, we tried asking providers to check one of four alternatives:
• Customer monitors own intrusion alerts.
• Provider passively monitors intrusion alerts and
notifies customer.
• Provider analyzes and manually responds to alerts.
• Service responds automatically to intrusions.
Most checked several answers, noting that this depends on customer preference, incident severity, and identification reliability. If an event is clearly identified and poses significant risk, automated analysis and real-time countermeasures may be warranted. Potential intrusions that are less clear-cut may deserve human review by SOC experts and consultation with the customer regarding steps to block the offender or eliminate vulnerabilities. Fortunately, even an IPS can usually start in detect-only mode, refining prevention rules as you become more comfortable with the service's accuracy. In short, don't expect easy answers or simple comparison when it comes to intrusion response. Make sure your MSSP has the experience, infrastructure, and resources to accurately recognize and keep pace with new threats, a well-defined process for communicating them to you, and a response strategy that fits with your own corporate policy.
To identify intrusions, every IDS / IPS service must capture traffic. This year, 13 of 18 surveyed services use passive/out-of-band platforms, which are typically situated at key points throughout your network. Of those, 5 support distributed sensors and 4 support Wi-Fi sensors. These options are used to create additional observation points that can report back to a central server. Alternatively, 14 services use active/in-line platforms that observe the traffic flowing through them. Not surprisingly, many providers support both passive and active deployment models, reflecting this year's mix of detection/prevention services.
IDS/IPS platforms have grown more diverse since our last survey, dominated by IBM ISS and Cisco, followed by a noteworthy mix of Juniper, TippingPoint, McAfee, Snort, and Sourcefire. The capabilities of these platforms have a direct impact on traffic inspection, detection, and response methods. For intrusion detection, most surveyed services still employ some combination of behavior analysis, signature detection, and traffic anomaly detection. But application layer header and content inspection are now supported by just over half of the surveyed services. As for response methods, in-line packet discard, IP quarantine, and TCP reset are still very common, whether initiated manually or automatically. But this year, five services also had Wi-Fi Deauthenticate capability, supported by Wireless IPS platforms from Cisco, AirDefense, and AirMagnet.
In the end, a managed IDS / IPS service comes down to effective risk management. Many businesses that deploy their own IDS sensors or IPS-capable UTM appliances do not use those technologies to their full potential. Without proper tuning, an IDS can overwhelm you with inconsequential alerts—or overlook serious intrusions because an annoyed administrator disabled those alerts.
Outsourcing this burden to well-trained MSSP staff should reduce false positives and focus your attention on alerts that matter. Because they monitor intrusion alerts occurring in many customer networks, your MSSP's SOC should have the broad perspective needed to quickly recognize fast-breaking "zero day" attacks. When intrusions do occur, your MSSP should have the sophisticated event management and correlation tools required to assess impact and recommend effective countermeasures. For each of these tasks, experience and competence really count, so look beyond feature checklists to choose the best managed IDS / IPS service for your business. ■
This content was adapted from internet.com's ISP Planet Web site.
Intrusion Detection and Prevention—
More Essential Than a Firewall
By Manish Parks
As attacks become more sophisticated, you need better tools to protect your enterprise from threats—both existing and planned. Where firewalls were the de rigueur solution in the 90s, today you need an Intrusion Detection and Prevention system to make sure your corporate IT assets—and data—remain secure.
While corporate assets have relocated from brick and mortar to bits and bytes, so too has enterprise security, from cameras and security guards to intrusion detection and intrusion prevention systems. While Intrusion Detection and Prevention (IDP) is now staunchly embedded in the enterprise security toolkit, it still must adapt to provide more layers of asset protection against the ever-evolving landscape of threats, from hackers, spyware and Trojans to rootkits and keyloggers. IDS/IDP systems continually assess traffic connections, evaluating the source of the communication along with the type of traffic to determine whether it should even be permitted into your network environment. In the best cases, they have the power to stop an attack before it ever reaches an internal system or user.
User preferences for distributed mobile computing environments, combined with the growing complexity of corporate networks (intranets, extranets, remote and Internet access), provide a would-be attacker a fairly large, target-rich threat surface. In today's enterprise environment a vast majority of corporate intellectual property, sensitive customer information and valuable trade secrets are all stored in digital format, thus making enterprise security a top priority against economically motivated efforts to infiltrate the company network.
As threats evolve from the benign adware and randomized hijacks of 2004/2005 to malicious adware and trojans in 2006 to targeted / customized trojans and phishing in 2006/2007, the mechanisms for distribution, infection and removal have also evolved. Threat distribution has advanced from websites to Peer to Peer and finally to email and internal hacking. The sophistication of threat infections has also increased in complexity from file placement and naming to DLL injection and even modification of executables. Threat removal is no longer as simple as deleting a file on disk or deleting registry keys but is now an involved process of file neutering, correlation or driver-based removal and even dynamic conditional removal. As the threat complexity has increased, so too has the cost for repair and support. Since the global market for malware-laden software shows no signs of relenting, the need for improved security tools such as IDS and IPS will only increase in the near future.
Intrusion Detection Grows Up
The evolution of intrusion detection has grown from rudimentary audit-trail analysis in the 1970s, to rules-based expert systems in the 1980s, to an explosion of available IDS/IDP systems in the 1990s and today. We have seen the emergence of active IDS, Intrusion Detection and Prevention and Intrusion Prevention Systems (IPS), as well as the convergence of technologies such as Firewalls + Anti-Virus + IDP into appliances and security switches. Intrusion Detection provides layered security at multiple locations from the network perimeter down to the individual host.
When deployed at the perimeter of the enclave, an Intrusion Detection/Prevention System inspects connections and evaluates both the content type and the origin of the connection to decide whether the traffic should be permitted into the protected enclave at all. Traditionally, an IDS would log suspicious connections or report them in real time to a Security Information Management (SIM) system or other control system. Today, IPS integration into the perimeter layer allows active blocking of known malicious attacks as well as protocol-anomaly attacks. For example, a computer initiating an HTTP connection to an eMarketing server would not be considered suspect. The same machine trying to scan every available port on the web server could have its connections automatically terminated and be prevented from making future connections.
As deployed within the enclave, IDS sensors are placed in front of designated resources: web servers, email and file services, database engines, all of the content repositories, as well as key infrastructure components such as authentication servers and domain controllers. The key here is protection against internal attacks from compromised machines and unauthorized users or programs. Since these threats are often both less common and more surreptitious, IDS rather than IPS is often chosen here: the passive reporting of an IDS ensures that the high availability of enterprise systems is not compromised by an erroneous block, while still providing an extensive audit trail for human and SIM-based response.
The IDS also analyzes audit trails and log files sent to it by hosts, as well as the processes and systems running on the network hosts themselves. IPS at the network layer allows for an "active" defense by enforcing rules that shut down network connections. IPS also allows for integration with firewalls and thus the ability to disable threat vectors. Finally, IPS allows "data mining" to summarize events and generate reports.
Finally, at the individual host, IDP runs as a trusted application in charge of the network protocol stack. IDP active prevention is at its best here, as an application server is in the optimum position to know which specific connection types and requests are appropriate to its function. The host can also identify attacks specific to its operating system and application suite. Recent advances in intrusion prevention allow the system to perform protocol and stack enforcement as well as file checksum monitoring, to protect against the exploitation of software vulnerabilities via buffer overflow or protocol anomaly.
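The file checksum monitoring mentioned above, as an added example that is not part of the original article and does not describe any particular vendor's product: a SHA-256 baseline is taken over a directory tree while it is known-good, and later runs compare the tree against that baseline and report what was modified, added or removed. The directory layout, file names and contents are constructed for the demonstration.

```python
# Added example (not from the original article): host-level file checksum
# monitoring. A baseline of SHA-256 digests is recorded over a directory
# tree, and a later pass compares the tree against it. The files below are
# constructed for the demonstration.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make the baseline cover (or hide) files elsewhere on the host."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against the baseline and group the changes.
    A modified server binary or a new executable under a monitored path is
    exactly the signal a host IDP would alert on or block."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"\x7fELF original server binary")
        (root / "etc").mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        baseline = build_baseline(root)

        # What a successful exploit often does next: patch the server binary,
        # drop a new file, and delete a configuration file.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF trojaned server binary")
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n")
        (root / "etc" / "httpd.conf").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored somewhere the monitored host cannot rewrite (a read-only volume or the central SIM), otherwise an attacker who alters a binary simply re-baselines it; the comparison logic itself does not change.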
Intrusion Detection vs. Intrusion Prevention
Intrusion detection serves the function of a camera on the premises, while intrusion prevention serves the function of a security guard or guard dog on the premises. While the notion of blocking an attack as it happens sounds logical and useful, it has some significant drawbacks: false positives, denial of service (DoS) and latency. False positives lead to the blocking of normal traffic; denial of service arises when an attacker spoofs the source address of a legitimate host so that the IPS blocks that host; and the latency added by inline blocking limits its overall effectiveness. In practice, automatic blocking should not be keyed on source address alone, and addresses that must never be blocked (DNS servers, business partners, the sensors' own management hosts) should be kept on an exemption list. The evolution of technology and the merging of firewall and IDP functionality into a cohesive system is mitigating many of these problems. With the advent of specialized hardware such as Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) and network processors, IPS can be effectively implemented as part of the network fabric instead of as a passive, IDP-like implementation.
Features important in the selection of a good IDP system include application-level encryption protection, security policy enforcement, denial of service detection, network attack detection, network reconnaissance detection, buffer overflow detection and web application protection. Deployment considerations for IDP will generally involve sensor selection based on network media, performance analysis and network environment. Sensor placement is also crucial: a total enterprise-wide deployment should cover Internet, extranet, remote-access and intranet boundaries as well as servers and desktops. Sensor management considerations, such as out-of-band versus in-band management, are also significant: out-of-band management provides greater security and isolation but at a higher cost, while in-band management is cheaper but somewhat less secure.
Signatures Are Key in IDP—Atomic or Stateful
For an IDP system, atomic signatures, which examine a single packet, activity or event to determine whether a match should trigger a signature action, are the simplest type. Stateful signatures, unlike atomic signatures, generate an event based on a sequence of specific events, which requires the IPS device to maintain state across packets or connections. Currently, IDPs incorporate pattern detection, anomaly-based detection and behavior-based detection as the main triggering mechanisms. While pattern detection is the simplest to implement, all three mechanisms lead to one or more of the following signature actions: generating an alert, dropping or preventing the activity, logging the activity, resetting the TCP connection, blocking future activity or allowing the activity.
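As an added example that is not part of the original article and does not reproduce any vendor's engine, the following miniature IDP ties together three points made above: the atomic versus stateful signature distinction in this section, the perimeter scenario (a single HTTP connection is allowed while a port sweep of the same web server is reset and the source blocked from future connections), and the spoofed-host denial-of-service caveat from the IDS-vs-IPS section, handled here with a never-block exemption list. The addresses, ports, payloads, signature names and thresholds are constructed for the demonstration.

```python
# Added example (not from the original article): a small IDP engine with one
# atomic signature (matches a single event) and one stateful signature (needs
# state across events), run over constructed connection events. Hosts on the
# never_block list are alerted on but never auto-blocked, so spoofing their
# address cannot turn the IPS into a denial-of-service tool against them.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from typing import Deque, Dict, List, Optional, Sequence, Tuple


class Action(Enum):
    ALERT = "alert"
    LOG = "log"
    DROP = "drop"
    RESET = "reset"
    BLOCK = "block"
    ALLOW = "allow"


@dataclass(frozen=True)
class Event:
    ts: float            # seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


class AtomicSignature:
    """Fires on one event alone: a byte pattern found in the packet payload."""

    def __init__(self, name: str, pattern: bytes, actions: Sequence[Action]):
        self.name, self.regex, self.actions = name, re.compile(pattern), list(actions)

    def match(self, event: Event) -> bool:
        return self.regex.search(event.payload) is not None


class PortScanSignature:
    """Stateful: fires once a source has touched >= threshold distinct ports on
    one destination inside a sliding window, so it must remember past events."""

    def __init__(self, name: str, threshold: int, window: float, actions: Sequence[Action]):
        self.name, self.threshold, self.window, self.actions = name, threshold, window, list(actions)
        self.seen: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)

    def match(self, event: Event) -> bool:
        history = self.seen[(event.src, event.dst)]
        history.append((event.ts, event.dport))
        while history and event.ts - history[0][0] > self.window:
            history.popleft()                     # forget events outside the window
        return len({port for _, port in history}) >= self.threshold


class Engine:
    def __init__(self, signatures, never_block: Sequence[str]):
        self.signatures = list(signatures)
        self.never_block = set(never_block)      # spoofable critical hosts (constructed list)
        self.blocked = set()                     # sources denied future connections

    def process(self, event: Event) -> Tuple[List[str], List[Action]]:
        """Return (names of signatures that matched, actions taken) for one event."""
        if event.src in self.blocked:
            return ["blocked-source"], [Action.DROP]
        matched: List[str] = []
        actions: List[Action] = []
        for sig in self.signatures:             # every signature sees every event so state stays current
            if sig.match(event):
                matched.append(sig.name)
                actions += [a for a in sig.actions if a not in actions]
        if not matched:
            return [], [Action.ALLOW]
        if Action.BLOCK in actions:
            if event.src in self.never_block:    # the DoS caveat: alert, do not block
                actions = [a for a in actions if a not in (Action.BLOCK, Action.RESET)]
                if Action.ALERT not in actions:
                    actions.append(Action.ALERT)
            else:
                self.blocked.add(event.src)
        return matched, actions


def run_demo() -> List[Tuple[str, int, List[str], List[str]]]:
    """Constructed traffic: one normal HTTP request, a port sweep, a request with a
    traversal pattern, and a sweep apparently from the (spoofable) DNS resolver."""
    engine = Engine(
        [AtomicSignature("http-path-traversal", rb"\.\./\.\./", [Action.ALERT, Action.DROP, Action.LOG]),
         PortScanSignature("tcp-port-sweep", 5, 2.0, [Action.RESET, Action.BLOCK, Action.ALERT])],
        never_block=["192.0.2.53"],
    )
    web = "192.0.2.10"
    events = [Event(0.0, "10.0.0.5", web, 80, b"GET /index.html HTTP/1.1\r\n")]
    events += [Event(1.0 + i * 0.1, "10.0.0.7", web, p) for i, p in enumerate([21, 22, 23, 25, 110, 143, 443])]
    events += [Event(5.0, "10.0.0.9", web, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n")]
    events += [Event(9.0 + i * 0.1, "192.0.2.53", web, p) for i, p in enumerate([21, 22, 23, 25, 110])]
    results = []
    for ev in events:
        matched, actions = engine.process(ev)
        results.append((ev.src, ev.dport, matched, [a.value for a in actions]))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The sweep from 10.0.0.7 is allowed for its first four ports, triggers the stateful signature on the fifth, and from then on every packet from that source is dropped without further inspection; the same sweep appearing to come from the DNS resolver only raises an alert. The window check in the stateful signature is what keeps a slow scan from accumulating state forever, and is also why a deliberately slow scan can evade a threshold-in-window detector.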
As attacks get more sophisticated and companies place more of their assets on their corporate networks, the coverage provided by an IDP is essential to maintaining the data integrity of the enterprise. ■
Manish Parks is a senior security consultant specializing in DoD system certification and accreditation. He has more than ten years' experience in developing networking and security solutions for corporate and academic environments. Contact him at manish.parks@gmail.com.