Use a Combination of NIPS and NIDS Where Appropriate

advertisement
NIPS
NIPS
NIPS essentially breaks down into two categories:
 Chokepoint devices
 Intelligent switches
In addition to these architectural classes, NIPS designers make a choice
between two types of technology:
 General-purpose CPUs
 Application-specific integrated circuits (ASICs).
How Chokepoint NIPS Work
 A chokepoint NIPS could be located outside of your firewall or on your
screened subnet in front of a device you want to protect, such as your web
server.
 They will often be configured without an IP address on either of the
chokepoint interfaces to minimize their impact on the network's architecture.
 Traffic that originates from the Internet is passed through the NIPS to your
corporate firewall and beyond if it does not generate any alerts.
 In IPS mode, traffic that does generate an alert can be dropped or rejected
by the NIPS and never delivered inside your network.
 These can also be run in IDS mode, where a report is generated but the
packet is not dropped. These tend to either be a "firewall plus something" or
an "IDS plus something."
Firewall Plus Something
 Firewalls fall into three major categories, listed in increasing security
protection: packet filter, stateful, and proxy or application gateway.
 The overwhelming majority of deployed firewalls are stateful. Firewalls are
the original IPS.
 To be credible as an IPS, the firewall needs to add additional functionality,
such as the ability to run IDS-type rules.
 The next logical progression for many firewall vendors is to add intrusion
detection capacity to their firewalls.
 Because the firewall must collect and retransmit each packet that flows
through it, a logical advancement would be to allow policy to define whether
traffic identified as malicious should generate an alert and be forwarded to
the destination or whether it should generate an alert and be dropped,
thereby preventing the attack from being successful
Check Point FireWall-1 NG
Check Point's central product is FireWall-1, which is the best-known example of
a "firewall plus something" positioned as a NIPS.
Check Point FireWall-1 NG has the following IPS features:
 Attack protection with "Application Intelligence," a rudimentary contentinspection capability that blocks many well-known, well-defined attacks.
 Access control based on stateful inspection, the capability this firewall is
best known for.
 Choice of software and appliance deployments. The software is available on
a number of platforms to balance needs versus costs. The high end is
based on the high-performance, secure, and expensive Nokia appliance.
Check Point and OPSEC
 The OPSEC Alliance was founded in April of 1997. OPSEC has since grown
to over 350 partners, making it the leading platform alliance by far for
integrated Internet security solutions. Programmers find the interface very
workable, which is probably the reason for the large number of partners.
 OPSEC has enabled FireWall-1 to be extended into a number of areas
outside of Check Point's core competency, including the following:
1. Authentication
2. Authorization
3. Content security
4. Intrusion detection and protection
5. Wireless
Modwall
 Modwall
was
developed
by
Bill
Stearns
and
is
available
from
http://www.stearns.org/modwall.
 Modwall is a set of firewall/IPS modules that can be inserted into an existing
IPTables firewall on Linux.
 Rather than focusing on the normal "allow this kind of traffic from here to
here" firewall rules, modwall focuses on illegal packet traffic, which includes
invalid or unassigned source or destination IP addresses, invalid TCP flag
combinations, and packets that have been intentionally fragmented.
 Modwall then allows the administrator to define what action to take,
including dropping the traffic, logging it, and blocking traffic from the source
for a limited amount of time.
IDS Plus Something
 The "IDS plus something" classification for IPS products refers to those
vendors who have traditionally had strong IDS tools and have added active
functionality to stop the activity that generates an alert before it is delivered
on the network or executed on a host.
 An IDS plus something style IPS would generally be referred to as a NIPS,
where blocking is done at the network level.
IntruShield
 IntruShield is an example of a commercial IDS plus something style of
NIPS.
 In 2002, McAfee (McAfee was formerly named Network Associates)
acquired the IPS company Entercept for integration into its product line.
 The Entercept product line merged with the IDS products previously
available from Network Associates to offer both NIPS appliances and a
host-based IPS suite of products to protect desktops and servers.
 IntruShield is a chokepoint architecture that uses classic IDS signature and
anomaly techniques to identify attacks.
 The standard product is shipped with a base rule set that can be
customized.
IntruShield
 You can enable or disable features to best meet the demands of your
network. A lot of work has been put into the IntruShield user interface, and it
is easy to switch between IDS (passive) mode and IPS (active) mode.
NFR Sentivist
A NIPS that is directly positioned against IntruShield is NFR's Sentivist
appliance. Intrusion prevention is designed and built with a focus on three
distinctive areas in this "IDS plus something" NIPS technology:
 NFR detection engine
 Fine-grained blocking
 Resistance to self-inflicted DoS
HogWash and Snort-Inline
 HogWash was originally developed by Jed Haile and was the first to use
Snort rules in a security gateway device.
 This development effort seems to have stalled, and the work is being
continued by Snort-Inline.
 Rob Mcmillen was the next to lead the effort, hosted at http://snortinline.sourceforge.net/.
 With Snort 2.3, Snort-Inline became part of the Snort distribution
 Three new advancement were: drop (standard IPTables drop and log),
sdrop (silent drop, no logging), and reject, the noisiest rule (drop, log, forge
a TCP reset or "ICMP Port Unreachable" message, as appropriate).
LaBrea Technologies Sentry
Switch-Type NIPS
 Another classification of NIPS is an intelligent switch you plug your network
in to.
 This is probably the most effective of the NIPS products available on the
market place today, making the best use of firewalls, IDS tools, and
routers/switches, ideally in a single parallel-processing, high-performance,
low-latency device.
 These switches have enough processing power to do more than just
enhance the performance of a network by preventing Ethernet collisions.
 Expect to see antivirus, traffic-shaping, load-balancing, and intrusion
prevention in the network itself.
Switch-Type NIPS
 Of course, this next generation of switches that use massive arrays of
parallel ASICs to connect the internal and external segments of your
network together are going to be expensive. By using many of the
techniques employed by advanced NIDS tools,
 The NIPS device can identify events on the network that are hostile.
Because of its position (inline with the traffic of your entire network), the
NIPS device can stop the hostile activity from ever being delivered to the
target system. This also strongly enhances anomaly detection and network
learning because all the traffic passes through the switch.
Protocol Scrubbing, Rate Limiting, and
Policy Enforcement
 A NIPS device can be used to clean garbage from the traffic stream, thus
reducing the overall network load.
 Another feature of switch-type NIPS devices is the ability to use rate limiting
to apply Quality of Service (QoS) mechanisms to network traffic.
 Because the NIPS device is already classifying traffic based on application,
administrators can use this functionality to enforce organizational policy to
drop traffic from unauthorized applications.
Environmental Anomaly Analysis
 What is anomalous with a given application or protocol in one environment
may not be anomalous in the next environment.
 One of the immediate benefits of this capability is the support of an active
change control program. NIDS and NIPS tools alike can detect a new
version of an operating system or application and raise an alert, or even
modify the rule set to take the new information into account.
 This could help the operations administrators manage unauthorized change.
Obviously, you can only process so many alerts, so this would be managed
by the analyst or administrator to help determine where appropriate
thresholds should be set.
Environmental Anomaly Analysis
 Because the NIPS device is simultaneously tracking connection state for
thousands or even millions of connections, it can take a "broad perspective"
view to detect anomalies that involve many connections across an entire
enterprise.
NIPS Challenges
In order for NIPS devices to be deployed as reliable, effective devices, they
must overcome several challenges:
1.Detection capabilities
2.Evasion resistance
3.Stable performance
4.High throughput
5.Low-latency, built-in security
6.The ability to passively determine operating systems and application versions
Security
 The NIPS device must be secured against compromise because a
compromised NIPS would give an attacker the ability to establish a man-inthe-middle attack against all the traffic entering or leaving the network.
 This is typically performed by configuring the NIPS without IP or MAC
addresses on data interfaces, using a hardened operating system that
resists common attacks, and using a secured management interface that
strictly defines who is permitted to connect to and administer the system.
 Attackers will seek opportunities to break NIPS, whether using denial of
service or to circumvent the protection the NIPS provides, so the NIPS
device must be able to withstand any direct attacks.
Passive Analysis
 In order to help the NIPS identify false-positive traffic, vendors make use of
passive analysis techniques to identify host operating systems, network
architecture, and what vulnerabilities are present on the network.
 Three of the most well-known standalone tools for this purpose are P0f
(available at http://www.stearns.org), RNA by SourceFire, and NeVO from
Tenable Security, and they should be available to some extent on every
NIPS.
 Figure next provides a sample analysis using the NeVO system. Once this
information is gathered, the NIPS can use it to classify attacks against
internal systems based on their operating system and vulnerabilities.
Increased Security Intelligence in the Switch
Products
 Switch-based, "bump in the wire" NIPS is a fast growing market segment,
and there is no possible way to predict what all the players will do.
 TippingPoint, Enterasys, and Radware. All our efforts to get Cisco to share
its plans have failed; however, between the existing Cisco Security Agent,
the Network Admissions Program, and educational efforts to help network
administrators get more security out of their existing IOS products, it seems
certain Cisco will be a player.
 A subset of these products includes the true NIPS devices, which are
categorized as wire-speed switches, have IPS capability, and, in general,
are based on parallel ASICs. These products include TippingPoint's
UnityOne IPS and TopLayer Attack Mitigator.
TippingPoint's UnityOne IPS
 TippingPoint's UnityOne IPS product was currently the overwhelming
market leader for a switch-type NIPS.
 It offers an inline NIDS that provides multigigabit performance, low latency,
and multiple mechanisms to detect known and unknown attacks on the
network. In addition to providing IPS features, UnityOne provides the ability
to traffic-shape or rate-limit traffic for QoS measures.
 It also provides policy enforcement by blocking applications that are
prohibited by your organization's acceptable-use policy (such as peer-to-
peer apps, web mail, or instant messaging).
TippingPoint's UnityOne IPS
When the UnityOne device identifies malicious activity or activities that violate
policy rules, the engine uses one of four available response mechanisms:
1.Monitor The UnityOne device monitors the activity, generating a log for later
analysis.
2.Report The UnityOne device simply reports the event without detailed logging
data.
3.Limit The UnityOne device restricts the throughput or rate of the malicious
activity.
4.Block The UnityOne device simply drops the traffic before it is delivered to the
destination
TopLayer Attack Mitigator
 In the days before true gigabit IDS, TopLayer gained fame as the solution
for high-bandwidth monitoring via load balancing.
 Like TippingPoint's product, this is a very fast box with high availability, hotswappable components, parallel ASICs, and a price tag to match the
performance.
 Attack Mitigator's roots are more from suppressing distributed denial of
service resource exhaustion and protocol anomaly attacks than a true IPS,
but it certainly has the chassis to build on and, like FireWall-1, is very good
at well-known, well-understood attacks.
 TopLayer calls its inspection technology TopInspect.
Switch NIPS Deployment Recommendations
 Deploying a NIPS solution is a major project, Start off with reporting-only
mode, study the false positives and negatives for your chosen solution
carefully, invest the time in creating a sustainable process for configuration
management, make sure Operations is a full partner in the process of NIPS
deployment, and remember that your NIDS is still a valuable source of
information.
Begin Budgeting Now
 You will probably be strongly considering the next generation of switches
with security intelligence sometime in the next two years. This is going to be
expensive, so speak to your manager and see what can be done to plan for
this expense in a technology refresh cycle.
Switch NIPS Deployment Recommendations
Review Products in Report-Only Mode
 Before you start using a NIPS device to start blocking attacks on your
network, run the device in report-only mode. Use this information to identify
what events the NIPS would have dropped on your network, and what the
impact would have been to the network.
Work with Vendors Identifying Test Procedures for False Positives and
False Negatives
 Ask your vendor to detail its testing procedure for new rules and anomaly
analysis techniques. Ensure the vendor uses a combination of "live" and
"attack" scenarios at rates that are appropriate for your network
environment before shipping you updates. Ask your vendor what techniques
it uses to eliminate false-positive traffic, and how it exercises auditing to
ensure it isn't missing attacks.
Switch NIPS Deployment Recommendations
Be Wary of Absence of Auto-Update Mechanisms
 consider the purchase of expensive switch NIPS is worm management, this
makes being able to keep the device up to date with the latest signatures
critical.
Be Wary of Auto-Update Mechanisms
 Auto-update mechanisms ease the implementation and deployment of NIPS
products but can assert a new set of challenges on your organization. Ask
your vendor to support a mixed-reporting mechanism, where new rules are
placed in report-only mode for a specified amount of time. This way, the
organization can take advantage of existing functionality in the NIPS while
the analyst has the ability to identify false-positive alerts or performance
burdens that affect throughput and latency on the network.
Switch NIPS Deployment Recommendations
Document a Change-Management Mechanism
 Identify who should be responsible for managing updates to NIPS software,
and how often the software should be updated. Include information about
how the organization should react to updates based on new Internet threats,
such as a new worm or other exploitative threat. Having this policy in place
before a new threat emerges will define how well your organization will be
able to leverage NIPS technology.
Switch NIPS Deployment Recommendations
Expect the NIPS to Be Blamed for All Problems
 A new product like a NIPS is potentially invasive toward network operations.
At some point, someone in the organization is bound to experience a
problem and cast blame on the NIPS device. The best way to mitigate this
problem is to clearly document the use and functionality of the NIPS device
and utilize the logging features that come with the NIPS to identify traffic
that is dropped, shaped, or altered in any way.
Switch NIPS Deployment Recommendations
Use a Combination of NIPS and NIDS Where Appropriate
 NIDS investments don't go out the window after a NIPS device is deployed.
We can still leverage the technology of NIDS devices to aid in assessing
threats, baselining attack statistics, and troubleshooting network problems
with the addition of a NIPS device. After deploying a NIPS tool, many
organizations focus their NIDS tools to monitor internal networks, to aid in
identifying attacks that make it past the NIPS device, and to identify insider
threats. We don't expect NIDS technology to go away anytime soon;
instead, we expect the technology to continue to mature and add value to
organizations that take full advantage of the functionality available.
Download