NIPS

NIPS essentially breaks down into two architectural categories:
1. Chokepoint devices
2. Intelligent switches

In addition to these architectural classes, NIPS designers choose between two types of technology:
1. General-purpose CPUs
2. Application-specific integrated circuits (ASICs)

How Chokepoint NIPS Work

A chokepoint NIPS can be located outside your firewall or on your screened subnet in front of a device you want to protect, such as your web server. It is often configured without an IP address on either chokepoint interface to minimize its impact on the network architecture. Traffic originating from the Internet passes through the NIPS to your corporate firewall and beyond if it does not generate any alerts. In IPS mode, traffic that does generate an alert can be dropped or rejected by the NIPS and is never delivered inside your network. The same devices can also run in IDS mode, where a report is generated but the packet is not dropped. Chokepoint NIPS tend to be either a "firewall plus something" or an "IDS plus something."

Firewall Plus Something

Firewalls fall into three major categories, listed in order of increasing security protection: packet filter, stateful, and proxy or application gateway. The overwhelming majority of deployed firewalls are stateful. Firewalls are the original IPS. To be credible as an IPS, a firewall needs additional functionality, such as the ability to run IDS-type rules, so the next logical progression for many firewall vendors is to add intrusion detection capability to their firewalls.
Because the firewall must collect and retransmit each packet that flows through it, a logical advancement is to let policy define whether traffic identified as malicious should generate an alert and be forwarded to its destination, or generate an alert and be dropped, thereby preventing the attack from succeeding.

Check Point FireWall-1 NG

Check Point's central product is FireWall-1, the best-known example of a "firewall plus something" positioned as a NIPS. Check Point FireWall-1 NG has the following IPS features:
1. Attack protection with "Application Intelligence," a rudimentary content-inspection capability that blocks many well-known, well-defined attacks.
2. Access control based on stateful inspection, the capability this firewall is best known for.
3. A choice of software and appliance deployments. The software is available on a number of platforms to balance needs against costs; the high end is based on the high-performance, secure, and expensive Nokia appliance.

Check Point and OPSEC

The OPSEC Alliance was founded in April 1997 and has since grown to over 350 partners, making it by far the leading platform alliance for integrated Internet security solutions. Programmers find the interface very workable, which is probably the reason for the large number of partners. OPSEC has enabled FireWall-1 to be extended into a number of areas outside Check Point's core competency, including the following:
1. Authentication
2. Authorization
3. Content security
4. Intrusion detection and protection
5. Wireless

Modwall

Modwall was developed by Bill Stearns and is available from http://www.stearns.org/modwall. Modwall is a set of firewall/IPS modules that can be inserted into an existing IPTables firewall on Linux.
Rather than focusing on the normal "allow this kind of traffic from here to here" firewall rules, Modwall focuses on illegal packet traffic: invalid or unassigned source or destination IP addresses, invalid TCP flag combinations, and packets that have been intentionally fragmented. Modwall then lets the administrator define what action to take, including dropping the traffic, logging it, and blocking traffic from the source for a limited amount of time.

IDS Plus Something

The "IDS plus something" classification of IPS products refers to vendors who have traditionally had strong IDS tools and have added active functionality to stop the activity that generates an alert before it is delivered on the network or executed on a host. An "IDS plus something" IPS that blocks at the network level is generally referred to as a NIPS.

IntruShield

IntruShield is an example of a commercial "IDS plus something" NIPS. In 2002, McAfee (formerly named Network Associates) acquired the IPS company Entercept for integration into its product line. The Entercept product line merged with the IDS products previously available from Network Associates to offer both NIPS appliances and a host-based IPS suite to protect desktops and servers. IntruShield is a chokepoint architecture that uses classic IDS signature and anomaly techniques to identify attacks. The standard product ships with a base rule set that can be customized, and you can enable or disable features to best meet the demands of your network. A lot of work has been put into the IntruShield user interface, and it is easy to switch between IDS (passive) mode and IPS (active) mode.

NFR Sentivist

A NIPS positioned directly against IntruShield is NFR's Sentivist appliance.
Sentivist's intrusion prevention is designed and built with a focus on three distinctive areas of this "IDS plus something" NIPS technology:
1. NFR detection engine
2. Fine-grained blocking
3. Resistance to self-inflicted DoS

HogWash and Snort-Inline

HogWash was originally developed by Jed Haile and was the first to use Snort rules in a security gateway device. That development effort seems to have stalled, and the work is being continued by Snort-Inline. Rob McMillen was the next to lead the effort, hosted at http://snortinline.sourceforge.net/. With Snort 2.3, Snort-Inline became part of the Snort distribution. Three new rule actions were added: drop (standard IPTables drop and log), sdrop (silent drop, no logging), and reject, the noisiest action (drop, log, and forge a TCP reset or "ICMP Port Unreachable" message, as appropriate).

LaBrea Technologies Sentry

Switch-Type NIPS

Another classification of NIPS is an intelligent switch that you plug your network into. This is probably the most effective of the NIPS products on the market today, making the best use of firewalls, IDS tools, and routers/switches, ideally in a single parallel-processing, high-performance, low-latency device. These switches have enough processing power to do more than just enhance the performance of a network by preventing Ethernet collisions: expect to see antivirus, traffic shaping, load balancing, and intrusion prevention in the network itself. Of course, this next generation of switches, which use massive arrays of parallel ASICs to connect the internal and external segments of your network, is going to be expensive. By using many of the techniques employed by advanced NIDS tools, the NIPS device can identify hostile events on the network. Because of its position (inline with the traffic of your entire network), the NIPS device can stop the hostile activity from ever being delivered to the target system.
Because all traffic passes through the switch, this position also strongly enhances anomaly detection and network learning.

Protocol Scrubbing, Rate Limiting, and Policy Enforcement

A NIPS device can be used to clean garbage from the traffic stream, reducing the overall network load. Another feature of switch-type NIPS devices is the ability to use rate limiting to apply Quality of Service (QoS) mechanisms to network traffic. Because the NIPS device is already classifying traffic by application, administrators can use this functionality to enforce organizational policy by dropping traffic from unauthorized applications.

Environmental Anomaly Analysis

What is anomalous for a given application or protocol in one environment may not be anomalous in the next. One of the immediate benefits of this capability is support for an active change control program: NIDS and NIPS tools alike can detect a new version of an operating system or application and raise an alert, or even modify the rule set to take the new information into account. This could help operations administrators manage unauthorized change. Obviously, you can only process so many alerts, so the analyst or administrator would manage this capability to determine where appropriate thresholds should be set. Because the NIPS device is simultaneously tracking connection state for thousands or even millions of connections, it can take a "broad perspective" view to detect anomalies that involve many connections across an entire enterprise.
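The two chokepoint behaviours described above, Modwall's illegal-packet checks with a time-limited block of the offending source and Snort-Inline's drop, sdrop and reject actions, modelled together in one small inline engine. This is an added example written for this page, not Modwall or Snort-Inline code; the bogon list, flag combinations, rule set, addresses and timestamps are all constructed for the demonstration.

```python
# Added example: an inline policy engine modelling Modwall-style illegal-packet
# handling (with time-limited source blocking) and the Snort-Inline rule actions
# drop / sdrop / reject. Not Modwall or Snort-Inline code; all data is constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
import ipaddress

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags set, e.g. {"SYN"}
    fragment: bool = False                # True for a non-first IP fragment

@dataclass
class Rule:
    action: str        # "drop", "sdrop" or "reject" (Snort-Inline actions)
    proto: str
    dport: int
    msg: str

@dataclass
class Verdict:
    forwarded: bool
    logged: bool
    response: Optional[str]   # forged reply for "reject", else None
    reason: str

# Constructed: address space that must never be a source on an Internet-facing
# interface (private, loopback, multicast, reserved).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# TCP flag combinations no legitimate stack emits (null, SYN+FIN, SYN+RST,
# bare FIN, "Xmas").
INVALID_TCP_FLAGS = {frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}),
                     frozenset({"FIN"}), frozenset({"FIN", "PSH", "URG"})}

def illegal_reason(pkt: Packet) -> Optional[str]:
    """Why the packet is illegal traffic in the Modwall sense, or None if it is not."""
    if any(ipaddress.ip_address(pkt.src) in net for net in BOGON_SOURCES):
        return "bogon-source"
    if pkt.proto == "tcp" and pkt.flags in INVALID_TCP_FLAGS:
        return "invalid-tcp-flags"
    if pkt.fragment:
        return "fragment"
    return None

class InlineEngine:
    def __init__(self, rules: List[Rule], block_seconds: float = 300.0):
        self.rules = rules
        self.block_seconds = block_seconds
        self.blocked = {}            # src address -> time its temporary block expires
        self.log: List[str] = []

    def process(self, pkt: Packet, now: float) -> Verdict:
        expiry = self.blocked.pop(pkt.src, None)
        if expiry is not None and now < expiry:
            self.blocked[pkt.src] = expiry       # still inside the block window
            return Verdict(False, False, None, "source-blocked")
        reason = illegal_reason(pkt)
        if reason is not None:
            # Modwall behaviour: drop, log and block the source for a limited time.
            self.blocked[pkt.src] = now + self.block_seconds
            self.log.append(f"ILLEGAL {reason} src={pkt.src}")
            return Verdict(False, True, None, reason)
        for rule in self.rules:
            if rule.proto == pkt.proto and rule.dport == pkt.dport:
                return self._apply(rule, pkt)
        return Verdict(True, False, None, "pass")

    def _apply(self, rule: Rule, pkt: Packet) -> Verdict:
        flow = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}"
        if rule.action == "sdrop":           # silent drop: nothing logged
            return Verdict(False, False, None, rule.msg)
        if rule.action == "drop":
            self.log.append(f"DROP {rule.msg} {flow}")
            return Verdict(False, True, None, rule.msg)
        if rule.action == "reject":
            # Tear down TCP with a forged RST; answer UDP with ICMP port unreachable.
            response = "TCP RST" if pkt.proto == "tcp" else "ICMP port unreachable"
            self.log.append(f"REJECT {rule.msg} {flow} ({response})")
            return Verdict(False, True, response, rule.msg)
        raise ValueError(f"unknown action {rule.action!r}")

RULES = [  # constructed policy
    Rule("drop", "tcp", 23, "telnet prohibited by policy"),
    Rule("sdrop", "udp", 1434, "udp/1434 silently discarded"),
    Rule("reject", "tcp", 135, "dce-rpc endpoint mapper"),
    Rule("reject", "udp", 161, "snmp from outside"),
]

def demo() -> List[Verdict]:
    """Push constructed packets through the engine; timestamps are epoch seconds."""
    eng = InlineEngine(RULES, block_seconds=300)
    dst, syn = "203.0.113.10", frozenset({"SYN"})
    return [
        eng.process(Packet("198.51.100.7", dst, "tcp", 40000, 80, frozenset({"SYN", "FIN"})), 1000),
        eng.process(Packet("198.51.100.7", dst, "tcp", 40001, 80, syn), 1010),   # still blocked
        eng.process(Packet("198.51.100.7", dst, "tcp", 40002, 80, syn), 1300),   # block lapsed
        eng.process(Packet("10.0.0.5", dst, "tcp", 40003, 80, syn), 1301),
        eng.process(Packet("198.51.100.8", dst, "tcp", 40004, 23, syn), 1302),
        eng.process(Packet("198.51.100.8", dst, "udp", 40005, 1434), 1303),
        eng.process(Packet("198.51.100.9", dst, "tcp", 40006, 135, syn), 1304),
        eng.process(Packet("198.51.100.9", dst, "udp", 40007, 161), 1305),
        eng.process(Packet("198.51.100.11", dst, "udp", 53, 53, fragment=True), 1306),
    ]
```

Calling demo() returns one verdict per packet. The illegal-packet checks run before any rule, exactly as Modwall sits in front of the ordinary allow/deny rules, and the temporary block means a source that sent one bad packet is refused for 300 seconds even when its later packets are clean. The reject action answers UDP with an ICMP port unreachable rather than a reset, which is the "as appropriate" in the Snort-Inline description.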
NIPS Challenges

For NIPS devices to be deployed as reliable, effective devices, they must overcome several challenges:
1. Detection capabilities
2. Evasion resistance
3. Stable performance
4. High throughput
5. Low-latency, built-in security
6. The ability to passively determine operating systems and application versions

Security

The NIPS device must be secured against compromise, because a compromised NIPS would give an attacker the ability to mount a man-in-the-middle attack against all the traffic entering or leaving the network. This is typically achieved by configuring the NIPS without IP or MAC addresses on its data interfaces, using a hardened operating system that resists common attacks, and using a secured management interface that strictly defines who is permitted to connect to and administer the system. Attackers will seek opportunities to break the NIPS, whether through denial of service or by circumventing the protection it provides, so the NIPS device must be able to withstand direct attacks.

Passive Analysis

To help the NIPS identify false-positive traffic, vendors use passive analysis techniques to identify host operating systems, network architecture, and the vulnerabilities present on the network. Three of the best-known standalone tools for this purpose are P0f (available at http://www.stearns.org), RNA by SourceFire, and NeVO from Tenable Security, and they should be available to some extent on every NIPS. The figure that follows provides a sample analysis using the NeVO system. Once this information is gathered, the NIPS can use it to classify attacks against internal systems according to their operating system and vulnerabilities.

Increased Security Intelligence in the Switch Products

Switch-based, "bump in the wire" NIPS is a fast-growing market segment, and there is no way to predict what all the players will do. Current players include TippingPoint, Enterasys, and Radware.
All our efforts to get Cisco to share its plans have failed; however, between the existing Cisco Security Agent, the Network Admissions Program, and educational efforts to help network administrators get more security out of their existing IOS products, it seems certain Cisco will be a player. A subset of these products are the true NIPS devices: wire-speed switches with IPS capability, in general based on parallel ASICs. These include TippingPoint's UnityOne IPS and the TopLayer Attack Mitigator.

TippingPoint's UnityOne IPS

TippingPoint's UnityOne IPS is currently the overwhelming market leader among switch-type NIPS. It offers an inline NIDS that provides multigigabit performance, low latency, and multiple mechanisms to detect known and unknown attacks on the network. In addition to IPS features, UnityOne can traffic-shape or rate-limit traffic for QoS purposes. It also provides policy enforcement by blocking applications prohibited by your organization's acceptable-use policy (such as peer-to-peer applications, web mail, or instant messaging). When the UnityOne device identifies malicious activity or activity that violates policy rules, the engine uses one of four available response mechanisms:
1. Monitor: the device monitors the activity, generating a log for later analysis.
2. Report: the device simply reports the event without detailed logging data.
3. Limit: the device restricts the throughput or rate of the malicious activity.
4. Block: the device simply drops the traffic before it is delivered to the destination.

TopLayer Attack Mitigator

In the days before true gigabit IDS, TopLayer gained fame as the solution for high-bandwidth monitoring via load balancing.
Like TippingPoint's product, this is a very fast box with high availability, hot-swappable components, parallel ASICs, and a price tag to match the performance. Attack Mitigator's roots lie more in suppressing distributed denial of service resource-exhaustion and protocol-anomaly attacks than in being a true IPS, but it certainly has the chassis to build on and, like FireWall-1, is very good at well-known, well-understood attacks. TopLayer calls its inspection technology TopInspect.

Switch NIPS Deployment Recommendations

Deploying a NIPS solution is a major project. Start off in reporting-only mode, study the false positives and negatives of your chosen solution carefully, invest the time to create a sustainable process for configuration management, make sure Operations is a full partner in the NIPS deployment, and remember that your NIDS is still a valuable source of information.

Begin Budgeting Now

You will probably be strongly considering the next generation of switches with security intelligence sometime in the next two years. This is going to be expensive, so speak to your manager and see what can be done to plan for this expense in a technology refresh cycle.

Review Products in Report-Only Mode

Before you start using a NIPS device to block attacks on your network, run the device in report-only mode. Use this information to identify which events the NIPS would have dropped on your network and what the impact would have been.

Work with Vendors to Identify Test Procedures for False Positives and False Negatives

Ask your vendor to detail its testing procedure for new rules and anomaly analysis techniques. Ensure the vendor uses a combination of "live" and "attack" scenarios at rates appropriate for your network environment before shipping you updates.
Ask your vendor what techniques it uses to eliminate false-positive traffic, and how it audits its own detection to ensure it isn't missing attacks.

Be Wary of the Absence of Auto-Update Mechanisms

One of the main reasons to consider purchasing an expensive switch NIPS is worm management, which makes the ability to keep the device up to date with the latest signatures critical.

Be Wary of Auto-Update Mechanisms

Auto-update mechanisms ease the implementation and deployment of NIPS products but can impose a new set of challenges on your organization. Ask your vendor to support a mixed-reporting mechanism, where new rules are placed in report-only mode for a specified amount of time. This way, the organization can take advantage of the existing functionality of the NIPS while the analyst has the opportunity to identify false-positive alerts or performance burdens that affect throughput and latency on the network.

Document a Change-Management Mechanism

Identify who should be responsible for managing updates to the NIPS software and how often the software should be updated. Include information about how the organization should react to updates based on new Internet threats, such as a new worm or other exploit. Having this policy in place before a new threat emerges will determine how well your organization is able to leverage NIPS technology.

Expect the NIPS to Be Blamed for All Problems

A new product like a NIPS is potentially invasive toward network operations. At some point, someone in the organization is bound to experience a problem and blame the NIPS device. The best way to mitigate this is to clearly document the use and functionality of the NIPS device and to use its logging features to identify traffic that is dropped, shaped, or altered in any way.
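One way to implement the mixed-reporting rollout recommended above, as an added example rather than any vendor's feature: each delivered signature carries an install time and a grace period during which matches are only reported, an analyst can pin a rule to report-only after review, a re-delivered signature does not restart its clock, and every change is recorded for the change-management process. The signatures, ports, addresses and timestamps are constructed.

```python
# Added example: mixed-reporting rollout of signature updates with a change log.
# Not vendor code; every signature, address and timestamp is constructed.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Signature:
    sid: int
    msg: str
    proto: str
    dport: int

@dataclass
class Deployment:
    sig: Signature
    installed_at: float               # epoch seconds when the update was applied
    grace: float                      # seconds to stay in report-only mode
    pinned_report_only: bool = False  # analyst override after a bad review

    def enforcing(self, now: float) -> bool:
        return not self.pinned_report_only and now >= self.installed_at + self.grace

@dataclass
class Event:
    sid: int
    src: str
    mode: str   # "enforced" (traffic dropped) or "report-only" (would have dropped)

class MixedReportingPolicy:
    def __init__(self, grace_seconds: float = 7 * 24 * 3600):
        self.grace = grace_seconds
        self.deployed: Dict[int, Deployment] = {}
        self.events: List[Event] = []
        self.changelog: List[str] = []   # change-management record

    def install_update(self, sigs: List[Signature], now: float) -> None:
        """Apply a vendor update; only signatures not seen before start a grace period."""
        for sig in sigs:
            if sig.sid in self.deployed:
                self.deployed[sig.sid].sig = sig     # refreshed rule text, same clock
                continue
            self.deployed[sig.sid] = Deployment(sig, now, self.grace)
            self.changelog.append(f"{now:.0f} install sid={sig.sid} report-only for {self.grace:.0f}s")

    def pin_report_only(self, sid: int, now: float, why: str) -> None:
        self.deployed[sid].pinned_report_only = True
        self.changelog.append(f"{now:.0f} pin sid={sid} report-only: {why}")

    def evaluate(self, proto: str, dport: int, src: str, now: float) -> str:
        """Return 'drop' or 'forward' for a flow, recording a hit on any matching signature."""
        for dep in self.deployed.values():
            if dep.sig.proto == proto and dep.sig.dport == dport:
                mode = "enforced" if dep.enforcing(now) else "report-only"
                self.events.append(Event(dep.sig.sid, src, mode))
                return "drop" if mode == "enforced" else "forward"
        return "forward"

    def review(self) -> Counter:
        """Hits per signature while in report-only mode: the analyst's triage list."""
        return Counter(e.sid for e in self.events if e.mode == "report-only")

def demo() -> dict:
    """Walk through one update cycle with constructed data and return the observations."""
    day = 24 * 3600
    policy = MixedReportingPolicy(grace_seconds=day)
    policy.install_update([Signature(1001, "tftp read request", "udp", 69),
                           Signature(1002, "irc join", "tcp", 6667)], now=0)
    first = policy.evaluate("udp", 69, "192.0.2.10", now=3600)        # inside grace: forward
    second = policy.evaluate("tcp", 6667, "192.0.2.11", now=7200)     # inside grace: forward
    policy.pin_report_only(1002, now=7200, why="internal chat server uses 6667")
    # A re-delivery of sid 1001 must not restart its grace period.
    policy.install_update([Signature(1001, "tftp read request v2", "udp", 69),
                           Signature(1003, "finger probe", "tcp", 79)], now=day // 2)
    third = policy.evaluate("udp", 69, "192.0.2.10", now=day)         # grace over: drop
    fourth = policy.evaluate("tcp", 6667, "192.0.2.11", now=3 * day)  # pinned: forward
    fifth = policy.evaluate("tcp", 79, "192.0.2.12", now=day)         # new sid still in grace
    return {"verdicts": [first, second, third, fourth, fifth],
            "review": dict(policy.review()), "changelog": policy.changelog}
```

The review() output is what the analyst looks at before the grace period ends: a signature that fired many times in report-only mode against known-good internal traffic is a false-positive candidate and gets pinned, while one that fired against nothing but genuine probes is allowed to start dropping. The changelog answers the "who changed what, when" question the change-management recommendation raises.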
Use a Combination of NIPS and NIDS Where Appropriate

NIDS investments don't go out the window after a NIPS device is deployed. With a NIPS in place, NIDS devices can still be leveraged to aid in assessing threats, baselining attack statistics, and troubleshooting network problems. After deploying a NIPS tool, many organizations refocus their NIDS tools on monitoring internal networks, identifying attacks that make it past the NIPS device, and identifying insider threats. We don't expect NIDS technology to go away anytime soon; instead, we expect it to continue to mature and add value to organizations that take full advantage of the functionality available.
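The Passive Analysis section above states that a NIPS can use passively learned operating-system and vulnerability data to classify attacks against internal systems. The following added example models that classification step (it is not code from P0f, RNA, NeVO or any NIPS product): a constructed host inventory, as passive analysis might assemble it, is consulted for each alert, and alerts are graded so that confirmed exposures are reviewed first and OS-mismatched noise last. All hosts, signature ids and alert messages are constructed placeholders.

```python
# Added example: grading alerts against a passively learned host inventory.
# Not P0f, RNA, NeVO or vendor code; hosts, sids and messages are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class HostProfile:
    ip: str
    os_family: str                 # passively fingerprinted, e.g. "windows", "linux"
    services: Dict[int, str]       # dport -> application seen answering on it
    vulnerable_to: Set[int] = field(default_factory=set)   # sids confirmed applicable

@dataclass
class Alert:
    sid: int
    msg: str
    dst: str
    dport: int
    target_os: Set[str] = field(default_factory=set)   # OS families affected; empty = any
    target_app: str = ""                               # application the rule targets; "" = any

# Lower number = review first.
PRIORITY = {"confirmed": 0, "possible": 1, "unknown-target": 2,
            "no-service-observed": 3, "irrelevant-app": 4, "irrelevant-os": 5}

def classify(alert: Alert, inventory: Dict[str, HostProfile]) -> str:
    host = inventory.get(alert.dst)
    if host is None:
        return "unknown-target"          # nothing learned yet; cannot safely downgrade
    if alert.sid in host.vulnerable_to:
        return "confirmed"
    if alert.target_os and host.os_family not in alert.target_os:
        return "irrelevant-os"
    app = host.services.get(alert.dport)
    if app is None:
        return "no-service-observed"     # absence of evidence only, so not dismissed outright
    if alert.target_app and app != alert.target_app:
        return "irrelevant-app"
    return "possible"

def triage(alerts: List[Alert], inventory: Dict[str, HostProfile]) -> List[Tuple[str, int, str]]:
    """Return (grade, sid, dst) for every alert, highest-priority first."""
    graded = [(classify(a, inventory), a.sid, a.dst) for a in alerts]
    return sorted(graded, key=lambda g: (PRIORITY[g[0]], g[1]))

# Constructed inventory, as passive analysis might have assembled it.
INVENTORY = {
    "10.1.1.10": HostProfile("10.1.1.10", "windows", {80: "iis", 445: "smb"}, {2001}),
    "10.1.1.20": HostProfile("10.1.1.20", "linux", {80: "apache", 22: "ssh"}),
}

# Constructed alerts; sids and messages are placeholders, not real rule ids.
ALERTS = [
    Alert(2001, "iis request overflow", "10.1.1.10", 80, {"windows"}, "iis"),
    Alert(2001, "iis request overflow", "10.1.1.20", 80, {"windows"}, "iis"),
    Alert(3001, "generic web scanner user-agent", "10.1.1.20", 80),
    Alert(3002, "apache module probe", "10.1.1.20", 22, {"linux"}, "apache"),
    Alert(3003, "mysql login brute force", "10.1.1.20", 3306, set(), "mysql"),
    Alert(3004, "smb null session", "10.9.9.9", 445, {"windows"}, "smb"),
]
```

Running triage(ALERTS, INVENTORY) puts the IIS alert against the Windows host that is known to be vulnerable at the top and the same signature fired against the Linux Apache host at the bottom; the alert against a host the NIPS has never observed stays in the middle, since a missing profile is a reason to look, not to dismiss.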