INTRUSION PREVENTION SYSTEM(IPS)

OUTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall

INTRODUCTION

Intrusion A set of actions aimed to compromise the Integrity,

confidentiality, or availability, of a computing and networking resource.

Exploits against operating systems, application etc Buffer overflows, cross site scripting, other

vulnerabilities

o Intrusion prevention systems (IPS) Also known as intrusion detection and prevention

systems (IDPS), are network security appliances that monitor network and system activities for malicious or harmful activity.

OBJECTIVESo The main objectives of intrusion

prevention systems are:

Identification of malicious activity

Log information about said activity

Attempt to block/stop harmful activity

Report malevolent activity.

IPS’S DETECTION METHODS

The majority of intrusion prevention systems utilize one of two detection methods: Signature-based Detection

This method of detection utilizes signatures of attack patterns that are preconfigured and predetermined.

A signature-based intrusion prevention system monitors the network traffic for matches to these signatures.

Once a match is found the intrusion prevention system takes the appropriate action.

Statistical anomaly-based or Knowledge-

based Detection A statistical anomaly-based IDS determines

normal network activity like what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other .

It alert the administrator or user and prevent malicious contents when anomalous(not normal) traffic is detected

Protocol Analysis Detection:

Protocol analysis detection is based on the anomalies specific to protocol

This model is integrated into the ips model recently

It identifies TCP/IP protocol specific flaws in the network

The pace at which the malicious signature attacker is growing is incredibly fast .But the network protocol, in comparison, is well defined and changing slowly. Therefore, the signature database must be updated frequently to detect attack

Protocol analysis detection systems are easier to use because they require no signature updates

The best way to present alarms is to explain which part of the state system was compromised. For this the ips operators have to have thorough knowledge of the protocol design; the best way is the documentation provided by the IDS

 

CLASSIFICATIONS

Intrusion prevention systems can be classified into four different types:

o Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by

analyzing protocol activity.  In a NIPS, sensors are located at network borders of the

network. Sensors capture all network traffic and analyzes the content of individual packets for malicious traffic and prevents them.

Example: Snort (Snort is a free and open source network intrusion prevention system (NIPS) created by Martin Roesch in 1998.Snort is now developed by Sourcefire.)

CONTINUE… Host-based intrusion prevention system (HIPS):

It is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Example:  OSSEC ( OSSEC is a free, open source host-based intrusion Prevention system (IDS). It provides intrusion Prevention for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows OS.)

Log file monitoring(LFM): Log file monitor monitoring log files created by network services. LFM IDS searches through the logs and identifies malicious activity. IN similar manner to NIDS, these system looks for pattern in the log files

that suggest an intrusion

File integrity checking(FIC): These mechanism checks for Trojan horse, or files that have otherwise been

modified , indicating an intruder has already ben there

HOW IDS WORKS ? IDS works with a copy of the traffic. It can

detect an attack and send an alert (and take other actions), but it cannot prevent the attack because it does not operate on traffic inline in the forwarding path.

HOW IPS WORKS ? IPS device operates in inline mode i.e.

because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).

IPS VS. IDS IDS typically record information related to

observed malicious events, notify security administrators of important observed events, and produce reports.

IPS is considered an extension of intrusion detection system because they both monitor network traffic and system activities for malicious activity. 

But unlike intrusion detection systems, intrusion prevention systems are able to actively prevent/block intrusions that are detected.

Detection –Alarm or alert Prevention– Stop before it gets into the

network

IPS VS. FIREWALL IPS monitors the system for unwanted entry

and reports or alerts the same to the user and prevents the connection .

A firewall monitors the system based on the rules that are set by the user and regulates the activity between the system and the Internet.

Therefore, to protect the system from unwanted intrusions, it is always recommended to use firewalls in conjunction with Intrusion Prevention Systems (IPS).

This is also why the majority of internet security systems comes with both firewall and IPS.

IPS VS. FIREWALL The Firewall has static rules The IPS learns and creates rules (or gets them added

with updates from the manufacturer). You want the FW, because if all packets were allowed

on the network the IPS would be overwhelmed so you can't just do an IPS (e.g. if you had a 1000 people in your house the security guard inside couldn't watch them all)  But you want the IPS to add a second layer of intelligence beyound the rules enforced at the FW (e.g. someone looking for shady behavior in the house gives a better level of security).