 
Network Security, September 2007

Intrusion prevention systems: superior security
Tom Rowan, security consultant, Magirus

Today, most networks are protected by firewall technology. There are numerous types of firewall, but essentially they all work in the same way: allow in the authorised traffic, filter the rest. The majority of purebred firewalls do not apply any further filtering on the traffic beyond IP and service port source or destination values. Originally, network security seemed to be as simple as blocking IP addresses and filtering ports.

However, complex modern attacks use any number of attack vectors, including denial of service, protocol implementation flaws, buffer overflows, application development errors, and social engineering techniques such as phishing. These attacks all make use of otherwise legitimate connections through firewalls. To protect against these attacks it is necessary to look deeper into the traffic streams to gain application awareness (‘deep packet inspection’). Protecting against denial of service attacks launched from one of the many botnets available for hire is also far beyond the remit of a traditional firewall.

As research organisations and security vendors are constantly explaining, a large percentage of attacks originate from inside the network perimeter. Figures between 70% and 95% have been quoted over recent years [1, 2]. Networks are still often built according to out-of-date best practices, dictating a well protected exterior shell with an open, acquiescent interior. This means that the majority of network traffic does not pass across a firewall; even advanced ‘application aware’ firewalls cannot check traffic that does not traverse their interfaces.

The first breed of application aware systems, known as intrusion detection systems (IDS), appeared in the mid 1990s. The majority were based on signatures which aimed to match malicious traffic patterns. When a specific pattern was found, the network administrator could be alerted to the presence of malicious traffic on their networks. Initially, these systems reported specious traffic rather than blocking it. Many argued that monitoring without taking action was akin to shutting the door once the horse has bolted. Despite these claims, the technology served to increase awareness of complex network security issues amongst the network management community. Like Antony Van Leeuwenhoek’s microscope had done for bacteria, IDS showed the characteristics of network attacks as never before [3].

Detection became prevention

The main limitation of IDS was soon removed. In about 1998, detection became prevention, and products started to emerge that blocked attacks. Some existing products were enhanced with blocking capability, while whole new offerings also appeared to take advantage of this new market. Various blocking strategies were employed depending on whether the device was designed to sit ‘in line’ or stand alone on the network.

In-line intrusion prevention systems are placed so that network traffic must pass through them. When the IPS decides to stop traffic, this has the advantage that blocking actions will be completely effective. However, this approach requires that the network design must force traffic through the device in order to maximise coverage. Placement of the IPS becomes crucial to its effectiveness. Consideration must also be given to the behaviour of the network should the IPS device fail. Many include a ‘fail open’ relay which turns the device into a piece of wire once power is removed.

Stand-alone systems are arranged so that they gain access to traffic streams from a switch span port or by using a network tap, a piece of hardware which allows the diversion and duplication of traffic at wire speed. There are two strategies employed to give the IPS blocking powers. The IPS can send TCP RST (reset) messages that cause open connections to end suddenly. Or credentials can be supplied which empower the IPS to control firewalls and modify router or switch access control lists to dynamically block traffic – scary stuff!

A third alternative is to provision the IPS as a software-only system, which is installed on each host to be protected. In this case, the IPS can block malicious traffic directly. The disadvantage is simply one of implementation. The software must be deployed to multiple hosts, will use up resources when running, may not be compatible with all operating systems, and will require maintenance and upgrades.

Signatures vs rules

Whichever the deployment model, there are a number of ways in which an IPS can detect the presence of unwanted network traffic. These may be grouped into three main categories: signatures, traffic rates and anomaly detection.

Signatures are the most common way to proceed. The majority, although not all, of IPS products include signatures of some kind. These are almost exactly akin to the antivirus signatures familiar to network administrators. A pattern within the network traffic is matched against the shape of a known attack. There are two subdivisions of the term: signatures and rules. These are alike, but fundamentally control the effectiveness of the deployment.

A signature is a pattern that identifies a specific known attack. A rule identifies the use of a known vulnerability. There is a subtle difference which can be understood using this analogy. Consider a glass window. This can be broken in any number of ways, including a hammer, a thrown brick or a bullet. A corresponding signature-based IPS for the window would match a person with a hammer, a brick in flight, and an inbound high-velocity round. The IPS would recognise and block each of these attacks when presented exactly. An attack that uses a fire extinguisher would not be recognised – and would consequently succeed.

A rule-based IPS, however, would have rules to block against the vulnerability itself. In this case, the vulnerability relates to the fragility of the window to percussive attack. This means that the rule would match any massive inbound object which has sufficient momentum to produce a fracture of the glass. In other words, anything heavy or speedy which is about to hit the window would be blocked.

In a computer network, the signature scenario might relate to the ability of the IPS to block worm variants A and B, but allow variant C straight through. A rule based on the vulnerability rather than the exploit would look for the behaviour that all possible variants of the worm would need to exhibit in order to compromise a system.

Figure 1: The difference between signatures and rules.

Zero day blocked?

Most tier one IPS vendors claim to block the vulnerability, not the variant. Confusingly, they mostly discuss signatures rather than rules, but this is just semantic. In reality, when a major new attack evolves, initial signature updates are often issued which fix a single variant, while vendor labs frantically work on a cure to the vulnerability itself. This is released as a replacement to the original update. Interestingly, many vendors produce a specific signature for each variant anyway, allowing network administrators the luxury of a report showing exactly which variant of the attack class has been foiled.

Sometimes, these claims are taken further and vendors offer the ability to stop a zero-day attack. This is somewhat of a holy grail in the IPS world, because if this were true, there would be no need for further signature (or rule) updates. What is meant by these claims is that once a suitable rule is downloaded, any possible future attacks using a specific vulnerability will not succeed – in some senses avoiding zero day attacks, although not all future zero day attacks!

Signatures can also be provided to match any other interesting traffic rather than just attacks. For example, administrators might be interested to be alerted whenever a specific type of traffic is seen on a network: perhaps UNIX portmapper traffic (port 111) on a truly homogenous Windows network. This might not signify an attack – there may be nothing ‘wrong’ or malicious in the portmapper traffic itself – but may signify mis-configuration or the installation of unauthorised software.

Connection rate limiting

Another way to protect the network which does not rely on signatures is to apply connection rate limits. This method is particularly effective against denial of service (DoS) attacks. This class of attack often uses otherwise perfectly legitimate traffic to flood a network, using all available bandwidth and server resources. Of course, legitimate looking traffic will not be picked up by signatures or rules. Limiting the number of connection requests allowed into a network will protect against flood attacks by keeping traffic volumes below bandwidth and server resource thresholds. If a host is generating superfluous volumes of traffic, this will be noticed and dropped once it reaches a defined level. However, this simplistic approach may also deny any new legitimate connections too. This is particularly noticeable in the case of a distributed denial of service attack
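The signature-versus-rule distinction the article draws (worm variants A and B blocked, variant C passing, until a rule for the vulnerability itself is used) in working form. This is an added example, not code from the article or any IPS product; the vulnerable service, its 64-byte USER buffer, the two variant signatures and the sample traffic are all constructed for illustration.

```python
# Added example (not from the article): a toy IPS comparing a signature match
# (byte pattern of a specific known exploit) with a rule match (the condition
# any exploit of the vulnerability must satisfy).
# Constructed vulnerability: a service copies the USER field of a request into
# a 64-byte buffer, so any USER value longer than 64 bytes corrupts memory,
# whatever bytes it carries.
import re

BUFFER_SIZE = 64  # constructed size of the vulnerable field buffer

# Signatures: byte patterns lifted from two known worm variants (constructed).
SIGNATURES = {
    "worm-variant-A": re.compile(rb"USER AAAA{60,}"),
    "worm-variant-B": re.compile(rb"USER \x90{60,}"),
}

def signature_match(payload: bytes):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def rule_match(payload: bytes):
    """Rule for the vulnerability: flag any USER value that overflows the buffer."""
    m = re.search(rb"USER ([^\r\n]*)", payload)
    if m and len(m.group(1)) > BUFFER_SIZE:
        return "user-field-overflow"
    return None

def classify(payload: bytes):
    """Run both detection methods over one request and report what each saw."""
    return {"signature": signature_match(payload), "rule": rule_match(payload)}

# Constructed traffic: known variants A and B, an unseen variant C that
# exploits the same overflow with different bytes, and a legitimate login.
SAMPLES = {
    "A": b"USER " + b"A" * 200 + b"\r\n",
    "B": b"USER " + b"\x90" * 200 + b"\r\n",
    "C": b"USER " + b"C" * 200 + b"\r\n",
    "legit": b"USER alice\r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, classify(payload))
```

Variant C slips past both signatures but is stopped by the rule, which is the behaviour the article credits to rule-based IPS; the legitimate login triggers neither.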
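The connection rate limiting the article describes, including its caveat that a source which crosses the defined level has its further connections dropped whether or not they are legitimate. This is an added example, not code from the article or any product; the threshold, window, addresses and request log are constructed.

```python
# Added example (not from the article): a per-source connection-rate limiter.
# Connection requests from one source are counted in a sliding window; once
# the count passes the defined level, further requests from that source are
# dropped, legitimate or not, until older requests age out of the window.
from collections import defaultdict, deque

class ConnectionRateLimiter:
    def __init__(self, max_conns: int, window_secs: float):
        self.max_conns = max_conns          # defined level per source (constructed)
        self.window = window_secs           # sliding window length in seconds
        self.history = defaultdict(deque)   # src -> timestamps of recent requests

    def decide(self, ts: float, src: str) -> str:
        """Return 'allow' or 'drop' for a connection request from src at time ts."""
        q = self.history[src]
        # forget requests that have fallen out of the window
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)                        # dropped attempts still count
        return "drop" if len(q) > self.max_conns else "allow"

def run(requests, max_conns=5, window_secs=1.0):
    """Apply the limiter to (timestamp, source) pairs; return (ts, src, decision)."""
    limiter = ConnectionRateLimiter(max_conns, window_secs)
    return [(ts, src, limiter.decide(ts, src)) for ts, src in requests]

# Constructed request log: one host floods 8 connection requests in 0.1 s,
# a normal host sends 2, and the flooding host returns 2.5 s later.
FLOOD = [(0.01 * i, "10.0.0.7") for i in range(8)]
NORMAL = [(0.05, "10.0.0.20"), (0.40, "10.0.0.20")]
LATER = [(2.5, "10.0.0.7")]
REQUESTS = sorted(FLOOD + NORMAL + LATER)

if __name__ == "__main__":
    for ts, src, decision in run(REQUESTS):
        print(f"{ts:5.2f} {src:10} {decision}")
```

The normal host is never touched, the flooder is cut off after five requests, and once its burst has aged out of the window it can connect again; a genuine connection from the flooding address during the burst would be dropped just the same.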