What is an Intrusion Prevention System?
An intrusion prevention system (IPS) is any device that exercises access
control to protect computers from exploitation. "Intrusion prevention"
technology is considered by some to be an extension of intrusion detection
system (IDS) technology, but it is actually another form of access control,
like an application-layer firewall. Intrusion prevention systems were
invented to resolve the ambiguities of passive network monitoring by placing
detection systems in-line. A considerable improvement upon firewall
technologies, IPS make access control decisions based on application
content rather than on IP addresses or ports, as traditional firewalls had
done. As IPS were originally a literal extension of intrusion detection
systems, the two remain closely related. Intrusion prevention systems may
also serve secondarily at the host level to deny potentially malicious
activity. There are advantages and disadvantages to host-based IPS compared
with network-based IPS; in many cases the technologies are thought to be
complementary. An intrusion prevention system must also be a very good
intrusion detection system to keep its rate of false positives low. Some
IPS can also prevent attacks that have not yet been discovered, such as
those caused by a buffer overflow.

How is IPS different from IDS?

IPS have many advantages over their legacy counterparts, intrusion
detection systems (IDS). One advantage is that they are designed to sit
inline with traffic flows and prevent attacks in real time. In addition,
most IPS solutions can decode layer 7 protocols such as HTTP, FTP and SMTP,
which provides greater awareness. When deploying a NIPS, however,
consideration should be given to whether the network segment carries
encrypted traffic, as many products are unable to inspect such traffic.
What are the different types of IPS?

Host based
Host-based intrusion prevention systems (HIPS) run on the host itself
and are software based. They have the advantage that they operate on
end-systems where the packets have already been decrypted, so file access
and registry access can be monitored granularly and accurately. They have
the disadvantage that they need to be installed on every workstation and
server in the network. Cisco Security Agent, while utilizing a central
network server, is a HIPS because it monitors traffic on the hosts
themselves.
Network
Network intrusion prevention systems (NIPS) are purpose-built
hardware/software platforms designed to analyze, detect and report on
security-related events. NIPS inspect traffic and, based on their
configuration or security policy, can drop malicious traffic.
Content based
Content-based IPS (CBIPS) inspect the content of network packets for
unique byte sequences, called signatures, to detect and, where possible,
prevent known types of attack such as worm infections and known exploits.
CBIPS vendors include Juniper Networks (NetScreen), McAfee (Intruvert),
Symantec, ISS and TippingPoint.
Rate based
Rate-based IPS (RBIPS) are primarily intended to prevent denial of service
(DoS) and distributed denial of service (DDoS) attacks. They work by
monitoring and learning normal network behavior. Through real-time traffic
monitoring and comparison with stored statistics, RBIPS can identify
abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets,
connections per second, packets per connection, packets to specific ports,
etc. Attacks are detected when thresholds are exceeded. The thresholds are
dynamically adjusted based on time of day, day of the week, etc., drawing
on stored traffic statistics. Unusual but legitimate network traffic
patterns may therefore create false alarms. The system's effectiveness is
related to the granularity of the RBIPS rulebase and the quality of the
stored statistics. Once an attack is detected, various prevention
techniques may be used, such as rate-limiting specific attack-related
traffic types, source or connection tracking, and source-address, port or
protocol filtering (black-listing) or validation (white-listing).
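The learned-baseline mechanism described above, as an added example that is not part of this page or of any vendor's product: a small Python rate-based detector that keeps per-weekday, per-hour statistics for one traffic type and alerts when an observed rate exceeds mean + k * stddev for that time slot, so the same rate can be normal during business hours and abnormal at night. The sample rates, the "tcp_syn" label, the four-week training window and the k=3 sensitivity are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

class RateBaseline:
    """Per (weekday, hour, traffic-type) baseline: threshold = mean + k*stddev."""

    def __init__(self, k=3.0, min_samples=3):
        self.samples = defaultdict(list)  # time slot -> learned rates
        self.k = k                        # sensitivity: sigmas above the mean
        self.min_samples = min_samples    # refuse to judge with too few samples

    @staticmethod
    def slot(ts, traffic_type):
        return (ts.weekday(), ts.hour, traffic_type)

    def learn(self, ts, traffic_type, rate):
        self.samples[self.slot(ts, traffic_type)].append(rate)

    def threshold(self, ts, traffic_type):
        seen = self.samples.get(self.slot(ts, traffic_type), [])
        if len(seen) < self.min_samples:
            return None
        return mean(seen) + self.k * pstdev(seen)

    def check(self, ts, traffic_type, rate):
        # Returns ('ok' | 'alert' | 'no-baseline', threshold)
        thr = self.threshold(ts, traffic_type)
        if thr is None:
            return ("no-baseline", None)
        return ("alert" if rate > thr else "ok", thr)

def build_demo_detector():
    """Train on constructed (not captured) TCP SYN/s samples over four weeks."""
    det = RateBaseline()
    for day, rate in zip((2, 9, 16, 23), (180, 200, 220, 200)):   # Tuesdays 10:00
        det.learn(datetime(2024, 1, day, 10), "tcp_syn", rate)
    for day, rate in zip((7, 14, 21, 28), (18, 20, 22, 20)):       # Sundays 03:00
        det.learn(datetime(2024, 1, day, 3), "tcp_syn", rate)
    return det

def verdict(det, year, month, day, hour, rate, traffic_type="tcp_syn"):
    """Convenience wrapper: classify one observation at a calendar time."""
    return det.check(datetime(year, month, day, hour), traffic_type, rate)[0]

if __name__ == "__main__":
    det = build_demo_detector()
    # The same 150 SYN/s is normal on a Tuesday morning, abnormal on a Sunday night
    print(verdict(det, 2024, 1, 30, 10, 150), verdict(det, 2024, 2, 4, 3, 150))
```

A slot with fewer than min_samples observations returns "no-baseline" rather than guessing, which is where the false alarms the text warns about would otherwise come from.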
Host-based vs. Network

HIPS: can handle all types of encrypted network traffic and can analyze
all code.
HIPS: can often do better behavior analysis, because it sees what the code
actually does on the client.

NIPS: does not consume processor and memory on the client/end-point/host.
NIPS: is a single point of failure, which is both good and bad: easy
administration, easy failure.
Summary

White Knight performs intrusion detection by scanning inbound network
traffic and uses pattern recognition technology to detect over 3000 types
of probes, Denial of Service (DoS) attacks, and attempts to exploit
application vulnerabilities. White Knight can also provide intrusion
prevention by working with the firewall to immediately block incoming
traffic associated with intrusions.