IPS (Intrusion Prevention System)
An IPS (Intrusion Prevention System) is the next step beyond intrusion detection: it can enforce
security at every level of a system, from network packets up to the operating system kernel. Like an
IDS, it applies policies and rules to network traffic and alerts system or network administrators to
suspicious traffic; unlike an IDS, it sits inline, so the administrator can define the action to be
taken automatically when a rule fires. Where an IDS informs of a potential attack, an IPS attempts to
stop it. A further advance over IDS is that an IPS can block not only known intrusion signatures but
also some previously unseen attacks, because its rule base also describes generic attack behaviours.
Combining the functions of an IDS with those of an application-layer firewall, an IPS is generally
considered the "next generation" of IDS.
Because it sits inline, an IPS can also normalise traffic before it reaches the host: correct Cyclic
Redundancy Check (CRC) errors, reassemble fragmented packet streams, mitigate TCP sequencing problems,
and strip unwanted transport- and network-layer options.
Classifications of IPS
Intrusion prevention systems can be classified into four different types:
Network-based intrusion prevention system (NIPS)
A network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as
protect the confidentiality, integrity, and availability of a network. Its main functions include protecting
the network from threats, such as denial of service (DoS) and unauthorized usage.
NIPS hardware may consist of a dedicated Network Intrusion Detection System (NIDS) device, an
Intrusion Prevention System (IPS), or a combination of the two such as an Intrusion Prevention and
Detection System (IPDS). Note that while a NIDS can only detect intrusions, an IPS can proactively stop
an attack by following established rules, such as changing firewall settings, blocking particular
Internet Protocol (IP) addresses or dropping certain packets entirely. The software components of a
NIPS consist of firewall, sniffer and antivirus tools, in addition to dashboards and other data
visualisation tools.
Figure 1: IPS (Intrusion Prevention System)
Wireless Intrusion Prevention Systems (WIPS)
A wireless intrusion prevention system (WIPS) is a dedicated security device or integrated software
application that monitors a wireless LAN network's radio spectrum for rogue access points and other
wireless threats.
The following types of threats can be prevented by a good WIPS:
1. Rogue AP: an unauthorized AP attached to the protected network. A WIPS should distinguish a
rogue AP from an external (neighbour's) AP that is merely within radio range
2. Mis-configured AP
3. Client Mis-association
4. Unauthorized association
5. Man in the Middle Attack
6. Ad hoc Networks
7. MAC-Spoofing
8. Honeypot / Evil Twin Attack
9. Denial of Service (DoS) Attack
WIPS configurations consist of three components:
1. Sensors: devices containing antennas and radios that scan the wireless spectrum for packets; they are installed throughout the areas to be protected
2. Server: the WIPS server centrally analyzes the packets captured by the sensors
3. Console: the console provides the primary user interface to the system for administration and reporting
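The classification a WIPS server has to make for every beacon its sensors hear (threat types 1, 2, 6, 7 and 8 above) can be shown in a few dozen lines. The following is an added example written for this page, not code from any WIPS product; the AP inventory, the wired-side MAC list, the scan window and the simplifying assumption that an AP's wired MAC equals its BSSID are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed reference data (assumptions for this example) ---
# Authorised corporate APs: BSSID -> (SSID, expected encryption).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", "WPA2"),
    "00:11:22:33:44:02": ("CorpWiFi", "WPA2"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
# MAC addresses the WIPS server has learned from the wired LAN (switch CAM
# tables). Assumption: an AP's wired MAC equals its BSSID, so a match means
# the radio is plugged into our network.
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:10"}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    encryption: str      # "WPA2", "WPA3" or "OPEN"
    ibss: bool = False   # True for an ad hoc (IBSS) network


def classify(b: Beacon) -> str:
    """Map one beacon to a WIPS verdict (threat types 1, 2, 6 and 8)."""
    bssid = b.bssid.lower()
    if b.ibss:
        return "ad-hoc"                  # peer-to-peer network, no AP at all
    if bssid in AUTHORIZED_APS:
        ssid, enc = AUTHORIZED_APS[bssid]
        if b.ssid != ssid or b.encryption != enc:
            return "misconfigured"       # our AP, wrong SSID or weakened crypto
        return "authorized"
    if b.ssid in CORP_SSIDS:
        return "evil-twin"               # unknown radio advertising our SSID
    if bssid in WIRED_MACS:
        return "rogue"                   # unknown AP bridged onto our wire
    return "external"                    # neighbour's AP, merely in range


def spoofed_bssids(beacons):
    """A radio sits on one channel at a time; one BSSID heard on several
    channels within the same scan window suggests MAC spoofing (type 7)."""
    channels = defaultdict(set)
    for b in beacons:
        channels[b.bssid.lower()].add(b.channel)
    return sorted(k for k, v in channels.items() if len(v) > 1)


# Constructed scan window as the sensors might report it.
SCAN = [
    Beacon("00:11:22:33:44:01", "CorpWiFi", 6, "WPA2"),
    Beacon("00:11:22:33:44:02", "CorpWiFi", 11, "OPEN"),      # encryption turned off
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 6, "OPEN"),       # evil twin
    Beacon("aa:bb:cc:dd:ee:10", "FreeWiFi", 1, "OPEN"),       # rogue on our wire
    Beacon("12:34:56:78:9a:bc", "Neighbour-5G", 36, "WPA3"),  # external
    Beacon("02:aa:bb:cc:dd:ee", "phone-hotspot", 1, "WPA2", ibss=True),
    Beacon("00:11:22:33:44:01", "CorpWiFi", 1, "WPA2"),       # same BSSID, other channel
]


def scan_report(beacons=SCAN):
    """Verdict per (BSSID, channel) seen in the window."""
    return {f"{b.bssid}/{b.channel}": classify(b) for b in beacons}


if __name__ == "__main__":
    for key, verdict in scan_report().items():
        print(f"{key:28} {verdict}")
    print("possible MAC spoofing:", spoofed_bssids(SCAN))
```

Note that the last beacon classifies as "authorized" on its own; only the cross-beacon check in spoofed_bssids catches that the BSSID is being impersonated, which is why the server, not the sensor, makes the final call. A production WIPS correlates wired MACs with BSSIDs more loosely (typically a small offset) and also uses 802.11 sequence-number analysis; both are left out here.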
Network behavior analysis (NBA)
Network behavior analysis (NBA) is a way to enhance the security of a private network by
monitoring traffic and noting unusual actions or departures from normal operation. Conventional
intrusion prevention solutions defend a network's perimeter using packet inspection, signature
detection and real-time blocking. NBA solutions watch what is happening inside the network,
aggregating data from many points to support offline analysis.
After establishing a baseline for normal traffic, the NBA program passively monitors network activity
and flags unknown, new or unusual patterns that might indicate the presence of a threat. The program
can also monitor and record trends in bandwidth and protocol use. Because it does not depend on
signatures, network behavior analysis is particularly good at spotting new malware and zero-day
exploits.
Host-based intrusion prevention system (HIPS)
A host-based intrusion prevention system (HIPS) is a system or a program employed to protect critical
computer systems containing crucial data against viruses and other Internet malware. Starting from the
network layer all the way up to the application layer, HIPS protects from known and unknown malicious
attacks. HIPS regularly checks the characteristics of a single host and the various events that occur
within the host for suspicious activities.
HIPS can be implemented on various types of machines, including servers, workstations, and computers.
The following list is far from complete; it is the bare minimum of behaviours a HIPS should guard
against:
1. Taking control of other programs, for example sending mail through the default mail client or
directing the browser to a particular site to download more malware.
2. Changing important registry keys so that the program is started on certain events (persistence).
3. Terminating other programs, for example the virus scanner.
4. Installing devices or drivers so that they are started before other programs.
5. Inter-process memory access, used to inject malicious code into a trusted program.
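A HIPS is, at its core, a rule set evaluated against host events such as process creation, registry writes, process termination, driver loads and cross-process handle opens. The following is an added example written for this page (not the code of any HIPS product) that checks the five behaviours listed above against constructed events; the process names, registry keys, the trusted-signer list and the event format are assumptions made for the example.

```python
import re

# --- Constructed HIPS policy (all names are assumptions for this example) ---
CONTROLLED_APPS = {"outlook.exe", "chrome.exe", "iexplore.exe"}      # rule 1
AUTORUN_KEY_PATTERNS = [                                            # rule 2
    re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I),
    re.compile(r"\\CurrentControlSet\\Services\\", re.I),
]
PROTECTED_PROCESSES = {"avservice.exe", "hips.exe"}                 # rule 3
TRUSTED_INSTALLERS = {"msiexec.exe", "trustedinstaller.exe"}        # rule 4
INJECTION_RIGHTS = {"PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"}    # rule 5
SIGNED_PUBLISHERS = {"Contoso Software"}   # constructed list of trusted code signers


def evaluate(ev: dict):
    """Return (action, reason) for one host event.

    Events from a process signed by a trusted publisher may drive other apps,
    write autorun keys and install drivers; nobody may kill a protected
    process or open another process with injection rights."""
    src = ev.get("src", "").lower()
    trusted = ev.get("signer") in SIGNED_PUBLISHERS
    kind = ev["type"]
    if kind == "process_launch" and ev["target"].lower() in CONTROLLED_APPS and not trusted:
        return "block", f"{src} drives {ev['target']} with args {ev.get('args', '')!r}"
    if kind == "registry_write" and not trusted and \
            any(p.search(ev["key"]) for p in AUTORUN_KEY_PATTERNS):
        return "block", f"{src} writes autorun key {ev['key']}"
    if kind == "process_terminate" and ev["target"].lower() in PROTECTED_PROCESSES:
        return "block", f"{src} tries to terminate protected {ev['target']}"
    if kind == "driver_install" and src not in TRUSTED_INSTALLERS and not trusted:
        return "block", f"{src} installs driver {ev['path']}"
    if kind == "process_access" and src != ev["target"].lower() and \
            ev["access"] & INJECTION_RIGHTS:
        return "block", f"{src} opens {ev['target']} with {sorted(ev['access'] & INJECTION_RIGHTS)}"
    return "allow", "no rule matched"


# Constructed event stream: a dropper doing each of the five things, plus two
# benign events that must not be blocked.
EVENTS = [
    {"type": "process_launch", "src": "dropper.exe", "target": "chrome.exe",
     "args": "http://malware.example/stage2"},
    {"type": "registry_write", "src": "dropper.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "registry_write", "src": "setup.exe", "signer": "Contoso Software",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process_terminate", "src": "dropper.exe", "target": "avservice.exe"},
    {"type": "driver_install", "src": "dropper.exe",
     "path": r"C:\Windows\System32\drivers\rk.sys"},
    {"type": "process_access", "src": "dropper.exe", "target": "explorer.exe",
     "access": {"PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"}},
    {"type": "process_access", "src": "taskmgr.exe", "target": "explorer.exe",
     "access": {"PROCESS_QUERY_INFORMATION"}},
]


def run(events=EVENTS):
    """Evaluate every event in order and return the list of (action, reason)."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for action, reason in run():
        print(f"{action:5} {reason}")
```

The signer check is what keeps such a policy usable: without it, every legitimate installer that registers a service or a Run key would be blocked, and users would learn to click through. Real HIPS engines additionally consult the loaded binary's hash and reputation, which is out of scope here.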
Detection Methods
The majority of intrusion prevention systems utilize one of three detection methods: signature-based,
statistical anomaly-based and stateful protocol analysis.
1. Signature-Based Detection: a signature-based IDS monitors packets on the network and compares
them with pre-configured, pre-determined attack patterns known as signatures.
2. Statistical Anomaly-Based Detection: a statistical anomaly-based IDS first determines what normal
network activity looks like (what bandwidth is generally used, which protocols are in use, which
ports and devices generally connect to each other) and then alerts the administrator or user when
traffic is detected that deviates from this baseline.
3. Stateful Protocol Analysis Detection: this method identifies deviations from expected protocol
states by comparing observed events with "predetermined profiles of generally accepted definitions of
benign activity".
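The three detection methods above, and the baseline-then-flag behaviour described under Network behavior analysis, differ in what they compare against: a pattern, a statistical baseline, or a protocol state machine. The following added example (written for this page, not taken from any IDS/IPS product) implements a toy version of each and runs all three over constructed input: three HTTP request lines, a baseline of new-connections-per-minute from one host, and a short sequence of TCP flow events. The signature patterns, the baseline numbers, the addresses and the choice of a 3-sigma threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# (1) Signature-based: constructed patterns, applied after URL-decoding the
# payload so that "%20" or "%55NION" cannot slip past a plain-text match.
SIGNATURES = {
    "SQLi-union-select": re.compile(rb"union\s+select", re.I),
    "Traversal-dotdot": re.compile(rb"(\.\./){2,}"),
}


def signature_match(payload: bytes):
    decoded = unquote_to_bytes(payload)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


# (2) Statistical anomaly: learn mean and standard deviation of a metric from
# a clean baseline, then flag values more than k standard deviations away.
class AnomalyDetector:
    def __init__(self, baseline, k=3.0):
        self.mean = statistics.fmean(baseline)
        self.stdev = statistics.pstdev(baseline)
        self.k = k

    def is_anomalous(self, value):
        if self.stdev == 0:                 # flat baseline: any change is new
            return value != self.mean
        return abs(value - self.mean) / self.stdev > self.k


# (3) Stateful protocol analysis: a minimal TCP state machine per flow. Data
# on a flow that never completed its handshake, or a SYN inside an
# established connection, is a deviation from the protocol profile.
TCP_TRANSITIONS = {
    ("CLOSED", "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN-ACK"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSED",
}


class TcpStateTracker:
    def __init__(self):
        self.state = defaultdict(lambda: "CLOSED")   # keyed by (client, server)

    def observe(self, flow, event):
        """Advance the flow's state; return a finding string on a bad transition."""
        cur = self.state[flow]
        nxt = TCP_TRANSITIONS.get((cur, event))
        if nxt is None:
            return f"{flow}: {event} not valid in state {cur}"
        self.state[flow] = nxt
        return None


# --- Constructed input ---
PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"GET /search?q=1'%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1",
    b"GET /static/../../../../etc/passwd HTTP/1.1",
]
BASELINE_CONN_PER_MIN = [40, 42, 38, 45, 41, 39, 44, 43]
FLOW_EVENTS = [
    (("10.0.0.5", "192.0.2.80:443"), "SYN"),
    (("10.0.0.5", "192.0.2.80:443"), "SYN-ACK"),
    (("10.0.0.5", "192.0.2.80:443"), "ACK"),
    (("10.0.0.5", "192.0.2.80:443"), "DATA"),
    (("198.51.100.7", "192.0.2.80:443"), "DATA"),   # no handshake was seen
    (("10.0.0.5", "192.0.2.80:443"), "SYN"),        # SYN mid-connection
]


def run_all():
    """Run the three detectors over the constructed input; return findings."""
    findings = []
    for payload in PAYLOADS:
        for name in signature_match(payload):
            findings.append(("signature", name))
    det = AnomalyDetector(BASELINE_CONN_PER_MIN)
    for observed in (47, 400):
        if det.is_anomalous(observed):
            findings.append(("anomaly", f"{observed} conn/min"))
    tracker = TcpStateTracker()
    for flow, event in FLOW_EVENTS:
        msg = tracker.observe(flow, event)
        if msg:
            findings.append(("protocol", msg))
    return findings


if __name__ == "__main__":
    for kind, detail in run_all():
        print(f"[{kind:9}] {detail}")
```

Two points worth taking from the example: the signature matcher only works because it normalises (URL-decodes) before matching, which is the same reason a real IPS reassembles and cleans up traffic before inspection; and the anomaly detector lets 47 connections per minute through but flags 400, so its usefulness depends entirely on the baseline having been learned from clean traffic.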
IPS Techniques to defend against Attacks
Intrusion prevention sensors look at both the header and the data portions of traffic for patterns
that indicate malicious activity.
IPS/IDS solutions can detect threats using a database of signatures, using anomaly detection
techniques that look for abnormal behaviour within protocols, and can also use or integrate with
anti-virus for malware detection. Anomaly detection targets traffic that is not malformed in itself
but is used with malicious intent, such as a large volume of requests meant to overwhelm a system; a
TCP SYN flood is an example.
An IPS can take actions defined by policy, such as blocking a connection, raising an alert, logging
the event, quarantining the host, or a combination of these. Policies define the rules that specify
what should be detected and the type of response required. Policies include both signature-based
rules and anomaly detection rules; the latter learn typical network traffic and set thresholds
against it. DoS and reconnaissance rules are based on traffic statistics.
IPS solutions also provide logging and alerting on recent attacks, so it should be easy to understand
and trace an attack, together with supporting tools that aid in blocking attacks. Selecting an attack
in the console should show detailed information about it and what can be done to resolve it. IPS and
IDS systems allow searching for attacks by different characteristics, such as attack name, impacted
applications, attack ID and so on.
IPS and IDS systems should be configured to use only the signatures they require and to protect only
the assets that need protecting; enabling every signature and pointing the sensor at everything
consumes far more CPU, memory and bandwidth. So if a web server requires protection, only the
signatures for web servers should be enabled, and only the DMZ where the web servers are located
should be protected. The scope can be narrowed further to protocols such as HTTP or RDP, systems such
as Unix or Windows, or applications such as IIS and Adobe products.
Each attack should have a severity level that ties to a response such as block, quarantine, log,
notify, or a combination of these.
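The two policy decisions just described (enable only the signatures that match the protected asset's protocols and platform, and bind each severity to a response set) can be expressed as a small selection-and-response model. The following is an added example written for this page, not the policy format of any IPS product; the signature catalogue, SIDs, names, the DMZ address range and the severity-to-response table are all constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    severity: str          # low | medium | high | critical
    protocols: frozenset   # protocols the rule inspects
    targets: frozenset     # OS / application tags; empty means generic


@dataclass(frozen=True)
class AssetProfile:
    name: str
    segment: ipaddress.IPv4Network   # addresses this profile protects
    protocols: frozenset             # protocols the asset actually speaks
    tags: frozenset                  # OS / application tags of the asset


# Constructed signature catalogue (SIDs and names invented for the example).
CATALOG = [
    Signature(1001, "IIS WebDAV request overflow", "critical",
              frozenset({"HTTP"}), frozenset({"IIS", "Windows"})),
    Signature(1002, "HTTP directory traversal", "high",
              frozenset({"HTTP"}), frozenset()),
    Signature(2001, "RDP password brute force", "medium",
              frozenset({"RDP"}), frozenset({"Windows"})),
    Signature(3001, "Apache mod_rewrite abuse", "high",
              frozenset({"HTTP"}), frozenset({"Apache", "Unix"})),
    Signature(4001, "Malicious PDF delivered over HTTP", "high",
              frozenset({"HTTP"}), frozenset({"Adobe"})),
]

# Severity -> response set (constructed policy; the text says responses may combine).
RESPONSE_BY_SEVERITY = {
    "low": {"log"},
    "medium": {"log", "notify"},
    "high": {"log", "notify", "block"},
    "critical": {"log", "notify", "block", "quarantine"},
}

DMZ_WEB = AssetProfile("DMZ web servers", ipaddress.ip_network("192.0.2.0/24"),
                       frozenset({"HTTP"}), frozenset({"IIS", "Windows"}))


def select_signatures(catalog, profile):
    """Keep only rules that inspect a protocol the asset speaks and that are
    either generic or aimed at one of the asset's OS/application tags."""
    return [s for s in catalog
            if s.protocols & profile.protocols
            and (not s.targets or s.targets & profile.tags)]


def decide(sig, dst_ip, profile):
    """Response for a hit: nothing if the destination lies outside the
    protected segment, otherwise the action set bound to the severity."""
    if ipaddress.ip_address(dst_ip) not in profile.segment:
        return set()
    return set(RESPONSE_BY_SEVERITY[sig.severity])


if __name__ == "__main__":
    enabled = select_signatures(CATALOG, DMZ_WEB)
    print("enabled for", DMZ_WEB.name, ":", [s.sid for s in enabled])
    print(decide(enabled[0], "192.0.2.10", DMZ_WEB))   # critical hit inside the DMZ
    print(decide(enabled[0], "10.0.0.5", DMZ_WEB))     # same hit, outside scope
```

For the DMZ web profile only the IIS overflow and the generic traversal rule stay enabled: the RDP, Apache and Adobe rules are dropped because the asset neither speaks RDP nor runs those products, which is exactly the CPU, memory and bandwidth saving the text argues for. A hit on an address outside the protected segment produces no response from this profile; a second profile for the LAN would hold its own signature set and responses.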
User Roles
The CLI supports four user roles: administrator, operator, viewer, and service. The privilege levels for
each role are different; therefore, the menus and available commands vary for each role.
Administrator: This user role has the highest level of privileges. Administrators have
unrestricted view access and can perform the following functions:
1. Add users and assign passwords
2. Enable and disable control of physical interfaces and virtual sensors
3. Assign physical sensing interfaces to a virtual sensor
4. Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent
5. Modify sensor address configuration
6. Tune signatures
7. Assign configuration to a virtual sensor
8. Manage routers
Operator: This user role has the second highest level of privileges. Operators have unrestricted
view access and can perform the following functions:
1. Modify their passwords
2. Tune signatures
3. Manage routers
4. Assign configuration to a virtual sensor
Viewer: This user role has the lowest level of privileges. Viewers can view configuration and
event data and can modify their passwords.
Service: This user role does not have direct access to the CLI. Service account users are logged
directly into a bash shell. Use this account for support and troubleshooting purposes only.
Unauthorized modifications are not supported and require the device to be reimaged to
guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning: