NIPS
Dec 31, 2015
NIPS essentially breaks down into two categories:
Chokepoint devices
Intelligent switches
In addition to these architectural classes, NIPS designers make a choice
between two types of technology:
General-purpose CPUs
Application-specific integrated circuits (ASICs).
How Chokepoint NIPS Work
A chokepoint NIPS could be located outside of your firewall or on your screened
subnet in front of a device you want to protect, such as your web server.
They will often be configured without an IP address on either of the chokepoint
interfaces to minimize their impact on the network's architecture.
Traffic that originates from the Internet is passed through the NIPS to your
corporate firewall and beyond if it does not generate any alerts.
In IPS mode, traffic that does generate an alert can be dropped or rejected by the
NIPS and never delivered inside your network.
These can also be run in IDS mode, where a report is generated but the packet is
not dropped. These tend to either be a "firewall plus something" or an "IDS plus
something."
Firewall Plus Something
Firewalls fall into three major categories, listed in increasing security protection: packet
filter, stateful, and proxy or application gateway.
The overwhelming majority of deployed firewalls are stateful. Firewalls are the original IPS.
To be credible as an IPS, the firewall needs to add additional functionality, such as the
ability to run IDS-type rules.
The next logical progression for many firewall vendors is to add intrusion detection capacity
to their firewalls.
Because the firewall must collect and retransmit each packet that flows through it, a logical
advancement would be to allow policy to define whether traffic identified as malicious
should generate an alert and be forwarded to the destination or whether it should generate
an alert and be dropped, thereby preventing the attack from being successful.
Check Point FireWall-1 NG
Check Point's central product is FireWall-1, which is the best-known example of
a "firewall plus something" positioned as a NIPS.
Check Point FireWall-1 NG has the following IPS features:
Attack protection with "Application Intelligence," a rudimentary content-
inspection capability that blocks many well-known, well-defined attacks.
Access control based on stateful inspection, the capability this firewall is best
known for.
Choice of software and appliance deployments. The software is available on
a number of platforms to balance needs versus costs. The high end is based on
the high-performance, secure, and expensive Nokia appliance.
Check Point and OPSEC
The OPSEC Alliance was founded in April of 1997. OPSEC has since grown to
over 350 partners, making it the leading platform alliance by far for integrated
Internet security solutions. Programmers find the interface very workable, which
is probably the reason for the large number of partners.
OPSEC has enabled FireWall-1 to be extended into a number of areas outside of
Check Point's core competency, including the following:
1. Authentication
2. Authorization
3. Content security
4. Intrusion detection and protection
5. Wireless
Modwall
Modwall was developed by Bill Stearns and is available from
http://www.stearns.org/modwall.
Modwall is a set of firewall/IPS modules that can be inserted into an existing
IPTables firewall on Linux.
Rather than focusing on the normal "allow this kind of traffic from here to here"
firewall rules, modwall focuses on illegal packet traffic, which includes invalid
or unassigned source or destination IP addresses, invalid TCP flag
combinations, and packets that have been intentionally fragmented.
Modwall then allows the administrator to define what action to take, including
dropping the traffic, logging it, and blocking traffic from the source for a limited
amount of time.
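As an added illustration (not Modwall's own code, which is an iptables module set), the following Python model implements the three illegal-traffic checks the text lists and the three actions it names: drop, log, and block the source for a limited time. The bogon list, flag combinations, and packet fields are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Source ranges that must never appear on packets arriving from the Internet
# (a constructed subset of the unassigned/reserved ranges such a tool checks).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    tcp_flags: int = 0     # bitmask of the constants above
    frag_offset: int = 0   # nonzero: this is a later IP fragment
    more_frags: bool = False

def illegal_reason(pkt):
    """Classify a packet into Modwall's illegal-traffic categories; None if legal."""
    if any(ipaddress.ip_address(pkt.src) in net for net in BOGON_NETS):
        return "bogon-source"
    if pkt.proto == "tcp":
        f = pkt.tcp_flags
        if f == 0 or (f & SYN and f & FIN) or (f & SYN and f & RST):
            return "bad-tcp-flags"       # NULL, SYN/FIN and SYN/RST combinations
        if f & FIN and not f & ACK:
            return "bad-tcp-flags"       # FIN/Xmas-style probes carry no ACK
    if pkt.frag_offset or pkt.more_frags:
        return "fragment"
    return None

class Modwall:
    """Drop illegal packets, log them, and block the source for a limited time."""
    def __init__(self, block_seconds=600):
        self.block_seconds = block_seconds
        self.blocked = {}   # src address -> time the temporary block expires
        self.log = []       # (time, src, reason) entries

    def handle(self, pkt, now):
        expires = self.blocked.get(pkt.src)
        if expires is not None and now < expires:
            return "DROP"                        # still inside the block window
        reason = illegal_reason(pkt)
        if reason is None:
            return "ACCEPT"
        self.log.append((now, pkt.src, reason))
        self.blocked[pkt.src] = now + self.block_seconds
        return "DROP"
```

`now` is passed in as a parameter so the block expiry can be exercised deterministically; a live filter would pass the current clock.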
IDS Plus Something
The "IDS plus something" classification for IPS products refers to those
vendors who have traditionally had strong IDS tools and have added active
functionality to stop the activity that generates an alert before it is delivered
on the network or executed on a host.
An IDS plus something style IPS would generally be referred to as a NIPS,
where blocking is done at the network level.
IntruShield
IntruShield is an example of a commercial IDS plus something style of NIPS.
In 2002, McAfee (McAfee was formerly named Network Associates) acquired
the IPS company Entercept for integration into its product line.
The Entercept product line merged with the IDS products previously available
from Network Associates to offer both NIPS appliances and a host-based IPS
suite of products to protect desktops and servers.
IntruShield is a chokepoint architecture that uses classic IDS signature and
anomaly techniques to identify attacks.
The standard product is shipped with a base rule set that can be customized.
You can enable or disable features to best meet the demands of your
network. A lot of work has been put into the IntruShield user interface, and it
is easy to switch between IDS (passive) mode and IPS (active) mode.
NFR Sentivist
A NIPS that is directly positioned against IntruShield is NFR's Sentivist
appliance. Intrusion prevention is designed and built with a focus on three
distinctive areas in this "IDS plus something" NIPS technology:
NFR detection engine
Fine-grained blocking
Resistance to self-inflicted DoS
HogWash and Snort-Inline
HogWash was originally developed by Jed Haile and was the first to use Snort
rules in a security gateway device.
This development effort seems to have stalled, and the work is being continued
by Snort-Inline.
Rob Mcmillen was the next to lead the effort, hosted at
http://snort-inline.sourceforge.net/.
With Snort 2.3, Snort-Inline became part of the Snort distribution.
Three new rule actions were added: drop (standard IPTables drop and log), sdrop
(silent drop, no logging), and reject, the noisiest action (drop, log, and forge a TCP
reset or "ICMP Port Unreachable" message, as appropriate).
LaBrea Technologies Sentry
Switch-Type NIPS
Another classification of NIPS is an intelligent switch that you plug your network
into.
This is probably the most effective of the NIPS products available on the
market place today, making the best use of firewalls, IDS tools, and
routers/switches, ideally in a single parallel-processing, high-performance,
low-latency device.
These switches have enough processing power to do more than just
enhance the performance of a network by preventing Ethernet collisions.
Expect to see antivirus, traffic-shaping, load-balancing, and intrusion
prevention in the network itself.
Of course, this next generation of switches that use massive arrays of
parallel ASICs to connect the internal and external segments of your
network together are going to be expensive. By using many of the
techniques employed by advanced NIDS tools, the NIPS device can identify
events on the network that are hostile.
Because of its position (inline with the traffic of your entire network), the
NIPS device can stop the hostile activity from ever being delivered to the
target system. This also strongly enhances anomaly detection and network
learning because all the traffic passes through the switch.
Protocol Scrubbing, Rate Limiting, and Policy Enforcement
A NIPS device can be used to clean garbage from the traffic stream, thus
reducing the overall network load.
Another feature of switch-type NIPS devices is the ability to use rate limiting
to apply Quality of Service (QoS) mechanisms to network traffic.
Because the NIPS device is already classifying traffic based on application,
administrators can use this functionality to enforce organizational policy to
drop traffic from unauthorized applications.
Environmental Anomaly Analysis
What is anomalous with a given application or protocol in one environment
may not be anomalous in the next environment.
One of the immediate benefits of this capability is the support of an active
change control program. NIDS and NIPS tools alike can detect a new
version of an operating system or application and raise an alert, or even
modify the rule set to take the new information into account.
This could help the operations administrators manage unauthorized change.
Obviously, you can only process so many alerts, so this would be managed
by the analyst or administrator to help determine where appropriate
thresholds should be set.
Because the NIPS device is simultaneously tracking connection state for
thousands or even millions of connections, it can take a "broad perspective"
view to detect anomalies that involve many connections across an entire
enterprise.
NIPS Challenges
In order for NIPS devices to be deployed as reliable, effective devices, they
must overcome several challenges:
1. Detection capabilities
2. Evasion resistance
3. Stable performance
4. High throughput
5. Low-latency, built-in security
6. The ability to passively determine operating systems and application versions
Security
The NIPS device must be secured against compromise because a
compromised NIPS would give an attacker the ability to establish a man-in-
the-middle attack against all the traffic entering or leaving the network.
This is typically performed by configuring the NIPS without IP or MAC
addresses on data interfaces, using a hardened operating system that
resists common attacks, and using a secured management interface that
strictly defines who is permitted to connect to and administer the system.
Attackers will seek opportunities to break NIPS, whether using denial of
service or to circumvent the protection the NIPS provides, so the NIPS
device must be able to withstand any direct attacks.
Passive Analysis
In order to help the NIPS identify false-positive traffic, vendors make use of
passive analysis techniques to identify host operating systems, network
architecture, and what vulnerabilities are present on the network.
Three of the most well-known standalone tools for this purpose are P0f
(available at http://www.stearns.org), RNA by SourceFire, and NeVO from
Tenable Security, and they should be available to some extent on every
NIPS.
The following figure provides a sample analysis using the NeVO system. Once this
information is gathered, the NIPS can use it to classify attacks against
internal systems based on their operating system and vulnerabilities.
Increased Security Intelligence in the Switch Products
Switch-based, "bump in the wire" NIPS is a fast-growing market segment,
and there is no way to predict what all the players will do. Current players
include TippingPoint, Enterasys, and Radware. All our efforts to get Cisco to share its
plans have failed; however, between the existing Cisco Security Agent, the
Network Admissions Program, and educational efforts to help network
administrators get more security out of their existing IOS products, it seems
certain Cisco will be a player.
A subset of these products includes the true NIPS devices, which are
categorized as wire-speed switches, have IPS capability, and, in general, are
based on parallel ASICs. These products include TippingPoint's UnityOne
IPS and TopLayer Attack Mitigator.
TippingPoint's UnityOne IPS
At the time of writing, TippingPoint's UnityOne IPS product was the overwhelming
market leader for a switch-type NIPS.
It offers an inline NIDS that provides multigigabit performance, low latency,
and multiple mechanisms to detect known and unknown attacks on the
network. In addition to providing IPS features, UnityOne provides the ability
to traffic-shape or rate-limit traffic for QoS measures.
It also provides policy enforcement by blocking applications that are
prohibited by your organization's acceptable-use policy (such as peer-to-
peer apps, web mail, or instant messaging).
When the UnityOne device identifies malicious activity or activities that violate
policy rules, the engine uses one of four available response mechanisms:
1. Monitor: The UnityOne device monitors the activity, generating a log for later
analysis.
2. Report: The UnityOne device simply reports the event without detailed logging
data.
3. Limit: The UnityOne device restricts the throughput or rate of the malicious
activity.
4. Block: The UnityOne device simply drops the traffic before it is delivered to the
destination.
TopLayer Attack Mitigator
In the days before true gigabit IDS, TopLayer gained fame as the solution
for high-bandwidth monitoring via load balancing.
Like TippingPoint's product, this is a very fast box with high availability, hot-
swappable components, parallel ASICs, and a price tag to match the
performance.
Attack Mitigator's roots are more from suppressing distributed denial of
service resource exhaustion and protocol anomaly attacks than a true IPS,
but it certainly has the chassis to build on and, like FireWall-1, is very good
at well-known, well-understood attacks.
TopLayer calls its inspection technology TopInspect.
Switch NIPS Deployment Recommendations
Deploying a NIPS solution is a major project. Start off with reporting-only
mode, study the false positives and negatives for your chosen solution
carefully, invest the time in creating a sustainable process for configuration
management, make sure Operations is a full partner in the process of NIPS
deployment, and remember that your NIDS is still a valuable source of
information.
Begin Budgeting Now
You will probably be strongly considering the next generation of switches with
security intelligence sometime in the next two years. This is going to be
expensive, so speak to your manager and see what can be done to plan for
this expense in a technology refresh cycle.
Review Products in Report-Only Mode
Before you start using a NIPS device to start blocking attacks on your network, run the
device in report-only mode. Use this information to identify what events the NIPS would
have dropped on your network, and what the impact would have been to the network.
Work with Vendors Identifying Test Procedures for False Positives and False
Negatives
Ask your vendor to detail its testing procedure for new rules and anomaly analysis
techniques. Ensure the vendor uses a combination of "live" and "attack" scenarios at
rates that are appropriate for your network environment before shipping you updates.
Ask your vendor what techniques it uses to eliminate false-positive traffic, and how it
exercises auditing to ensure it isn't missing attacks.
Be Wary of Absence of Auto-Update Mechanisms
One reason to consider the purchase of an expensive switch NIPS is worm management,
which makes being able to keep the device up to date with the latest signatures critical.
Be Wary of Auto-Update Mechanisms
Auto-update mechanisms ease the implementation and deployment of NIPS
products but can assert a new set of challenges on your organization. Ask your
vendor to support a mixed-reporting mechanism, where new rules are placed in
report-only mode for a specified amount of time. This way, the organization can take
advantage of existing functionality in the NIPS while the analyst has the ability to
identify false-positive alerts or performance burdens that affect throughput and
latency on the network.
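The two recommendations above (run the device in report-only mode first, and have new rules land in report-only mode for a set period) can be expressed as one small decision engine. This is an added example, not code from any vendor named on the page; the rule fields, packet summary format, grace period and sample rules are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    sid: int
    match: Callable[[dict], bool]   # predicate over a packet summary
    action: str                     # "block" or "report", as the analyst configured it
    installed_at: float             # time the update delivered this rule

class StagedNips:
    """Device-wide report-only mode plus a per-rule grace period for new rules."""
    def __init__(self, grace_seconds, report_only=False):
        self.grace_seconds = grace_seconds
        self.report_only = report_only   # whole device in report-only mode
        self.rules = []
        self.events = []                 # (time, sid, effective action, phase)

    def add_rule(self, rule):
        self.rules.append(rule)

    def decide(self, pkt, now):
        """Return "drop" or "forward" and record what each matching rule did."""
        verdict = "forward"
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            staged = now - rule.installed_at < self.grace_seconds
            if self.report_only or staged or rule.action != "block":
                effective = "report"
            else:
                effective = "drop"
            self.events.append((now, rule.sid, effective, "staged" if staged else "active"))
            if effective == "drop":
                verdict = "drop"
        return verdict

    def would_have_dropped(self):
        """Hits that blocking rules only reported, because of device mode or staging."""
        block_sids = {r.sid for r in self.rules if r.action == "block"}
        return [(t, sid) for t, sid, eff, _ in self.events
                if eff == "report" and sid in block_sids]

# Constructed sample: a month-old rule for a banned peer-to-peer port and a rule
# that arrived with today's signature update (the payload pattern is a placeholder).
DAY = 86400
def sample_device(now):
    dev = StagedNips(grace_seconds=DAY)
    dev.add_rule(Rule(1001, lambda p: p["dport"] == 6881, "block", now - 30 * DAY))
    dev.add_rule(Rule(2002, lambda p: b"bad-pattern" in p["payload"], "block", now - 3600))
    return dev
```

Reviewing `would_have_dropped()` over a staging period is the audit step before promoting a rule to blocking or switching the whole device out of report-only mode.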
Document a Change-Management Mechanism
Identify who should be responsible for managing updates to NIPS software,
and how often the software should be updated. Include information about how
the organization should react to updates based on new Internet threats, such
as a new worm or other exploitative threat. Having this policy in place before a
new threat emerges will define how well your organization will be able to
leverage NIPS technology.
Expect the NIPS to Be Blamed for All Problems
A new product like a NIPS is potentially invasive toward network operations.
At some point, someone in the organization is bound to experience a problem
and cast blame on the NIPS device. The best way to mitigate this problem is to
clearly document the use and functionality of the NIPS device and utilize the
logging features that come with the NIPS to identify traffic that is dropped,
shaped, or altered in any way.
Use a Combination of NIPS and NIDS Where Appropriate
NIDS investments don't go out the window after a NIPS device is deployed.
We can still leverage the technology of NIDS devices to aid in assessing
threats, baselining attack statistics, and troubleshooting network problems with
the addition of a NIPS device. After deploying a NIPS tool, many organizations
focus their NIDS tools to monitor internal networks, to aid in identifying attacks
that make it past the NIPS device, and to identify insider threats. We don't
expect NIDS technology to go away anytime soon; instead, we expect the
technology to continue to mature and add value to organizations that take full
advantage of the functionality available.