The Future of IPS


The desire to become proactive instead of reactive has prompted most of the major improvements in IPS technology over the last few years. For example, moving IPS devices inline into the data stream improves their ability to stop attacks before any damage can occur. The transition away from purely signature-based detection methods toward detection methods that can stop new and unknown attacks is another example. Refer to Chapter 1, "Intrusion Prevention Overview," for more information about the historical evolution of IPS.

As time goes on, IPS will likely reach a threshold where it is as proactive as it needs to be. At that time, IPS developers will have to find other ways to improve the technology. This section gives three examples of improvements that might be the future of IPS:

  • Intrinsic IPS

  • Collaboration between layers

  • Automatic configuration and response

Intrinsic IPS

Chapter 7, "Network Intrusion Prevention Overview," covers some of Network IPS' limitations. One of the limitations covered there is that a NIPS device cannot inspect traffic it doesn't see. For a NIPS to be effective, it must bridge or capture the traffic between the attacker and the victim. Host IPS has the same problem in that it cannot protect a device that it is not installed on (see Chapter 5, "Host Intrusion Prevention Overview"). Therefore, it is likely that in the future, IPS will transition away from a network or host add-on and become an intrinsic part of your network or endpoint.

In the case of Network IPS, this means that it will be built into every device that powers your network. Firewalls, routers, switches, and practically any other device through which network traffic passes will have the capability to inspect and act on that traffic. The only traffic that will escape inspection is that which passes directly from host to host with no intermediary.

On the host side, HIPS will run on a wider variety of operating systems and endpoints like IP phones, mobile phones, personal digital assistants (PDAs), and any other device that can connect to the network. It might be that product vendors will ship their products with built-in HIPS. Also, mechanisms that check for the presence of a HIPS before granting network access will become more foolproof and sophisticated.

Eventually, IPS might cease to exist as a standalone technology. If it's built into everything, it might become a standard feature rather than an add-on.

Collaboration Between Layers

Traditionally, each layer of protection operates separately from all of the others. A few exceptions exist, but for the most part, firewalls do not communicate with the NIPS, the NIPS does not talk to the HIPS, the HIPS does not interface with antivirus, and so on. Each layer has weaknesses for which other layers can compensate. In the future, the layers will collaborate, and the whole will be greater than the sum of the parts. This collaboration will result in

  • Enhanced accuracy

  • Better detection capability

  • Automated configuration and response

Enhanced Accuracy

In the near future, accuracy-enhancing interfaces between HIPS and NIPS will appear. When the NIPS sees a malicious event, the HIPS can corroborate it, and vice versa. For example, if an HTTP service attack is detected by a NIPS device, it can ask the HIPS running on the target whether a web service is running. If a web service is running, the attack is corroborated. If no web service is running, the attack is marked as a false alarm.

Another example would be the case where HIPS sees anomalous network activity on a host. The HIPS will consult with the NIPS to see if the activity is dangerous or benign. The NIPS can report back that the host from which the activity originated was recently identified as an attacker. The HIPS then knows that the anomalous activity is an actual attack and can respond appropriately.

Currently, CS-MARS is a Cisco product that can read syslogs, application logs, and IPS events and correlate them to help perform attack research and also mitigate and isolate attacks. You can find more information on the MARS product at http://www.cisco.com/go/mars. The result of MARS event correlation is fewer false-positive events from security devices and a much better understanding of what the various security event messages mean when viewed as a collective picture of the state of your network.

Better Detection Capability

An attack has a much harder time avoiding detection if all of the layers through which it has to pass share information with each other. Think of a suspicious-looking person passing through a series of manned checkpoints. If the checkpoints do not communicate, the guard at each stop might think the person looks "funny" but not have enough supporting evidence to take action. However, if the guards communicated, they would all agree that the person is suspicious-looking and should be stopped and questioned.

The same concept will be applied to computer security. In the future, each countermeasure will share information with all of the others. For example, a firewall, a NIPS, and a HIPS all detect suspicious, but potentially not dangerous, reconnaissance activity originating from a single host. They all report their findings to a single collection and correlation device. The device sees three similar reports and sends a message to all three devices indicating that a reconnaissance effort is underway and that the attacking host should be shunned.

The same function might take the form of a "tag" applied to network traffic as it passes through defensive layers. If a firewall detects traffic that is anomalous, it adds a "potentially dangerous" flag to the traffic. An IPS sees the flag and knows that the firewall considers the traffic strange. If the IPS also determines that the traffic is suspicious, it drops the traffic based on its own suspicion combined with the firewall's tag.
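The corroboration rules in the "Enhanced Accuracy" section (a NIPS alert is confirmed only if the HIPS reports the targeted service is actually present; a HIPS anomaly is confirmed if the NIPS has already flagged the source) and the collection-and-correlation device described just above (the same source reported by several independent layers is declared reconnaissance and shunned) can be sketched as a small correlator. The following is an added example written for this page, not code from the book or from any Cisco product. The event format, the host inventory, the three-layer threshold, and all IP addresses are constructed for illustration.

```python
"""Minimal cross-layer event correlator (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    layer: str   # which defensive layer reported: "firewall", "nips" or "hips"
    kind: str    # constructed event types: "http_attack", "anomaly", "recon"
    src: str     # source address of the suspicious traffic
    dst: str     # target host


class HostInventory:
    """Stand-in for what a HIPS agent could answer about its own host (constructed)."""

    def __init__(self, listening):
        self.listening = listening  # host -> set of service names it runs

    def runs_service(self, host, service):
        return service in self.listening.get(host, set())


class Correlator:
    def __init__(self, inventory, recon_threshold=3):
        self.inventory = inventory
        self.recon_threshold = recon_threshold       # distinct layers needed to shun
        self.known_attackers = set()                 # sources the NIPS has confirmed
        self.recon_reports = defaultdict(set)        # src -> layers that reported recon
        self.shunned = set()

    def corroborate_nips(self, ev):
        """NIPS reports an HTTP attack: ask the host whether a web service exists."""
        if self.inventory.runs_service(ev.dst, "http"):
            self.known_attackers.add(ev.src)
            return "confirmed"
        return "false_alarm"

    def corroborate_hips(self, ev):
        """HIPS sees an anomaly: it is an attack if the NIPS already flagged the source."""
        if ev.src in self.known_attackers:
            return "confirmed"
        return "benign_or_unknown"

    def collect_recon(self, ev):
        """Collector: recon from one source seen by enough distinct layers -> shun."""
        self.recon_reports[ev.src].add(ev.layer)
        if len(self.recon_reports[ev.src]) >= self.recon_threshold:
            self.shunned.add(ev.src)
            return "shun"
        return "watch"

    def handle(self, ev):
        if ev.layer == "nips" and ev.kind == "http_attack":
            return self.corroborate_nips(ev)
        if ev.layer == "hips" and ev.kind == "anomaly":
            return self.corroborate_hips(ev)
        if ev.kind == "recon":
            return self.collect_recon(ev)
        return "ignored"


def run_demo():
    """Feed a constructed event stream through the correlator; returns verdicts and state."""
    inventory = HostInventory({
        "10.0.0.10": {"http", "ssh"},   # web server
        "10.0.0.20": {"ssh"},           # no web service
    })
    c = Correlator(inventory)
    events = [
        Event("nips", "http_attack", "203.0.113.5", "10.0.0.20"),  # no web server: false alarm
        Event("nips", "http_attack", "203.0.113.5", "10.0.0.10"),  # web server present: confirmed
        Event("hips", "anomaly", "203.0.113.5", "10.0.0.10"),      # source already known: confirmed
        Event("hips", "anomaly", "198.51.100.7", "10.0.0.10"),     # unknown source: no corroboration
        Event("firewall", "recon", "198.51.100.7", "10.0.0.10"),   # layer 1 of 3
        Event("nips", "recon", "198.51.100.7", "10.0.0.10"),       # layer 2 of 3
        Event("nips", "recon", "198.51.100.7", "10.0.0.20"),       # same layer again: still 2
        Event("hips", "recon", "198.51.100.7", "10.0.0.10"),       # layer 3 of 3: shun
    ]
    return [c.handle(e) for e in events], c


if __name__ == "__main__":
    verdicts, correlator = run_demo()
    for ev_verdict in verdicts:
        print(ev_verdict)
    print("shunned:", sorted(correlator.shunned))
```

Counting distinct layers rather than raw report counts is the point of the collector: two reports from the same NIPS carry no more corroboration than one, whereas agreement between independent layers is what the checkpoint analogy above relies on.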

Automated Configuration and Response

In the future, security countermeasures will be able to take collaborative, rather than individual, action during an incident. As it stands, when an IPS detects an attack it takes action according to its configuration settings. Moving forward, when the IPS detects an attack originating from an internal host, it can take its usual action and also configure the network to contain the attack. Routers, switches, and firewalls will be reconfigured by the IPS to make sure the attack cannot propagate throughout the network.

HIPS and NIPS can also work together to configure each other. For example, if a HIPS sees an attack against a protected host, it can notify the NIPS. The NIPS can take that notification and reconfigure itself to take more stringent action against traffic from the attacker. Furthermore, if IPS functionality is integrated into many different devices on the network (such as firewalls and routers), all of these devices can participate collaboratively to maintain a strong security posture on your network.


Intrusion Prevention Fundamentals
ISBN: 1587052393