Intrusion Prevention Fundamentals - page 41


Summary

In this chapter, you learned that HIPS products have management infrastructure and agent components. HIPS agents act like security guards and decide whether to allow or deny a person access to a building resource. The guards use an access control process to make that decision: they identify the resource the person attempts to access, gather data about the operation, determine the state of the system, consult the security policy, and finally take action.

HIPS products tackle each phase of the access control process differently. This chapter examined the different approaches in detail. Real HIPS products were used as examples in some cases.

In the first phase of the access control process, the agent identifies the resource being accessed. Commonly identified resources include the following:

  • Network

  • Memory

  • Application execution

  • Files

  • System configuration

The next phase is the data gathering phase. HIPS products gather data using one or more of the following methods:

  • Kernel modification

  • System call interception

  • Virtual OSs

  • Network traffic analysis

HIPS products also determine the state of the system. States in common use include the following:

  • Location state

  • User state

  • System state

The data that was gathered about the resource access attempt and system state is compared to one or more of the following policy types:

  • Anomaly-based

  • Atomic rule-based

  • Pattern-based

  • Behavioral

  • Access control matrix

The access control process concludes when the HIPS takes action based on the results of the access attempt to policy comparison.

This chapter also addressed the management center and interface components of the management infrastructure. The management center portion was divided into database, event and alert handling, and policy management components. The properties and approaches to each component were discussed. Lastly, the various types of management interface client and management interface security considerations were addressed.



Part III: Network Intrusion Prevention

Chapter 7 Network Intrusion Prevention Overview

Chapter 8 NIPS Components



Chapter 7. Network Intrusion Prevention Overview

Network Intrusion Prevention provides a proactive component that integrates effectively into your overall network security framework. Combining Network Intrusion Prevention with other security components, such as a Host Intrusion Prevention System (HIPS), an Intrusion Detection System (IDS), and perimeter firewalls, provides a robust defense-in-depth network security solution.

An Intrusion Prevention System (IPS) provides a powerful addition to your overall network security solution, but it also has its limitations. This chapter focuses on the following topics:

  • Network Intrusion Prevention capabilities

  • Network Intrusion Prevention benefits

  • Network Intrusion Prevention limitations

  • Hybrid IPS/IDS systems

  • Shared IDS/IPS capabilities



Network Intrusion Prevention Capabilities

Intrusion Prevention technology enables you to stop intrusion traffic before it enters your network by placing the sensor as a Layer 2 (Ethernet layer) forwarding device in the network. This sensor has two interfaces connected to your network (see Figure 7-1). Any traffic that passes through the sensor can then be examined by the sensor's Intrusion Prevention software.

Figure 7-1. Intrusion Prevention Sensor Deployment


Forwarding Device

A switch is a common forwarding device on a network. It receives traffic on one of its ports and then passes that traffic to another one of its ports. Unlike routing at Layer 3, which rewrites the Ethernet header at each hop, Layer 2 forwarding simply passes the frame to the destination system without modification.


The main differentiator between an IDS and an IPS is the ability of an IPS to drop (or modify) traffic it receives on one of its interfaces, preventing the original traffic from reaching its destination. For efficiency, dropping traffic is usually divided into the following categories:

  • Dropping a single packet

  • Dropping all packets for a connection

  • Dropping all traffic from a source IP

Dropping a Single Packet

The simplest form of Intrusion Prevention involves identifying a suspicious packet and dropping it. The bad packet does not reach the target system, so your network is protected; however, the attacker can repeatedly send the bad packets. For each packet, the IPS needs to analyze the network packets and determine whether to pass or drop the traffic, consuming resources on your IPS device.

Dropping All Packets for a Connection

Instead of dropping a single packet, your IPS can drop all traffic for a specific connection for a configured period of time. In this situation, when a suspicious packet is detected, it is dropped along with all subsequent packets that belong to the same connection. The connection is usually defined as traffic that matches the following parameters:

  • Source IP address

  • Destination IP address

  • Destination port

  • Source port (optional)

The advantage of the connection drop is that subsequent packets matching the connection can be dropped automatically without analysis. The drawback, however, is that an attacker can still send traffic that does not match the connection being dropped (for example, attacking another service or system on your network).

Dropping All Traffic from a Source IP

The final dropping mechanism is to drop all the traffic originating from a specific source IP address. In this situation, when the suspicious packet is detected, it is dropped, along with all traffic from the corresponding source IP address for a configured period of time. Because all traffic from the attacking host can be dropped with minimal examination, your IPS device uses very few resources. The main drawbacks are that an attacker can spoof the source address and pretend to be an important system, such as a business partner, so that the legitimate system's traffic is blocked, or that the initial signature is a false positive and valid traffic is denied access to your network.
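To make the three drop scopes concrete, here is an added example of inline IPS verdict logic (written for this page, not code from the book or any product). It assumes a constructed Packet model, a placeholder signature that looks for the string BAD-PATTERN, and the connection definition from the list above (source IP, destination IP, destination port, optionally source port); it shows that connection and source-IP blocks skip analysis for later packets, that a connection block still lets the same host reach another service, and that a source-IP block also hits a spoofed or false-positive address.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed packet model (not from the book): only the header fields the chapter uses.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port: int
    payload: bytes

def placeholder_signature(p: Packet) -> bool:
    """Stand-in for a real signature engine: flags a constructed marker string."""
    return b"BAD-PATTERN" in p.payload

class InlineIps:
    """Verdict logic for the three drop scopes: 'packet', 'connection' or 'source'."""

    def __init__(self, is_suspicious: Callable[[Packet], bool], mode: str,
                 block_seconds: int = 60, match_src_port: bool = False):
        self.is_suspicious = is_suspicious
        self.mode = mode
        self.block_seconds = block_seconds      # configured block duration
        self.match_src_port = match_src_port    # source port is optional in the connection key
        self.blocks: Dict[Tuple, float] = {}    # block key -> expiry time
        self.analyzed = 0                       # packets that needed full inspection

    def _key(self, p: Packet) -> Tuple:
        if self.mode == "source":
            return ("src", p.src_ip)
        key = ("conn", p.src_ip, p.dst_ip, p.dst_port)
        return key + (p.src_port,) if self.match_src_port else key

    def verdict(self, p: Packet, now: float) -> str:
        key = self._key(p)
        expiry = self.blocks.get(key)
        if expiry is not None:
            if now < expiry:
                return "drop"           # active block: dropped with no analysis
            del self.blocks[key]        # block period elapsed, inspect again
        self.analyzed += 1              # full inspection costs sensor resources
        if not self.is_suspicious(p):
            return "pass"
        if self.mode != "packet":       # packet mode blocks nothing beyond this packet
            self.blocks[key] = now + self.block_seconds
        return "drop"
```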