Hybrid IPSIDS Systems

Hybrid IPS/IDS Systems

Deploying separate IDS and IPS devices is cumbersome. Protecting your network using hybrid IPS devices, though, enables you to obtain the benefits of both technologies from a single device because IDS and IPS are complimentary technologies.

Using the ongoing network configuration, a hybrid IPS device can provide the IPS protection to prevent an attack coming from or going to the Internet (see Figure7-5). Using IDS functionality, the same device also can watch for attacks going between two internal systems.

Figure 7-5. Hybrid IPS Device Providing IPS Protection

Shared IDS/IPS Capabilities

Although Intrusion Prevention provides some unique capabilities, you should also understand the capabilities shared by IDS and IPS systems, because these two technologies usually are deployed in unison. The combined IDS/IPS capabilities include the following:

  • Generating alerts

  • Initiating IP logging

  • Resetting TCP connections

  • Initiating IP blocking

Each of these items is examined in detail in the following sections.

Generating Alerts

You need to be able to monitor when your network is under attack. Your IDS or IPS should be able to generate alerts to indicate that an attack has been launched against your network even if the intrusion software prevented that attack from succeeding. These alerts enable you to correlate activity on your network between security devices such as IPS and IDS sensors, as well as other infrastructure equipment.

Initiating IP Logging

Sometimes, you want to record the traffic a potential attacker is sending against your network. By analyzing this captured information, you can gain insight into what the attacker is trying to do against your network. Other times, you might want to log traffic that is violating your defined security policy. By seeing which traffic violates the security policy, you can determine what the impact is if you decide to make the security policy mandatory by actively stopping offending traffic.

IP logging refers to the ability to capture the traffic traversing your network. It can be initiated either manually or automatically in conjunction with defined signatures. Most intrusion systems provide IP logging functionality that falls into several categories, such as the following:

  • Logging attacker traffic

  • Logging victim traffic

  • Logging traffic between attacker and victim

The benefits and limitations of these logging options are explained in the following sections.

Logging Attacker Traffic

The most logical logging option is logging traffic from an attacking system. In this situation, you want to monitor all the traffic originating from a specific source IP address. The benefit of logging all of the packets for a specific source IP address is you can examine all of the traffic attackers are launching against your network, not just the traffic to the specific system that initially initiated the logging. The drawback is that logging all the packets from attackers might make analysis more complicated. It also requires more memory or hard drive space to store the information, especially if the attackers are generating a lot of traffic, some of it invalid trying to hide the real attack traffic. Logging traffic from a single host also assumes that the attackers are using a single address from which to launch their attack.

Logging Victim Traffic

Instead of logging the attacker's traffic, you can log the traffic going to a specific target or victim system. In this situation, you focus on all traffic going to the target system, regardless of the source IP address. The advantage of this approach is if the attackers are coming from multiple source IP addresses, you capture all the traffic being sent to the victim machine, not just the traffic from the initial source IP address that initiated the logging. The drawback is, again, the amount of traffic you might capture. If the target system is a large server, you might capture a large amount of information, making it difficult to distinguish attack traffic from normal user traffic.

Logging Traffic Between Attacker and Victim

Another logging option most systems include is the ability to capture all the traffic being sent between two specific systems. This limits the information captured to only the traffic being sent from the attacking system to the victim system and traffic being sent from the victim system to the attacking system. The advantage of this approach is the traffic logged is limited to the IP addresses of the traffic that initially triggered the logging action. The drawback is your captured information provides a limited view of the traffic being sent to the victim as well as a limited view of the traffic being sent from the attackers to your network.

Resetting TCP Connections

One of the original responses incorporated into IDS solutions was the ability to reset a TCP connection, sending a packet with the RST flag set to both systems involved in a TCP connection. By resetting the TCP connection, the attackers lose their TCP session to the victim system. At that point, the attackers need to establish another TCP session to the victim system to continue the attack. This response is particularly effective if the connection is reset before the attackers complete the entire attack, because the attack is never allowed to complete. The drawback is if the attack is already complete by the time the connection is reset, the attackers might have access to the system via a mechanism that is not detected by your security devices, such as a back door opened by the attack. Furthermore, this action is limited to attacks that use TCP-based protocols.

Initiating IP Blocking

IPS devices have the capability to stop traffic before it reaches the target system. IDS devices, on the other hand, passively monitor network traffic by analyzing a copy of the actual traffic. To enable IDS devices to block traffic from attacking systems, they utilize existing infrastructure devices to deploy access control lists (ACLs) on the network. Blocking traffic in this fashion, however, is reactive in that the initial attack traffic has already been sent to the victim system before IP blocking is initiated. If this initial attack traffic succeeds in creating a back door on the victim system, the attackers can easily access this back door undetected from any system. It might not necessarily be the same system used to launch the attack.

An intrusion system usually provides the following IP blocking options:

  • Block a specific connection

  • Block a specific attacking system

When you are using both of these blocking options, your IPS device needs to know when to remove the blocking action. Automatic blocking actions are performed only for a configured length of time. When the time period expires, your IPS removes the block and traffic from the blocked host is again allowed into the network. IP blocking is not meant to permanently prevent a system from accessing your network. The blocking action simply gives you time to analyze the situation and take the appropriate action to protect your network.

Automatic Blocking

Automatic blocking refers to blocking actions that are initiated in response to the triggering of an IPS signature. Most IPSs also enable you to manually initiate blocking actions. With manual blocking actions, your security operator applies a manual block after analyzing the situation and determining that a specific system (or systems) should be blocked from the network.

One of the downsides of IP blocking is IP spoofing. When using IP blocking, you need to make sure that an attacker cannot use your IP blocking response to deny traffic from valid systems. User Datagram Protocol (UDP) traffic, for example, is connectionless. Many UDP messages are one-way and do not elicit a reply from the destination system. If you configure a UDP-based signature to initiate IP blocking, an attacker using IP spoofing can pretend to be another system. Then, when your IDS blocks the address detected, it is actually blocking traffic from a valid system, maybe one of your business partners.

IP Spoofing

Sending packets with another system's source IP address is known as IP spoofing. Connectionless protocols, such as UDP and the Address Resolution Protocol (ARP), are especially prone to spoofing attacks. By filtering the traffic entering your network (using ACLs and unicast reverse path filtering [uRPF]), you can prevent an external attacker from spoofing traffic that appears to come from systems on your internal network. On some Cisco switches, you can also utilize Layer 2 protections, such as port security and IP source guard, to prevent spoofing at the switch port itself.

Address Resolution Protocol

On Ethernet networks, data is sent between hosts using Ethernet frames. Hosts tend to send data based on IP addresses. Therefore, a mechanism is needed to translate IP addresses to physical Ethernet addresses. The ARP handles this conversion. ARP provides only the address for the next hop that the packet needs to go through. An IP packet might have to go through several hops before it reaches its final destination. The final destination is determined by the destination IP address of the packet. The designers of ARP did not even consider security during its development, and it is highly susceptible to spoofing attacks; however, attacks are limited to systems with access to the local Layer 2 segment. For more information on ARP, refer to RFC 826, "An Ethernet Address Resolution Protocol."

Numerous programs enable attackers to create packets from any source IP address that they choose. When attackers identify traffic that initiates an IP blocking response, they can then attempt to generate spoofed traffic from a legitimate IP addressyour business partners, for exampleto see if they can block valid systems from accessing your network.