Hybrid IPS/IDS Systems
Deploying separate IDS and IPS devices is cumbersome. Because IDS and IPS are complementary technologies, protecting your network with a hybrid IPS device gives you the benefits of both from a single device.
Using the network configuration shown in Figure 7-5, a hybrid IPS device can provide inline IPS protection to stop an attack coming from or going to the Internet. Using its IDS functionality, the same device can also watch for attacks passing between two internal systems.
Figure 7-5. Hybrid IPS Device Providing IPS Protection
Shared IDS/IPS Capabilities
Although intrusion prevention provides some unique capabilities, you should also understand the capabilities shared by IDS and IPS systems, because the two technologies usually are deployed together. The combined IDS/IPS capabilities include the following:
- Generating alerts
- Initiating IP logging
- Resetting TCP connections
- Initiating IP blocking
Each of these items is examined in detail in the following sections.
Generating Alerts
You need to know when your network is under attack. Your IDS or IPS should generate an alert whenever it detects an attack launched against your network, even if the intrusion software prevented that attack from succeeding. These alerts let you correlate activity across your security devices, such as IPS and IDS sensors, and your other infrastructure equipment.
Initiating IP Logging
Sometimes you want to record the traffic a potential attacker is sending against your network. By analyzing this captured information, you can gain insight into what the attacker is trying to do. Other times you might want to log traffic that violates your defined security policy. By seeing which traffic violates the policy, you can judge the impact before you decide to enforce the policy by actively dropping the offending traffic.
IP logging refers to the ability to capture the traffic traversing your network. It can be initiated either manually or automatically when a defined signature fires. Most intrusion systems provide IP logging functionality that falls into several categories, such as the following:
- Logging attacker traffic
- Logging victim traffic
- Logging traffic between attacker and victim
The benefits and limitations of these logging options are explained in the following sections.
Logging Attacker Traffic
The most logical logging option is to log traffic from the attacking system. In this situation, you monitor all the traffic originating from a specific source IP address. The benefit of logging every packet from that source is that you can examine all of the traffic the attackers launch against your network, not just the traffic to the specific system whose signature match initiated the logging. The drawback is that logging every packet from the attackers can make analysis more complicated. It also requires more memory or disk space to store the information, especially if the attackers generate a lot of traffic, some of it decoy traffic meant to hide the real attack. Logging traffic from a single host also assumes that the attackers use a single address to launch their attack.
Logging Victim Traffic
Instead of logging the attacker's traffic, you can log the traffic going to a specific target or victim system. In this situation, you focus on all traffic sent to the target, regardless of the source IP address. The advantage is that if the attackers come from multiple source IP addresses, you capture all the traffic sent to the victim machine, not just the traffic from the initial source IP address that triggered the logging. The drawback is, again, the amount of traffic you might capture. If the target is a busy server, you might capture a large amount of information, making it difficult to distinguish attack traffic from normal user traffic.
Logging Traffic Between Attacker and Victim
Another logging option most systems include is the ability to capture all the traffic sent between two specific systems. This limits the capture to traffic sent from the attacking system to the victim system and from the victim system back to the attacking system. The advantage is that the logged traffic is confined to the pair of IP addresses that triggered the logging action, so the capture stays small and focused. The drawback is that it gives you only a limited view of the traffic other sources send to the victim, and of the traffic the attackers send to the rest of your network.
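The three logging scopes above differ only in which packets they keep once a signature has started the capture. The following added example (not code from the original text or from any vendor's sensor) simulates all three over a constructed packet stream: attacker A matches a hypothetical directory-traversal signature against a web server, A also probes a mail host, a second attacker B hits the same web server, and a legitimate user fetches a page. The signature string, the addresses, the packets and the byte budget are all constructed for illustration.

```python
"""Simulate the three IP-logging scopes (attacker, victim, attacker/victim pair)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport payload")

# Constructed sample traffic (not captured data). Attacker A probes the web server
# and then a mail host, attacker B also probes the web server, and a legitimate
# user fetches a page. Addresses are taken from documentation ranges.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.80", "tcp", 80, b"GET /cgi-bin/../../etc/passwd"),  # A -> web, matches signature
    Packet("192.0.2.80", "203.0.113.10", "tcp", 80, b"HTTP/1.1 403"),                    # web -> A
    Packet("203.0.113.10", "192.0.2.25", "tcp", 25, b"EHLO probe"),                      # A -> mail host
    Packet("203.0.113.11", "192.0.2.80", "tcp", 80, b"GET /cgi-bin/../../etc/shadow"),  # B -> web
    Packet("198.51.100.7", "192.0.2.80", "tcp", 80, b"GET /index.html"),                # legitimate user -> web
]

SIGNATURE = b"../.."  # hypothetical directory-traversal signature that initiates logging


def find_trigger(packets):
    """Index of the first packet matching the signature, or None."""
    for i, p in enumerate(packets):
        if SIGNATURE in p.payload:
            return i
    return None


def in_scope(p, mode, attacker, victim):
    """Does packet p fall within the logging scope chosen for this trigger?"""
    if mode == "attacker":   # everything the attacking address sends, to any host
        return p.src == attacker
    if mode == "victim":     # everything sent to the victim, from any address
        return p.dst == victim
    if mode == "pair":       # only the two-way conversation between the pair
        return {p.src, p.dst} == {attacker, victim}
    raise ValueError("unknown logging mode: %r" % mode)


def capture(packets, mode, max_bytes=10_000):
    """Start logging at the triggering packet and keep in-scope packets until the
    byte budget is exhausted. Returns the list of logged packets."""
    start = find_trigger(packets)
    if start is None:
        return []
    attacker, victim = packets[start].src, packets[start].dst
    logged, used = [], 0
    for p in packets[start:]:
        if not in_scope(p, mode, attacker, victim):
            continue
        used += len(p.payload)
        if used > max_bytes:          # storage limit reached: stop rather than drop silently
            break
        logged.append(p)
    return logged


if __name__ == "__main__":
    for mode in ("attacker", "victim", "pair"):
        print(mode, [(p.src, p.dst) for p in capture(SAMPLE, mode)])
```

Running it shows the trade-offs the text describes: attacker scope records A's probe of the mail host but misses attacker B entirely; victim scope catches B but also sweeps in the legitimate user's request; pair scope keeps only the two-way exchange between A and the web server.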
Resetting TCP Connections
One of the original responses built into IDS solutions is the ability to reset a TCP connection by sending a packet with the RST flag set to both systems involved in the connection. By resetting the connection, the attackers lose their TCP session to the victim system and must establish a new session to continue the attack. This response is particularly effective if the connection is reset before the attackers complete the entire attack, because the attack is never allowed to finish. The drawback is that if the attack has already completed by the time the connection is reset, the attackers might have access to the system through a mechanism your security devices do not detect, such as a back door opened by the attack. A reset is also honored only if it carries the sequence number the receiving host expects, so the sensor must track the connection closely. Furthermore, this action is limited to attacks that use TCP-based protocols.
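The mechanics of the reset response are easy to get wrong: each RST must carry a sequence number the receiving host expects, or the host ignores it. The following added example (not code from the original text or from any sensor product) builds the pair of RST segments a sensor would send for an observed TCP segment, one to the server spoofing the client and one to the client spoofing the server, with valid IP and TCP checksums, and parses them back to verify. The observed segment values are constructed; the code builds the bytes but does not transmit them, since sending requires a raw socket and the appropriate privileges.

```python
"""Build the two RST segments an IDS sends to tear down an observed TCP connection."""
import socket
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


@dataclass
class Segment:
    """Fields the sensor recorded from the segment that triggered the response."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int


def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; 0 when run over data that includes a valid checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_rst(src, dst, sport, dport, seq, ident=0):
    """Raw IPv4+TCP bytes of a 40-byte RST segment with valid checksums."""
    sa, da = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header: data offset 5 words, flags=RST, no ACK, window/urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, 0, 5 << 4, TCP_RST, 0, 0, 0)
    pseudo = sa + da + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, 64, socket.IPPROTO_TCP, 0, sa, da)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + tcp


def reset_pair(seg: Segment):
    """RST to the server (impersonating the client) and RST to the client (impersonating the server).

    The server next expects seg.seq plus the payload length (SYN and FIN each consume one
    sequence number); the client next expects whatever seg.ack acknowledged.
    """
    consumed = seg.payload_len + bool(seg.flags & TCP_SYN) + bool(seg.flags & TCP_FIN)
    to_server = build_rst(seg.src, seg.dst, seg.sport, seg.dport, seg.seq + consumed)
    to_client = build_rst(seg.dst, seg.src, seg.dport, seg.sport, seg.ack)
    return to_server, to_client


def parse(raw: bytes) -> dict:
    """Decode a built segment and report whether both checksums verify."""
    _, _, _, _, _, _, _, _, sa, da = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    sport, dport, seq, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[20:40])
    pseudo = sa + da + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(raw) - 20)
    return {
        "src": socket.inet_ntoa(sa), "dst": socket.inet_ntoa(da),
        "sport": sport, "dport": dport, "seq": seq, "flags": flags,
        "ip_csum_ok": _csum(raw[:20]) == 0,
        "tcp_csum_ok": _csum(pseudo + raw[20:]) == 0,
    }


if __name__ == "__main__":
    # Constructed observed segment: client 203.0.113.10:40000 -> server 192.0.2.80:80, PSH|ACK, 100 bytes
    seen = Segment("203.0.113.10", "192.0.2.80", 40000, 80, seq=1000, ack=5000, flags=0x18, payload_len=100)
    for name, raw in zip(("to_server", "to_client"), reset_pair(seen)):
        print(name, parse(raw))
```

Because an exact sequence match is required, a sensor that has lost track of a connection (for example, one that missed segments under load) will emit resets the endpoints silently discard; the attack then continues as if no response had been taken.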
Initiating IP Blocking
IPS devices can stop traffic before it reaches the target system. IDS devices, on the other hand, passively monitor network traffic by analyzing a copy of it. To block traffic from attacking systems, an IDS relies on existing infrastructure devices, pushing access control lists (ACLs) to routers or firewalls on the network. Blocking traffic in this fashion is reactive: the initial attack traffic has already reached the victim system before the block is installed. If that initial traffic succeeds in creating a back door on the victim system, the attackers can access the back door undetected from any system, not necessarily the one used to launch the attack.
An intrusion system usually provides the following IP blocking options:
When you use either of these blocking options, your IPS device needs to know when to remove the block. Automatic blocking actions are applied only for a configured length of time. When that period expires, your IPS removes the block and traffic from the blocked host is again allowed into the network. IP blocking is not meant to permanently prevent a system from accessing your network. The block simply gives you time to analyze the situation and take the appropriate action to protect your network.
One of the downsides of IP blocking is that it is vulnerable to IP spoofing. When using IP blocking, you need to make sure an attacker cannot turn your blocking response into a way to deny traffic from valid systems. User Datagram Protocol (UDP) traffic, for example, is connectionless. Many UDP messages are one-way and never elicit a reply from the destination system, so nothing verifies that the source address is genuine. If you configure a UDP-based signature to initiate IP blocking, an attacker can spoof the source address of another system. When your IDS then blocks the address it detected, it is actually blocking traffic from a valid system, maybe one of your business partners.
Numerous programs let attackers craft packets from any source IP address they choose. When attackers identify traffic that triggers an IP blocking response, they can generate spoofed copies of it from a legitimate IP address (one of your business partners, for example) to see whether they can block valid systems from accessing your network.
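The two safeguards the text calls for, a block that expires after a configured time and protection against spoofed triggers, are shown together in this added example (not code from the original text or from any sensor product). It refuses automatic blocks for addresses on a never-block list and for triggers whose source address was never verified (one-way UDP, or TCP before the handshake completes, since a completed three-way handshake proves the peer can receive traffic at that address), and it renders the resulting entries in IOS-style ACL syntax purely for illustration. The partner network, server network, block duration and the constructed requests are all assumptions.

```python
"""Time-limited IP blocking with spoofing safeguards."""
import ipaddress
import time

# Constructed examples: a business partner's range and our own server network.
# Neither may ever be blocked automatically.
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("192.0.2.0/24")]
BLOCK_SECONDS = 30 * 60   # assumed duration: blocks buy analysis time, they are not permanent


class Blocker:
    def __init__(self, clock=time.monotonic):
        self.clock = clock    # injectable so expiry can be tested without waiting
        self.blocks = {}      # ip_address -> expiry timestamp

    def request_block(self, ip, proto, handshake_seen):
        """Install a time-limited block for ip, or return the reason it was refused."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_BLOCK):
            return "refused: %s is on the never-block list" % addr
        if proto != "tcp" or not handshake_seen:
            # A one-way UDP datagram or a lone TCP SYN can carry any source address.
            # Blocking on it lets a spoofer deny service to whoever they impersonate.
            return "refused: source of %s traffic from %s is unverified" % (proto, addr)
        self.blocks[addr] = self.clock() + BLOCK_SECONDS
        return None

    def expire(self):
        """Drop blocks whose configured lifetime has elapsed."""
        now = self.clock()
        for addr in [a for a, exp in self.blocks.items() if exp <= now]:
            del self.blocks[addr]

    def is_blocked(self, ip):
        self.expire()
        return ipaddress.ip_address(ip) in self.blocks

    def acl(self):
        """Entries the sensor would push to an edge router (IOS-style syntax, for illustration)."""
        self.expire()
        return ["deny ip host %s any" % a for a in sorted(self.blocks)] + ["permit ip any any"]


if __name__ == "__main__":
    b = Blocker()
    # Constructed requests: a verified TCP attacker, a spoofable UDP trigger, a partner address
    print(b.request_block("203.0.113.10", "tcp", handshake_seen=True))
    print(b.request_block("203.0.113.99", "udp", handshake_seen=False))
    print(b.request_block("198.51.100.7", "udp", handshake_seen=False))
    print(b.acl())
```

A signature that fires on one-way UDP or on a bare SYN is still worth an alert; it is only the automatic block that should be withheld until an analyst confirms the source, which is exactly the window the expiring block is designed to give.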