Responding to Network Traffic


After they identify potentially malicious activity or security policy violations, your IPS sensors perform specific configured actions. These actions are usually configured on a per-signature basis and fall into the following categories:

  • Alerting actions

  • Logging actions

  • Blocking actions

  • Dropping actions

Alerting Actions

Alerts or alarms indicate that your IPS sensor has detected traffic that is either suspicious or violates your security policy. These alerts are informative, but by themselves they do not prevent the observed traffic from traversing your network. A good analogy is the burglar alarm used by many businesses, which emits a loud noise when it is activated (or sends an alert to a security company). The alarm itself does not prevent the burglar from stealing items from the business; the auditory alarm simply indicates that something suspicious is happening.

Alerts can be transmitted to a monitoring application that is specifically designed to monitor the operation of your IPS sensors. Many systems also enable you to transmit alerts using SNMP traps.

Logging Actions

Logging actions involve your IPS sensors maintaining a record of the traffic that is observed from an attacker after a specific signature triggers. For example, you might configure a specific signature to cause the IPS sensor to capture traffic from an attacking system whenever certain traffic is observed on the network. Logging is similar to using video cameras to visually record what is happening at your business. Like alert actions, logging actions do not prevent the attacker from attacking your network, but they do enable you to capture evidence of what the attacker is doing. This information might be helpful if you decide to prosecute the attacker who gained access to your network. It can also be used to determine whether an alert is a false positive, especially if your intrusion device logs the initial traffic that triggered the signature.

Blocking Actions

Blocking actions involve access control lists (ACLs) that block traffic coming into your network. Your IPS sensors do not directly perform the actual blocking of network traffic. Instead, your IPS sensors communicate with infrastructure devices on your network to establish the appropriate ACLs. These ACLs are applied for a configured amount of time, and then your IPS sensors communicate with the infrastructure devices to remove them.

Blocking actions originated with the original Intrusion Detection Systems (IDSs), which passively examined network traffic in search of intrusive activity and therefore could not discard packets themselves. Instructing an infrastructure device to block traffic gave the IDS a way to react to attacks, because it prevents further traffic from an attacker for a specific period of time.

The drawback to blocking actions is that the initial traffic (sent before the ACL is applied) still reaches the target system. If that initial traffic successfully exploits a vulnerability in the target system, the attacker can continue to use this opening after the ACL is removed, or from a second system that has another IP address that is not being blocked.

Dropping Actions

With the addition of intrusion prevention, the ability to drop packets became an available action. This dropping action can successfully stop the initial traffic involved in an attack, which enables your intrusion system to truly prevent the attack traffic from reaching the target system.
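The following is an added illustration, not code from the book or from any vendor's IPS: a toy sensor that applies the four action categories described above (alert, log, block, drop) to a constructed packet stream. The signature name, IP addresses, payloads, and the `Packet`, `Signature`, and `ToySensor` names are all assumptions made for the example. Running the same stream under different action sets shows the points the text makes: alerting and logging let everything through, a blocking action lets the initial triggering packet reach the target and does not stop a second source or traffic sent after the ACL expires, and an inline drop stops the triggering packet itself.

```python
"""Toy IPS action simulator (added example, not from the book)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds (constructed)
    src: str        # source IP address (constructed, documentation ranges)
    dst: str        # destination IP address (constructed)
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: bytes          # byte pattern that triggers the signature
    actions: frozenset      # subset of {"alert", "log", "block", "drop"}
    block_seconds: float = 60.0   # how long a blocking ACL stays in place


class ToySensor:
    """Applies per-signature actions to packets in arrival order."""

    def __init__(self, sigs):
        self.sigs = sigs
        self.alerts = []      # (time, signature name, source) tuples
        self.logged = []      # packets captured as evidence
        self.acl = {}         # source IP -> time at which its block expires
        self.delivered = []   # packets that reached the destination

    def _expire_acls(self, now):
        # The sensor asks the infrastructure device to remove expired ACLs.
        for src, expiry in list(self.acl.items()):
            if now >= expiry:
                del self.acl[src]

    def process(self, pkt):
        self._expire_acls(pkt.t)
        if pkt.src in self.acl:
            return "blocked-by-acl"      # dropped by the router/firewall ACL
        forward = True
        for sig in self.sigs:
            if sig.pattern in pkt.payload:
                if "alert" in sig.actions:
                    self.alerts.append((pkt.t, sig.name, pkt.src))
                if "log" in sig.actions:
                    self.logged.append(pkt)
                if "block" in sig.actions:
                    # Ask the infrastructure device to install a timed ACL.
                    self.acl[pkt.src] = pkt.t + sig.block_seconds
                if "drop" in sig.actions:
                    forward = False      # inline drop of this very packet
        if forward:
            self.delivered.append(pkt)
            return "delivered"
        return "dropped-inline"


def run_scenario(actions, block_seconds=60.0):
    """Replay a constructed stream under one action set; return verdicts."""
    sig = Signature("TOY-EXPLOIT-PATTERN", b"EXPLOIT", frozenset(actions), block_seconds)
    sensor = ToySensor([sig])
    stream = [
        Packet(0.0, "198.51.100.7", "192.0.2.10", b"GET / HTTP/1.1"),
        Packet(1.0, "198.51.100.7", "192.0.2.10", b"EXPLOIT stage 1"),
        Packet(2.0, "198.51.100.7", "192.0.2.10", b"EXPLOIT stage 2"),
        Packet(3.0, "203.0.113.9", "192.0.2.10", b"EXPLOIT from second host"),
        Packet(90.0, "198.51.100.7", "192.0.2.10", b"EXPLOIT after ACL expiry"),
    ]
    verdicts = [sensor.process(p) for p in stream]
    return verdicts, sensor


if __name__ == "__main__":
    for actions in (["alert"], ["alert", "log", "block"], ["alert", "log", "drop"]):
        verdicts, sensor = run_scenario(actions)
        print(f"{sorted(actions)}: {verdicts}; alerts={len(sensor.alerts)}")
```

With `["alert", "log", "block"]` the verdicts are `['delivered', 'delivered', 'blocked-by-acl', 'delivered', 'delivered']`: the first exploit packet is delivered before the ACL exists, the second host is never blocked, and the packet at t=90 arrives after the 60-second ACL has been removed. With `["alert", "log", "drop"]` every exploit packet is `dropped-inline`.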


Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115