Evolution of Attack Mitigation


The attack examples in the previous section and Figure 1-3 show how, over the last two decades, attacks have become more dangerous and difficult to defeat. They have more effective delivery mechanisms, are more complex, hit more targets, and do more damage. Furthermore, today's attacks are developed very rapidly and take advantage of vulnerabilities in commonly used communication mechanisms and required services.

Figure 1-3. Attack Timeline


This rapid evolution left the attack mitigation tools that existed before IPS straining to keep up. They were not evolving as quickly as the attacks they were expected to handle, and the gap between their capabilities and the capabilities of the attacks was growing. IPS was designed to fill that gap.

You have essentially two types of IPSs: Network and Host. Network IPS analyzes network activity. Host IPS examines activities on each individual computer. This section illustrates the deficiencies of the host- and network-based technologies that prompted the development of IPSs.

Host

A wide variety of technologies can mitigate attacks at a host level. Each of the following technologies has weaknesses for which Host IPS was designed to compensate:

  • Antivirus

  • Personal firewalls

  • Host-based Intrusion Detection

Antivirus

Antivirus is the most widely deployed security technology in the world. It identifies and eliminates viruses by scrutinizing the content of files and comparing what it finds with a database of known virus patterns (see the "Signature Types" section in Chapter 2 for more information about pattern matching). When the antivirus identifies a virus in a file, it is usually able to clean, delete, or quarantine the file.

This approach works well for viruses that are known and exist in the pattern database. It is practically useless if the virus isn't in the database or the target's database is out of date. Antivirus administrators must depend on the product vendor to add virus patterns to the database quickly. After the vendor has updated the database, administrators must obtain the update and distribute it to all of their hosts.

The update process often takes a long time. The vendor has to obtain and analyze a sample of the virus, update the virus database, make it available to customers, and then the customers have to download and distribute it to all of their hosts. Each step adds minutes, hours, or days to the process.

Unfortunately, today's attacks propagate so quickly that the signature database cannot be updated in time. Slammer, for example, took 10 minutes to infect 75,000 hosts. You have almost no way to protect a host with a new virus signature in less than 10 minutes. Slammer demonstrated that technologies that rely on updates to protect a system from attack are not sufficient.

Personal Firewalls

Personal firewalls also use pattern matching, except that they match the signatures against data arriving via the network rather than against files. If content in the data stream matches an attack in the signature database, the data is discarded. In that sense, personal firewalls rely on updates just as antivirus does. They cannot stop an attack for which they do not have a signature, and the signature update process sometimes takes too long to be effective.

Personal firewalls combine the signature approach with the ability to block unauthorized network connections. If an attack relies on a network connection to propagate, the firewall can block its connection. Network connection blocking is also able to prevent an infected host from infecting other hosts by blocking the infection's outbound connection attempts.

The trouble with connection blocking is made clear by worms like Nimda, Loveletter, and Slammer. Nimda and Loveletter used e-mail as a delivery mechanism. You could configure your personal firewall to block e-mail connections, but then your e-mail would be useless. The same goes for the Microsoft database connections that Slammer used to propagate. The propagation of the Slammer worm could have been limited by blocking all database connections, but then you would have killed regular access to your database servers as well.

When attacks propagate using authorized network connections, security professionals are faced with a very tough decision. Do I use my personal firewall to block the connection and lose money by denying service to the database or e-mail, or do I allow the machine to be infected? Neither decision is particularly palatable.

Host-Based Intrusion Detection

Host-based Intrusion Detection System (HIDS) products monitor system and network resources to detect when they are being used inappropriately. A HIDS is a useful counterpart to a port-blocking firewall because it is able to detect malicious activity even after the firewall has permitted an authorized connection. When malicious activity is detected, the HIDS notifies the appropriate IT personnel.

Knowing what malicious activity has occurred is certainly valuable. However, if the attack the HIDS detected damaged the system, the damage is done and now must be undone. That can be expensive. Worms like CIH and Nimda are capable of doing so much damage that many IT security staff came to the conclusion that detecting an attack is nice but preventing it from doing damage is critical.

Network

Analyzing the operation of your network is important for optimum performance as well as for detecting attacks against your network. Detecting attacks on your network evolved through the following stages:

  • System log analysis

  • Promiscuous monitoring

  • Inline prevention

System Log Analysis

The simplest way to monitor your network is by analyzing the log files generated by the devices on your network. The problem with analyzing log file information is that it provides a limited view of the attacks being launched against your network. Analyzing logs (to produce useful information) is also a very time-consuming task. Furthermore, by the time that you analyze the logs, the attack has already been conducted.
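The following is an added example, not code from the book, showing what log-based attack detection looks like in practice and why it is inherently after the fact. It parses constructed firewall-style log lines (the format, device name, addresses and timestamps are all invented for the example; UDP port 1434 is the SQL Server Resolution Service port that Slammer targeted) and flags a source that reaches several distinct hosts on one port within a short window, the fan-out pattern a propagating worm leaves in accept logs. The detection only fires once the log already records the earlier connections, so the finding carries both the first-seen and the detected-at timestamps to make that lag visible.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines for this example (not from any real device).
# Format: "<timestamp> <device> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-01-25 05:30:01 fw1 ACCEPT tcp 10.1.1.7:40211 -> 10.2.0.5:80
2003-01-25 05:30:02 fw1 ACCEPT udp 192.0.2.10:1029 -> 10.2.0.5:1434
2003-01-25 05:30:02 fw1 ACCEPT udp 192.0.2.10:1029 -> 10.2.0.6:1434
2003-01-25 05:30:03 fw1 ACCEPT tcp 10.1.1.7:40212 -> 10.2.0.5:80
2003-01-25 05:30:03 fw1 ACCEPT udp 192.0.2.10:1029 -> 10.2.0.7:1434
2003-01-25 05:30:04 fw1 ACCEPT udp 192.0.2.10:1029 -> 10.2.0.8:1434
this line is deliberately malformed and must be skipped by the parser
2003-01-25 05:30:05 fw1 DROP tcp 198.51.100.4:5555 -> 10.2.0.5:23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dev>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn raw log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "device": d["dev"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        })
    return events


def find_fanout(events, min_targets=3, window=timedelta(seconds=60)):
    """Flag a source that contacts >= min_targets distinct hosts on one proto/port within `window`.

    One finding per (src, proto, dport) key, raised at the moment the threshold is crossed.
    """
    by_key = defaultdict(list)  # (src, proto, dport) -> [(ts, dst), ...] in time order
    for e in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps log order for ties
        by_key[(e["src"], e["proto"], e["dport"])].append((e["ts"], e["dst"]))

    findings = []
    for (src, proto, dport), hits in by_key.items():
        recent = []  # (ts, dst) pairs still inside the sliding window
        for ts, dst in hits:
            recent = [(t, d) for t, d in recent if ts - t <= window]
            recent.append((ts, dst))
            targets = sorted({d for _, d in recent})
            if len(targets) >= min_targets:
                findings.append({
                    "src": src, "proto": proto, "dport": dport,
                    "targets": targets,
                    "first_seen": recent[0][0],  # earliest event in the window
                    "detected_at": ts,           # event that crossed the threshold
                })
                break
    return findings


def detection_lag_seconds(finding):
    """Seconds between the first contact and the point at which the log analysis could flag it."""
    return (finding["detected_at"] - finding["first_seen"]).total_seconds()


if __name__ == "__main__":
    for f in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} reached {len(f['targets'])} hosts on {f['proto']}/{f['dport']} "
              f"({', '.join(f['targets'])}); flagged {detection_lag_seconds(f):.0f}s after first contact")
```

Even in this ideal case, where the analyzer runs over the log immediately, the first two hosts had already been contacted before the rule could fire; in the usual case the logs are read hours later and every host in the list is already infected.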

Promiscuous Monitoring

Instead of relying on log file information, early Intrusion Detection Systems (IDSs) started to promiscuously monitor the traffic on your network. By examining the actual traffic on the network, these IDSs could identify a wide range of attacks against your network. To respond to attacks, these systems provided various response mechanisms, including the following:

  • Generating alarms

  • Resetting TCP connections

  • IP blocking

  • Logging traffic

Automated Response

Although IDSs have always provided some form of automated response to various attacks, many deployments used that functionality only sparingly. Instead of an automated response, many deployments chose to require human intervention. The IDS monitored the network, generating alarms when attacks were detected. It was then up to the operator to take the appropriate response.


Although Intrusion Detection could react to intrusive traffic, the actions that it provided were still reactive and allowed the initial attack traffic to reach the target system.

Inline Prevention

IPSs expanded on the functionality provided by Intrusion Detection by enabling you to prevent attacks against your network. Attack prevention is possible with IPSs because the IPS device acts as a Layer 2 forwarding device. This enables the IPS device to drop traffic that is considered intrusive before it reaches the target system.
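The following simulation is an added example, not code from the book, contrasting the promiscuous monitoring of the previous section with inline prevention. Both sensors use the same constructed signature database (the marker string and signature name are placeholders invented here). The promiscuous sensor sees a copy of each packet only after the switch has already forwarded it, so it can raise an alarm, log the traffic, reset the TCP connection and shun the source for later packets, but the first intrusive packet still reaches the target. The inline sensor sits in the forwarding path and drops the packet before delivery.

```python
from dataclasses import dataclass, field

# Constructed packets for this example (not real captures); payload is an opaque string stand-in.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: str

# Constructed signature database: a payload containing the pattern is considered intrusive.
SIGNATURES = {"SIG-EXAMPLE-1": "EXPLOIT-MARKER"}

TRAFFIC = [
    Packet("10.1.1.7", "10.2.0.5", "tcp", 80, "GET /index.html"),
    Packet("192.0.2.10", "10.2.0.5", "tcp", 80, "GET /cgi-bin/x?EXPLOIT-MARKER"),
    Packet("192.0.2.10", "10.2.0.6", "tcp", 80, "GET /cgi-bin/y?EXPLOIT-MARKER"),
    Packet("10.1.1.8", "10.2.0.5", "tcp", 80, "GET /about.html"),
]


def match_signature(pkt):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


@dataclass
class Target:
    received: list = field(default_factory=list)


@dataclass
class Sensor:
    alarms: list = field(default_factory=list)       # generating alarms
    tcp_resets: list = field(default_factory=list)   # resetting TCP connections
    blocked_ips: set = field(default_factory=set)    # IP blocking (shun on an upstream device)
    log: list = field(default_factory=list)          # logging traffic


def run_promiscuous(packets, sensor, target):
    """IDS on a monitoring port: forwarding and inspection happen in parallel."""
    for pkt in packets:
        if pkt.src in sensor.blocked_ips:
            sensor.log.append(("dropped-by-shun", pkt))  # response to an earlier alarm
            continue
        target.received.append(pkt)        # the switch has already forwarded the packet ...
        sig = match_signature(pkt)          # ... while the IDS inspects a copy
        if sig:
            sensor.alarms.append((sig, pkt.src))
            sensor.log.append(("alarm", pkt))
            if pkt.proto == "tcp":
                sensor.tcp_resets.append((pkt.src, pkt.dst, pkt.dport))
            sensor.blocked_ips.add(pkt.src)


def run_inline(packets, sensor, target):
    """IPS as a Layer 2 forwarding device: inspection happens before forwarding."""
    for pkt in packets:
        sig = match_signature(pkt)
        if sig:
            sensor.alarms.append((sig, pkt.src))
            sensor.log.append(("dropped-inline", pkt))
            continue                        # dropped; the target never sees it
        target.received.append(pkt)


def attack_packets_delivered(target):
    """How many intrusive packets reached the target under a given deployment."""
    return sum(1 for p in target.received if match_signature(p))


def simulate(mode, packets=TRAFFIC):
    sensor, target = Sensor(), Target()
    (run_promiscuous if mode == "promiscuous" else run_inline)(packets, sensor, target)
    return sensor, target


if __name__ == "__main__":
    for mode in ("promiscuous", "inline"):
        sensor, target = simulate(mode)
        print(f"{mode}: {len(sensor.alarms)} alarms, {len(target.received)} packets delivered, "
              f"{attack_packets_delivered(target)} intrusive packets reached the target")
```

The promiscuous sensor does contain the second intrusive packet through its shun, which is the reactive behavior the text describes; only the inline deployment keeps the count of delivered intrusive packets at zero.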

Open Systems Interconnection Model

Computer systems communicate with each other across the network using protocols. The Open Systems Interconnection (OSI) model divides the functions of a protocol into a series of layers, with each layer communicating directly only with the layers immediately above and below it. The OSI model establishes the following layers:

  • Layer 1 Physical layer (an example is the physical cables)

  • Layer 2 Data link layer (an example is Ethernet)

  • Layer 3 Network layer (an example is IP)

  • Layer 4 Transport layer (an example is TCP)

  • Layer 5 Session layer (an example is SMB)

  • Layer 6 Presentation layer (an example is ASCII)

  • Layer 7 Application layer (an example is HTTP)


Intrusion Prevention Fundamentals
ISBN: 1587052393