The attack examples in the previous section and Figure 1-3 show how, over the last two decades, attacks have become more dangerous and difficult to defeat. They have more effective delivery mechanisms, are more complex, hit more targets, and do more damage. Furthermore, today's attacks are developed very rapidly and take advantage of vulnerabilities in commonly used communication mechanisms and required services.

Figure 1-3. Attack Timeline

This rapid evolution had the attack mitigation tools that existed prior to IPS straining to keep up. They were not evolving as quickly as the attacks they were expected to handle. The gaps between their capabilities and the capabilities of attacks were growing. IPS was designed to fill these gaps. You have essentially two types of IPSs: Network and Host. Network IPS analyzes network activity. Host IPS examines activities on each individual computer. This section illustrates the deficiencies of the host- and network-based technologies that prompted the development of IPSs.

Host

A wide variety of technologies can mitigate attacks at a host level. Each of the following technologies has weaknesses for which Host IPS was designed to compensate:
Antivirus

Antivirus is the most widely deployed security technology in the world. It identifies and eliminates viruses by scrutinizing the content of files and comparing what it finds with a database of known virus patterns (see the Chapter 2 section, "Signature Types," for more information about pattern matching). When the antivirus identifies a virus in a file, it is usually able to clean, delete, or quarantine the file. This approach works well for viruses that are known and exist in the pattern database. It is practically useless if the virus isn't in the database or the target's database is out of date. Antivirus administrators must depend on the product vendor to add virus patterns to the database quickly. After the database has been updated by the vendor, administrators must obtain the update and distribute it to all of their hosts. The update process often takes a long time. The vendor has to obtain and analyze a sample of the virus, update the virus database, and make it available to customers; then the customers have to download it and distribute it to all of their hosts. Each step adds minutes, hours, or days to the process. Unfortunately, today's attacks propagate so quickly that the signature database cannot be updated in time. Slammer, for example, took 10 minutes to infect 75,000 hosts. You have almost no way to protect a host with a new virus signature in less than 10 minutes. Slammer demonstrated that technologies that rely on updates to protect a system from attack are not sufficient.

Personal Firewalls

Personal firewalls also use pattern matching, except that they match the signatures against data arriving via the network rather than against files. If content in the data stream matches an attack in the signature database, the data is discarded. In that sense, personal firewalls rely on updates just like antivirus does. They cannot stop an attack for which they do not have a signature, and the signature update process sometimes takes too long to be effective.
Personal firewalls combine the signature approach with the ability to block unauthorized network connections. If an attack relies on a network connection to propagate, the firewall can block its connection. Network connection blocking is also able to prevent an infected host from infecting other hosts by blocking the infection's outbound connection attempts. The trouble with connection blocking is made clear by worms like Nimda, Loveletter, and Slammer. Nimda and Loveletter used e-mail as a delivery mechanism. You could configure your personal firewall to block e-mail connections, but then your e-mail would be useless. The same goes for the Microsoft database connections that Slammer used to propagate. The propagation of the Slammer worm could have been limited by blocking all database connections, but then you would have killed regular access to your database servers as well. When attacks propagate using authorized network connections, security professionals are faced with a very tough decision: do I use my personal firewall to block the connection and lose money by denying service to the database or e-mail, or do I allow the machine to be infected? Neither decision is particularly palatable.

Host-Based Intrusion Detection

Host-based Intrusion Detection System (HIDS) products monitor system and network resources to detect when they are being used inappropriately. A HIDS is a useful counterpart to port-blocking firewalls because it can detect malicious activity even after the firewall has permitted an authorized connection. When malicious activity is detected, the HIDS notifies the appropriate IT personnel. Knowing what malicious activity has occurred is certainly valuable. However, if the attack the HIDS detected damaged the system, the damage is done and now must be undone. That can be expensive.
Worms like CIH and Nimda are capable of doing so much damage that many IT security staff came to the conclusion that detecting an attack is nice but preventing it from doing damage is critical.

Network

Analyzing the operation of your network is important for optimum performance as well as for detecting attacks against your network. Detecting attacks on your network evolved through the following stages:
System Log Analysis

The simplest way to monitor your network is by analyzing the log files generated by the devices on your network. The problem with analyzing log file information is that it provides a limited view of the attacks being launched against your network. Analyzing logs (to produce useful information) is also a very time-consuming task. Furthermore, by the time you analyze the logs, the attack has already been conducted.

Promiscuous Monitoring

Instead of relying on log file information, early Intrusion Detection Systems (IDSs) started to promiscuously monitor the traffic on your network. By examining the actual traffic on the network, these IDSs could identify a wide range of attacks against your network. To respond to attacks, these systems provided various response mechanisms, including the following:
Although Intrusion Detection could react to intrusive traffic, the actions that it provided were still reactive and allowed the initial attack traffic to reach the target system.

Inline Prevention

IPSs expanded on the functionality provided by Intrusion Detection by enabling you to prevent attacks against your network. Attack prevention is possible with IPSs because the IPS device acts as a Layer 2 forwarding device. This enables the IPS device to drop traffic that is considered intrusive before it reaches the target system.
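The three network-detection stages described above (system log analysis, promiscuous monitoring, and inline prevention) reduced to one small simulation. This is an added example and not code from the book or from any IPS product: the firewall log lines, the packets, the addresses, the signature names (sig-db-overflow, sig-web-traversal) and the byte patterns they match are all constructed for illustration. The point it makes is structural: log analysis only reports what already happened, a promiscuous sensor alerts on a copy of a packet that the wire has already delivered, and only the inline device, sitting in the forwarding path, can keep the matched packet from reaching the target.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed signature database. The names and byte patterns are stand-ins
# for illustration only, not signatures from any real product.
SIGNATURES: Dict[str, bytes] = {
    "sig-db-overflow": b"\xde\xad\xbe\xef",
    "sig-web-traversal": b"../..",
}


def match_signature(payload: bytes) -> Optional[str]:
    """Return the name of the first signature found in the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


# --- stage 1: system log analysis ------------------------------------------
# Constructed firewall log lines (TEST-NET addresses, netfilter-like format).
LOG_LINES = [
    "Jan 25 05:30:01 fw1 kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25",
    "Jan 25 05:30:02 fw1 kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Jan 25 05:30:02 fw1 kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=1434",
    "Jan 25 05:30:03 fw1 kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Jan 25 05:30:05 fw1 kernel: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
]
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")


def parse_log_line(line: str) -> Optional[dict]:
    """Pull the connection fields out of one log line; None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze_logs(lines: List[str], scan_threshold: int = 3) -> Dict[str, List[int]]:
    """Flag sources that touched at least `scan_threshold` distinct ports.
    Everything reported here was already accepted by the firewall: the analysis
    can only tell you what happened, not stop it."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            ports_by_src[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= scan_threshold}


# --- stages 2 and 3: promiscuous sensor versus inline device ----------------
@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Target:
    """The protected host; it records every packet actually delivered to it."""
    delivered: List[Packet] = field(default_factory=list)

    def receive(self, pkt: Packet) -> None:
        self.delivered.append(pkt)


# Constructed traffic: benign request, one packet carrying a signature, benign request.
TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.5", "192.0.2.10", 1434, b"\x04" + b"\xde\xad\xbe\xef" + b"A" * 32),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /about.html HTTP/1.0\r\n\r\n"),
]


def run_promiscuous_ids(packets: List[Packet], target: Target) -> List[Tuple[str, str]]:
    """A tap hands the sensor a copy of each packet while the original travels
    on to the target. The alert is raised only after delivery (reactive)."""
    alerts = []
    for pkt in packets:
        target.receive(pkt)                  # the wire delivers the original
        sig = match_signature(pkt.payload)   # the sensor inspects its copy
        if sig:
            alerts.append((sig, pkt.src))
    return alerts


def run_inline_ips(packets: List[Packet], target: Target) -> List[Tuple[str, str]]:
    """The IPS is the forwarding device: a packet reaches the target only if it
    was not matched; matched packets are dropped before forwarding."""
    alerts = []
    for pkt in packets:
        sig = match_signature(pkt.payload)
        if sig:
            alerts.append((sig, pkt.src))
            continue                         # dropped, never forwarded
        target.receive(pkt)
    return alerts


if __name__ == "__main__":
    print("log analysis:", analyze_logs(LOG_LINES))
    ids_target, ips_target = Target(), Target()
    print("IDS alerts:", run_promiscuous_ids(TRAFFIC, ids_target), "delivered:", len(ids_target.delivered))
    print("IPS alerts:", run_inline_ips(TRAFFIC, ips_target), "delivered:", len(ips_target.delivered))
```

Both sensors raise the same alert for the same packet; the difference is in what the target received. With the promiscuous sensor all three packets are delivered, including the matched one, and with the inline device only the two benign requests arrive. The log-analysis stage reports the multi-port activity from 203.0.113.5 correctly, but only from ACCEPT lines, after the connections were already allowed through.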