Intrusion Prevention Systems

1
Intrusion Prevention Systems

• Christopher Harrington

2
What is IPS?

• Intrusion Prevention System
• A system located on the network that monitors the
  network for issues like security threats and
  policy violations, then takes corrective action.
• While there are both Host and Network based IPS,
  term is usually associated with Network based
  IPS.

3
What can an IPS do?

• IPS can detect and block
• OS, Web and database attacks
• Spyware / Malware
• Instant Messenger
• Peer to Peer (P2P)
• Worm propagation
• Critical outbound data loss (data leakage)

4
IPS Types

• IPS can be grouped into 3 categories
• Signature Based
• Anomaly Based (NBAD)
• Hybrid

5
Signature Based

• Use pattern matching to detect malicious or
  otherwise restricted packets on the network
• Sample signature
• alert tcp EXTERNAL_NET any - HOME_NET 8
  (msg"BLEEDING-EDGE CURRENT Possible W32.Nugache
  P2P Botnet Communication INBOUND Initial Packet"
  flowestablished,to_server dsize
  content"00 02" offset0 depth2
  classtypetrojan-activity referenceurl,www.sarc.
  com/avcenter/venc/data/w32.nugache.a_at_mm.html r
  rev3)

6
Signature Based Products

• Sourcefire / Snort
• StillSecure
• NFR
• Cisco

7
Signature Pros Cons

• Pros
• Very flexible.
• Well suited to detect single packet attacks like
  SQL Slammer.
• Cons
• Relatively little Zero Day protection.
• Generally requires that the attack is known
  before a signature can be written.

8
Anomaly Based

• Anomaly based IPS look for deviations or changes
  from previously measured behavior like
• Substantial increase in outbound SMTP traffic
• Existence of IRC communications where there was
  none before
• New open ports or services

9
Anomaly Based Products

• Mazu Networks
• Arbor Networks
• Q1 Labs
• Top Layer

10
Anomaly Pros Cons

• Pros
• Better protection against Zero Day threats
• Better detection of low and slow attacks
• Cons
• Cannot protect against single packet attacks like
  SQL slammer
• Cannot analyze packets at layers 5 7 of the OSI
  model

11
Hybrid IPS

• Hybrid IPS combine Signature Based IPS and
  Anomaly Based IPS into a single device

12
Hybrid Products

• Juniper
• NitroSecurity
• TippingPoint
• McAfee

13
Hybrid Pros Cons

• Pros
• Superior protection for both known and Zero Day
  threats
• Each plays off the weakness of the other
• Cons
• Generally more expensive than either Anomaly or
  Signature based products
• Can be slower depending on architecture

14
Architecture Software vs. Hardware

• Software based
• Generally runs Linux or a BSD variant
• EG Snort / Sourcefire, NitroSecurity,
  StillSecure
• Hardware based
• Uses ASIC / FPGA technology
• EG TippingPoint, Top Layer, McAfee

15
Software Pros Cons

• Pros
• More flexible
• Generally easier to add major functionality
• Cheaper
• Generally has more functionality
• Cons
• Usually slower than hardware
• Latency is usually higher than hardware

16
Hardware Pros Cons

• Pros
• Speed, Speed, Speed
• Lower latency than software
• Less moving parts to fail
• Cons
• Expensive
• Not easily upgradeable
• Major upgrades usually mean new ASIC chips

17
What about UTM?

• Unified Threat Manager
• All-in-one devices that can do
• Firewall
• Antivirus
• IPS
• VPN
• Etc.
• This is being discussed because vendors
• very often push UTM devices when
• customers are looking for IPS solutions

18
UTM Products

• Fortinet
• Radware
• Cisco (ASA appliance)
• Juniper

19
UTM Pros Cons

• Pros
• Cost effective for remote branch offices where
  other capabilities like Firewall are also needed
• Cons
• Usually a limited subset of IPS functionality and
  signatures as compared to stand alone IPS products

20
Thinking about an IPS?

• Why?
• What problem are you trying to solve?
• What other problems may be solved?
• What problems may arise?
• If Networking is a different group than Security,
  do you have their buy in?

21
Tips when selecting an IPS

• Prepare an RFP
• You can get a sample one from eWeek
• Do an on-site eval of your top choices
• Its vital to see how the device works in your
  network.
• Make sure you test their support, especially if
  you are going to buy 24x7
• Look for products certifications
• ICSA, NSS Group, Neohapsis

22
What to consider when buying

• Speed / latency
• Will the device perform under load?
• Is the latency acceptable?
• Very important if you have VOIP!
• Accuracy
• How many attacks did it miss?
• How many false attacks did it block?
• Signature Updates
• Absolutely critical. How often the signatures are
  updated is a key indicator of how serious they
  are about selling IPS
• High Availability
• Will it do Active-Passive, Active-Active?
• "Fail Open
• Will the device pass traffic in the event of a
  device failure?

23
IPS Testing and Certifications

• Testing certifications are done by
• ICSA Labs
• NSS Group
• Neohapsis
• ICSA is the newest
• NSS is arguably the most respected, for now.
• The IPS should have at least one certification

24
Where is IPS going?

• Commoditizing
• IPS Functionality in Switches
• EG. Foundry, Consentry
• Can do IPS per port
• Network Access Control
• Post-connect NAC
• Agentless NAC

25
Questions?
26
Thank You