What is IPS and how Intrusion Prevention System Works


Intrusion Prevention Systems are designed to protect information systems from unauthorized access, damage or disruption. The purpose of an IPS is to counteract the rapidly evolving threats presented by the latest generation of worms and software and network exploits. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application layer firewall.


Intrusion prevention is the act of dropping detected bad traffic in real time so that it is not allowed to continue to its destination. It is useful against denial of service floods, brute force attacks, vulnerability detection, protocol anomaly detection and prevention of unknown exploits.


How Does an Intrusion Prevention System Work?

Currently network security components like Firewalls, Anti-Virus programs and Intrusion Detection Systems (IDS) cannot cope with the wide range of malicious attacks and zero day exploits on computer networks and systems.


Traditionally, firewalls and anti-virus programs try to block attacks and an IDS tries to identify attacks as they occur. Such techniques are critical to a defense in depth approach to security, but they have limitations. A firewall can stop services by blocking certain port numbers, but it does little to evaluate traffic that uses allowed port numbers. An IDS can evaluate traffic that passes through these open ports but cannot stop it. An IPS can proactively block attacks.


A basic distinction is that an IDS is an out-of-band technology whereas an IPS sits in-line on the network. The IPS monitors the network much like an IDS, but when an event occurs it takes action based on prescribed rules. A security administrator can define these rules so that the system responds in the intended way.


Intrusion prevention can be achieved through three main approaches:

1. Building systems with no vulnerabilities,

2. Taking perfect remediation steps to uncover vulnerabilities and patch them,

3. Detecting exploit attempts and blocking them before serious damage is done.


An IPS operates in in-line mode, i.e. the sensor is placed directly in the network traffic path, inspecting all traffic at wire speed as it passes through the assigned port pair. In-line mode enables the sensor to run in a protection/prevention mode, where packet inspection is performed in real time and intrusive packets are dealt with immediately: the sensor can drop malicious packets. This enables it to actually prevent an attack from reaching its target.



IPS technologies are differentiated from IDS technologies by one characteristic: an IPS can respond to a detected threat by attempting to prevent it from succeeding. IPS products use several response techniques, which can be divided into the following groups.


·   The IPS stops the attack itself

·   The IPS changes the security environment

·   The IPS changes the attack’s content


The IPS stops the attack itself:

·   Terminate the network connection or user session that is being used for the attack.

·   Block access to the target from the offending user account, IP address, or other attacker attribute.

·   Block all access to the targeted host, service, application, or other resource.


The IPS changes the security environment: The IPS could change the configuration of other security controls to disrupt an attack. A common example is reconfiguring a network device such as a firewall, router, or switch to block access from the attacker.


The IPS changes the attack’s content: IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS that acts as a proxy and normalizes incoming requests: the proxy repackages the payloads of the requests, discarding header information, or removes an infected file attachment from an e-mail and then permits the cleaned e-mail to reach its recipient.


Approaches to Intrusion Prevention System

Different detection approaches are used in an IPS to secure the network:


1. Signature-Based

2. Anomaly-Based

3. Policy-Based

4. Protocol-Analysis-Based



Signature-based detection is the approach most commonly used by IPS solutions. Signatures are added to the device that identify the pattern presented by the most common attacks; this is why it is also known as pattern matching. Signatures can be added, tuned, and updated to deal with new attacks.



The anomaly-based approach is also called profile-based. It attempts to discover activity that deviates from what an engineer defines as normal activity. Anomaly detection can be statistical or non-statistical: the statistical approach builds its baseline from the traffic patterns on the network itself, while the non-statistical method relies on information coded by the solution vendor.



The policy-based approach is more concerned with enforcing the security policy of the organization. Alarms are triggered if activities are detected that violate the security policy coded by the organization. With this approach, the security policy is written into the IPS device.



The protocol-analysis-based approach is similar to the signature-based approach. Most signatures examine common settings, but protocol analysis can do much deeper packet inspection and is more flexible in finding some types of attacks.
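A toy illustration of the four approaches side by side, added here as an example and not taken from the article or any IPS product: each detector runs over a constructed sample of parsed HTTP requests, with the signature, baseline, policy and protocol whitelist all assumed for the demonstration.

```python
"""Toy illustration of the four IPS detection approaches: signature,
statistical anomaly, policy and protocol analysis. Added example over
constructed sample traffic; not a real IPS engine."""
import re
from statistics import mean, pstdev

# Constructed sample of parsed HTTP requests: (src_ip, method, path, body_len)
SAMPLE = [
    ("10.0.0.5", "GET", "/index.html", 0),
    ("10.0.0.5", "POST", "/login", 120),
    ("10.0.0.9", "GET", "/search?q=' OR 1=1 --", 0),   # signature hit
    ("10.0.0.7", "GET", "/admin", 0),                   # policy violation
    ("10.0.0.8", "BREW", "/coffee", 0),                 # protocol violation
    ("10.0.0.3", "POST", "/upload", 9_000_000),         # statistical outlier
]

# 1. Signature-based: a known attack pattern the operator can add or tune.
SIGNATURES = {"sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I)}

def signature_match(path):
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]

# 2. Anomaly-based (statistical): deviation from a baseline learned from
#    the network's own traffic (baseline constructed here).
BASELINE_BODY_LENS = [0, 0, 50, 120, 200, 80, 0, 300]

def is_statistical_anomaly(body_len, k=3):
    mu, sigma = mean(BASELINE_BODY_LENS), pstdev(BASELINE_BODY_LENS)
    return abs(body_len - mu) > k * sigma

# 3. Policy-based: the organisation's rule coded into the device.
ADMIN_ALLOWED = {"10.0.0.1"}

def violates_policy(src_ip, path):
    return path.startswith("/admin") and src_ip not in ADMIN_ALLOWED

# 4. Protocol-analysis: does the request conform to the HTTP method set?
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def protocol_violation(method):
    return method not in HTTP_METHODS

def classify(req):
    """Return the list of detector names that fire for one request."""
    src, method, path, body_len = req
    verdicts = []
    if signature_match(path): verdicts.append("signature")
    if is_statistical_anomaly(body_len): verdicts.append("anomaly")
    if violates_policy(src, path): verdicts.append("policy")
    if protocol_violation(method): verdicts.append("protocol")
    return verdicts

def run(sample=SAMPLE):
    return {req[2]: classify(req) for req in sample}
```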


Host-Based Intrusion Prevention System (HIPS)

Host-based IPS is a software program that resides on individual systems such as servers, workstations or notebooks. Traffic flowing into or out of that particular system is inspected and the behavior of the applications and operating system may be examined for indications of an attack.


These host-specific programs or agents may protect just the operating system, or also applications running on the host such as web servers. When an attack is detected, the host IPS software either blocks the attack at the network interface level, or issues commands to the application or operating system to stop the behavior initiated by the attack.


It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.


One potential disadvantage with this approach is that, given the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.


Benefits of Host IPS


·         Protects mobile systems from attack when attached outside the protected network. Roaming laptop computers are a primary vector for introducing worms into a protected network.


·         Prevents internal attack or misuse on devices located on the same network segment. A network IPS only provides protection for data moving between different segments; attacks launched between systems located on the same segment can only be countered with a host IPS.


·         Protects against encrypted attacks where the encrypted data stream terminates at the system being protected. Host IPS examines data and/or behavior after the encrypted data has been decrypted on the host system.



Network-Based Intrusion Prevention System (NIPS)

A Network-Based Intrusion Prevention System (NIPS) is a software or dedicated hardware system that connects directly to a network segment and protects all of the systems attached to the same or downstream network segments.


Network IPS devices are deployed in-line with the network segment being protected. All data that flows between the protected segment and the rest of the network must pass through the network IPS device. As the traffic passes through the device, it is inspected for the presence of an attack. When an attack is identified, the network IPS discards or blocks the offending data so that it never reaches the intended victim, thus blocking the attack.


The network IPS combines features of a standard IDS, an IPS and a firewall, and is sometimes known as an in-line IDS or gateway IDS. As with a typical firewall, the NIPS has at least two network interfaces, one designated as internal and one as external. As packets appear at either interface they are passed to the detection engine, at which point the IPS device functions much as any IDS would in determining whether or not the packet being examined poses a threat.


If the NIPS detects a malicious packet, it raises an alert, discards the packet and marks that flow as bad. As the remaining packets that make up that particular TCP session arrive at the IPS device, they are discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination.
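The alert, drop and mark-the-flow behaviour just described, as an added example that is not the article's or any vendor's code: the engine keys state by TCP flow so that every later packet of a flagged session, including the server's replies, is discarded without further inspection, while a fresh flow from the same client is inspected normally. The packets and the single directory-traversal signature are constructed for the demonstration.

```python
"""Toy in-line NIPS: a malicious packet raises an alert and is dropped,
its flow is marked bad, and every later packet of that flow is discarded.
Added example over constructed packets; not a real IPS engine."""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def flow_key(p):
    # Direction-independent key so server replies on a bad flow are dropped too.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class InlineIPS:
    signatures: dict                      # name -> compiled byte regex
    bad_flows: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def process(self, p):
        """Verdict for one packet: 'forward' (to the second interface) or 'drop'."""
        key = flow_key(p)
        if key in self.bad_flows:
            return "drop"                 # remainder of the flagged session
        for name, rx in self.signatures.items():
            if rx.search(p.payload):
                self.alerts.append((name, p.src, p.dst, p.dport))
                self.bad_flows.add(key)   # mark the whole flow, not just the packet
                return "drop"
        return "forward"

# Constructed sample: one clean session, one flagged session and its follow-ups.
SAMPLE = [
    Packet("10.1.1.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.1.1.9", 40002, "192.0.2.10", 80, b"GET /../../config.ini HTTP/1.1\r\n"),
    Packet("192.0.2.10", 80, "10.1.1.9", 40002, b"HTTP/1.1 200 OK\r\n"),      # reply on bad flow
    Packet("10.1.1.9", 40002, "192.0.2.10", 80, b"Host: www.example\r\n"),     # later benign segment
    Packet("10.1.1.9", 40003, "192.0.2.10", 80, b"GET /about.html HTTP/1.1\r\n"),  # fresh flow
]

def run(packets=SAMPLE):
    """Push the packets through in order; return (verdict list, engine)."""
    ips = InlineIPS({"dir-traversal": re.compile(rb"\.\./\.\./")})
    return [ips.process(p) for p in packets], ips
```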


Benefits of Network IPS

·         Easy deployment, as a single sensor can protect hundreds of systems.

·         A single control point for traffic can protect thousands of systems located downstream of the device.

·         Network IPS provides a measure of protection for all devices, no matter what the operating system or application.

·         Protects non-computer network devices. Not all attacks are directed against systems that run operating systems supported by host-based IPS; examples include routers, firewalls, VPN and print servers.

·         Protects against network DoS and DDoS attacks, SYN floods, etc.


Both HIPS & NIPS approaches have their strengths and their weaknesses and are better at protecting against some types of threats than others. Due to the dynamic nature of network intrusion threats, deploying a mixture of both technologies will provide the greatest level of protection for critical assets.
