Intrusion Prevention Systems - PowerPoint PPT Presentation

About This Presentation
Title: Intrusion Prevention Systems


Slides: 27
Provided by: chris992
Transcript and Presenter's Notes


1
Intrusion Prevention Systems
  • Christopher Harrington

2
What is IPS?
  • Intrusion Prevention System
  • A system located on the network that monitors the
    network for issues like security threats and
    policy violations, then takes corrective action.
  • While there are both Host and Network based IPS,
    the term is usually associated with Network based
    IPS.

3
What can an IPS do?
  • IPS can detect and block:
    • OS, Web and database attacks
    • Spyware / Malware
    • Instant Messenger
    • Peer to Peer (P2P)
    • Worm propagation
    • Critical outbound data loss (data leakage)

4
IPS Types
  • IPS can be grouped into 3 categories:
    • Signature Based
    • Anomaly Based (NBAD)
    • Hybrid

5
Signature Based
  • Use pattern matching to detect malicious or
    otherwise restricted packets on the network
  • Sample signature (Snort rule syntax; the dsize value
    and the rule's sid did not survive the transcript):
    alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"BLEEDING-EDGE CURRENT
    Possible W32.Nugache P2P Botnet Communication INBOUND Initial Packet";
    flow:established,to_server; dsize:...; content:"|00 02|"; offset:0; depth:2;
    classtype:trojan-activity;
    reference:url,www.sarc.com/avcenter/venc/data/w32.nugache.a@mm.html; rev:3;)
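To show what the content, offset, depth and dsize options of a rule like the one above actually test, here is an added example (not from the slides, not Snort's own code) that evaluates those options over constructed packets; the Packet class, the rule dictionary and the packets are all assumptions made for the example.

```python
"""Mini evaluator for the content/offset/depth/dsize options of a Snort-style rule.
Added example; the rule dictionary and the packets below are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    dst_port: int
    to_server: bool      # stands in for Snort's flow:established,to_server
    payload: bytes


# The slide's Nugache rule reduced to the options this evaluator understands.
# The dsize value was lost in the transcript, so it is left unset (assumption).
NUGACHE_RULE = {
    "proto": "tcp",
    "dst_port": 8,
    "flow": "to_server",
    "content": bytes.fromhex("0002"),   # Snort writes this as |00 02|
    "offset": 0,
    "depth": 2,
    "dsize": None,
    "msg": "Possible W32.Nugache P2P Botnet Communication INBOUND Initial Packet",
}


def content_matches(payload, content, offset=0, depth=None, dsize=None):
    """Snort semantics: dsize compares the whole payload length; the pattern is
    searched for starting at `offset`, looking at most `depth` bytes from there."""
    if dsize is not None and len(payload) != dsize:
        return False
    end = None if depth is None else offset + depth
    return content in payload[offset:end]


def evaluate(rule, pkt):
    """Return the rule's msg if the packet matches every option, else None."""
    if pkt.proto != rule["proto"] or pkt.dst_port != rule["dst_port"]:
        return None
    if rule["flow"] == "to_server" and not pkt.to_server:
        return None
    if content_matches(pkt.payload, rule["content"], rule["offset"],
                       rule["depth"], rule["dsize"]):
        return rule["msg"]
    return None


# Constructed packets: only the first one satisfies every option of the rule.
SAMPLE_PACKETS = [
    Packet("tcp", 8, True, b"\x00\x02\x00\x10"),   # pattern at offset 0: match
    Packet("tcp", 8, True, b"\x01\x00\x02\x10"),   # pattern at offset 1, outside depth:2
    Packet("tcp", 80, True, b"\x00\x02\x00\x10"),  # wrong destination port
    Packet("tcp", 8, False, b"\x00\x02\x00\x10"),  # server-to-client direction
    Packet("tcp", 8, True, b"\x00\x03\x00\x10"),   # unknown variant: no signature, no alert
]


def run(rule=NUGACHE_RULE, packets=SAMPLE_PACKETS):
    return [evaluate(rule, p) for p in packets]
```

The last packet is the cons slide in miniature: pattern matching only fires on bytes someone has already seen and written a signature for.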

6
Signature Based Products
  • Sourcefire / Snort
  • StillSecure
  • NFR
  • Cisco

7
Signature Pros & Cons
  • Pros
    • Very flexible.
    • Well suited to detect single packet attacks like
      SQL Slammer.
  • Cons
    • Relatively little Zero Day protection.
    • Generally requires that the attack is known
      before a signature can be written.

8
Anomaly Based
  • Anomaly based IPS look for deviations or changes
    from previously measured behavior like:
    • Substantial increase in outbound SMTP traffic
    • Existence of IRC communications where there was
      none before
    • New open ports or services
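The three deviations listed above, as an added example (not from the slides or any vendor's product) that compares one day of constructed outbound flow summaries against a seven-day baseline; the record format, host names, thresholds and volumes are all assumptions made for the example.

```python
"""Toy NBAD check over constructed daily flow summaries.
Added example; thresholds and data are assumptions, not a product's logic."""
from collections import defaultdict
from statistics import mean, pstdev

SERVICE = {25: "SMTP", 22: "SSH", 443: "HTTPS", 6667: "IRC"}
BASELINE_DAYS = range(1, 8)

# Constructed records: (day, source host, destination port, outbound bytes).
BASELINE_FLOWS = (
    [(d, "ws17", 25, 1000 + 50 * (d % 3)) for d in BASELINE_DAYS]
    + [(d, "ws17", 443, 50_000 + 2_000 * (d % 2)) for d in BASELINE_DAYS]
    + [(d, "ws22", 22, 4_000) for d in BASELINE_DAYS]
)
TODAY_FLOWS = [
    (8, "ws17", 25, 9_000), (8, "ws17", 25, 16_000),   # SMTP far above its ~1 KB/day baseline
    (8, "ws17", 443, 51_000),                           # HTTPS within its usual range
    (8, "ws22", 22, 4_100),                             # SSH as usual
    (8, "ws22", 6667, 300),                             # IRC where there was none before
]


def summarize(flows):
    """Outbound bytes per (host, port) per day."""
    per_key = defaultdict(lambda: defaultdict(int))
    for day, host, port, nbytes in flows:
        per_key[(host, port)][day] += nbytes
    return per_key


def detect(baseline_flows, today_flows, baseline_days, sigma=3.0, min_ratio=2.0):
    """Flag (host, port) pairs never seen in the baseline, and pairs whose volume
    exceeds both mean + sigma*stdev and min_ratio*mean of the baseline days."""
    base, today = summarize(baseline_flows), summarize(today_flows)
    alerts = []
    for (host, port), days in today.items():
        volume = sum(days.values())
        label = SERVICE.get(port, str(port))
        if (host, port) not in base:
            alerts.append((host, label, "new service", volume))
            continue
        history = [base[(host, port)].get(d, 0) for d in baseline_days]
        mu, sd = mean(history), pstdev(history)
        if volume > max(mu + sigma * sd, min_ratio * mu):
            alerts.append((host, label, "volume spike", volume))
    return alerts


def run():
    return detect(BASELINE_FLOWS, TODAY_FLOWS, BASELINE_DAYS)
```

Because the check only sees daily totals, a single malicious packet would add a few hundred bytes and never cross these thresholds, which is exactly the single-packet weakness the cons slide describes.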

9
Anomaly Based Products
  • Mazu Networks
  • Arbor Networks
  • Q1 Labs
  • Top Layer

10
Anomaly Pros & Cons
  • Pros
    • Better protection against Zero Day threats
    • Better detection of low and slow attacks
  • Cons
    • Cannot protect against single packet attacks like
      SQL Slammer
    • Cannot analyze packets at layers 5-7 of the OSI
      model

11
Hybrid IPS
  • Hybrid IPS combine Signature Based IPS and
    Anomaly Based IPS into a single device

12
Hybrid Products
  • Juniper
  • NitroSecurity
  • TippingPoint
  • McAfee

13
Hybrid Pros & Cons
  • Pros
    • Superior protection for both known and Zero Day
      threats
    • Each plays off the weakness of the other
  • Cons
    • Generally more expensive than either Anomaly or
      Signature based products
    • Can be slower depending on architecture

14
Architecture: Software vs. Hardware
  • Software based
    • Generally runs Linux or a BSD variant
    • E.g. Snort / Sourcefire, NitroSecurity,
      StillSecure
  • Hardware based
    • Uses ASIC / FPGA technology
    • E.g. TippingPoint, Top Layer, McAfee

15
Software Pros & Cons
  • Pros
    • More flexible
    • Generally easier to add major functionality
    • Cheaper
    • Generally has more functionality
  • Cons
    • Usually slower than hardware
    • Latency is usually higher than hardware

16
Hardware Pros & Cons
  • Pros
    • Speed, Speed, Speed
    • Lower latency than software
    • Fewer moving parts to fail
  • Cons
    • Expensive
    • Not easily upgradeable
    • Major upgrades usually mean new ASIC chips

17
What about UTM?
  • Unified Threat Manager
  • All-in-one devices that can do:
    • Firewall
    • Antivirus
    • IPS
    • VPN
    • Etc.
  • This is being discussed because vendors very often
    push UTM devices when customers are looking for
    IPS solutions

18
UTM Products
  • Fortinet
  • Radware
  • Cisco (ASA appliance)
  • Juniper

19
UTM Pros & Cons
  • Pros
    • Cost effective for remote branch offices where
      other capabilities like Firewall are also needed
  • Cons
    • Usually a limited subset of IPS functionality and
      signatures as compared to stand-alone IPS products

20
Thinking about an IPS?
  • Why?
  • What problem are you trying to solve?
  • What other problems may be solved?
  • What problems may arise?
  • If Networking is a different group than Security,
    do you have their buy in?

21
Tips when selecting an IPS
  • Prepare an RFP
    • You can get a sample one from eWeek
  • Do an on-site eval of your top choices
    • It's vital to see how the device works in your
      network.
  • Make sure you test their support, especially if
    you are going to buy 24x7
  • Look for product certifications
    • ICSA, NSS Group, Neohapsis

22
What to consider when buying
  • Speed / latency
    • Will the device perform under load?
    • Is the latency acceptable?
    • Very important if you have VOIP!
  • Accuracy
    • How many attacks did it miss?
    • How many false attacks did it block?
  • Signature Updates
    • Absolutely critical. How often the signatures are
      updated is a key indicator of how serious they
      are about selling IPS
  • High Availability
    • Will it do Active-Passive, Active-Active?
  • "Fail Open"
    • Will the device pass traffic in the event of a
      device failure?

23
IPS Testing and Certifications
  • Testing certifications are done by:
    • ICSA Labs
    • NSS Group
    • Neohapsis
  • ICSA is the newest
  • NSS is arguably the most respected, for now.
  • The IPS should have at least one certification

24
Where is IPS going?
  • Commoditizing
  • IPS Functionality in Switches
    • E.g. Foundry, Consentry
    • Can do IPS per port
  • Network Access Control
    • Post-connect NAC
    • Agentless NAC

25
Questions?
26
Thank You