Intrusion Protection System (IPS) - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Intrusion Protection System (IPS)

Description:

Effective against internal attacks. 11/9/09. Taoho Wei. 8. IDS contd. ... concentrate on exploiting TCP/IP attacks launched by sophisticated attackers. 11/9/09 ... – PowerPoint PPT presentation

Number of Views:184
Avg rating:3.0/5.0
Slides: 32
Provided by: cso7
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Protection System (IPS)


1
Intrusion Protection System (IPS)
  • Taoho Wei

2
Security Components
  • Firewalls
  • Anti-Virus Programs
  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)

3
Firewall
  • The first line of defense
  • Provide protection against
  • Unauthorized external access
  • Compromising authentication
  • Spoofing
  • Session stealing
  • Tunneling
  • Flooding

4
Firewall contd.
  • Types of firewalls
  • Static packet filtering firewalls
  • Filter packets according to allow/deny rules
  • Stateful packet filtering firewalls
  • Using state table and client/server
    request/response to by passing firewall rules to
    optimizing the screening process.
  • Stateful inspection firewalls
  • Examines the payload and selectively opens and
    closes ports on the fly as per the protocol.
  • Proxy firewalls
  • Brdak up a client/server connection to examine
    the protocols syntax.

5
Firewall contd.
  • Problems
  • Its anything but a wall or a gate guard.
  • Cannot prevent internal attacks.
  • Initial set up cost is huge
  • Need human interaction to update the set of
    rules
  • Cannot counter new (unknown) attack techniques.
  • Only scan packets for source/destination
    addresses and port number, not actual data.

6
Anti-Virus Programs
  • A Clean-up programs
  • Using Pattern matching
  • Similar to a cop watching out for a criminal
  • Problems
  • Signatures need to be updated
  • Passive, cannot detect unknown attack signatures.
  • Can only detect and clean knowen viruses.

7
Intrusion Detection System (IDS)
  • Second layer of defense
  • Detects the presence of attacks within traffic
    that flows in through the holes punched into the
    firewall.
  • The process of monitoring the events occurring in
    a computer system or network and analyzing them
    for signs of intrusions.
  • Effective against internal attacks

8
IDS contd.
  • Identify evidence of intrusion, either while in
    progress or after the fact.
  • Monitoring, profiling and analysis of system
    events and user behaviors.
  • When used in conjunction with firewalls, a better
    strategy for defending against attacks is made
    available.

9
IDS contd.
  • Types of IDS (by alarm triggering mechanism)
  • Anomaly detection based IDS (compare normal
    range)
  • Misuse detection based IDS (pattern matching)
  • Types of IDS (by data source/monitoring
    location)
  • Network based IDS (NIDS) (monitor packets)
  • Host based IDS (HIDS) (collect system logs/audit
    trails)

10
IDS contd.
  • Problems
  • IDS dose not block attacks, it only reports
    attacks took place like an alarm with no lock.
  • Increased analysis of data often comes decreased
    performance, especially when resource is limited.
  • NIDS cannot review encrypted data.
  • Do not guard effectively against complex evasion
    techniques that concentrate on exploiting TCP/IP
    attacks launched by sophisticated attackers

11
Why IPS?
  • Firewall can block ports, but how about allowed
    ports?
  • Anti-virus Programs only deal with known virus
    and worms, but how about unknown attacks such as
    scanning and probing etc?
  • IDS only detect and report attacks patterns, but
    how to stop them?
  • IPS proactively detects both known and unknown
    attacks, and also stop them in real-time.

12
Intrusion Prevention System IPS
  • Prevent the attacks from being successful. Stop
    attacks in real-time before they cause harm.
  • Harm could be prevented by
  • Protecting system resources
  • Stopping privilege escalation exploits
  • Preventing buffer overflow exploits
  • Prohibit access to e-mail contact list
  • Prevent directory traversal

13
IPS contd.
  • IPS Approaches
  • Software based heuristic approach
  • Similar to IDS anomaly detection using neural
    networks
  • Sandbox approach
  • Quarantine mobile code (i.e. ActiveX, Java
    applets) in a sandbox.
  • Hybrid approach
  • On NIPS, including various detection methods.
  • Kernel based protection approach
  • On HIPS, restrict access to system resources.

14
IPS contd.
  • Types of IPS
  • Inline Network Intrusion Detection System
  • Layer Seven Switches
  • Application Firewalls/IDS
  • Hybrid Switches
  • Deceptive

15
IPS contd.
  • Inline Network Intrusion Detection System
  • Writing rules offers a way to catch new attacks
  • In the case of a protocol anomaly inline NIDS, it
    will be able to stop unknown attacks based on the
    protocols that it is able to decode, as well as
    the knowledge of those protocols.

16
IPS contd.
  • Inline Network Intrusion Detection System

17
IPS contd.
  • Inline Network Intrusion Detection System
  • Products
  • ISS Guard
  • Hogwash
  • NetScreen
  • TippingPoint
  • Intruvert

18
IPS contd.
  • Layer Seven Switches
  • Be able to inspect the URL to direct particular
    request to specific servers based on predefined
    rules with security features such as DoS and DDoS
    protection.
  • Can easily handle gigabit and multi-gigabit
    traffic.
  • Placing these devices in front of your firewalls
    would give protection for the entire network.
  • inspecting layer seven content for
    routing/switching decisions

19
IPS contd.
  • Layer Seven Switches

20
IPS contd.
  • Layer Seven Switches
  • Products
  • Redware
  • TopLayer
  • Foundry

21
IPS contd.
  • Application IPS/Firewalls
  • Protect against poor programming and unknown
    attacks.
  • Loaded on each server that is to be protected.
  • Profile a system or create policies to stop
    malicious actions from taking place.
  • Customizable to each application that they are to
    protect.
  • Dont look at packet level information, rather,
    look at
  • API calls
  • memory management (i.e. buffer overflow attempts)
  • how the application interacts with the operating
    system
  • how the user is suppose to interact with the
    application

22
IPS contd.
  • Application IPS/Firewalls

23
IPS contd.
  • Application IPS/Firewalls
  • Products
  • Okena StormWatch
  • McAfee Entercept

24
IPS contd.
  • Hybrid Switches
  • A cross between the host-based application
    firewall/IDS and the layer seven switch.
  • Hardware based in front of the servers
  • Use a policy similar to the application
    IDS/firewall
  • Inspect specific traffic for malicious content
    defined by the policy that is configured.
  • The hybrid switch can be combined with a layer
    seven switch to offer even higher performance.

25
IPS contd.
  • Hybrid Switches

26
IPS contd.
  • Hybrid Switches
  • Products
  • Appshild
  • Kavado

27
IPS contd.
  • Deceptive Applications
  • First, it watches all your network traffic and
    figures out what is good traffic, similar to the
    profiling phase of the application IPS/firewall.
  • Then, when it sees attempts to connect to
    services that do not exist or at least exist on
    that server, it will send back a response to the
    attacker.
  • The response will be marked with some bogus
    data so that when the attacker comes back and
    tries to exploit the server the IPS will see the
    marked data and stop all traffic coming from
    the attacker.

28
IPS contd.
  • Deceptive Applications

29
IPS contd.
  • Deceptive Applications
  • Products
  • Forescout

30
IPS contd.
  • Conclusion
  • IPS is an evolution of IDS technology. It adds to
    the defense in depth approach to security
  • Different environment needs different solutions.
  • Each type of IPS offers different level of
    protection. There is no one size fits all
    solution.
  • Using more than one type of the solutions.
  • A mix of firewall, anti-virus, and IPSs.

31
Reference
  • Bharat Goyal, Sriranjoni Staraman, Srinivasan
    Krishnamurthy, Intrusion Detection Systems An
    OverView, Department of Computer Science,
    University of Texas at Dallas
  • Dinesh Sequeira, Intrusion prevention systems
    securitys silver bullet?, GSEC V1.4B Option 1,
    SANS Institute, 2002.
  • Neil Desai, Intrusion Prevention System the
    Next Step in the Evolution of IDS, Feb 27, 2003.
    http//www.securityfocus.com/infocus/1670
  • Salma Abdul-Rahman, Network Intrusion Detection
    Systems, April 20, 2000, http//www.cs.utk.edu/a
    bdulrah/netsecurity/papaer.html
Write a Comment
User Comments (0)
About PowerShow.com