Archive for the 'IDS' Category
An Intrusion Prevention System (IPS) is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. It is an in-line device that scans traffic and, based on a set of rules, determines whether data packets are legitimate or malicious. An IPS is based upon an Intrusion Detection System (IDS), with the added component of taking real time action to prevent an intrusion once detected by the IDS.
In case you are unfamiliar with IDSs, refer to my posts here:
http://www.bestinternetsecurity.net/19/
http://www.bestinternetsecurity.net/18/
IPS System
The term “Intrusion Prevention System” was coined by Andrew Plato, who was a technical writer and consultant for NetworkICE.[1] While these systems were originally an extension of Intrusion Detection Systems (IDSs), which focus on detection only, today’s IPSs are designed to stop attacks and intrusions in real time, protecting valuable assets.
Attacks
An IPS won’t protect you against password attacks or Trojan horse attacks such as screen capturing and keyloggers. However, there are still many reasons you might want to use an IPS, among them extra protection from denial-of-service attacks and protection from many critical exposures found in software such as Microsoft Windows. An IPS device must use “Stateful Inspection” (a firewall technology) to provide advanced protection against new types of attacks and to defend against the growing frequency and scale of Distributed Denial of Service (DDoS) attacks. An IPS prevents a large amount of the downtime that would occur without it, by stopping damage before it reaches the databases, whether from internal or external attacks. The most significant advantage offered by inline IPS technologies is that attacks are detected as they occur.
IPS And Firewall
While some IPS products have the ability to implement firewall rules, this is not a core function of the product. Also, some application layer firewalls have integrated IPS-style signatures into their products to provide real-time analysis and blocking of traffic. Other closely related terms include “Unified Threat Management” (UTM), sometimes called “Next Generation Firewalls.”
Commercial IPS Products
Here are just a few examples of IPS systems on the market today:
Check Point IPS-1 is a hybrid IDS/IPS solution with management features that include the company’s Dynamic Shielding Architecture for vulnerability alerts and Confidence Indexing.
McAfee IntruShield is a purpose-built intrusion detection/prevention appliance performing up to 10 Gbps packet analysis, which will continue to be enhanced through the company’s risk management strategy, including NAC integration. The company recently announced the availability of a Windows VMware version of Strata Guard Free, a freeware version of its intrusion prevention system.
3Com’s TippingPoint IPS System provides Application Protection, Performance Protection, and Infrastructure Protection at gigabit speeds through total packet inspection.
IPS Technologies
A considerable improvement over firewall technologies, IPS can make access control decisions based on application content rather than IP addresses or ports, as traditional firewalls do. But that also implies that IPSs are slower in performance.
An IPS must also be a very effective Intrusion Detection System in order to keep the rate of false positives low. Just as with IDSs, when deploying network-based IPSs (NIPSs), consideration should be given to whether the network segment is encrypted, since not as many products are able to support inspection of such traffic.
According to some news sources regarding a new breed of IPS – the “Distributed IPS” – an IPS’s automatic responses can range from throttling inappropriate traffic and/or blocking individual user/device access, to assigning packets to a quarantine VLAN, or turning off the port.[2]
Customization and Performance Issues
The design and configuration of an IPS is a major part in the effective use of the hardware and software available on the market today. Therefore, I’ll address some key issues for an efficient IPS.
If the IPS fails, the flow of packets stops and the network becomes unavailable; this is something that should not be allowed to occur. The solution is to make sure that the product selected is able to maintain signatures and also provides a well-built interface that is easy to understand and navigate. Network administrators should be able to minimize false positives and false negatives by thoroughly training the IPS, taking care not only to train it during the initial installation phase but also to continue training the system once it is online.
As time goes by, faster IPSs will be created. In fact, most IPSs available today can handle up to a gigabit of traffic. Network administrators should be aware of the bandwidth capabilities of each IPS and be sure to choose one suitable for their level of network traffic.
[1] http://www.safensoft.com/security.phtml?c=587
[2] http://www.enterasys.com/company/press-release-item.aspx?id=748
Tags: DOS, Denial of Service Attack, Distributed Denial of Service Attack, false negative
Technorati Tags: Intrusion Prevention System, IPS, Intrusion Detection System, IDS, DDoS, Check Point IPS-1, McAfee IntruShield, 3Com’s TippingPoint IPS System, false positives, Distributed IPS, DOS, Denial of Service Attack, Distributed Denial of Service Attack, false negative
The accountability portion of security control refers to holding system users responsible for their actions by constantly monitoring all activities within the system.
Consistently logging and auditing activities are ways that we monitor the system to ensure proper tracking of computer misuse. For example, as part of the auditing process, the following activities should be logged for effective control and accountability:
- User identification information
- System access time
- Information on system objects being accessed
- Failed login attempts
- System warnings and error messages
- Repeated user mistakes
Considering that a system that ensures accountability requires a strong system of authentication, a good access control system should be implemented. If the system has no access control system, logging the above activities could become meaningless.
Keep in mind that system logging must take into account numerous daily network activities. These valid activities need to be distinguished from activities that appear suspicious. For this reason, an effective clipping mechanism should be in place. This mechanism, which includes setting clipping levels to define acceptable system activities, acts as a baseline for determining system violations.
The goal of monitoring, auditing, and clipping levels is to discover problems before major damage occurs, and to be alerted when a possible attack is underway. Theoretically, when the clipping mechanism detects that the baseline has been exceeded, an alarm is generated and the system records further information regarding the detected changes in activity. In other words, as soon as the system detects that activities are occurring that fall outside of the predefined acceptable threshold, it notifies the security administrator via e-mail or pager, and generates a log of further activity. This log can then be used to investigate the suspicious activity.
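To make the clipping mechanism concrete, here is an added example (written for this page, not code from the original post) that runs a clipping level over a small audit log. The log lines, user names and the threshold of three failed logins within ten minutes are all constructed assumptions; the record format (timestamp, user, event, object) mirrors the list of items to log given above. Failures below the threshold are treated as the ordinary user mistakes the baseline tolerates; once a user trips the alarm, every later record for that user is attached to the alarm as the “further activity” an investigator would want.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not taken from any real system).
# Fields: ISO timestamp, user id, event, object accessed ("-" if none).
SAMPLE_LOG = [
    "2024-03-01T08:00:01 alice LOGIN_OK   /home/alice",
    "2024-03-01T08:00:05 bob   LOGIN_FAIL -",
    "2024-03-01T08:00:09 bob   LOGIN_FAIL -",
    "2024-03-01T08:00:12 bob   LOGIN_FAIL -",
    "2024-03-01T08:00:15 bob   LOGIN_FAIL -",
    "2024-03-01T08:01:00 bob   LOGIN_OK   /home/bob",
    "2024-03-01T08:01:30 alice FILE_READ  /srv/payroll.db",
    "2024-03-01T08:30:00 carol LOGIN_FAIL -",
    "2024-03-01T09:30:00 carol LOGIN_FAIL -",
    "2024-03-01T10:30:00 carol LOGIN_FAIL -",
    "2024-03-01T11:30:00 carol LOGIN_FAIL -",
]


def parse_record(line):
    """Split one audit line into its fields; the timestamp becomes a datetime."""
    ts, user, event, obj = line.split(maxsplit=3)
    return {"time": datetime.fromisoformat(ts), "user": user,
            "event": event, "object": obj}


def detect_violations(lines, threshold=3, window_minutes=10):
    """Apply a clipping level: `threshold` failed logins by one user inside a
    sliding window of `window_minutes` raise an alarm (hypothetical values).
    Below that level the failures are the ordinary mistakes the baseline
    allows.  After a user trips the alarm, all later records for that user
    are collected as follow-up evidence for the investigator."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)   # user -> timestamps of recent LOGIN_FAIL
    alarms = []
    flagged = {}                            # user -> alarm dict collecting follow-up
    for line in lines:
        rec = parse_record(line)
        user = rec["user"]
        if user in flagged:
            flagged[user]["followup"].append(rec)
            continue
        if rec["event"] != "LOGIN_FAIL":
            continue
        q = recent_failures[user]
        q.append(rec["time"])
        # discard failures that have fallen out of the sliding window
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alarm = {"user": user, "count": len(q), "first": q[0],
                     "last": q[-1], "followup": []}
            alarms.append(alarm)
            flagged[user] = alarm
    return alarms


if __name__ == "__main__":
    for a in detect_violations(SAMPLE_LOG):
        print(f"ALARM {a['user']}: {a['count']} failed logins "
              f"between {a['first']} and {a['last']}")
        for rec in a["followup"]:
            print(f"   follow-up: {rec['time']} {rec['event']} {rec['object']}")
```

With the sample data, bob trips the alarm on his third failure within seconds, and his later records are captured as follow-up; carol's four failures are spread over three hours, so the sliding window never holds three at once and she stays under the baseline. Widening the window or lowering the threshold is exactly the tuning trade-off between catching slow attacks and flagging ordinary mistakes.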
Perhaps a more effective solution would be the use of software that automates the detection of a violation. The most common installation related to system violation is the Intrusion Detection System (IDS). An IDS is software customized to collect and analyze system activities. It alerts system administrators to suspicious system activities by using a pre-installed database specifically built to record clipping levels and patterns of system misuse.
Any good system monitoring and auditing process should allow the user to work unimpeded. For security purposes, the user should not know what monitoring and auditing is being conducted or how. However, the issue of privacy must of course also be considered. The monitoring system should comply with local personnel and data privacy laws when carrying out monitoring activities. It is strongly advised that users be notified in advance of possible logging and analysis of their system activities.
Tags: Operations Security Control, Operations Security, Audit, IT Audit, System Auditing, Personnel Privacy Laws, Intrusion Detection System
Technorati Tags: accountability, monitoring, logging, auditing, authentication, access control, system logging, clipping mechanism, clipping levels, system violations, IDS, system monitoring, data privacy laws, Operations Security Control, Operations Security, Audit, IT Audit, System Auditing, Personnel Privacy Laws, Intrusion Detection System
Myth # 1
IDS can handle network attacks automatically
No. An IDS can only assist a human being in investigating and detecting any potential network attack under way in the network. It still relies on the network administrator to handle the suspicious incidents.
Myth # 2
Network based IDS can effectively monitor all network traffic of the network segment under investigation.
No. As modern networks get faster and faster (Ethernet has moved from 10 Mb/s to, on some networks today, 1000 Mb/s), it is very unlikely that an ordinary network tap can capture all network packets for analysis. Failing to capture everything means that abnormal network traffic patterns can be overlooked.
Myth # 3
No Alarm means there is no intrusion
No. An IDS can certainly fail to detect intrusion activities, for the following reasons:
1) It fails to capture ALL network traffic (Myth #2)
2) It fails to identify the suspicious traffic pattern (due to the lack of related traffic pattern information in the pattern file)
This phenomenon is a “False Negative” (an actual intrusion that is not detected).
Myth #4:
If there is alarm, there must be intrusions.
No. Like most other detection devices, an IDS can produce “False Positives”: it signals that there are intrusions when in fact there are none. An IDS can be too sensitive in detecting network patterns that are unrelated to network attacks.
Related Topics: IDS, Intrusion Detection System, Myths of IDS, Network Mis-use, False Positive, False Negative
Technorati Tags: IDS, Intrusion Detection System, Myths of IDS, Network Mis-use, False Positive, False Negative
Intrusion Detection System (IDS), as its name suggests, is used to detect network anomalies.
It is nothing but a combination of software and hardware used for network and host monitoring. If you are a network administrator and you have the habit of regularly checking your server logs, workstation login details, and/or firewall access logs, then you are already doing intrusion detection.
An IDS is made to assist you in this process. It is divided into two types of devices: Network Based and Host Based.
A Network Based IDS consists of a sniffer engine as the component that captures network packets in a subnet. The sniffer is a network tap connected to a particular network segment using a network device in promiscuous mode. It captures and retains the packets, which are then sent to an analyzing engine for analysis.
A Network Based IDS can consist of many sniffer taps connected at various segments of your network. They collect the network packet information and send it all back to the analyzing engine for one-stop analysis.
The analyzing engine operates by comparing the packet information to known network misuse patterns and deciding whether there is any potential danger of a network attack.
An IDS relies on network attack signature files that guide the analyzing engine in its lookups. So it works like an anti-virus program: if your pattern file is smart, it works smart; if it is dumb, it does not work either. You therefore need to constantly update and refine the pattern file according to your unique network traffic pattern and usage.
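The following is an added example, written for this page and not code from the original post or from any IDS product, of the analyzing engine described above; it also illustrates Myths #3 and #4 from the earlier post, since the same engine run with different pattern files shows where false negatives and false positives come from. The packets, addresses, signature ids (1001–1003) and the packet/signature formats are all constructed assumptions and much simpler than a real product's. Two of the five packets are directory-traversal attempts (one plain, one with the dots percent-encoded); a narrow pattern misses the encoded one (false negative), a loose pattern that only looks for “passwd” also fires on a harmless document fetch (false positive), and a refined pattern catches both attacks without the extra alert.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed packets (not real traffic): what a sniffer tap hands to the
# analyzing engine after decoding the header fields it needs.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "proto": "TCP", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"},
    {"src": "203.0.113.9", "dst": "10.0.0.80", "proto": "TCP", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.80", "proto": "TCP", "dport": 80,
     "payload": b"GET /docs/passwd-policy.html HTTP/1.1\r\n"},
    {"src": "203.0.113.9", "dst": "10.0.0.80", "proto": "TCP", "dport": 80,
     "payload": b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"},
    {"src": "198.51.100.2", "dst": "10.0.0.80", "proto": "TCP", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
]
ATTACK_PACKETS = {1, 3}   # the two traversal attempts above, by index (known ground truth)


@dataclass
class Signature:
    sid: int               # hypothetical signature id, not from any real rule set
    msg: str
    proto: str
    dport: Optional[int]   # None means any destination port
    pattern: bytes         # regular expression applied to the payload


# Three versions of one pattern-file entry, to show how pattern quality
# decides what the engine sees.
SIG_NARROW = Signature(1001, "traversal to /etc/passwd (literal ../ only)", "TCP", 80,
                       rb"\.\./.*etc/passwd")
SIG_LOOSE = Signature(1002, "payload mentions passwd (too broad)", "TCP", 80,
                      rb"passwd")
SIG_REFINED = Signature(1003, "traversal to /etc/passwd (plain or %2e-encoded)", "TCP", 80,
                        rb"(?i)(\.\.|%2e%2e)/.*etc/passwd")


def analyze(packets, signatures):
    """The analyzing engine: compare every packet against every signature and
    return one alert per (packet, signature) match."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for sig in signatures:
            if sig.proto != pkt["proto"]:
                continue
            if sig.dport is not None and sig.dport != pkt["dport"]:
                continue
            if re.search(sig.pattern, pkt["payload"]):
                alerts.append({"packet": idx, "sid": sig.sid,
                               "msg": sig.msg, "src": pkt["src"]})
    return alerts


def alerted_packets(alerts):
    """Set of packet indexes that raised at least one alert."""
    return {a["packet"] for a in alerts}


def evaluate(signatures, packets=PACKETS, attacks=ATTACK_PACKETS):
    """Score a pattern file against packets whose true nature is known:
    false negatives are attacks with no alert (Myth #3),
    false positives are alerts on benign packets (Myth #4)."""
    hit = alerted_packets(analyze(packets, signatures))
    return {"false_negatives": sorted(attacks - hit),
            "false_positives": sorted(hit - attacks)}


if __name__ == "__main__":
    for name, sigs in [("narrow", [SIG_NARROW]), ("loose", [SIG_LOOSE]),
                       ("refined", [SIG_REFINED])]:
        print(name, evaluate(sigs))
```

The evaluate() step is the part worth keeping in practice: replaying captured traffic of known nature against a candidate pattern file, before deploying it, is how the “constantly update and refine” advice above becomes a measurable process rather than guesswork.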
A Host Based Intrusion Detection device works by operating on a host (usually a server, but you can use it on a particular suspicious workstation) and analysing that host with the Host Based IDS software.
The drawback of a Host Based IDS is, thus, the unavoidable modification of the host (because you have to install the IDS software on it), and you need different versions of the IDS software for hosts running different operating systems.
But a Host Based IDS can be made to conduct more precise monitoring of the host’s suspicious activities, and it also achieves a higher level of monitoring (at the application level) than a Network Based IDS.
There are many myths about IDS. Let’s talk more about this later.
Technorati Tags: Intrusion Detection System, IDS, network anomalies, network and host monitoring, Network Based IDS, sniffer, promiscuous mode, network misuse patterns, network attack signature, Host Based Intrusion Detection, myths about IDS