Intrusion Defense - Part 4

Article by Tom Olzak, CISSP
Published on Jul 17, 2008
In this article, we continue our exploration of intrusion defense tools and techniques with an examination of intrusion prevention technology.

Intrusion Prevention

Intrusion prevention technology detects attacks, both known ones (by signature) and previously unseen ones (by anomaly), and automatically blocks them before they have a significant adverse impact on your business.  As with intrusion detection, there are two primary deployment methods: network-based intrusion prevention systems (NIPS) and host-based intrusion prevention systems (HIPS).

NIPS

A NIPS device combines deep packet inspection with firewall-style traffic control.  Like a firewall, a NIPS sits inline in the data path.  In the example depicted in Figure 1, all packets passing to and from sources outside the perimeter are evaluated, as are all packets passing to and from Segment B, the home of the organization's most critical systems.

Through deep packet inspection, each packet is checked for content indicative of an attack.  Packets are also evaluated in the context of the session they belong to, so an attack whose payload is split across several packets can still be recognized.  Traffic that displays unusual behavior, or behavior that is clearly malicious, is blocked immediately by the NIPS.

When planning the purchase and implementation of a NIPS solution, you should consider the following:

  • Inline Operation - Because it sits in the data path, a NIPS can discard suspect packets and block the remaining packet flow associated with the potential attack, and it can do so without reconfiguring firewalls or routers.  Inline operation of NIPS devices has been made possible by significant improvements in processing power.
  • Reliability and Availability - In order to provide continuous protection, the device you choose should perform well and have an acceptable mean time between failures (MTBF).  You might also want redundant devices so that if one fails, traffic still flows through the other.  Decide in advance how each inline device should behave when it does fail.  For example, if the NIPS protecting Segment B in Figure 1 fails closed, Segment B is effectively removed from the network.  If the data on that segment is highly sensitive, that may be exactly what you want: isolation whenever no NIPS protection is available.  In most cases, however, you'll want the NIPS configured to fail open so that traffic continues to flow, unprotected, until the device is restored.
  • Accuracy - Ensure that the vendor provides regular detection updates, and that applying them is quick and interrupts neither the flow of traffic nor the protection.  Check reliable third-party sources to verify the vendor's claims about false positive and false negative rates.  Finally, the device should be resistant to attempts by attackers to turn its blocking capability into a denial of service; a device that blocks by source address on the strength of a single trigger can be induced, with spoofed packets, to cut off legitimate hosts or partners.
  • Alerting and Analysis Capabilities - All information collected by the various NIPS placed around your network should be sent to a central console for evaluation.  From this console, you should be able to run reports that support investigations.  The console application should also send alerts when an attack, or a potential attack condition, is recognized by one or more NIPS.  Consider outsourcing the aggregation and correlation of collected activity information to an MSSP.
  • Highly Granular Configuration and Control Capabilities - When configuring and tuning your IPS devices, you should have the capability to define what attacks to detect and what policy violations to look for on specific network segments or on specific servers and workstations.
  • Adequate Level of Performance - Each NIPS should be powerful enough to inspect traffic at the speed of the segment it protects without hindering the flow of information.  In other words, it shouldn't become a bottleneck.  There should also be enough spare processing power to allow for traffic growth over the device's life expectancy.
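
As an added illustration (not code from the original article or from any vendor's product), the following Python sketch shows three of the NIPS behaviors discussed above working together: per-packet signature inspection, evaluation in the context of the flow so that a signature split across two packets is still caught and the rest of that flow is discarded, and an explicit fail-open or fail-closed policy for the moment the inspection engine itself is unavailable.  The signatures, addresses and packets are constructed; flow reassembly is simplified to concatenating payloads in arrival order, with no TCP sequence handling.

```python
"""Toy inline NIPS engine (added example, not from the article or any product).

Packets, flows and signatures below are constructed for illustration.
Per-flow "reassembly" is simply payload concatenation in arrival order;
real TCP reassembly (sequence numbers, retransmits) is omitted.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(pkt):
    """Identify a flow by its address/port 4-tuple (protocol fixed to TCP here)."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


# Constructed content signatures, not vendor rules.
SIGNATURES = {
    "path traversal in HTTP request": re.compile(rb"GET\s+/\S*\.\./"),
    "shell command in HTTP parameter": re.compile(rb"[;&|]\s*(cat|wget|curl)\s+"),
}

MAX_FLOW_BUFFER = 4096  # bytes of per-flow context kept for cross-packet matching


@dataclass
class InlineIPS:
    fail_open: bool = True        # what happens to traffic when the engine is down
    healthy: bool = True          # False simulates an engine failure
    blocked_flows: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    context: dict = field(default_factory=dict)  # flow_key -> recent payload bytes

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, updating flow state."""
        if not self.healthy:
            # Fail-open passes traffic unprotected; fail-closed isolates the segment.
            return "forward" if self.fail_open else "drop"
        key = flow_key(pkt)
        if key in self.blocked_flows:
            return "drop"          # the rest of a flagged flow is discarded
        buf = (self.context.get(key, b"") + pkt.payload)[-MAX_FLOW_BUFFER:]
        self.context[key] = buf
        for name, sig in SIGNATURES.items():
            if sig.search(buf):
                # Block the flow, not the source address: spoofed-source packets
                # cannot be used to get an innocent host's traffic dropped.
                self.blocked_flows.add(key)
                self.alerts.append((name, key))
                return "drop"
        return "forward"


def run_demo(fail_open=True):
    """Push a constructed packet stream through the engine; return verdicts and alerts."""
    ips = InlineIPS(fail_open=fail_open)
    client = dict(src="10.0.2.15", sport=51000, dst="192.0.2.10", dport=80)
    attacker = dict(src="198.51.100.7", sport=40000, dst="192.0.2.10", dport=80)
    stream = [
        ("client-1", Packet(**client, payload=b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n")),
        ("attacker-1", Packet(**attacker, payload=b"GET /images/..")),               # harmless on its own
        ("attacker-2", Packet(**attacker, payload=b"/../etc/passwd HTTP/1.0\r\n")),  # completes the signature
        ("attacker-3", Packet(**attacker, payload=b"GET /index.html HTTP/1.0\r\n")), # flow already blocked
        ("client-2", Packet(**client, payload=b"GET /about.html HTTP/1.0\r\n")),
    ]
    verdicts = {}
    for label, pkt in stream:
        verdicts[label] = ips.inspect(pkt)
    ips.healthy = False   # simulate the inspection engine failing
    verdicts["client-after-failure"] = ips.inspect(Packet(**client, payload=b"GET / HTTP/1.0\r\n"))
    return verdicts, ips.alerts


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, alerts = run_demo(fail_open=mode)
        print("fail_open=%s %s alerts=%s" % (mode, verdicts, alerts))
```

Two design choices deserve a note.  The engine blocks the offending flow rather than every packet from its source address, which is one way to keep an attacker from turning the device's blocking capability into a denial of service with spoofed sources.  And the fail-open/fail-closed decision is a configuration setting made before the failure, not something the device decides on its own; the last verdict in the demo changes from "forward" to "drop" purely on that setting.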

Proper placement of a NIPS can protect a large number of network devices.  In addition to servers and workstations, a NIPS can protect firewalls, routers, VPN concentrators and the like, and it does not depend on the platform of the hosts behind it.

HIPS

Host-based intrusion prevention intercepts and blocks behavior that the business rules configured in your HIPS management system deem prohibited or suspect.  It does this in two ways.  First, it inspects all packets flowing in and out of the protected end-user device or server, using the same methods a NIPS uses: signature and anomaly recognition.

Second, it prevents one or more of the following activities, whether performed by a human intruder or by malware:

  1. Copying files
  2. Deleting files
  3. Writing files to certain folders
  4. Changing registry keys

The deployment considerations for HIPS are similar to NIPS:

  1. Reliability and availability
  2. Accuracy
  3. Alerting and analysis capabilities
  4. Highly granular configuration and control capabilities
  5. Adequate level of performance

In addition, HIPS must also:

  1. Be capable of running your off-the-shelf applications when initially installed.  Because a HIPS implementation blocks many activities on your workstations and servers, you must ensure that it doesn't prevent normal application execution; running the agents in an alert-only (audit) mode before enforcing rules is the usual way to find out what would break.
  2. Support user-defined business rules and centralized device management.  It isn't practical to manage hundreds of end-user devices one at a time, for example, when rolling out new or modified business rules.  You should also be able to view alerts and system status from a central console.

HIPS deployment

HIPS is typically deployed as an agent on each device you want to protect.  Your security team configures the agents through centralized management software.  Figure 2 shows the relationship between the management system and the agents.

In this example, the management software runs on a server.  The person responsible for configuring and monitoring the HIPS environment accesses management functions via a management console.  The management system sends business rules to the agents; these rules govern how the agents respond to activity on the systems where they reside.  The agents send rule-violation alerts and system status back to the management system.  This architecture lets an organization scale HIPS to any number of systems.
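
The relationship in Figure 2, as an added example rather than the article's own or any product's code: a management server pushes one set of business rules to its agents, each agent evaluates host events (file copy, delete, write, registry change) against those rules, and violations flow back to a central console.  The rules, hosts, process names and events are constructed.  A second agent runs in an audit mode that reports but does not block, the rollout step that keeps a new HIPS from breaking off-the-shelf applications.

```python
"""Toy HIPS agent with central rule distribution (added example, not the
article's or any vendor's code).  Rules, hosts, processes and events are
constructed for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    action: str    # "copy", "delete", "write" or "registry_set"
    target: str    # file path or registry key being acted on


@dataclass(frozen=True)
class Rule:
    name: str
    actions: Tuple[str, ...]                 # actions the rule prohibits
    target_glob: str                         # fnmatch pattern on the target
    exempt_processes: Tuple[str, ...] = ()   # processes allowed to do it anyway


def _norm(s: str) -> str:
    """Lower-case and use backslashes so globs match however a path was typed."""
    return s.lower().replace("/", "\\")


@dataclass
class Agent:
    host: str
    rules: List[Rule] = field(default_factory=list)
    enforce: bool = True            # False = audit mode: report violations, block nothing
    alerts: List[dict] = field(default_factory=list)

    def evaluate(self, ev: Event) -> str:
        """Return 'allow', 'block' or 'audit' for one host event (first matching rule wins)."""
        for rule in self.rules:
            if ev.action not in rule.actions or not fnmatchcase(_norm(ev.target), _norm(rule.target_glob)):
                continue
            if ev.process.lower() in {p.lower() for p in rule.exempt_processes}:
                continue            # this rule does not apply to the exempt process
            verdict = "block" if self.enforce else "audit"
            self.alerts.append({"host": self.host, "rule": rule.name, "verdict": verdict,
                                "process": ev.process, "target": ev.target})
            return verdict
        return "allow"


@dataclass
class ManagementServer:
    rules: List[Rule]
    console: List[dict] = field(default_factory=list)

    def push_rules(self, agents):
        for agent in agents:
            agent.rules = list(self.rules)   # every agent receives the same policy

    def collect(self, agents):
        for agent in agents:
            self.console.extend(agent.alerts)
            agent.alerts.clear()
        return self.console


# Constructed business rules (hypothetical paths and process names).
RULES = [
    Rule("protect system binaries", ("write", "delete", "copy"), r"C:\Windows\System32\*",
         exempt_processes=("TrustedInstaller.exe",)),
    Rule("no persistence via Run key", ("registry_set",),
         r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*", exempt_processes=("msiexec.exe",)),
    Rule("finance share is read-only for users", ("delete", "copy"), r"D:\Finance\*"),
]


def run_demo():
    """Distribute rules to two agents, feed constructed events, gather console alerts."""
    server = ManagementServer(RULES)
    ws01 = Agent("ws01")                   # enforcing agent
    ws02 = Agent("ws02", enforce=False)    # freshly rolled out: audit first
    server.push_rules([ws01, ws02])
    verdicts = {
        "user document": ws01.evaluate(Event("winword.exe", "write", r"C:\Users\alice\Documents\q3.docx")),
        "os update": ws01.evaluate(Event("TrustedInstaller.exe", "write", r"C:\Windows\System32\ntdll.dll")),
        "dll drop": ws01.evaluate(Event("dropper.exe", "write", r"C:\Windows\System32\svc_helper.dll")),
        "run key": ws01.evaluate(Event("dropper.exe", "registry_set",
                                       r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater")),
        "finance delete": ws01.evaluate(Event("explorer.exe", "delete", r"D:\Finance\ledger.xlsx")),
        "finance copy on audit host": ws02.evaluate(Event("explorer.exe", "copy", "D:/Finance/ledger.xlsx")),
    }
    return verdicts, server.collect([ws01, ws02])


if __name__ == "__main__":
    verdicts, console = run_demo()
    print(verdicts)
    for alert in console:
        print(alert)
```

Rule order matters because the first matching rule decides, and exemptions are per rule rather than global, so a process trusted to update system binaries is not thereby trusted to add Run-key entries.  The audit host produces an alert with verdict "audit" on the same console as the blocks, which is what lets an administrator compare what a rule set would have blocked against what the business actually needs to do before turning enforcement on.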

In Part 5, we see how to combine intrusion detection and intrusion prevention solutions.



Figure 1: NIPS Device Placement
Figure 2: HIPS Management
