Saturday, 29 December 2012

Intrusion Detection & Protection


Introduction
    Intrusion Prevention Systems (IPS), the active successor to Intrusion Detection Systems, are now making their mark on the IT industry and raising network security to a new level. An IPS is any device (hardware or software) that can detect attacks, both known and unknown, and stop them before they succeed. Put simply, an IPS sits in-line like a firewall, detects anomalies or known attack signatures in the regular flow of network traffic, and then drops or blocks the possibly malicious activity rather than only reporting it.

There are many reasons why someone would want to use an IPS; among them are extra protection from denial-of-service attacks and protection from many critical exposures found in software such as Microsoft Windows. The capabilities of IPSs are already in use by large organizations, and in the near future we will more than likely see private home users utilizing a variation of the IPS.

 

Ethics
The ethical issues that should be addressed with Intrusion Prevention Systems are among the standard ethics that any network administrator has to follow. There should be a standard set of ethical guidelines specifically for that company's network administrator, as this administrator has access to all data on any server or database where much confidential data is stored. Administrators have the ability to look through anyone's files; however, most generic codes of ethics state that, even though they have the permissions and access to other users' files, they should only go into those files with the knowledge and permission of the file's owner.

The IPS will require similar ethical codes to be followed, as every packet of information that flows through that network will go through the IPS and be thoroughly inspected. If an anomaly or a signature is found within a packet and it is then looked through by the network administrator, that data could be confidential and should remain inaccessible to any public users. This means that all audit logs containing any anomalies or signatures that were red-flagged must be treated as confidential data. If the audit logs are accessible to unauthorized users, the results could be very significant and damaging to the company, depending on what data was stored in the audit logs.

Ethics must be displayed at all times by network administrators; they must show good judgement and should contact a user before looking through their data. If a job process is stopped by an IPS, the administrator should notify the user if they are not yet aware, and then gain their permission to analyse that data to see what the anomaly was. The administrator should not share any information found during the inspection of that data and must be able to ensure its confidentiality. Ethics are important, and guidelines should be set when using an IPS to ensure the security of any data that may be passing through it. Ethical and moral issues such as privacy when embracing new applications are common dilemmas network professionals have to face, but it is more than just your ethical perspective. You might be confident in your personal ethics, but what about those of your department or company? It is important to maintain your company's code of ethics and make sure your end users and IT staff are aware of and understand it.

 

IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will take over from IDS, it is somewhat of an apples-and-oranges comparison. The two solutions differ in that one is a passive detection and monitoring system and the other is an active prevention system. The age-old debate of why you would be passive when you could be active comes into play. You can also weigh the implementation of the more mature IDS technology against the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management and implementation, and overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS systems and, believing that IPS is the next generation of IDS, choose the newer IPSs over IDSs. Adding to the muddle, of course, will be your initial decision to choose host-based or network-based systems for either IDS or IPS.

Much like choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions.

Note:
IDS: short for intrusion detection system.
IPS: short for intrusion prevention system.

What is Intrusion Detection (IDS)?
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered a passive monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and identifies probes, attacks, exploits and attempts to use other vulnerabilities. An IDS can respond to a suspicious event in one of several ways, which include displaying an alert, logging the event or even paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspicious intrusion.

An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses (signature-based detection), and by tracking general variances from regular system activity (anomaly-based detection). Signature matching can only notify you of attacks it already has a signature for; anything new has to be caught by the anomaly side, which is also where most false alarms come from.

Physical intrusion detection is the act of identifying threats to physical systems. It is most often seen as physical controls put in place to ensure CIA (confidentiality, integrity and availability). In many cases physical intrusion detection systems act as prevention systems as well. Examples of physical intrusion detection are:

·         Security Guards

·         Security Cameras

·         Access Control Systems (Card, Biometric)

·         Man Traps

·         Motion Sensors

What is Intrusion Prevention (IPS)?

An intrusion prevention system is any device that exercises access control to protect computers from exploitation. "Intrusion prevention" technology is considered by some to be an extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application-layer firewall.

Intrusion prevention systems (IPS) were invented to resolve the ambiguities of passive network monitoring by placing detection systems in-line, so that a detection becomes a blocking decision on the packet itself. A considerable improvement upon firewall technologies, IPSs make access-control decisions based on application content, rather than on IP address or port as traditional firewalls had done. As IPSs were originally a literal extension of intrusion detection systems, the two remain related.

Intrusion prevention systems may also serve secondarily at the host level to deny potentially malicious activity. There are advantages and disadvantages to host-based IPS compared with network-based IPS; in many cases the technologies are thought to be complementary. An intrusion prevention system must also be a very good intrusion detection system to keep its rate of false positives low, because every false positive is now a dropped legitimate connection rather than a spurious alert. Some IPSs can also prevent yet-to-be-discovered attacks, such as those that rely on a buffer overflow, by recognising the generic mechanics of the attack class rather than a specific exploit. Because a high number of new security vulnerabilities are discovered every day, it can be a hassle for the end user to keep all their servers up to date with the latest patches; in many cases the patches that fix a security hole are delayed by days, weeks or even months.

In some critical environments the installation of patches can break functionality, resulting in a direct loss for the customer if their production systems are not performing optimally due to a dysfunctional patch. An IPS that blocks the exploit gives such systems cover until the patch can be applied.

 

Steps in Intrusion Detection:

Step 1 (IDS system): installation of the IDS hardware and software, and of the database of user profiles or attack signatures.

Step 2 (Data gathering): sensors placed throughout the network observe passing packets, the state of the OS and files, etc.

Step 3 (Sending alert messages): the sensors' detection software transmits either (1) event descriptors to the IDS server, which then generates an alarm/alert (centralized IDS), or (2) alert messages directly to the IDS console (distributed IDS).

Step 4 (IDS responds): in addition to generating an alarm message, the IDS may also be configured to take level-one defence actions, e.g. drop the suspicious packet or stop the suspicious process.

Step 5 (Administrator assesses damage): the automated IDS response (Step 4) includes only a minimal set of defensive measures; before more serious actions are taken, the system administrator must make sure the alarm is not a 'false positive'.

Step 6 (Subsequent escalation procedure): in the case of a 'true positive', further defensive measures may have to be taken, e.g. completely block any further traffic from a particular host.

Step 7 (Logging and reviewing the event): enter the alert in the IDS log file, in order to determine whether a slow (long-term) pattern of misuse has been occurring, e.g. a series of log-on attempts that occur only once every few days.
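The seven steps above carried through end to end, as an added worked example in Python that is not code from the original page. The two signatures, the sensor events and the list of hosts the administrator has already confirmed as legitimate are all constructed for the example; the administrator's assessment in Step 5 is approximated by that list, and the Step 7 review looks for exactly the slow pattern the text mentions, a few failed log-ons spread over several days.

```python
"""Added example: a centralized IDS pipeline (Steps 1-7) over constructed events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1: the attack-signature database. Both signatures are constructed for
# this example; they are not taken from any real IDS ruleset.
SIGNATURES = {
    "nop-sled": re.compile(rb"\x90{8,}"),      # long run of x86 NOPs in a payload
    "ssh-auth-fail": re.compile(rb"Failed password for \S+ from \d+\.\d+\.\d+\.\d+"),
}

# Hosts the administrator has already confirmed as legitimate (the "training"
# the text describes). A hit from one of these is judged a false positive.
KNOWN_GOOD = {"10.0.0.5"}

# Step 2: what the sensors observed. A network sensor forwards packet payloads,
# a host sensor forwards auth-log lines; all of these are constructed here.
EVENTS = [
    {"ts": "2012-12-01T09:00:00", "sensor": "host-ssh", "src": "203.0.113.7",
     "payload": b"Failed password for root from 203.0.113.7 port 5001 ssh2"},
    {"ts": "2012-12-04T02:13:00", "sensor": "host-ssh", "src": "203.0.113.7",
     "payload": b"Failed password for root from 203.0.113.7 port 5002 ssh2"},
    {"ts": "2012-12-07T23:40:00", "sensor": "host-ssh", "src": "203.0.113.7",
     "payload": b"Failed password for admin from 203.0.113.7 port 5003 ssh2"},
    {"ts": "2012-12-08T10:00:00", "sensor": "net-lan", "src": "10.0.0.5",
     "payload": b"\x90" * 32 + b"GET /firmware.bin HTTP/1.1"},   # build server, benign
    {"ts": "2012-12-08T10:01:00", "sensor": "net-dmz", "src": "198.51.100.20",
     "payload": b"\x90" * 64 + b"\xcc\xcc\xcc\xcc"},             # real exploit attempt
    {"ts": "2012-12-08T10:02:00", "sensor": "net-lan", "src": "10.0.0.9",
     "payload": b"GET /index.html HTTP/1.1"},                    # ordinary traffic
]


class CentralIDS:
    """Step 3 (centralized variant): sensors send event descriptors to this
    server, which matches them and raises the alerts itself."""

    def __init__(self):
        self.alerts = []            # alerts raised (Step 3)
        self.dropped = []           # level-one response: packets dropped (Step 4)
        self.blocked_hosts = set()  # escalation: hosts fully blocked (Step 6)
        self.log = []               # persistent alert log for later review (Step 7)

    def receive(self, event):
        for sig, pattern in SIGNATURES.items():
            if not pattern.search(event["payload"]):
                continue
            alert = {"ts": event["ts"], "src": event["src"],
                     "sensor": event["sensor"], "sig": sig}
            # Step 5: the administrator checks whether the alarm is a false
            # positive before anything beyond the level-one response happens.
            alert["verdict"] = ("false-positive" if event["src"] in KNOWN_GOOD
                                else "true-positive")
            self.alerts.append(alert)
            self.dropped.append(event)          # Step 4: drop the suspicious packet
            self.log.append(alert)              # Step 7: always log, even false positives
            # Step 6: a confirmed exploit payload justifies blocking the host
            # outright; a single failed login does not.
            if alert["verdict"] == "true-positive" and sig == "nop-sled":
                self.blocked_hosts.add(event["src"])
            return alert
        return None

    def review_slow_patterns(self, sig="ssh-auth-fail", min_hits=3,
                             min_span=timedelta(days=2)):
        """Step 7: find low-and-slow misuse, e.g. a handful of failed logins
        spread over days, which no single-event rule would ever trip."""
        times = defaultdict(list)
        for a in self.log:
            if a["sig"] == sig and a["verdict"] == "true-positive":
                times[a["src"]].append(datetime.fromisoformat(a["ts"]))
        return {src: len(ts) for src, ts in times.items()
                if len(ts) >= min_hits and max(ts) - min(ts) >= min_span}


def run_pipeline(events=EVENTS):
    ids = CentralIDS()
    for ev in events:
        ids.receive(ev)
    return ids


if __name__ == "__main__":
    ids = run_pipeline()
    for a in ids.alerts:
        print(a)
    print("blocked:", ids.blocked_hosts)
    print("slow-pattern suspects:", ids.review_slow_patterns())
```

Note that the level-one drop in Step 4 happens before the administrator's verdict in Step 5: the build server's packet is dropped even though it is later judged a false positive, which is exactly the cost of automated response the text warns about.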

 


Main Types of IDS/IPS:

Scope-based IPS protection (by location):

* Host-Based Intrusion Prevention System (HIPS)

* Network-Based Intrusion Prevention System (NIPS)

Host Based IDS/IPS  
* Host-based IPS is a software program that resides on individual systems such as servers, workstations or notebooks.

* Traffic flowing into or out of that particular system is inspected and the behaviour of the applications and operating system may be examined for indications of an attack.

* These host-specific programs or agents may protect just the operating system, or also the applications running on the host, such as web servers.

* When an attack is detected, the Host IPS software either blocks the attack at the network Interface level, or issues commands to the application or operating system to stop the behaviour initiated by the attack.

* It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.

* One potential disadvantage with this approach is that, given the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.

 

How Does Intrusion Prevention Work?
Intrusion prevention is an advanced, intelligent way of inspecting traffic at the different protocol layers for attacks against vulnerabilities. It combines many techniques to reach the most advanced security level possible. These include:

  • A signature database updated multiple times daily with the latest definitions.

  • Traffic abnormalities are identified and, if they carry dangerous content, blocked.

  • Port scans are detected and the scanning host is blocked, because when a port scan is performed an attack will most likely follow within a matter of minutes.

  • Protection against denial-of-service (DoS) attacks, because a successful DoS attack can crash your system or leave it unusable.

  • Protection against known buffer-overflow attacks and other exploits being launched.

  • Zero-day protection: a module that protects against known and not-yet-disclosed vulnerabilities by recognising the generic behaviour of an attack class rather than a specific exploit.

  • Wide protection for webmail, FTP, Windows, Linux, BSD, UNIX, routers, firewalls, and databases such as DB2, Oracle, MySQL, MS SQL, PostgreSQL, and more.
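How the signature, port-scan and denial-of-service checks listed above combine in a single in-line engine, as an added Python example that is not code from the original page. The packet trace, the two content signatures and every threshold are constructed for the example (a real IPS uses far more specific rules and much higher SYN limits); the point is that the device is stateful, so what it saw a minute ago changes the verdict on the packet in front of it now.

```python
"""Added example: an in-line IPS with signature, port-scan and SYN-flood checks
over a constructed packet trace."""
from collections import Counter, defaultdict, deque

SCAN_WINDOW = 10.0   # seconds in which distinct ports from one source are counted
SCAN_PORTS = 10      # distinct destination ports that count as a scan
QUARANTINE = 300.0   # seconds a scanning host stays blocked afterwards
SYN_WINDOW = 1.0     # seconds
SYN_LIMIT = 20       # bare SYNs per destination per window (deliberately low here)

# Constructed content signatures; real IPS rules are far more specific.
SIGNATURES = {
    "http-traversal": b"../../",
    "shell-injection": b";/bin/sh",
}


class InlineIPS:
    """Each packet passes through inspect() and gets PASS or DROP; the IPS is
    stateful, so earlier packets change the verdict on later ones."""

    def __init__(self):
        self.ports_seen = defaultdict(deque)  # src -> deque of (t, dst_port)
        self.syns = defaultdict(deque)        # dst -> deque of t
        self.quarantined = {}                 # src -> time the block expires
        self.verdicts = []                    # (t, src, verdict, reason)

    def _verdict(self, t, src, verdict, reason):
        self.verdicts.append((t, src, verdict, reason))
        return verdict

    def inspect(self, t, src, dst, dst_port, flags, payload):
        # 1. A host that scanned us recently: the attack usually follows within
        #    minutes, so keep dropping until the quarantine expires.
        if self.quarantined.get(src, -1.0) > t:
            return self._verdict(t, src, "DROP", "quarantined-scanner")
        # 2. Signature match on content, not just on addresses and ports.
        for name, needle in SIGNATURES.items():
            if needle in payload:
                return self._verdict(t, src, "DROP", "sig:" + name)
        # 3. Port-scan anomaly: many distinct ports from one source, fast.
        seen = self.ports_seen[src]
        seen.append((t, dst_port))
        while seen and seen[0][0] < t - SCAN_WINDOW:
            seen.popleft()
        if len({p for _, p in seen}) >= SCAN_PORTS:
            self.quarantined[src] = t + QUARANTINE
            return self._verdict(t, src, "DROP", "port-scan")
        # 4. SYN-flood rate limit per destination (bare SYNs only).
        if "S" in flags and "A" not in flags:
            syns = self.syns[dst]
            syns.append(t)
            while syns and syns[0] < t - SYN_WINDOW:
                syns.popleft()
            if len(syns) > SYN_LIMIT:
                return self._verdict(t, src, "DROP", "syn-flood")
        return self._verdict(t, src, "PASS", "")


def build_trace():
    """Constructed packets: (t, src, dst, dst_port, flags, payload)."""
    srv = "192.0.2.10"
    pkts = []
    # A scanner walks ports 21..32 on the server, one SYN every 100 ms.
    for i, port in enumerate(range(21, 33)):
        pkts.append((0.1 * i, "203.0.113.9", srv, port, "S", b""))
    # Ordinary client traffic, then a traversal attempt from the same client.
    pkts.append((5.0, "10.0.0.5", srv, 80, "PA", b"GET /index.html HTTP/1.1"))
    pkts.append((6.0, "10.0.0.5", srv, 80, "PA", b"GET /../../etc/passwd HTTP/1.1"))
    # One minute later the scanner comes back with its exploit.
    pkts.append((60.0, "203.0.113.9", srv, 80, "PA", b"GET /cgi-bin/x HTTP/1.1"))
    # A SYN flood from 25 spoofed sources inside a quarter of a second.
    for i in range(25):
        pkts.append((100.0 + 0.01 * i, f"198.51.100.{i + 1}", srv, 80, "S", b""))
    return pkts


def run(pkts=None):
    """Push the trace through the IPS and count verdicts by reason."""
    ips = InlineIPS()
    for pkt in (pkts if pkts is not None else build_trace()):
        ips.inspect(*pkt)
    return Counter(v[3] or "PASS" for v in ips.verdicts)


if __name__ == "__main__":
    for reason, n in sorted(run().items()):
        print(f"{n:3d}  {reason}")
```

The scanner's first nine probes pass, because nine ports in a second is not yet a scan by these thresholds; the tenth trips the rule, and from then on everything from that host is dropped, including the exploit it sends a minute later against a port that was never probed. That quarantine is the practical form of "an attack will most likely follow" in the list above.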

 

Designing an intrusion detection system                                                      
AT&T assigns a team of experts who work with you to determine your network protection needs. These experts:

  • Identify the best locations in your WAN for placing intrusion detection sensors
  • Evaluate your network size, configuration and traffic to design a solution that will meet your bandwidth and budget requirements
  • Make online failover and server load balancing recommendations for backup to ensure that your traffic is continually scanned
  • Work to understand your network usage patterns to tune the detection system to meet your needs.

Pros and Cons

·         Intrusion Prevention Systems do have weaknesses; however, the downsides can be balanced against the benefits of the system's overall performance. IPSs are a relatively new development, so there has not been a tremendous amount of time for them to evolve into what they could one day become. One of the most common problems with an IPS is false positives and false negatives. A false positive occurs when the system blocks an activity on the network because it is out of the ordinary and so assumes it is malicious, causing a denial of service to a valid user trying to do a valid procedure; a false negative is the opposite, allowing a malicious activity to go by. The main problem with IDS has been the tremendous number of alerts produced: one IDS user reported having 1.8 million alerts monthly. This issue has been addressed, but it is very difficult to eliminate completely. There will almost always be false positives; however, minimizing them should be one of the main goals of both network administrators and the manufacturers of IPSs. False positives are typically generated by systems that rely on a single detection method, and by ones that cannot be configured at different levels to fit the operational environment. If an IPS uses multiple techniques to detect malicious activity and inspect incoming packets, there is less chance of false positives and false negatives. Network administrators should be able to minimize both by thoroughly training the IPS, during the initial installation phase and continuing while the system is online: the administrator must tell the IPS that certain jobs are non-malicious and should not be red-flagged, and must keep updating the IPS with new malicious activity it may not yet be aware of, such as new viruses.

·         Unfortunately false positives are not the only downside of Intrusion Prevention Systems. For the best results you would want IPSs deployed at multiple spots on the network. If you are concerned with DDoS/SYN-flood type attacks, you would probably put one close to the edge of the network, between the router and the firewall. If you are more concerned with attacks on your critical resources (server farms, e-mail, databases, etc.), you would deploy one directly in front of those resources. The problem is that this becomes quite expensive, as each IPS tends to cost anywhere between $25,000 and $80,000 depending on the number of users being supported. If there are multiple IPSs on the network then every packet must make multiple stops on its way from its source to the end user, which costs network performance and leads to another problem.

·         In a typical location, the aggregated traffic on a switch's SPAN port can be nearly a gigabit. Systems that cannot handle such traffic volumes start to lose packets, which in turn may result in false negatives. On top of the network being slowed down by the IPS, if the IPS is overworked and too many packets are coming in, it will drop packets, and if malicious traffic gets through this way the result is a false negative. An in-line IPS therefore has to be configured either to fail open (pass traffic uninspected when overloaded or when the device dies, preserving availability at the cost of protection) or to fail closed (drop it, preserving protection at the cost of availability), and that choice should be made deliberately rather than left at the vendor default. As time goes on faster IPSs will be created, and in fact most IPSs available today can handle up to a gigabit of traffic; network administrators should be aware of the bandwidth capabilities of an IPS and be sure to find one suitable for their network traffic.

·         Although today's IPSs have come a long way from where they originally started, there are still issues to be worked out; however, even with these downsides, the benefits of IPSs give a protection that no other single security method can provide. An IPS can act like antivirus software by detecting malicious signatures and stopping them, and then audit (much as a honeypot's logs would) where the attacks are coming from and where they are trying to go. IPSs can shield exposures in many software programs that would otherwise allow hackers to damage data on a user's system or cause an overflow of network traffic. This is one of the biggest advantages of the IPS, as it gives software manufacturers significantly more time to fix the vulnerabilities in their programs before malicious users have the opportunity to exploit them. This is also beneficial to corporations or very large networks where not every computer has the most recent critical updates.

·         The usefulness of an IPS is evident to many university network administrators, where the most common issue they face is personal computers on their network without antivirus software and with outdated security patches. Something we may begin to see more of is application-level IPSs: programs built into an operating system that are very similar to the hardware IPS but only monitor the flow on that client workstation or server. Their disadvantages are similar to those of the hardware version, chiefly false positives, but to a greater degree: the user may not be computer savvy, and if a procedure they are trying to perform is flagged as malicious and they are cut off, it becomes time consuming for the IT department to check every computer with a false-positive scenario. On the other hand, an application-level IPS installed on a client workstation can be designed specifically for that user, which makes it even more precise than a hardware IPS placed in front of all the client computers: a more specific set of rules for that workstation makes it harder for malicious activity to work its way around the IPS and lowers the number of false positives.
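A worked illustration of the false-positive/false-negative trade-off and of the "training" described above, added here as example code (Python) that is not from the original page. The traffic, the SQL-injection signature, the binary-payload anomaly threshold and the backup-server exception are all constructed for the example; the ground-truth labels are known only because the flows were constructed, which is exactly what a real operator lacks.

```python
"""Added example: measuring false positives/negatives of an IPS policy before
and after the administrator adds an exception (constructed traffic)."""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes
    malicious: bool   # ground truth, known only because we constructed the flow


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes outside printable ASCII; a crude anomaly feature."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b <= 126 or b in (9, 10, 13))
    return 1.0 - printable / len(data)


# Hypothetical rules: one content signature plus one anomaly threshold.
SQLI_SIGNATURE = b"' OR 1=1"
BINARY_THRESHOLD = 0.3


def decide(flow: Flow, exceptions=frozenset()) -> bool:
    """True means the IPS would block this flow."""
    if (flow.src, flow.dst_port) in exceptions:    # administrator-trained exception
        return False
    if SQLI_SIGNATURE in flow.payload:
        return True
    return nonprintable_ratio(flow.payload) > BINARY_THRESHOLD


def evaluate(flows, exceptions=frozenset()):
    """Confusion counts for the policy over labelled flows."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for f in flows:
        blocked = decide(f, exceptions)
        if blocked and f.malicious:
            counts["tp"] += 1
        elif blocked and not f.malicious:
            counts["fp"] += 1      # denial of service to a valid user
        elif not blocked and f.malicious:
            counts["fn"] += 1      # attack let through
        else:
            counts["tn"] += 1
    return counts


# Constructed traffic. The backup server's rsync stream is binary and trips
# the anomaly rule even though it is legitimate.
FLOWS = [
    Flow("10.0.0.20", 873, bytes(range(256)), False),
    Flow("10.0.0.20", 873, bytes(range(255, -1, -1)), False),
    Flow("10.0.0.7", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1", True),
    Flow("10.0.0.7", 80, b"GET /login?user=alice HTTP/1.1", False),
    # An attacker pushing a binary blob at the same backup port.
    Flow("203.0.113.5", 873, bytes(range(128)) + b"\xff" * 64, True),
    # An encoded payload: all printable, no signature, so it slips through.
    Flow("203.0.113.5", 80, b"POST /upload HTTP/1.1\r\n\r\nZXhlYyBhdHRhY2s=", True),
]

# The exception is narrow on purpose: source AND port, not the port alone,
# so the attacker's binary blob to port 873 is still caught.
TUNED_EXCEPTIONS = frozenset({("10.0.0.20", 873)})


if __name__ == "__main__":
    print("before tuning:", evaluate(FLOWS))
    print("after tuning: ", evaluate(FLOWS, TUNED_EXCEPTIONS))
```

Tuning removes both false positives without touching the true positives, but the false negative is unchanged: the encoded payload is printable and matches no signature, so no amount of exception-adding fixes it. Only a stricter or additional rule would, and that is where the next round of false positives would come from.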

 

Benefits of Host IDS/IPS
* Protects mobile systems from attack when attached outside the protected network.

* Prevents internal attack or misuse on devices located on the same network segment; a network IPS only provides protection for data moving between different segments.

* Protects against encrypted attacks where the encrypted data stream terminates at the system being protected, which a network IPS in the middle cannot see into.

Hybrid IDS

Hybrid IDS combine features of HIDSs and NIDSs to gain flexibility and increase security.

* Advantage: monitor the network as a whole with NIDS sensors, and monitor attacks on each individual computer with HIDS sensors; the two systems complement each other well.

* Disadvantage: complications in getting the various components to work together; data gathered from the two systems can be difficult to absorb and analyze.

Example: Centralized Hybrid IDS

Advantages: simplicity and low cost. There is only one management system, and all reports appear at one location.


Choosing the Right IDPS Product

Questions to Consider When Choosing an IDS

1) Is the product sufficiently scalable for your environment?

* Some IDS cannot function in large or widely distributed enterprise networks.

2) What user level of expertise is targeted by the product?

* Different IDS vendors target users with different levels of technical and security expertise.

3) What are the support provisions for the product?

* Is technical support included? What is the cost?

* Are subscriptions to signature and software updates included?

* How quickly after a new attack is made public will the vendor ship a new signature?

* How quickly will software updates and patches be issued after a problem is reported to the vendor?

 

FINALLY...

How do you protect your computer from viruses?
First, you should get good anti-virus software (and keep it up to date) like F-Secure (my 1st choice), McAfee, or Norton Anti-Virus.

Second, don't open email attachments or visit websites from people you don't know. If you get an attachment and it looks suspicious, don't open it until you confirm that they did send it.

Third, disconnect your computer when you aren't using it. If you have DSL or satellite, either turn off the computer or unplug the cable to the modem. Having a computer run all day with a connection is an invitation to hackers and viruses.

You can also get antivirus protection from avast!; another way is to make sure you don't visit "dodgy websites"!

To protect your computer from known virus threats you need to buy and implement antivirus software. A virus is a unique piece of code that has the ability to replicate and send itself to a potential host from its current host, i.e. the computer that is already infected. Remember that your computer is never completely safe, but well-built and up-to-date antivirus software will protect you from old and newly discovered threats.

Video explanations:

What is an Intrusion Prevention System?

What is a firewall?

 

Conclusions
IPS is a powerful security system and is proving to make a significant impact on information systems. As time goes on we will see IPSs spread into more organizations as another defence in keeping data secure. IPS capabilities range from stopping DDoS attacks to protecting unpatched security exposures on workstations and guarding against zero-day attacks. There are different forms of IPSs and we can anticipate more variations as more companies enter the IPS market. IPSs do have limitations, but for the most part these can be worked around: the number of users going through an IPS must be allocated and monitored, because if too many users or too much network traffic is being processed by an IPS, packets can be lost, allowing malicious activity to bypass the system.

IPSs have only been out in real-world applications for a short time, and in approximately five years they have already grown rapidly. The amount of network bandwidth that IPS units can handle has grown substantially from the initial IPSs, as there are now units capable of supporting up to a gigabit per second; however, a unit like this becomes quite costly. The biggest issue that network administrators and manufacturers of IPSs face is the matter of false positives and false negatives. These are a significant problem, as a false positive can end up causing a denial of service, the very thing the system is designed to prevent. False negatives call for a stricter set of rules for the IPS to follow, or malicious activity will work its way through the IPS. The major dilemma is how strict the rules can be made: every tightening that prevents false negatives adds false positives, and the two have to be traded off against each other.

In the end we see that IPSs are useful and have proven to make significant differences on large networks where many attacks are evident. We can expect to see different forms of IPSs evolving to match the needs of our business world, such as IPSs built into system applications. IPSs are another line of defence that we can count on to keep our data even more secure; however, at this point in time, because of the high cost of an IPS, for one to be necessary on a network it would have to be protecting very valuable data or ensuring the uptime of a very large and busy network.




GROUP 2:
ALAA HATEM ZAHED
SARA ABDULAZIZ ALWEGESY
SAMAH ABDULAZIZ ALGOHANY
SHAHD ABDULRAHMAH SHOKOR
MONA SAIF ALAHMADI