
Beefing Up Your Organisation’s Network


By Roshan Dsouza

 

In response to the changing threats, Intrusion Prevention Systems (IPSs) have been developed to provide advanced protection beyond that offered by firewalls and Intrusion Detection Systems (IDSs). This article discusses IPS and explains how it can enhance the security of an organisation’s network. Learn about the best practices to be followed when implementing IPS, and also the issues to be considered during design, procurement, deployment and management of IPS products.

 

Introduction
One of the most common threats that enterprises face today is the intrusion of their networks and systems by external hackers. Misuse of computing resources by internal employees is also on the rise. An intrusion event begins a process of harm to an organisation’s computing resources and brings potential legal liabilities. Deployment of perimeter firewalls for protection of networks has become a very common practice nowadays. However, the average firewall is designed only to explicitly deny unwanted traffic and allow only what is required. Firewalls have proven effective against many types of intrusions. Unfortunately, organisations cannot use a firewall to simply block everything from passing through. Attackers will learn to exploit any entry left open. Application-based attacks, denial-of-service (DoS) attacks, etc. get through most firewall deployments.


Most firewalls today are based on stateful packet filtering technology, and attacks on application level protocols (HTTP and HTTPS) cannot be identified and prevented by these firewalls. Also, many attacks take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls. Once a server has been compromised, it can be used as a launch pad for additional attacks on other servers. To reduce the risks from such attacks, we need additional protection mechanisms, which will complement the existing ones (such as the firewall) already in place.






Fig. 1: A typical attack scenario


Difference between IDS and IPS
Intrusion Detection Systems (IDSs) are the computer world’s equivalent to the burglar alarm in real life. Intrusion detection, as the name goes, only detects when an intrusion has occurred. Most IDS tend to be reactive rather than proactive. They often wait until something has actually happened before raising an alert. Intrusion Prevention Systems (IPSs), however, are proactive, and designed to stop intrusions by blocking the malicious traffic before any damage is done.


IDS Disadvantages
No Prevention: IDS sits on a network/host and silently monitors the traffic/logs, only alerting when an attack is detected. It cannot stop or even slow down an attack in progress. Some network IDS have features such as integrating with a firewall and changing the rule base of the firewall to stop malicious traffic. However, it is a slow process and the malicious packets would already have passed through the firewall in the meantime. Some host IDS also contain features such as blocking known attacks like worms, but these have proven ineffective against unknown attacks. Furthermore, given the large number of false positives generated by the IDS, nobody would want it to drop data packets without a manual confirmation of an attack.


Large Number of False Positives: IDS sometimes simply mistakes legitimate traffic for an attack and will start sending alerts. These mistakes often require considerable time to inspect the packets in question and determine that the IDS has invoked a false-positive response. Other times, the IDS correctly identifies a particular traffic pattern matching a signature – but the pattern turns out to be normal for that particular organisation. Such ‘false alarm’ alerts can cause a security administrator to temporarily block legitimate traffic being mistaken for an attack. Even worse, false alarms can desensitise people to real intrusions.


Excessive Generation of Logs: An IDS will generate logs containing reports of anomalous or questionable network/system activity. Security administrators must spend time reviewing these logs, as well as network traces and other diagnostic methods, to sort out what has happened and what must be done. The problem here is that out of every million alerts generated, only a handful require remediation.


Lengthy Time for Mitigation: The need for manual intervention, coupled with voluminous data to go through, results in a slow response to an attack or intrusion event. For effective protection, immediate action is required to minimise the damage.


Deployment Issues: IDS solutions must be placed at proper points at all entries to the organisation’s networks. They should be properly configured and constantly updated. In practice, this is undeniably cumbersome and expensive. It results in additional work time to administer the sensors, as well as lower performance from a poor configuration.


Poor Results: Even as vendors have improved IDS through several generations of products and compiled vast libraries of attack signatures, even known common attacks continue to occur and succeed. Most importantly, new attacks have moved so quickly that tremendous damage has been done before the security administrator can take any action.


IPS Advantages
Compared to intrusion detection systems, intrusion prevention systems offer the following advantages:


Intrusion Prevention in Real-time: Intrusion prevention systems are proactive and will prevent an illegal activity by blocking the malicious traffic. By stepping in at the moment of detection, an IPS rapidly ends the intrusion and minimises the overall time before the network is back to normal.


Accurate and Reliable Detection: By using multiple detection methods and utilising its position in the line of network traffic, the IPS can detect attacks and intrusions more accurately and reliably. By relying less on signatures and more on intelligent methods of detection, the IPS generates far fewer false alarms. Furthermore, an attack missed by NIPS can be prevented by an HIPS agent sitting on the host machine itself. Hence, the organisation’s time and effort is focused only on true threats.


Active Prevention: While IDS alerts on the presence of suspicious or anomalous traffic, an IPS can instigate a variety of response mechanisms. This reduces the costs of administering network security, and minimises the risk of the organisation suffering damage or loss due to attacks. Similar to IDS, IPS products tend to fall under two main categories: Host IPS (HIPS) and Network IPS (NIPS).


Network Intrusion Prevention Systems
The network intrusion prevention system is designed in such a way that it blocks the malicious traffic before any damage is done. It achieves this by sitting directly inline (network traffic has to pass through the device) with the network traffic. A network port accepts traffic from a network, while another transmits it to another network after being checked for anomalies or suspicious content. Malicious packets and all subsequent ones from the same data flow can simply be discarded within the NIPS appliance.


NIPS Architecture
A typical architecture of NIPS is shown in Fig. 2.






Fig. 2: NIPS architecture


The architecture consists of a network sensor, which sits inline with the network traffic, analyses the packets, takes action depending upon the policies configured on it, and sends alerts to the management server. The management server is used for remote management (configuring policies, rule customisation and upgrading) and deployment of the network sensors. The network sensor is normally an appliance with multiple interfaces in order to monitor several network paths. The basic requirement is for two interfaces – one for data and the other for management. Placed inline in a critical data path, the NIPS detection engine examines packets as they pass through the device. It processes them in a similar manner to an IDS to determine which packets are suspicious in nature. If a suspicious packet is detected, it can be dropped immediately (as per policy), and all subsequent packets from that particular data stream can be discarded without further processing. NIPS will also raise an alert in the same manner as IDS, and this allows the IPS to operate in traditional IDS mode. The security administrator can tune the device before finally operating it in prevention mode.


Host Intrusion Prevention Systems
HIPS is similar to an antivirus product but actively responds to any observed intrusion activity. Generally, HIPS sits between the kernel of the operating system and application or utility software issuing requests to the kernel. Some activities can be determined as an intrusion with high certainty. In such cases, the HIPS software blocks the request, denying access to the kernel. The system resides adjacent to the operating system and intercepts system calls prior to their execution. If the call is identified as an attack, HIPS blocks the call, otherwise, it permits the call to proceed normally.






Fig. 3: The HIPS architecture


HIPS Architecture
The architecture consists of a HIPS agent, which sits on the critical host and monitors for malicious activities. Host IPS products rely on agents installed directly on the host system being protected, which interact closely with the underlying operating system and resident services in order to detect and prevent malicious system calls. If any malicious activity is detected, the agent blocks the activity and sends an alert to the management server, which in turn can be viewed on the management console in real-time. Similar to NIPS, the management server is used for remote management and deployment of the agent software for large server installations.


Implementation and Deployment
The implementation of intrusion prevention systems is one of the major challenges for any enterprise today. This is because these devices are proactive and prevent intrusions in real-time, hence chances of blocking legitimate or normal traffic are rather high.


IPS Requirements
Accuracy: As mentioned earlier, a significant problem with IDS products to date has been the numerous false results generated by the detection methods. While this is extremely problematic in IDS, it is absolutely unacceptable in an IPS. Inaccurate detection can result in response mechanisms blocking legitimate traffic, and thereby creating problems for authorised users.


Performance: Unlike NIDS, NIPS is an integral part of the network since it is placed inline to the network traffic. The device should be able to handle the network traffic load. It must have good performance, reliability and high availability. Performance describes the ability of the IPS to keep the traffic flowing on the network. Poor performance in a heavy traffic environment will result in slow network performance. Reliability refers to the NIPS’s ability to perform its functions properly without interfering with other systems on the network. Availability is the amount of downtime of the product, due to shutdown, crashes, or maintenance. Similarly, an HIPS agent should not be highly process intensive, which might actually affect the performance of the system itself. Also, it should be accurate enough to block only malicious activities on the system.


Effective Security Focused Management: IPS gives the network security administrator many options, since it is capable of not only detecting attacks and intrusions, but also directly affecting network traffic through limiting or blocking. It must give the administrator an easy interface for setting and changing configurations on the devices. Furthermore, a true IPS solution should operate as an integral part of a security integrated management suite, ultimately cooperating with firewall, IDS, antivirus, and vulnerability-assessment products and functions.


Anticipation of Unknown Attacks and Easy Signature Update for New Attacks: An IPS must provide flexible methods to update new attack signatures, as well as capabilities to respond to entirely new classes of attacks. In addition, IPS systems should have methods that can respond to new attacks without requiring signature updates. Such methods may include inverse exclusion, where all requests, except those that are legal for a given destination, are dropped. Another method is protocol validation, where illegal request methods are dropped. Attack-independent blocking is another method where hostile attackers are identified, and all traffic from the attacker is dropped, regardless of whether the attacks are known or not.
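The three signature-free methods just described (inverse exclusion, protocol validation and attack-independent blocking) as a small inline policy engine. This is an added illustration, not any vendor's IPS code; the request layout, the per-destination allow list and the violation threshold are assumed for the example.

```python
"""Inline policy engine demonstrating signature-free blocking methods.

Added example; the request format, allowed-method table and the
violation threshold are constructed, not taken from any product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Methods an HTTP/1.1 listener is expected to understand. Anything else
# fails protocol validation (assumed policy for this example).
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    method: str


@dataclass
class PolicyEngine:
    # Inverse exclusion: per destination (ip, port), the only methods allowed.
    # Everything not listed is dropped, so a new attack class needs no signature.
    allowed: Dict[Tuple[str, int], Set[str]]
    # Attack-independent blocking: sources already judged hostile are dropped
    # outright, whatever they send next.
    blocked_sources: Set[str] = field(default_factory=set)
    # Violations a source may accumulate before it is blocked (assumed).
    block_after: int = 2
    violations: Dict[str, int] = field(default_factory=dict)

    def decide(self, req: Request) -> str:
        """Return 'allow' or a 'drop:<reason>' verdict for one request."""
        if req.src_ip in self.blocked_sources:
            return "drop:blocked-source"
        if req.method not in VALID_METHODS:
            return self._violation(req, "protocol-validation")
        legal = self.allowed.get((req.dst_ip, req.dst_port), set())
        if req.method not in legal:
            return self._violation(req, "inverse-exclusion")
        return "allow"

    def _violation(self, req: Request, reason: str) -> str:
        # Count the violation; once the threshold is reached, every further
        # packet from this source is dropped without inspection.
        n = self.violations.get(req.src_ip, 0) + 1
        self.violations[req.src_ip] = n
        if n >= self.block_after:
            self.blocked_sources.add(req.src_ip)
        return f"drop:{reason}"


def run_sample() -> List[str]:
    """Pass constructed traffic through the engine; return the verdicts."""
    engine = PolicyEngine(allowed={("10.0.0.5", 80): {"GET", "HEAD"}})
    traffic = [
        Request("192.0.2.10", "10.0.0.5", 80, "GET"),    # normal request
        Request("192.0.2.99", "10.0.0.5", 80, "TRACE"),  # illegal method
        Request("192.0.2.99", "10.0.0.5", 80, "PUT"),    # valid, but not legal here
        Request("192.0.2.99", "10.0.0.5", 80, "GET"),    # source now blocked
        Request("192.0.2.10", "10.0.0.5", 80, "HEAD"),   # legitimate user unaffected
    ]
    return [engine.decide(r) for r in traffic]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```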


IPS Design and Implementation
Fig. 4 shows a typical implementation scenario. The organisation’s network is divided into six segments: external segment facing the internet; WAN segment from where WAN users connect to the network; LAN segment for LAN users; DMZ segment where internet facing servers are placed; inner segment where critical servers are placed; and finally the management segment where all security devices are being monitored.






Fig. 4: IPS implementation scenario


Any traffic coming from the internet, WAN, LAN, as well as the management segments has to pass through the firewall. Based on access rules, the firewall will allow or deny the traffic. This is the first level of defence.


Any traffic permitted by the firewall will pass through the inline NIPS sensors, which will again analyse the packets and check for network-based intrusions/attacks using signature comparison or anomaly detection techniques before deciding whether to allow or deny the traffic. This is the second level of defence.


Further, if the attacker manages to elude the firewall and NIPS, then the host intrusion prevention system agent installed on the critical servers can protect the server and prevent the intrusions. In all, firewalls, NIPS and HIPS complement each other and are more effective in preventing an intrusion when used together.


NIPS Device Placement: The NIPS device should be able to access both incoming and outgoing traffic of the organisation’s network. The device can be placed in front of or behind existing firewalls. However, the following issues need to be considered. IPSs normally perform computationally intensive assessment. By reducing the amount of traffic that the device has to assess, performance can be improved significantly; requiring the device to assess more traffic increases its load considerably. It is therefore suggested that the NIPS be placed in the trusted network just behind the perimeter firewall, where the firewall has already discarded unwanted traffic.


Redundancy of the NIPS Device: As NIPS devices are normally inline devices, failure of the device can result in disruption of network service. Therefore, it is strongly recommended that the IPS be implemented in a redundant configuration that supports failover.


HIPS Agent Software: The HIPS software comes with different agent kits for operating systems, databases and web servers. Identifying the right kind of agent software for the system is vital for effective protection of the system.


IPS Procurement Issues
When evaluating an NIPS device or HIPS product, the following issues should be considered:


Performance of the NIPS Device
Performance is defined as the throughput of the NIPS device when it is placed directly inline with the network traffic: the total throughput in gigabits per second while the device is inline, matching a given percentage of data packets and recording those matches. It is difficult to compare product performance directly based on vendor performance figures. The reasons for this are:


1. Due to the differences in the internal workings of different devices, there is no clear relationship between the physical performance of the device and its effectiveness at reducing intrusions.
2. Carrying out a quality performance test is very difficult because the configuration state of each machine matters, and because an IPS is highly configurable and hard to standardise.


The only real practical way to compare products with each other is to compare the performance of a number of products under the same input and operational conditions. Unless there is a large requirement of the devices to be installed, such tests could prove costly.


Load Balancing and Sharing
When load balancing is done, the following critical aspect must be observed: TCP session state must be maintained across the balanced devices if the IPS is to perform protocol normalisation or anomaly detection. Either the product itself or a third-party product can enforce this.


Differentiation of Activities: An IPS, be it NIPS or HIPS, must be able to classify and differentiate between normal activity of network traffic or on a system and a deviation from the normal activity.


IPS Hardware/Software Management: The console used for hardware/software management should be user-friendly and easy to use. All configuration and management of the IPS should be possible through the management console itself.


In addition to this, there should also be a facility to backup the configuration data. Configuration data that requires backup should include:


1. Configuration on an OS level
2. IPS software state
3. Rule configuration
4. Any modifications to the rules


Initialisation: When the NIPS device is activated for the first time, several security concerns need to be addressed. First of all, there should be proper authentication mechanisms for connecting to the NIPS device. The device must not allow unauthorised users to connect to it during the initial setup period either with default credentials or without any.


When the device is managed over a secure network connection, the security administrator has to ensure that he/she is actually managing the correct device by confirming the signatures of the certificates/cryptographic keys presented during the connection.


In the case of HIPS, the agent installed should initially run in detection mode. If the agent is immediately switched to prevention mode, it might actually prevent legitimate activity. A learning period has to be set so that the agent can build a picture of normal system activity, which helps avoid disruption of legitimate activity once prevention is enabled.


Customisation: The NIPS and HIPS software should have the option for customising the policies and rules so that security administrators are able to develop their own rules specific to the environment.


Reporting: The following outlines the basic reporting criteria for an IPS device:


1. It must be possible to query the event database for any arbitrary period of time for which data is available.
2. The format of the report must support at least on-screen reports and a format suitable for a paper print.
3. It should be possible to select a data set for reporting based on the following criteria:
- Sensor ID
- Date range
- Protocol type or port number
- Content
- Rule matched
- Alert type (classification)
- Source or destination IP
- Frequency of occurrence of any of the referenced criteria


There should also be at least the following default templates that display information to the daily analyst function:


- Top number of occurrences of:
a. Source/destination IP or port number
b. Protocol
c. Alert type (classification)
d. Sensor ID


- Most recent alerts
- Alerts in the last definable period
- Most frequent (upper limit configurable):
a. Source ports
b. Destination ports
c. Source IP
d. Destination IP
e. Alert type


- Reports should support the following graphing capability:
a. Alerts vs. time
b. Alert types vs. time
c. Source IP vs. time
d. Destination IP vs. time
e. Source port vs. time
f. Destination port vs. time


Scalability
The scalability requirements relate to the ability for the management server to scale and manage a large number of devices/agents without introducing unacceptable new requirements like additional management hardware/software and operational requirements.


1. When adding additional sensors/agents to the IPS infrastructure, the security administrator should be able to manage them from a central management console.
2. The management console must be able to do at least the following:
a. Push configuration data to the device. This should include:
- Policies
- Signature updates
- Uninstall or upgrade the software/hardware
b. Poll for device and application status
c. Receive real-time alerts from the sensor/agent
3. Those aspects of configuration that might be applicable to more than one sensor must be manageable in grouped context.

IPS Deployment Issues
The following issues should be considered during the deployment of HIPS/NIPS products:


Remote Deployment
One of the major issues faced is the remote deployment of NIPS sensors/HIPS agents across an enterprise. The IPS software suite should have facility for remotely deploying NIPS sensors/HIPS agents.


State of the NIPS Device or HIPS Agent during Startup
The NIPS device can be in any of the following states during and after startup:


1. Do not evaluate and allow all traffic through: In this state, the NIPS will allow all traffic to pass through it without evaluating for legitimacy.
2. Do not evaluate and deny traffic through: This is a slightly more secure option, but it will block all network traffic, thereby disrupting the work of legitimate users.
3. Evaluate and drop unauthorised traffic: The most secure option which is recommended as it will evaluate the legitimacy of the traffic and block any malicious activity.


The HIPS agent can be in any of the following states during and after startup:


1. Operate in IDS mode: Here, the HIPS agent will operate in IDS mode. In this state, the HIPS agent will only detect malicious activity (like HIDS) on the system and raise an alarm.
2. Operate in IPS mode: This is the state where the HIPS agent operates in IPS mode. The HIPS will detect malicious activity and prevent it in real-time. It is best practice to operate the HIPS agent in IDS mode for a few days before changing the state to IPS.


IPS Management Issues
The following issues should be taken into consideration during management of IPS products:


False Positives Management
False positives are defined as legitimate data that is blocked by the IPS because it has been wrongly identified as unauthorised. An IPS should have a mechanism to classify and record events as false positives so that a historical record of them is kept. The identification of false positives is an ongoing activity that requires some expertise in understanding network protocols. Best practice in this field is to alert administrators against the risk of registering false positives associated with the activation of specific features and rules.


False Negatives Management
False negatives are defined as attacks that managed to get through the IPS without being detected. There are several mechanisms to assess an IPS’s propensity to generate false negatives in a qualitative manner:


1. By performing periodic penetration tests and measuring how many of them were detected and stopped by the device.
2. By operating an IDS behind the IPS, and correlating the number of alerts generated by the IDS with the number of log entries generated by the IPS.
3. By correlating the number of penetration tests and the sophistication of those tests with the number reported by the IDS that penetrated the IPS, an opinion can be formed as to the posture of the IPS.
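Method 2 above, worked through on constructed data: an IDS behind the IPS sees only what the IPS let through, so each IDS alert is matched against the IPS log to decide whether the IPS missed the attack, deliberately passed it under an alert-only rule, or logged a drop yet the traffic still appeared inside. This is an added example, not the article's or any vendor's tooling; the two log formats, signature names and the 60-second matching window are assumed.

```python
"""Estimate IPS false negatives by correlating an IDS placed behind it.

Added example with constructed logs; formats and signature names are
invented for illustration and are not any product's.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed IPS log: what the inline device did with each matched flow.
IPS_LOG = """\
2008-03-01T10:00:01 ips01 action=drop sig=SQLI-1001 src=192.0.2.7 dst=10.0.0.5
2008-03-01T10:00:09 ips01 action=alert sig=XSS-2002 src=192.0.2.7 dst=10.0.0.5
2008-03-01T10:01:30 ips01 action=drop sig=DIRTRAV-3003 src=198.51.100.4 dst=10.0.0.8
"""

# Constructed IDS log from a sensor behind the IPS. Anything here reached
# the inner network.
IDS_LOG = """\
2008-03-01T10:00:10 ids01 alert sig=XSS-2002 src=192.0.2.7 dst=10.0.0.5
2008-03-01T10:00:45 ids01 alert sig=OVERFLOW-4004 src=192.0.2.7 dst=10.0.0.5
2008-03-01T10:01:31 ids01 alert sig=DIRTRAV-3003 src=198.51.100.4 dst=10.0.0.8
2008-03-01T10:02:10 ids01 alert sig=OVERFLOW-4004 src=203.0.113.9 dst=10.0.0.5
"""

# Both constructed formats share one shape: "<ts> <sensor> [action=]<verb> sig= src= dst=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?:action=)?(?P<action>\w+) "
    r"sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

Key = Tuple[str, str, str]  # (signature, source, destination)


def parse(log: str) -> List[Dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify_ids_alerts(ips_log: str, ids_log: str, window: int = 60) -> Dict[str, List[Key]]:
    """Bucket each IDS alert by what the IPS log says about the same flow."""
    ips = parse(ips_log)
    result: Dict[str, List[Key]] = {
        "false_negative": [],      # IPS has no record at all: it did not see the attack
        "alert_only_policy": [],   # IPS saw it but the rule is tuned to alert, not drop
        "seen_despite_drop": [],   # IPS claims a drop, yet the IDS saw it: investigate
    }
    for a in parse(ids_log):
        key: Key = (a["sig"], a["src"], a["dst"])
        match = None
        for e in ips:
            same_flow = (e["sig"], e["src"], e["dst"]) == key
            close = abs((e["ts"] - a["ts"]).total_seconds()) <= window
            if same_flow and close:
                match = e
                break
        if match is None:
            result["false_negative"].append(key)
        elif match["action"] == "drop":
            result["seen_despite_drop"].append(key)
        else:
            result["alert_only_policy"].append(key)
    return result


def false_negative_rate(ips_log: str, ids_log: str) -> float:
    """Share of IDS-observed attacks the IPS had no record of."""
    r = classify_ids_alerts(ips_log, ids_log)
    total = sum(len(v) for v in r.values())
    return len(r["false_negative"]) / total if total else 0.0


if __name__ == "__main__":
    for bucket, keys in classify_ids_alerts(IPS_LOG, IDS_LOG).items():
        print(bucket, keys)
    print("false negative rate:", false_negative_rate(IPS_LOG, IDS_LOG))
```

The "seen_despite_drop" bucket is the one worth a closer look during a review, since a drop that still produced an inside alert usually points at a bypass path or a failover event rather than a detection gap.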


Database Administration
The following points are important to consider when the data management and retention policy is formed.


1. How long should the data be stored? (depends on an organisation’s policy)
2. In what format should the data be available (on magnetic disk or removable media)?
3. The state which the data should be kept in to satisfy forensic requirements.


The main objective is to store the data securely in a state where it cannot be tampered with or subjected to excessive degradation.


Disaster Recovery
All configuration changes must be backed up and moved to a secure location to allow recovery, if the device needs to be restored. Items that require backing up when they change are:


1. New rules that are added to the IPS software
2. Default device state changes


Rule Customisation Process
Most IPSs are based on signature-based rules. There should be provision for defining customised rules. Administrators should be able to make the following adjustments to their local default rule sets released by a vendor:


1. To activate or deactivate a rule.
2. To change the action of a rule when matched.
3. Custom rules must not be affected by any rule updates.


Signature Updates
Signature updates are critical to the effectiveness of the IPS and the following should be considered:


1. The product should be able to download and update the signatures automatically. It should also send an alert to the administrator to notify whether the update process was successful or not.
2. Software upgrades should be transparent over the previous working installation, and a recovery strategy must exist to recover from upgrade failures.
3. Vendors must provide some assurance that the upgrade process is tested and certified to be working for a number of preceding versions.
4. If there is no mechanism to test the upgrade (backup machine), then upgrades should be scheduled after working hours during scheduled maintenance periods.
5. Administrators must go through an upgrade process in which each new or revised rule is either activated, deactivated or configured to implement a less restrictive action (alert vs. drop) during an evaluation phase.


Integrating with Other Security Products
The IPS products should have the flexibility to integrate with other security products installed in the organisation’s IT infrastructure. An example is integration of NIPS and HIPS software with a security information management (SIM) product, where the NIPS and HIPS alerts and logs would be sent to the SIM product console.


Managed Security Service Providers
When outsourcing the IPS services to managed service providers, it is recommended that the following issues are considered:


1. The service level agreements with the MSSP must be such that real-time alerts are noted and resolved within a critical period of time.
2. A proper client contact list should be available so that the MSSP can contact the right person in the organisation to attend to the specific problem.
3. SLAs must also be sufficient that signatures which trigger false positives must be changeable within a brief period of time.


Vulnerability Correlation
Not all traffic dropped by the IPS represents dangerous traffic, as no system in the organisation may be vulnerable to the specific exploit attempted. Even though attackers might not be successful at exploiting vulnerabilities in an organisation’s network, the fact that they are trying is significant in itself. Vulnerability correlation is a good risk management process. It allows an organisation to rate the security risks involved by classifying all traffic in terms of the potential threat that it holds for the organisation. When all alerts generated by the IPS are correlated with the vulnerability map, which records what hardware, software and services are in operation, the organisation gains a better idea of the level of risk every alert poses.
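The correlation described above as a small rating function: each IPS alert is looked up against an asset map of hosts, their services and the findings of a vulnerability scan, and rated by whether the exploited product and version actually run on the targeted host. Added example, not the article's or any product's code; the asset map, the scanner findings and the signature-to-target catalogue are constructed.

```python
"""Rate IPS alerts against a vulnerability map of the protected hosts.

Added example; the inventory, scanner findings and signature catalogue
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    version: str


# Constructed vulnerability map: which services each host runs ...
ASSETS: Dict[str, List[Service]] = {
    "10.0.0.5": [Service("apache", "2.0.58"), Service("openssh", "4.7")],
    "10.0.0.8": [Service("iis", "6.0")],
}
# ... and which (service, version) pairs the scanner flagged (assumed finding).
VULNERABLE: Set[Service] = {Service("apache", "2.0.58")}

# Constructed signature catalogue: the product/version each signature exploits.
SIG_TARGETS: Dict[str, Service] = {
    "APACHE-CHUNK-1": Service("apache", "2.0.58"),
    "IIS-WEBDAV-2": Service("iis", "5.0"),
    "SSH-CRC-3": Service("openssh", "2.3"),
}

# Ordering used to sort the worklist, highest risk first.
RANK = {"critical": 0, "medium": 1, "info": 2, "low": 3}


def rate_alert(sig: str, dst: str) -> str:
    """Return a risk rating for one alert from the correlation rules."""
    target = SIG_TARGETS.get(sig)
    services = ASSETS.get(dst)
    if target is None or services is None:
        # Unknown host or uncatalogued signature: cannot be rated, needs triage.
        return "info"
    if target in services and target in VULNERABLE:
        # Exploited version is present and the scanner confirmed it vulnerable.
        return "critical"
    if any(s.name == target.name for s in services):
        # Same product, different version: verify rather than dismiss.
        return "medium"
    # Exploit for a product the host does not run at all.
    return "low"


def prioritise(alerts: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Attach a rating to each (sig, dst) alert and order by rating."""
    rated = [(sig, dst, rate_alert(sig, dst)) for sig, dst in alerts]
    return sorted(rated, key=lambda r: RANK[r[2]])


if __name__ == "__main__":
    sample = [  # constructed alert stream
        ("SSH-CRC-3", "10.0.0.8"),
        ("APACHE-CHUNK-1", "10.0.0.77"),
        ("IIS-WEBDAV-2", "10.0.0.8"),
        ("APACHE-CHUNK-1", "10.0.0.5"),
    ]
    for sig, dst, rating in prioritise(sample):
        print(f"{rating:8s} {sig} -> {dst}")
```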


Conclusion
Intrusion prevention systems represent a new and promising technology in the field of information security. Intrusion prevention devices can automatically take action to stop attacks and intrusions. IPS offers protection that an IDS cannot. However, IPS has its own limitations and cannot be expected to detect and prevent 100 percent of all intrusions. Furthermore, IPS cannot completely replace a firewall, though it can complement one. In doing so, it can enhance and improve the security infrastructure of an organisation. Organisations looking for an IPS should pay special attention to the capabilities of the products. With an attack-mitigating IPS, an organisation can finally realise the protection benefits that have been promised, but not delivered, by the existing security infrastructure.



Roshan Dsouza is currently working as a security engineer at Wipro Technologies. He has over 4 years of experience in the IT field. Roshan’s experience in information security spans from drafting of security policies to designing a control framework, audits of large organisations, managed security services, implementation of security devices like Firewall and IDS, vulnerability assessment and penetration testing of large networks, application security audits and developing BCP/DR plans. Roshan is also a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

 
print save email comment

print

save

email

comment

 
 

Search SDA Asia

Free eNewsletter

SDA Asia Magazine Free Download
 
 
 
Copyright 2008 SDA Asia Magazine - All Rights Reserved