Being able to trust your corporate network to deliver information, services and support to whoever needs them is not only crucial to keeping your operations going – it’s a vital element in maintaining confidence in the reputation and integrity of your organization as a whole.
Unauthorized workloads and network traffic are directly opposed to this. So it’s essential both to be aware of any potential problems and to have measures in place to deal with them.
Fortunately, there’s a class of tools and policies dedicated to discovering and stopping unwanted intrusions into network operations and traffic flows.
Intrusion Prevention is…
Something of an ideological contrast to a traditional firewall, an intrusion prevention system or IPS is a network traffic control device configured with a comprehensive policy of rules: any data packet that matches the criteria in that catalog is refused passage.
An IPS is an active mechanism that sits in line between networks. Whenever a packet arrives at the IPS, it is examined and compared against every entry on the “this packet should be excluded because of…” list. If the entire list is run through and no reason to deny the packet is found, the intrusion prevention system lets it through.
Intrusion prevention occurs in the direct line of communication between a data source (e.g. an external system or network) and its destination (the network the IPS protects). Data traffic is analyzed and actions to control its flow are taken, in as close to real-time as possible. Typically, this will involve:
- Transmitting an alert to the network administrator, if a suspect packet is identified.
- Dropping any packets from the traffic flow which are designated as malicious.
- Identifying the source of these suspect packets, and blocking further traffic from that address.
- Resetting connections as required.
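The inline decision loop described above, as an added toy example (not code from the original article): each packet is checked against a constructed deny-on-match catalogue, and a hit produces an alert, a drop or TCP reset, and a block on the offending source. Packet fields, signature names and addresses are all assumptions made up for the illustration.

```python
# Added toy inline IPS (not the article's code): deny-on-match, alert, drop/reset, block source.
import re
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes

# Constructed signature catalogue: (name, destination port or None for any, payload pattern).
SIGNATURES = [
    ("http-path-traversal", 80, re.compile(rb"\.\./")),
    ("dns-oversized-label", 53, re.compile(rb"[A-Za-z0-9+/=]{60,}")),
]

@dataclass
class Ips:
    signatures: list
    blocked: set = field(default_factory=set)    # sources denied by an earlier verdict
    alerts: list = field(default_factory=list)   # messages for the administrator

    def inspect(self, pkt: Packet) -> str:
        """Return the action taken on one packet: 'forward', 'drop' or 'reset'."""
        if pkt.src in self.blocked:               # already blocked: refuse outright
            return "drop"
        for name, port, pattern in self.signatures:   # walk the whole deny list
            if port is not None and port != pkt.dport:
                continue
            if pattern.search(pkt.payload):
                self.alerts.append(f"{name} from {pkt.src} to {pkt.dst}:{pkt.dport}")
                self.blocked.add(pkt.src)
                # TCP sessions are torn down with a reset; anything else is silently dropped.
                return "reset" if pkt.proto == "tcp" else "drop"
        return "forward"                          # no rule matched: let it through

def run(ips: Ips, packets) -> list:
    """Push a traffic sample through the IPS in order and collect the verdicts."""
    return [ips.inspect(p) for p in packets]

# Constructed traffic: benign request, traversal attempt, follow-up from the now-blocked source, oversized DNS label, normal query.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.53", "udp", 53, b"\x07" + b"A" * 70 + b"\x07example\x03com"),
    Packet("10.0.0.5", "10.0.0.53", "udp", 53, b"\x03www\x07example\x03com"),
]
```

Note that the third packet is dropped purely because its source was blocked by the second; that is the "block further traffic from that address" step, and it is also why false positives on a shared address are so costly.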
Intrusion Prevention – Better Than Cure?
Intrusion prevention systems are designed with vulnerability exploits in mind. These exploits typically take the form of malicious input aimed at a network service or application that the attackers have identified as weak or susceptible in some way.
Having used an exploit to gain access to the targeted application or service (i.e. having successfully intruded into the network), the assailants may then use the compromised machine or application to acquire the network permissions and administrative rights associated with it. In other cases, the intrusion may be the first wave of a sustained attack that overloads the network and effectively locks out its designated users or clients.
Recovering from an exploit-based or Denial of Service (DoS) attack can be an expensive and time-consuming process. So being aware of potential vulnerabilities within a network, and having rules in place to govern an intrusion prevention system that actively sifts traffic and blocks it before it can cause trouble, is the preferred option.
Being an inline mechanism that’s required to react to its own observations in real or near real time, an IPS must be designed to work without imposing unnecessary loads capable of degrading the network’s performance. So high throughput, high availability, and device bypass capabilities are typically part of the IPS package.
As with anti-virus software, intrusion prevention systems rely on a database of signatures, each associated with the distinctive code pattern of a known exploit. As new threats are discovered, their signatures are added to the database.
In addition to signatures for specific exploits, the IPS may also monitor for signatures that indicate vulnerabilities within the host network itself. This may produce “false positives”, but it also has the potential to protect the network against new exploit variants as they emerge.
A comparative process known as statistical anomaly detection also aids intrusion prevention, by comparing random samples of network traffic against a baseline that represents normal operating conditions.
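Baseline comparison of the kind just described, as an added example (not code from the article): a per-metric baseline of normal traffic samples is kept, and a sample more than a chosen number of standard deviations away from it is flagged; flagged samples are deliberately not folded back into the baseline. Metric names, thresholds and the traffic figures are constructed assumptions.

```python
# Added example (not the article's code): statistical anomaly detection against a
# per-metric baseline of normal traffic, using a z-score threshold.
from collections import deque
from statistics import mean, pstdev

class AnomalyDetector:
    """Keeps a rolling baseline per metric (e.g. packets/s, distinct destination ports)
    and flags samples that sit more than `threshold` standard deviations from it."""

    def __init__(self, window=256, threshold=3.0, min_samples=8):
        self.window = window            # normal samples retained per metric
        self.threshold = threshold      # z-score above which a sample is anomalous
        self.min_samples = min_samples  # baseline size required before scoring starts
        self.history = {}               # metric name -> deque of normal values

    def zscore(self, metric, value):
        hist = self.history.get(metric)
        if not hist or len(hist) < self.min_samples:
            return 0.0                  # baseline still being learned
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:                  # perfectly flat baseline: any change is a deviation
            return float("inf") if value != mu else 0.0
        return abs(value - mu) / sigma

    def observe(self, sample):
        """Score one sample (metric -> value). Anomalous metrics are reported; normal
        ones are folded into the baseline, so outliers never poison it."""
        flagged = []
        for metric, value in sample.items():
            z = self.zscore(metric, value)
            if z > self.threshold:
                flagged.append((metric, value, round(z, 1)))
            else:
                self.history.setdefault(metric, deque(maxlen=self.window)).append(value)
        return flagged

# Constructed per-second samples: eight normal intervals, a flood, then normal again.
NORMAL = [{"pps": p, "dst_ports": d} for p, d in
          zip([98, 102, 100, 101, 99, 97, 103, 100], [3, 4, 3, 5, 4, 3, 4, 4])]
SAMPLE = NORMAL + [{"pps": 1000, "dst_ports": 200}, {"pps": 101, "dst_ports": 4}]

def scan(samples, **kwargs):
    """Run samples through a fresh detector; return the (index, flagged) hits and the detector."""
    det = AnomalyDetector(**kwargs)
    hits = []
    for i, s in enumerate(samples):
        flagged = det.observe(s)
        if flagged:
            hits.append((i, flagged))
    return hits, det
```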
Intrusion Detection is…
A passive monitoring and observation tool, an intrusion detection system or IDS sits on a network tap or SPAN port to the side of the traffic flow, studying data packets as they move through the network and looking for unauthorized or anomalous activity that may be deemed suspicious. Tapping in at many points, the IDS gives network administrators and security engineers a deep look into the interior workings of their system.
In effect, an intrusion detection system serves as a visibility tool, allowing network security officers access to the information they can use to reveal a range of potential issues, such as:
- Users or systems handling data or running applications in violation of standing security policies.
- Viruses, Trojans, or malware infections that have gained full or partial control over internal resources or systems.
- Unauthorized data leaving the network, whether pilfered by keyloggers and spyware or released through the intentional or unintentional activity of users.
- Incorrect security settings or poor configurations of network resources, which may pose a risk or impede performance.
- Unauthorized clients, servers, or applications that may be trying to gain network privileges and access.
Only Half of the Story?
A pure IDS requires a dedicated and knowledgeable security engineer, equipped with analytical and reporting tools, to make sense of all the information the system gathers. Security policies and measures may then be established based on these observations. It is a passive system that scans the network and flags suspicious traffic and potential threats; dealing with those threats requires additional tools and functionality.
For an Ideal Mix…
In response to the limitations of pure IDS, many vendors now offer combined packages with some IDS scanning and visibility coupled with the intervention and network control functions of an IPS. These suites typically include a recognition engine for malware and attack vectors, the capability to identify and block attacks, and tools to increase network visibility.
Some manufacturers have attempted to combine the functions of intrusion prevention with a firewall, usually behind a single Web-based administrative console. These so-called Unified Threat Management or UTM systems are a nice idea, but their implementation may fall short because the IPS side of the equation lacks a comprehensive set of management tools.
Whichever kind of system you choose, it’s important to fine-tune the policy of your IPS component to suit the characteristic environment of your specific network. For effective intervention and packet blocking, its detection engine should be as robust as possible. For the IDS component, a management console with easy-to-read and easy-to-interpret monitoring, analytical and reporting tools is a must.