Stopping the enemy at the gate

Intrusion prevention systems

Over the past few years, security vulnerabilities have spiralled, writes Bloor Research analyst Fran Howarth. The CERT Co-ordination Centre, a federally-funded R&D centre operated by Carnegie Mellon University in the US, publishes annual statistics on the security vulnerabilities reported to it. In 1995, just 171 vulnerabilities were brought to its attention; by 2003, that figure had risen to 3,784.

This increase in vulnerabilities is giving many companies headaches: there are too many patches to install; users often do not adhere to policy; fast-spreading worms can create havoc on corporate networks; automated hacking tools are in ever wider use; and businesses increasingly demand 24/7 connectivity.

Hackers, worms and viruses attempt to exploit these vulnerabilities, and not only has the number of such attacks increased, but so has their severity. Technology vendor Microsoft states that, whereas it previously had weeks to provide a patch once a hacker had exposed a vulnerability, it now has a matter of hours. Nor does a patch alone end the problem: the recent SQL Slammer worm exploited a vulnerability in SQL Server for which Microsoft had already released a patch some six months earlier, yet it still infected more than 120,000 hosts within hours of its release and knocked a bank's network of ATMs offline.

To defend against such attacks, companies are realising that a managed firewall alone does not provide an adequate level of security for the business. Instead, they are looking for a complete security approach that includes a firewall, correctly configured routers, anti-virus products, a security policy, high-speed processing and products for keeping intruders out.

Intrusion prevention systems (IPS) are not really a new technology; they are an evolution of existing security technologies, in particular intrusion detection systems (IDS). An IDS is essentially an electronic surveillance product: it monitors traffic patterns and compares them against known attacks. Much like anti-virus products, most rely on signatures to recognise hostile traffic patterns, and those signatures must be kept up to date and extended as new attacks are identified.

IDSs have well-known problems. They cannot read encrypted traffic. As switches replace hubs, a sensor plugged into a switch port sees only the traffic addressed to that port unless the switch mirrors traffic to it (a SPAN port) or a network tap is installed, so companies are obliged to deploy far more sensors to monitor every segment of the network. They are also plagued by the high number of false positives they generate while looking for suspicious activity, each of which costs analyst time to triage.

IPS products come into their own when automated remediation is added to the detection capability of an IDS, so that attacks are blocked before any damage is done. An IPS does this by analysing the packets within normal network traffic and stopping any traffic that shows signs of suspicious activity from entering the network. In this way it acts rather like a deadbolt, preventing unauthorised access to a company's applications.

Within the emerging IPS market there are two main categories of product: host-based IPSs and network-based IPSs.

Host-based IPSs

Host-based IPSs protect servers and workstations via software agents that sit between applications and the operating system's kernel. Based on rules set by the organisation from its knowledge of known attacks, the agent intercepts system activity, such as network connection requests, attempts to read or write memory, or access to specific applications and files, and either allows or blocks each request according to whether it conforms to those rules.

Whereas a signature-based IDS can only detect known attacks, a host-based IPS can also be configured to monitor the environment around an application, such as its file locations and Registry settings, and to enforce a policy of acceptable behaviour. Activity outside that policy is blocked even when it belongs to an attack that is still unknown and for which no signature has yet been written.

However, host-based IPSs have many downsides. Since an agent must be deployed on every server that is to be protected, they are costly to implement and cumbersome to maintain. They must also be constantly updated so that signatures exist for all known attacks, including new worms and viruses as they appear. And since they are installed on individual hosts, they cannot be used to prevent an attack aimed at the network as a whole, such as a denial-of-service attack.

They may also block legitimate traffic when the policy has not been written to cover a type of activity that was previously unseen, so any change in an application's behaviour must be reflected in the rules before it goes live. And since they are installed only on the particular hosts a company chooses to protect, they are not especially effective at preventing attacks originating inside a network, something of particular concern to organisations.
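The agent's decision logic for the three paragraphs above, as an added example that is not code from the article or from any vendor's product: a small Python policy engine in which a per-process behavioural profile (the policy of acceptable behaviour) is combined with a handful of attack signatures. The process name, paths, Registry keys, rules and events are all constructed for illustration. The last sample event shows the downside just described: a connection to a database server that was moved without the profile being updated is blocked exactly as an attack would be.

```python
"""Host IPS-style policy engine: attack signatures plus a behavioural profile.

Every intercepted system request becomes an Event; decide() returns a
(verdict, reason) pair.  Default-deny means an unknown attack is stopped
without a signature for it, but it also means unprofiled legitimate
activity is stopped too, which is the false-positive risk described above.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    process: str  # image name of the process making the request
    action: str   # "connect", "file_write", "registry_write", ...
    target: str   # address:port, file path or Registry key


# Attack signatures: (name, action, target glob).  Checked first; a hit
# blocks regardless of the behavioural profile.  Constructed examples.
SIGNATURES = [
    ("persistence-run-key", "registry_write",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*"),
    ("system-binary-overwrite", "file_write", r"C:\Windows\System32\*"),
]

# Behavioural profile: what each protected process is permitted to do.
# Anything not listed is denied.  Hypothetical web server profile.
PROFILE = {
    "inetinfo.exe": {
        "connect": ["10.0.0.20:1433"],              # its database server
        "file_write": [r"C:\Inetpub\wwwroot\upload\*",
                       r"C:\Inetpub\logs\*"],
        "registry_write": [r"HKLM\Software\MyApp\*"],
    },
}


def decide(event: Event, signatures=SIGNATURES, profile=PROFILE):
    """Return ("allow" | "block", reason) for one intercepted request."""
    for name, action, glob in signatures:
        if event.action == action and fnmatchcase(event.target, glob):
            return "block", f"signature:{name}"
    rules = profile.get(event.process)
    if rules is None:
        return "block", "unprofiled process"
    for glob in rules.get(event.action, []):
        if fnmatchcase(event.target, glob):
            return "allow", "profile"
    return "block", "no profile rule for this activity"


# Constructed sample of requests intercepted from the web server process.
SAMPLE_EVENTS = [
    Event("inetinfo.exe", "connect", "10.0.0.20:1433"),
    Event("inetinfo.exe", "file_write", r"C:\Inetpub\wwwroot\upload\a.gif"),
    # No signature covers this, but the profile never permitted it either.
    Event("inetinfo.exe", "file_write", r"C:\Inetpub\wwwroot\cmd.asp"),
    Event("inetinfo.exe", "registry_write",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    # Legitimate: the database server moved, but nobody updated the profile.
    Event("inetinfo.exe", "connect", "10.0.0.21:1433"),
]


def run_samples(events=SAMPLE_EVENTS):
    """Evaluate each event; returns a list of (event, verdict, reason)."""
    return [(e, *decide(e)) for e in events]


if __name__ == "__main__":
    for event, verdict, reason in run_samples():
        print(f"{verdict:5} {event.process} {event.action} {event.target}  ({reason})")
```

Signatures are evaluated before the profile so that a known-bad action is reported as such even when a sloppy profile would have permitted it; the profile then catches everything the signatures do not know about, at the price of the final sample being a false positive until the rules are changed.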

Network-based IPSs

Network-based IPSs, sometimes known as inline IPSs, work like a typical firewall in that they are designed to prevent a network from being attacked. They intercept all network traffic, scan it for suspicious activity and either block it or pass it along. Different products use different techniques, from signature matching, which looks for suspicious strings of bytes, to protocol anomaly detection, which spots a packet trying to perform a command, or carry a value, not normally permitted by its transmission protocol.

Some systems watch for suspicious activity, such as a hacker probing an open port, and reply with a specially coded and tagged response that will identify the hacker should they repeat the attack. Another particular feature of these IPSs is packet scrubbing: rewriting the offending packet so that it can no longer carry out its attack. This can be done without the attacker's knowledge, allowing a company to tag the activity and gather evidence against a particular attacker.
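The two inspection techniques from the previous paragraph together with packet scrubbing, as an added example that is not code from the article or from any IPS vendor: a Python inline inspector that applies a constructed signature list and a protocol-shape check to HTTP request payloads. The signature patterns, the permitted-method set, the URI bound and the sample traffic are all assumptions made for illustration. It also shows why scrubbing overwrites rather than deletes: keeping the payload length unchanged means the TCP sequence numbers on either side of the device still line up.

```python
"""Inline packet inspector: signature matching, protocol anomaly checks and
packet scrubbing over an HTTP request payload.

inspect() returns (verdict, payload_to_forward, reason).  BLOCK drops the
packet; SCRUB rewrites the offending bytes in place and forwards the result;
ALLOW forwards the payload untouched.
"""
import re
from dataclasses import dataclass

ALLOW, BLOCK, SCRUB = "allow", "block", "scrub"


@dataclass(frozen=True)
class SignatureRule:
    name: str
    pattern: bytes  # raw byte string searched for in the payload
    action: str     # BLOCK or SCRUB


# Constructed rule set for illustration, not any product's signature feed.
SIGNATURES = [
    SignatureRule("directory-traversal", b"../", SCRUB),
    SignatureRule("shell-invocation", b"/bin/sh", BLOCK),
]

ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}
MAX_URI_LEN = 2048  # assumed bound; real deployments tune this per service
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def protocol_anomaly(payload: bytes):
    """Return a reason if the request line breaks the expected protocol
    shape (bad syntax, unexpected method, oversized URI), else None."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "malformed request line"
    method, uri = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return "method not permitted: " + method.decode("ascii", "replace")
    if len(uri) > MAX_URI_LEN:
        return f"URI length {len(uri)} exceeds {MAX_URI_LEN}"
    return None


def scrub(payload: bytes, pattern: bytes) -> bytes:
    """Overwrite every occurrence of pattern with same-length filler, so the
    segment length, and therefore TCP sequence numbering, is unchanged."""
    return payload.replace(pattern, b"X" * len(pattern))


def inspect(payload: bytes):
    """Inline decision for one payload: (verdict, forwarded payload, reason)."""
    reason = protocol_anomaly(payload)
    if reason is not None:
        return BLOCK, None, reason
    out = payload
    scrubbed = []
    for rule in SIGNATURES:
        if rule.pattern in out:
            if rule.action == BLOCK:
                return BLOCK, None, "signature:" + rule.name
            out = scrub(out, rule.pattern)
            scrubbed.append(rule.name)
    if scrubbed:
        return SCRUB, out, "scrubbed:" + ",".join(scrubbed)
    return ALLOW, out, None


# Constructed sample traffic.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n",
    "shell": b"GET /cgi-bin/test?cmd=/bin/sh HTTP/1.0\r\n\r\n",
    "bad-method": b"FOO / HTTP/1.1\r\n\r\n",
    "long-uri": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n",
    "non-http": b"\x00\x01\x02 not http at all",
}


def run_samples(samples=SAMPLES):
    """Inspect each sample; returns {name: verdict}."""
    return {name: inspect(p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict, out, reason = inspect(payload)
        print(f"{name:10} -> {verdict:5} {reason or ''}")
```

The anomaly check runs before the signatures because a payload that does not even parse as the expected protocol cannot be sensibly scrubbed; and a scrubbed packet is forwarded, not dropped, precisely so that the attacker sees a normal-looking response and the tagged session can be followed.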

Since network-based IPSs sit inline, every packet crossing that part of the network must pass through them, which makes them more effective than host-based IPSs at stopping attacks originating inside an organisation. The same fact means the IPS can become a bottleneck: all network traffic must pass through the device, so implementing one may hurt the network's performance. As a result, some organisations are moving towards appliances that support gigabit speeds rather than software; both hardware and software inline IPS devices are available on the market. An inline device is also a single point of failure, so how it behaves when it crashes or is overloaded (failing open and passing traffic uninspected, or failing closed and cutting the link) needs to be decided before deployment. And there remains the danger that legitimate traffic that is not recognised will be blocked, potentially shutting down a customer connection and losing the company business.

The future of IPSs

Since IPSs are a relatively new technology, it is not yet certain how they will evolve. Some commentators look instead to next-generation firewall products that allow deep inspection of data packets, not least because the IPSs on the market today require a great deal of effort to configure and to keep their policies and signatures up to date, leading many to doubt their usefulness. The goal for organisations is a single technology that acts as a gateway to the organisation, applying security policies and protecting networks and applications from attack.

© IT-Analysis.com
