Stopping the enemy at the gate

Intrusion prevention systems


Over the past few years, security vulnerabilities have spiralled, writes Bloor Research analyst Fran Howarth. The CERT Co-ordination Centre, a federally-funded R&D centre operated by the Carnegie Mellon University in the US, publishes annual statistics of the security vulnerabilities reported to it. In 1995, just 171 such incidents were brought to its attention; by 2003, that figure had risen to 3,784.

This increase in vulnerabilities is causing many companies headaches: there are just too many patches to install; users are often not adhering to policy; fast-spreading worms can create havoc in corporate networks; automated hacking tools are spreading in use; and corporates are increasingly demanding 24/7 connectivity.

Security incidents are caused by hackers, worms and viruses attempting to exploit vulnerabilities in systems - and not only has the number of such attacks increased, but also their severity. Technology vendor Microsoft states that, whereas it previously had a timeframe of weeks to provide a patch for a system vulnerability that a hacker had exposed, it now has just a matter of hours to fix the problem. And the problem does not stop there - the SQL Slammer worm unleashed recently exploited a vulnerability for which Microsoft had already created a patch, and then went on to infect more than 120,000 hosts within days of being released, as well as disabling a network of ATM machines.

To defend against such attacks, companies are realising that a managed firewall alone does not provide adequate levels of security for business. Rather, they are looking for a complete security approach that includes a firewall, correctly set routers, anti-virus products, security policy, high-speed processors and solutions for preventing intruders.

Intrusion prevention systems (IPS) are not really a new technology, but are more an evolution from existing security technologies, including intrusion detection systems (IDS). IDSs are actually electronic surveillance products that monitor traffic patterns and compare them against known attacks. In a way similar to anti-virus products, they use signatures to recognise traffic patterns, but those signatures must be kept up to date and upgraded when new attacks are identified.

Problems with IDSs include their inability to read encrypted traffic and, with switches being increasingly deployed on networks, the extent of traffic that each IDS can monitor. As a result, companies will be obliged to vastly increase the number of IDSs deployed in order to monitor traffic on all sectors of the network. They are also plagued by the high number of false positives that are generated as they monitor traffic looking for suspicious activity.

Where IPS products come into their own is when automated remediation capabilities are added to the IDS products in use to proactively block attacks before any damage is done. IPSs do this by analysing packets of information within normal network traffic, stopping any traffic from entering the network that shows signs of suspicious activity. In this way, they act rather like deadbolts, preventing unauthorised access to a company's applications.

Within the emerging IPS market, there are two main categories of available products: host-based IPSs and network-based IPSs.

Host-based IPSs

Host-based IPSs protect servers and workstations via software agents that sit between applications and the operating system's kernel. Based on predetermined rules that an organisation sets from its knowledge of known attacks, they intercept system activity and either allow it through or block it, depending on whether or not it conforms to those rules. Such activity can include network connection requests, attempts to read or write memory, or access to specific applications.

Whilst IDSs can only protect against known attacks, host-based IPSs may be used to monitor the environment around applications, such as file locations and Registry settings, to look for types of attacks that are unknown and for which no signature of 'acceptable behaviour' has yet been written.
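The two mechanisms just described, rules written from known attacks and a watch on the environment around an application, can be modelled in a few dozen lines. The following is an added example, not code from the article or from any IPS product: a toy host-based agent that takes constructed system-activity events (connection requests, memory writes, file and Registry writes, application access), checks them against constructed rules, and then against a constructed baseline of the locations each application normally touches. A `mode="detect"` switch turns every block into an alert, which is the IDS-style behaviour the article contrasts with IPS. One of the events is a legitimate write to a location the baseline has never seen, and it gets blocked: that is the false-positive risk of enforcing "acceptable behaviour" without a signature.

```python
"""Toy host-based IPS policy engine (added example; not the article's or any
product's code). Rules, baselines and events are all constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    process: str   # image name of the process performing the action
    action: str    # "connect", "file_write", "registry_set", "mem_write" or "app_access"
    target: str    # remote endpoint, path, Registry key, target process or application


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # event action the rule applies to
    predicate: Callable[[Event], bool]  # True when the rule matches
    verdict: str                        # "allow" or "block"


# Signature-style rules derived from known attack behaviour (constructed).
RULES: List[Rule] = [
    # A process writing into another process's memory is how injection looks to the agent.
    Rule("cross-process-memory-write", "mem_write",
         lambda e: e.target != e.process, "block"),
    # A word processor has no legitimate reason to start a command shell.
    Rule("document-app-opens-shell", "app_access",
         lambda e: e.process == "winword.exe" and e.target in {"cmd.exe", "powershell.exe"},
         "block"),
    # Explicit allow for the web server's normal outbound connection to its database.
    Rule("httpd-to-database", "connect",
         lambda e: e.process == "httpd" and e.target.endswith(":5432"), "allow"),
]

# Environment baseline: file and Registry locations each application is known to
# touch in normal operation (constructed). Writes outside it are unknown
# behaviour for which no signature exists, and the agent still stops them.
BASELINE: Dict[str, Set[str]] = {
    "httpd": {"/var/www/", "/var/log/httpd/", "/tmp/"},
    "winword.exe": {"C:\\Users\\", "HKCU\\Software\\Microsoft\\Office\\"},
}
BASELINED_ACTIONS = {"file_write", "registry_set"}


def evaluate(event: Event, mode: str = "prevent") -> Tuple[str, str]:
    """Return (verdict, reason) for one event. Rules are checked first; if none
    matches, baselined actions must stay inside the application's known
    locations. mode="detect" reports a block as an alert instead of enforcing it."""
    for rule in RULES:
        if rule.action == event.action and rule.predicate(event):
            verdict, reason = rule.verdict, "rule:" + rule.name
            break
    else:
        known = BASELINE.get(event.process)
        if (event.action in BASELINED_ACTIONS and known is not None
                and not any(event.target.startswith(p) for p in known)):
            verdict, reason = "block", "baseline:outside-known-locations"
        else:
            verdict, reason = "allow", "default"
    if mode == "detect" and verdict == "block":
        verdict = "alert"
    return verdict, reason


# Constructed activity, including a legitimate write to a new location that the
# baseline has never seen: it is blocked, which is the false-positive case.
EVENTS: List[Event] = [
    Event("httpd", "file_write", "/var/log/httpd/access_log"),
    Event("httpd", "connect", "10.0.0.20:5432"),
    Event("httpd", "file_write", "/srv/uploads/report.pdf"),   # new but legitimate location
    Event("winword.exe", "registry_set", "HKCU\\Software\\Microsoft\\Office\\16.0\\Word"),
    Event("winword.exe", "app_access", "cmd.exe"),
    Event("updater.exe", "mem_write", "explorer.exe"),
    Event("updater.exe", "connect", "203.0.113.5:443"),        # no rule, no baseline: allowed
]


def run_agent(events: List[Event], mode: str = "prevent") -> List[Tuple[str, str]]:
    """Evaluate every event and return the list of (verdict, reason) pairs."""
    return [evaluate(e, mode) for e in events]


if __name__ == "__main__":
    for ev, (verdict, reason) in zip(EVENTS, run_agent(EVENTS)):
        print(f"{ev.process:12} {ev.action:13} {ev.target:45} {verdict:5} {reason}")
```

The baseline is what makes the agent catch behaviour nobody has written a signature for, and it is also what makes it noisy: every legitimate change to where an application writes has to be reflected in the baseline, which is the maintenance burden and the blocked-legitimate-traffic problem that make host agents costly to run across every server.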

However, there are many downsides to host-based IPSs. Since they must be deployed on every server that is to be protected from attack, they are costly to implement and cumbersome to maintain. They must also be constantly updated to ensure that signatures have been written for all known attacks, including new worms, viruses and other vulnerabilities as they become known. Also, since they are installed on individual parts of the network, they cannot be used to prevent an organisation-wide attack aimed at the network in general, such as a denial of service attack.

Other problems are that they may block legitimate traffic if a signature has not been developed for a particular type of activity that was previously unknown. Also, since they must be installed on particular parts of the network that a company wishes to protect, they are not particularly effective at preventing attacks originating inside a network - something of particular concern to organisations.

Network-based IPSs

Network-based IPSs - sometimes known as inline IPSs - work like a typical firewall in that they are designed to prevent a network from being attacked. They intercept all network traffic, scanning it for suspicious activity and either blocking it or passing it along. Different network-based IPSs use different techniques, from scanning signatures to look for suspicious strings of bytes to looking for protocol anomalies by detecting where a packet of data is trying to perform a command not normally permitted by its data transmission protocol.

Some systems will search for suspicious activity, such as a hacker trying to enter through an open port, and will send a specially coded and tagged response - which will also identify the hacker should they try to repeat the attack. Another particular feature of such IPSs is that they can be used to scrub packets of information, rewriting the offending packet so that it will not be able to carry out its attack. This can be performed without the attacker's knowledge, enabling a company to tag activity and gather evidence against a particular attacker.
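The three inline techniques named in the last two paragraphs can be shown side by side. The following is an added example, not code from the article or any IPS product: a toy inline inspector that runs constructed packets through byte-string signatures, a protocol-anomaly check (a command the protocol is not permitted to carry at this gateway) and packet scrubbing (overwriting the offending bytes and forwarding the packet). Signatures, addresses and payloads are all constructed; the `VRFY` command is deliberately left out of the permitted SMTP set so it serves as the anomaly case. As with the host agent, `mode="detect"` gives IDS behaviour, and one of the packets is a legitimate upload that happens to quote a signature string, which is the blocked-customer-traffic risk raised below.

```python
"""Toy inline (network-based) IPS (added example; not the article's or any
product's code). Signatures, permitted-command lists and traffic are constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # application protocol implied by the destination port: "http" or "smtp"
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    action: str      # "block": drop the packet; "scrub": rewrite it and forward it


# Constructed signatures; a real IPS loads these from a vendor feed and they go
# stale unless updated, which is the maintenance problem the article describes.
SIGNATURES: List[Signature] = [
    Signature("constructed-exploit-marker", b"EVIL-PAYLOAD-MARKER", "block"),
    Signature("constructed-probe-string", b"PROBE-ME", "scrub"),
]

# Commands each protocol is permitted to carry through this gateway. VRFY is
# left out of SMTP on purpose (a common hardening choice), so it is an anomaly.
PERMITTED = {
    "http": {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"},
    "smtp": {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"},
}
MAX_COMMAND_LEN = 16   # no permitted command is longer than this


def protocol_anomaly(pkt: Packet) -> Optional[str]:
    """Return a reason if the first token is not a command the protocol permits,
    else None. An empty payload (for example a bare ACK) carries no command."""
    tokens = pkt.payload.split(None, 1)
    if not tokens:
        return None
    first = tokens[0]
    if len(first) > MAX_COMMAND_LEN:
        return "overlong-command"
    if first.upper() not in PERMITTED.get(pkt.proto, set()):
        return "command-not-permitted:" + first.decode("ascii", "replace")
    return None


def scrub(payload: bytes, pattern: bytes) -> bytes:
    """Overwrite the matched bytes with filler of the same length. Keeping the
    length unchanged matters for an inline device: shrinking a TCP segment would
    put the sequence numbers the two endpoints expect out of step."""
    return payload.replace(pattern, b"X" * len(pattern))


def inspect_packet(pkt: Packet, mode: str = "prevent") -> Tuple[str, str, Optional[Packet]]:
    """Return (verdict, reason, packet to forward or None if dropped).
    mode="detect" is IDS behaviour: everything is forwarded unchanged and
    suspicious traffic only raises an alert."""
    for sig in SIGNATURES:
        if sig.pattern in pkt.payload:
            reason = "signature:" + sig.name
            if mode == "detect":
                return "alert", reason, pkt
            if sig.action == "scrub":
                return "scrub", reason, replace(pkt, payload=scrub(pkt.payload, sig.pattern))
            return "block", reason, None
    anomaly = protocol_anomaly(pkt)
    if anomaly is not None:
        reason = "anomaly:" + anomaly
        return ("alert", reason, pkt) if mode == "detect" else ("block", reason, None)
    return "pass", "clean", pkt


# Constructed traffic. The last packet is a customer upload quoting the marker
# string in a log excerpt: the signature fires and legitimate traffic is dropped.
TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "192.0.2.10", "http", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "http", b"GET /?x=EVIL-PAYLOAD-MARKER HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "http", b"GET /?q=PROBE-ME HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.25", "smtp", b"VRFY postmaster\r\n"),
    Packet("10.0.0.8", "192.0.2.10", "http",
           b"POST /upload HTTP/1.1\r\n\r\nlog excerpt: EVIL-PAYLOAD-MARKER seen"),
]


def run_ips(packets: List[Packet], mode: str = "prevent") -> List[Tuple[str, str]]:
    """Inspect every packet and return the list of (verdict, reason) pairs."""
    return [inspect_packet(p, mode)[:2] for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(TRAFFIC, run_ips(TRAFFIC)):
        print(f"{pkt.src:>13} -> {pkt.dst:<12} {verdict:5} {reason}")
```

Two design points worth noticing: the scrubbed request is forwarded at its original length, because an inline device that changes segment sizes has to resynchronise both ends of the TCP connection, and the anomaly check is purely a whitelist of commands, so it catches traffic no signature describes but also blocks any newly introduced legitimate command until the policy is updated.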

Since network-based IPSs sit inline, all data packets crossing the network will need to pass through them, making them more effective than host-based IPSs for preventing attacks originating inside an organisation. However, the fact that all network traffic must pass through the IPS means that implementing such a system may negatively impact the network's performance. As a result, some organisations are moving towards the use of appliances that support gigabit speeds, rather than software. Both hardware and software inline IPS devices are available on the market. There is also the danger that legitimate traffic that is not recognised may be blocked - potentially shutting down a customer connection and losing a company business.

The future of IPSs

Since IPSs are a relatively new technology, it is not yet certain how they will evolve. Some commentators are looking to next-generation firewall products that allow deep inspection of data packets. One of the reasons for this is that the IPSs on the market today require a great deal of effort in configuring and updating policies and signatures, leading many to doubt their usefulness. The goal for organisations is to implement a single technology that acts as a gateway to the organisation, applying security policies and protecting networks and applications from any attacks.

© IT-Analysis.com
