Feeds

Detection systems guard against network intrusion

Prevention is better than cure

7 Elements of Radically Simple OS Migration

How do the different types of intrusion prevention system (IPS) work?

Inline systems sit on the network like layer-two bridges, passing traffic along as they receive it. Host-based systems sit on the server, watching the traffic that it sends and receives.

Both check packets for any suspicious activity, often using the most basic method of detection: signatures, or rules. If traffic passing through the network intrusion detection system matches a certain pattern, it can be blocked; traffic already identified as malicious doesn’t make it through.

Legible signatures

That traffic could fit a predefined suspicious pattern, such as aggressive port scanning, operating system fingerprinting, server message block probes, or even simple operations such as trying to login to telnet as root.

And, of course, emails with particular characteristics or strings can also be rolled into signature lists.

The biggest problem with signatures is that they are generally retroactive. They stop attacks that have already been documented, and are not so good at spotting those that have not yet appeared in the wild.

Statistical anomaly-based detection works differently. It begins by learning what normal behaviour on a network looks like, then uses it as a baseline to spot irregular activity.

This method has several advantages over signature-based detection. The first is that the system improves over time. The more traffic it is able to sample, the more knowledgeable it becomes about what constitutes acceptable activity.

The statistical anomaly method also does a better job of detecting zero-day attacks. Even though no signatures exist for these, the system often picks them up because they push traffic patterns outside what is considered “normal”.

Breaking and entering

On the downside, however, a statistical system doesn't understand the traffic it is analysing, and cannot make judgement calls about whether it is malicious or not. It simply looks for patterns outside those that regularly occur.

A wily attacker could introduce just enough of an attack pattern into the network to make the intrusion prevention system consider it normal. For example, small, non-aggressive port scans could be used to raise the system's tolerance.

There is a third method for detecting and preventing malicious traffic: stateful protocol analysis (aka deep packet inspection), which combines the best of both the other methods. It can be used to identify anomalies, so it has a better chance of detecting attacks without a particular signature.

Suspicious movements

It also understands the traffic it is analysing and can make more intelligent decisions about whether a pattern is suspicious, rather than simply detecting an anomaly and handing the whole tangled mess to an administrator to analyse.

These systems work by understanding what is expected during a particular application-layer session. For example, the system might know what response to expect back from a server during a particular authentication session. If that response does not arise (or a different one does) then it might raise an alert.

This approach can look for unexpected command sequences (such as a command issued to a server without a specific preceding command). It can also look for malformed protocols that might otherwise crash a system or cause a buffer overflow error.

The downside to this kind of analytical detection is that it often requires bigger computing resource.

Administrators need to tune devices to make them more effective

So, what kind of system should you buy? Ideally, you should have one that uses several approaches. The term “defence in depth” is more suited to the IPS product category than to anything else.

But however good it is, it won’t make your network watertight. NSS Labs, an organisation which tests security equipment without vendor funding, ran a group test of IPS products late last year. It found that out of the box, security effectiveness averaged about 62 per cent (with the lowest product scoring just 31 per cent). Performance decreased overall compared with a year previously.

Perhaps the most revealing result was that administrators need to tune the devices to make them more effective. When configured to an administrator's own preferences, average security efficiency rose to 83 per cent.

The moral? Don't expect these things to protect you entirely straight out of the box. Come to that, don't expect them to shield your backside even when you spend time helping them to understand your network better. A few nasties, it seems, will always get through. ®

Build a business case: developing custom apps

More from The Register

next story
Nice computers don’t need to go to the toilet, says Barclays
Bad computers might ask if you are Sarah Connor
4K video on terrestrial TV? Not if the WRC shares frequencies to mobiles
Have your say with Ofcom now, before Freeview becomes Feeview
PEAK LANDFILL: Why tablet gloom is good news for Windows users
Sinofsky's hybrid strategy looks dafter than ever
YES, iPhones ARE getting slower with each new release of iOS
Old hardware doesn't get any faster with new software
You didn't get the MeMO? Asus Pad 7 Android tab is ... not bad
Really, er, stands out among cheapie 7-inchers
Apple winks at parents: C'mon, get your kid a tweaked Macbook Pro
Cheapest models given new processors, more RAM
VMware builds product executables on 50 Mac Minis
And goes to the Genius Bar for support
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Microsoft stands on shore as tablet-laden boat sails away
Brit buyers still not falling for Windows' charms
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?