Feeds

Detection systems guard against network intrusion

Prevention is better than cure

Build a business case: developing custom apps

How do the different types of intrusion prevention system (IPS) work?

Inline systems sit on the network like layer-two bridges, passing traffic along as they receive it. Host-based systems sit on the server, watching the traffic that it sends and receives.

Both check packets for any suspicious activity, often using the most basic method of detection: signatures, or rules. If traffic passing through the network intrusion detection system matches a certain pattern, it can be blocked; traffic already identified as malicious doesn’t make it through.

Legible signatures

That traffic could fit a predefined suspicious pattern, such as aggressive port scanning, operating system fingerprinting, server message block probes, or even simple operations such as trying to login to telnet as root.

And, of course, emails with particular characteristics or strings can also be rolled into signature lists.

The biggest problem with signatures is that they are generally retroactive. They stop attacks that have already been documented, and are not so good at spotting those that have not yet appeared in the wild.

Statistical anomaly-based detection works differently. It begins by learning what normal behaviour on a network looks like, then uses it as a baseline to spot irregular activity.

This method has several advantages over signature-based detection. The first is that the system improves over time. The more traffic it is able to sample, the more knowledgeable it becomes about what constitutes acceptable activity.

The statistical anomaly method also does a better job of detecting zero-day attacks. Even though no signatures exist for these, the system often picks them up because they push traffic patterns outside what is considered “normal”.

Breaking and entering

On the downside, however, a statistical system doesn't understand the traffic it is analysing, and cannot make judgement calls about whether it is malicious or not. It simply looks for patterns outside those that regularly occur.

A wily attacker could introduce just enough of an attack pattern into the network to make the intrusion prevention system consider it normal. For example, small, non-aggressive port scans could be used to raise the system's tolerance.

There is a third method for detecting and preventing malicious traffic: stateful protocol analysis (aka deep packet inspection), which combines the best of both the other methods. It can be used to identify anomalies, so it has a better chance of detecting attacks without a particular signature.

Suspicious movements

It also understands the traffic it is analysing and can make more intelligent decisions about whether a pattern is suspicious, rather than simply detecting an anomaly and handing the whole tangled mess to an administrator to analyse.

These systems work by understanding what is expected during a particular application-layer session. For example, the system might know what response to expect back from a server during a particular authentication session. If that response does not arise (or a different one does) then it might raise an alert.

This approach can look for unexpected command sequences (such as a command issued to a server without a specific preceding command). It can also look for malformed protocols that might otherwise crash a system or cause a buffer overflow error.

The downside to this kind of analytical detection is that it often requires bigger computing resource.

Administrators need to tune devices to make them more effective

So, what kind of system should you buy? Ideally, you should have one that uses several approaches. The term “defence in depth” is more suited to the IPS product category than to anything else.

But however good it is, it won’t make your network watertight. NSS Labs, an organisation which tests security equipment without vendor funding, ran a group test of IPS products late last year. It found that out of the box, security effectiveness averaged about 62 per cent (with the lowest product scoring just 31 per cent). Performance decreased overall compared with a year previously.

Perhaps the most revealing result was that administrators need to tune the devices to make them more effective. When configured to an administrator's own preferences, average security efficiency rose to 83 per cent.

The moral? Don't expect these things to protect you entirely straight out of the box. Come to that, don't expect them to shield your backside even when you spend time helping them to understand your network better. A few nasties, it seems, will always get through. ®

The essential guide to IT transformation

More from The Register

next story
Reg man looks through a Glass, darkly: Google's toy ploy or killer tech specs?
Tip: Put the shades on and you'll look less of a spanner
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
One step closer to ROBOT BUTLERS: Dyson flashes vid of VACUUM SUCKER bot
Latest cleaner available for world+dog in September
Samsung Gear S: Quick, LAUNCH IT – before Apple straps on iWatch
Full specs for wrist-mounted device here ... but who'll buy it?
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Now that's FIRE WIRE: HP recalls 6 MILLION burn-risk laptop cables
Right in the middle of Burning Mains Man week
Apple's iWatch? They cannae do it ... they don't have the POWER
Analyst predicts fanbois will have to wait until next year
Tim Cook in Applerexia fears: New MacBook THINNER THAN EVER
'Supply chain sources' give up the goss on new iLappy
HUGE iPAD? Maybe. HUGE ADVERTS? That's for SURE
Noo! Hand not big enough! Don't look at meee!
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.