Information about Intrusion Prevention System
An intrusion prevention system is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato who was a technical writer and consultant for *NetworkICE.
Intrusion prevention systems (IPS) were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of intrusion detection systems, they continue to be related.
The first commercial/retail IPS was the BlackICE product from NetworkICE Corporation. It debuted in 1998 with a business and a personal version of the product. It provided host and in-line network IPS capabilities using protocol analysis as its core detection technique. The first products were BlackICE Desktop (a host IPS for end-user systems), BlackICE Guard (an in-line network IPS) and BlackICE Sentry (a passive IDS solution). Enterprise users managed BlackICE agents from the ICEcap Management Console. The BlackICE product included a firewall that could respond in real time to intrusions and block attackers. NetworkICE was purchased in June 2000 by Internet Security Systems (ISS), which was in turn purchased by IBM in 2006. The BlackICE engine is still used in most ISS products, including IBM's Proventia line of products.
Intrusion prevention systems may also serve secondarily at the host level to deny potentially malicious activity. There are advantages and disadvantages to host-based IPS compared with network-based IPS. In many cases, the technologies are thought to be complementary.
An intrusion prevention system must also be a very good intrusion detection system to achieve a low rate of false positives. Some IPS systems can also prevent attacks that have not yet been discovered, such as those caused by a buffer overflow.
IPS, Application Firewalls, Unified Threat Management & Access Control
The role of an IPS in a network is often confused with access control and application-layer firewalls. There are some notable differences in these technologies. While all share similarities, how they approach network or system security is fundamentally different.
An IPS is typically designed to operate completely invisibly on a network. IPS products do not have IP addresses for their monitoring segments and do not respond directly to any traffic. Rather, they merely silently monitor traffic as it passes. While some IPS products have the ability to implement firewall rules, this is often a mere convenience and not a core function of the product. Moreover, IPS technology offers deeper insight into network operations, providing information on overly active hosts, bad logons, inappropriate content and many other network and application layer functions.
Application firewalls are a very different type of technology. An application firewall uses proxies to perform firewall access control for network and application-layer traffic. Some application-layer firewalls have the ability to do some IPS-like functions, such as enforcing RFC specifications on network traffic. Some application-layer firewalls have also integrated IPS-style signatures into their products to provide real-time analysis and blocking of traffic. Application firewalls do have IP addresses on their ports and are directly addressable. Moreover, they use full proxy features to decode and reassemble packets. Not all IPS perform full proxy-like processing. Also, application-layer firewalls tend to focus on firewall capabilities, with IPS capabilities as an add-on. While there are numerous similarities between the two technologies, they are not identical and are not interchangeable.
Unified Threat Management (UTM) products, sometimes called "Next Generation Firewalls", are also a different breed of product entirely. UTM products bring together multiple security capabilities on a single platform. A typical UTM platform will provide firewall, VPN, anti-virus, web filtering, intrusion prevention and anti-spam capabilities. Some UTM appliances are derived from IPS products, such as 3Com's X-series products; others are derived from firewall products, such as Juniper's SSG or Cisco's ASA appliances; and still others were designed from the ground up as UTM appliances, such as Astaro or Fortinet. The main feature of a UTM is that it includes multiple security features on one appliance. IPS is merely one feature.
Access Control is also an entirely different security concept. Access control refers to general rules allowing hosts, users or applications access to specific parts of a network. Typically, access control helps organizations segment networks and limit access. While an IPS has the ability to block access to users, hosts or applications, it does so only when malicious code has been discovered. As such, IPS does not necessarily serve as an access control device. While it has some access control abilities, firewalls and network access control (NAC) technologies are better suited to provide these features.
Contrast with Intrusion Detection Systems (IDS)
IPS systems have some advantages over intrusion detection systems (IDS). One advantage is that they are designed to sit inline with traffic flows and prevent attacks in real time. In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP, which provides greater awareness. When deploying NIPS, however, consideration should be given to whether the network segment is encrypted or not, as many products are unable to support inspection of such traffic.
Types
Host based
A host based IPS (HIPS) is one where the intrusion-prevention application is resident on that specific IP address, usually on a computer.
Network
A network based IPS is one where the IPS application/hardware, and any actions taken to prevent an intrusion on a specific network host or hosts, run on a host with another IP address on the network (this could be a front-end firewall appliance). Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms designed to analyze, detect, and report on security-related events. NIPS inspect traffic and, based on their configuration or security policy, can drop malicious traffic.
Content based
A content based IPS (CBIPS) inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attack such as worm infections and hacks.
Protocol Analysis
A key development in IDS/IPS technologies was the use of protocol analyzers. Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits. For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.
Not all IPS/IDS engines are full protocol analyzers. Some products rely on simple pattern recognition techniques to look for known attack patterns. While this can be sufficient in many cases, it creates an overall weakness in the detection capabilities. Since many vulnerabilities have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines can be evaded. For example, some pattern recognition engines require hundreds of different signatures (or patterns) to protect against a single vulnerability. This is because they must have a different pattern for each exploit variant. Protocol analysis-based products can often block exploits with a single signature that monitors for the specific vulnerability in the network communications.
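The contrast between pattern recognition and protocol analysis can be made concrete with a small worked example. The following Python is an added illustration written for this page; it is not code from the article or from any IPS vendor. It decodes an HTTP request into its fields and applies one vulnerability-oriented check to the User-Agent header (oversized or containing non-printable bytes), alongside a pattern engine that only knows two byte-string signatures. The sample requests, the two signatures and the 512-byte policy limit are all constructed for the example; the "binary in User-Agent" condition is the one the text itself describes.

```python
"""Pattern-based versus protocol-aware inspection of an HTTP request.

Added illustration, not from the article or any product. Sample requests,
signatures and the MAX_UA_LEN policy value are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A pattern-recognition "engine": one byte-string signature per known variant.
# Constructed signatures; each matches exactly one variant of the same anomaly.
PATTERN_SIGNATURES: List[bytes] = [
    b"User-Agent: \x01\x02\x03\x04",   # constructed variant 1
    b"User-Agent: \x05\x06\x07\x08",   # constructed variant 2
]


def pattern_engine_verdict(raw: bytes) -> Optional[str]:
    """Return the index of the matching signature, or None if no pattern matches."""
    for i, sig in enumerate(PATTERN_SIGNATURES):
        if sig in raw:
            return f"pattern-{i}"
    return None


# A minimal protocol analyser: decode the request into fields before judging it.
@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, bytes] = field(default_factory=dict)


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Decode the request line and headers; return None for malformed input."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    req = HttpRequest(*(p.decode("ascii", "replace") for p in parts))
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        req.headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return req


MAX_UA_LEN = 512  # constructed policy value: an upper bound for a sane User-Agent


def protocol_engine_verdict(raw: bytes) -> Optional[str]:
    """One vulnerability-oriented check on the decoded User-Agent field.

    Oversized or non-printable content is anomalous whichever exploit variant
    produced it, so a single rule covers every variant the pattern list misses.
    """
    req = parse_http_request(raw)
    if req is None:
        return "malformed-http"
    ua = req.headers.get("user-agent", b"")
    if len(ua) > MAX_UA_LEN:
        return "user-agent-oversized"
    if any(b < 0x20 or b > 0x7E for b in ua):
        return "user-agent-binary"
    return None


def inline_decision(raw: bytes) -> Tuple[str, Optional[str]]:
    """What an in-line IPS does with the packet: drop on a verdict, else forward."""
    verdict = protocol_engine_verdict(raw)
    return ("drop" if verdict else "forward", verdict)


# Constructed sample requests: a benign one, a variant the pattern list knows,
# and a third variant that evades the pattern list but not the protocol check.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
VARIANT_1 = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: \x01\x02\x03\x04AAAA\r\n\r\n"
VARIANT_3 = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: A\x01\x02\x03AAAA\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("variant-1", VARIANT_1), ("variant-3", VARIANT_3)):
        print(name, "pattern:", pattern_engine_verdict(raw), "protocol:", inline_decision(raw))
```

Running the module shows the benign request forwarded by both engines, the first variant caught by both, and the third variant caught only by the protocol-aware check; adding a fourth or fifth variant would require another entry in PATTERN_SIGNATURES but no change to protocol_engine_verdict.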
Rate based
Rate based IPS (RBIPS) are primarily intended to prevent denial of service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviors. Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports, etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week, etc., drawing on stored traffic statistics.
Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.
Once an attack is detected, various prevention techniques may be used such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).
Host based vs. network
- HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
- NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
- NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. This attribute applies to all network devices like routers and switches and can be overcome by designing the network accordingly (failover path, etc.). A bypass switch can also be implemented to alleviate the single-point-of-failure disadvantage. This also allows the NIPS appliance to be moved and taken off-line for maintenance when needed.
- NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a host scan or a worm) and can react, whereas with a HIPS only the host's own data is available to make a decision, and it would take too much time to report it to a central decision-making engine and receive a verdict back to block.
See also
- Intrusion-detection system
- Network intrusion detection system
- denial-of-service
- Next Generation Firewall
- Host-Based Intrusion Detection
This article is copied from an article on Wikipedia.org - the free encyclopedia created and edited by online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of the wikipedia encyclopedia articles provide accurate and timely information please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.