Intrusion Prevention System
Intrusion Prevention Systems
Ahmed Saeed
Team Leader (Cisco Division)
CTTC (PVT) Limited
WHAT IS IPS?
Intrusion Prevention System
A system located on the network that monitors the network for issues like security threats and policy violations, then takes corrective action.
Performs Deep Packet Inspection
WHAT CAN AN IPS DO?
IPS can detect and block:
OS, Web and database attacks
Spyware / Malware
Instant Messenger (IM) traffic
Peer to Peer (P2P) traffic
Worm propagation
Critical outbound data loss (data leakage)
DIFFERENCE BETWEEN IDS AND IPS
                   Intrusion Detection System (IDS)    Intrusion Prevention System (IPS)
Placement          Passive (off a SPAN/mirror port)    Inline and active
Form factor        Hardware or software based          Hardware or software based
Detection method   Uses attack signatures              Uses attack signatures
Configuration      SPAN/mirror ports                   Inline, with fail-over features
Alerting           Generates alerts (email, pager)     Generates alerts (email, pager)
Response           After the fact                      Real time (offending traffic is dropped before it reaches the target)
IPS TYPES
IPS can be grouped into 3 categories
Signature Based
Anomaly Based (NBAD, network behavior anomaly detection)
Hybrid
SIGNATURE BASED
Uses pattern matching to detect malicious or otherwise restricted packets on the network
Signatures are written for known exploits (worms, viruses)
Detects malware, spyware and other malicious programs
Bad traffic detection, traffic normalization
SIGNATURE BASED PRODUCTS
Sourcefire / Snort
StillSecure
NFR
Cisco IOS IPS
SIGNATURE: PROS & CONS
Pros
Very flexible.
Well suited to detecting single-packet attacks like SQL Slammer.
Cons
Relatively little zero-day protection.
Generally requires that the attack is known before a signature can be written.
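The IDS/IPS comparison and the signature-based mechanics above, in working code. This is an added example, not code from the presentation: a toy engine that matches byte patterns against single packets and either alerts (passive IDS, which only sees a copy of the packet) or drops (inline IPS). The sample packets, the simplified Slammer-style pattern (UDP/1434, first byte 0x04 followed by a run of 0x01, payload under 400 bytes) and the BitTorrent handshake signature are constructed for the demo, not taken from any vendor rule set.

```python
"""Toy signature-based engine: pattern matching on single packets.

Added example, not code from the presentation. Packets and signatures
below are constructed: the "Slammer-like" signature is a simplified
approximation (UDP/1434, first byte 0x04 followed by a run of 0x01),
not an exact copy of any vendor rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str       # "udp" or "tcp"
    dport: int       # destination port
    payload: bytes   # application-layer bytes


@dataclass
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]           # None = any port
    contents: List[bytes]          # every pattern must be present
    anchored: bool = False         # True: first pattern must start at offset 0
    max_len: Optional[int] = None  # reject longer payloads (cheap pre-filter)

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.max_len is not None and len(pkt.payload) > self.max_len:
            return False
        first, rest = self.contents[0], self.contents[1:]
        if self.anchored and not pkt.payload.startswith(first):
            return False
        if not self.anchored and first not in pkt.payload:
            return False
        return all(c in pkt.payload for c in rest)


SIGNATURES = [
    # Simplified Slammer-style rule (assumption, see module docstring).
    Signature(1, "MS-SQL Slammer-like propagation attempt", "udp", 1434,
              [b"\x04", b"\x01" * 16], anchored=True, max_len=400),
    # BitTorrent peer handshake: length byte 19 then the protocol string.
    Signature(2, "P2P BitTorrent handshake", "tcp", None,
              [b"\x13BitTorrent protocol"], anchored=True),
]


class Engine:
    """inline=True behaves like an IPS (drop); inline=False like an IDS (alert only)."""

    def __init__(self, signatures: List[Signature], inline: bool):
        self.signatures = signatures
        self.inline = inline

    def inspect(self, pkt: Packet) -> Tuple[str, List[int]]:
        hits = [s.sid for s in self.signatures if s.matches(pkt)]
        if not hits:
            return "pass", hits
        # An IDS on a SPAN port only sees a copy of the packet, so the best
        # it can do is alert; an inline IPS sits in the path and can drop it.
        return ("drop" if self.inline else "alert"), hits


# Constructed sample traffic (not captured packets).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "slammer":    Packet("udp", 1434, b"\x04" + b"\x01" * 97 + b"\x90" * 278),
    "ssrp_query": Packet("udp", 1434, b"\x02"),  # benign SQL browser query
    "http_get":   Packet("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "bittorrent": Packet("tcp", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
}


def run_sample(inline: bool) -> Dict[str, Tuple[str, List[int]]]:
    """Inspect every sample packet and return {name: (verdict, [sids])}."""
    engine = Engine(SIGNATURES, inline=inline)
    return {name: engine.inspect(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("IPS (inline)" if mode else "IDS (passive)")
        for name, (verdict, sids) in run_sample(mode).items():
            print(f"  {name:11s} {verdict:6s} {sids}")
```

The same signatures drive both modes; only the action differs, which is the whole IDS-versus-IPS distinction. Note what the engine cannot do: a new worm with a different first byte passes untouched until someone writes a rule for it, which is the zero-day weakness in the cons above.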
ANOMALY BASED
Anomaly based IPS look for deviations or changes from previously measured (baseline) behavior, such as:
Substantial increase in outbound SMTP traffic
New open ports or services
Changes in TCP/IP parameters
ANOMALY BASED PRODUCTS
Mazu Networks
Arbor Networks
Q1 Labs
Top Layer
ANOMALY: PROS & CONS
Pros
Better protection against zero-day threats
Better detection of "low and slow" attacks
Cons
Cannot protect against single-packet attacks like SQL Slammer (one packet does not move a baseline)
Cannot analyze packets at layers 5 - 7 of the OSI model (flow-based products see headers and volumes, not payload)
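The behavior-deviation idea above, together with the single-packet weakness listed in the cons, as an added example (not code from the presentation): a flow-based detector that baselines each host's outbound SMTP rate and the set of services each server offers, then flags SMTP surges, hosts that start sending mail, and servers that open a new port. The flow records and the thresholds (3 standard deviations above the mean, minimum 10 connections) are constructed assumptions for the demo.

```python
"""Toy network-behavior anomaly detector (NBAD style).

Added example, not code from the presentation. Flow records are
constructed (not captured) and the thresholds (k = 3 standard
deviations, minimum count 10) are assumptions chosen for the demo.
The detector only sees flow tuples (who talked to whom, on what port,
how often), which is why it cannot judge a single packet's payload.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Flow record: (hour, src_host, dst_host, proto, dst_port) -- constructed
Flow = Tuple[int, str, str, str, int]

BASELINE: List[Flow] = []
for hour in range(24):
    BASELINE += [(hour, "ws1", "mail", "tcp", 25)] * (3 + hour % 3)  # 3-5 mails/hour
    BASELINE += [(hour, "ws1", "web", "tcp", 80)] * 20
    BASELINE += [(hour, "web", "db", "tcp", 1433)] * 10


def smtp_profile(flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per-host (mean, population stdev) of outbound tcp/25 flows per hour."""
    per_hour: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, proto, dport in flows:
        if proto == "tcp" and dport == 25:
            per_hour[src][hour] += 1
    return {h: (statistics.mean(c.values()), statistics.pstdev(c.values()))
            for h, c in per_hour.items()}


class AnomalyDetector:
    def __init__(self, baseline: List[Flow], k: float = 3.0, min_count: int = 10):
        self.smtp = smtp_profile(baseline)
        # Services known to be offered: (server, proto, port)
        self.services: Set[Tuple[str, str, int]] = {
            (dst, proto, dport) for _h, _s, dst, proto, dport in baseline}
        self.servers: Set[str] = {dst for _h, _s, dst, _p, _d in baseline}
        self.k = k
        self.min_count = min_count

    def analyze(self, window: List[Flow]) -> List[Tuple[str, str, object]]:
        """Score one hour of flows; returns (kind, host, detail) alerts."""
        alerts: List[Tuple[str, str, object]] = []
        seen_new: Set[Tuple[str, str, int]] = set()
        smtp_counts: Dict[str, int] = defaultdict(int)
        for _h, src, dst, proto, dport in window:
            if proto == "tcp" and dport == 25:
                smtp_counts[src] += 1
            key = (dst, proto, dport)
            # A known server answering on a port never seen in the baseline
            if dst in self.servers and key not in self.services and key not in seen_new:
                seen_new.add(key)
                alerts.append(("new-service", dst, f"{proto}/{dport}"))
        for src, n in smtp_counts.items():
            if src not in self.smtp:
                alerts.append(("new-smtp-sender", src, n))
                continue
            mean, sd = self.smtp[src]
            if n >= self.min_count and n > mean + self.k * sd:
                alerts.append(("smtp-surge", src, n))
        return alerts


# Constructed one-hour windows to score against the baseline.
SAMPLE_WINDOWS: Dict[str, List[Flow]] = {
    "normal": [(9, "ws1", "mail", "tcp", 25)] * 5
            + [(9, "ws1", "web", "tcp", 80)] * 20
            + [(9, "web", "db", "tcp", 1433)] * 10,
    # Spam bot: ws1 suddenly pushes 400 outbound SMTP connections in an hour.
    "spam_bot": [(10, "ws1", f"ext-mx-{i}", "tcp", 25) for i in range(400)],
    # Backdoor: the web server starts answering on tcp/4444.
    "backdoor": [(11, "ws2", "web", "tcp", 4444)] * 3,
    # A workstation that never sent mail before starts doing so.
    "new_sender": [(13, "ws2", "mail", "tcp", 25)] * 2,
    # One crafted request to a known service: nothing for a flow-based
    # detector to notice (the "SQL Slammer" weakness on the slide).
    "single_packet": [(12, "ws1", "web", "tcp", 80)],
}


def score_all(det: AnomalyDetector) -> Dict[str, List[Tuple[str, str, object]]]:
    return {name: det.analyze(flows) for name, flows in SAMPLE_WINDOWS.items()}


if __name__ == "__main__":
    detector = AnomalyDetector(BASELINE)
    for name, alerts in score_all(detector).items():
        print(f"{name:14s} -> {alerts or 'no anomaly'}")
```

The "single_packet" window is the point: the detector has no payload and no change in volume to work with, so it stays silent where the signature engine would have fired. The two approaches miss different things, which is the case for combining them that the hybrid section makes.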
HYBRID IPS
Hybrid IPS combine signature based IPS and anomaly based IPS into a single device
HYBRID PRODUCTS
Juniper
Cisco
IBM-ISS
TippingPoint
McAfee
HYBRID PROS & CONS
Pros
Superior protection for both known and zero-day threats
Each engine covers the weakness of the other
Cons
Generally more expensive than either anomaly or signature based products
Can be slower, depending on architecture
ARCHITECTURE: SOFTWARE VS. HARDWARE
Software based
Generally runs Linux or a BSD variant
EG: Snort / Sourcefire, NitroSecurity, StillSecure
Hardware based
Uses ASIC / FPGA technology
EG: TippingPoint, Top Layer, McAfee
SOFTWARE PROS & CONS
Pros
More flexible
Generally easier to add major functionality
Cheaper
Generally has more functionality
Cons
Usually slower than hardware
Latency is usually higher than hardware
HARDWARE PROS & CONS
Pros
Speed, speed, speed
Lower latency than software
Fewer moving parts to fail
Cons
Expensive
Not easily upgradeable
Major upgrades usually mean new ASIC chips
WHAT ABOUT UTM?
Unified Threat Management
All-in-one devices that can do:
Firewall
Antivirus
IPS
VPN
Etc.
This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions
UTM PRODUCTS
Fortinet
Radware
SonicWall
ISS-Proventia
Cisco (ASA appliance)
Juniper (SSG and ISG Firewalls)
UTM PROS & CONS
Pros
Cost effective for remote branch offices where other capabilities like firewall are also needed
Cons
Usually a limited subset of IPS functionality and signatures compared to stand-alone IPS products
THINKING ABOUT AN IPS?
Why?
What problem are you trying to solve?
What other problems may be solved?
What problems may arise?
If Networking is a different group than Security, do you have their buy-in?
TIPS WHEN SELECTING AN IPS
Prepare an RFP
You can get a sample one from the Internet
Do an on-site POC of your top choices
It's vital to see how the device works in your network.
Make sure you test their support, especially if you are going to buy 24x7
Look for product certifications
ICSA, NSS Group, Neohapsis
WHAT TO CONSIDER WHEN BUYING
Speed / latency
Will the device perform under load?
Is the latency acceptable? Very important if you have VoIP!
Accuracy
How many attacks did it miss? (false negatives)
How many legitimate flows did it block? (false positives)
Signature Updates
Absolutely critical. How often the signatures are updated is a key indicator of how serious they are about selling IPS
High Availability
Will it do Active-Passive, Active-Active?
"Fail Open"
Will the device pass traffic in the event of a device failure? Failing open keeps the network up but uninspected; failing closed does the reverse. Decide which you want before the outage, not during it.
IPS TESTING AND CERTIFICATIONS
Testing & certifications are done by
ICSA Labs
NSS Group
Neohapsis
ICSA is the newest
NSS is arguably the most respected, for now.
The IPS should have at least one certification
QUESTIONS?
THANK YOU