Intrusion Prevention System


Intrusion Prevention Systems
Ahmed Saeed
Team Leader (Cisco Division)
CTTC (PVT) Limited
WHAT IS IPS?

Intrusion Prevention System

A system located on the network that monitors the network for issues like security threats and policy violations, then takes corrective action.

Performs deep packet inspection.
WHAT CAN AN IPS DO?

IPS can detect and block:
- OS, web and database attacks
- Spyware / malware
- Instant messenger
- Peer to peer (P2P)
- Worm propagation
- Critical outbound data loss (data leakage)
DIFFERENCE BETWEEN IDS AND IPS

Intrusion Detection System (IDS)
- Passive
- Hardware/software based
- Uses attack signatures
- Configuration: SPAN/mirror ports
- Generates alerts (email, pager)
- After-the-fact response

Intrusion Prevention System (IPS)
- Inline and active
- Hardware/software based
- Uses attack signatures
- Configuration: inline, with failover features
- Generates alerts (email, pager)
- Real-time response
IPS TYPES

IPS can be grouped into three categories:
- Signature based
- Anomaly based (NBAD, network behavior anomaly detection)
- Hybrid

SIGNATURE BASED

- Use pattern matching to detect malicious or otherwise restricted packets on the network
- Based on current exploits (worms, viruses)
- Detect malware, spyware and other malicious programs
- Bad traffic detection, traffic normalization

SIGNATURE BASED PRODUCTS
- Sourcefire / Snort
- StillSecure
- NFR
- Cisco IOS IPS

SIGNATURE: PROS & CONS

Pros
- Very flexible
- Well suited to detecting single-packet attacks like SQL Slammer

Cons
- Relatively little zero-day protection
- Generally requires that the attack is known before a signature can be written

ANOMALY BASED

Anomaly based IPS look for deviations or changes from previously measured behavior, like:
- Substantial increase in outbound SMTP traffic
- New open ports or services
- Changes in TCP/IP parameters

ANOMALY BASED PRODUCTS
- Mazu Networks
- Arbor Networks
- Q1 Labs
- Top Layer

ANOMALY: PROS & CONS

Pros
- Better protection against zero-day threats
- Better detection of "low and slow" attacks

Cons
- Cannot protect against single-packet attacks like SQL Slammer
- Cannot analyze packets at layers 5-7 of the OSI model

HYBRID IPS

Hybrid IPS combine signature based IPS and anomaly based IPS into a single device.

HYBRID PRODUCTS
- Juniper
- Cisco
- IBM-ISS
- TippingPoint
- McAfee

HYBRID PROS & CONS

Pros
- Superior protection for both known and zero-day threats
- Each plays off the weaknesses of the other

Cons
- Generally more expensive than either anomaly or signature based products
- Can be slower, depending on architecture
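
To show how the three categories complement each other in practice, here is an added example (not part of the presentation and not any vendor's code) in Python: a signature stage that matches byte patterns, an anomaly stage that baselines outbound SMTP connections per host per minute, and a hybrid verdict that blocks when either stage fires. The packet trace, the signature patterns and the baseline counts are constructed sample data; the worm-like pattern is a stand-in, not a real SQL Slammer signature.

```python
# Toy hybrid IPS: a signature engine plus an SMTP-rate anomaly engine (added example,
# not the slide deck's or any vendor's code; packets, patterns and baseline are constructed).
from collections import namedtuple
from typing import List, Optional, Tuple

# src, proto ("tcp"/"udp"), destination port, payload bytes, coarse minute timestamp
Packet = namedtuple("Packet", "src proto dport payload minute")

# Signature rules: (name, proto, dport, byte pattern). Hypothetical stand-in patterns.
SIGNATURES = [
    ("udp-1434-worm-like", "udp", 1434, b"\x04\x01\x01\x01"),  # single-packet attack
    ("http-shell-in-uri", "tcp", 80, b"/bin/sh"),
]

def match_signatures(pkt: Packet) -> List[str]:
    """Signature stage: exact pattern match on protocol, port and payload bytes."""
    return [name for name, proto, port, pat in SIGNATURES
            if pkt.proto == proto and pkt.dport == port and pat in pkt.payload]

class SmtpAnomalyDetector:
    """Anomaly stage: baseline outbound SMTP connections per host per minute,
    then flag a host that exceeds mean + k * stddev of the baseline."""
    def __init__(self, baseline: List[int], k: float = 3.0):
        mean = sum(baseline) / len(baseline)
        std = (sum((x - mean) ** 2 for x in baseline) / len(baseline)) ** 0.5
        self.threshold = mean + k * std
        self.counts = {}  # (src, minute) -> SMTP connection count

    def observe(self, pkt: Packet) -> Optional[str]:
        if pkt.proto != "tcp" or pkt.dport != 25:
            return None
        key = (pkt.src, pkt.minute)
        self.counts[key] = self.counts.get(key, 0) + 1
        return "smtp-outbound-spike" if self.counts[key] > self.threshold else None

def hybrid_verdict(pkt: Packet, det: SmtpAnomalyDetector) -> Tuple[str, List[str]]:
    """Hybrid stage: block if either engine fires; reasons show which one did."""
    reasons = match_signatures(pkt)
    anomaly = det.observe(pkt)
    if anomaly:
        reasons.append(anomaly)
    return ("BLOCK", reasons) if reasons else ("PASS", [])

def run_demo() -> List[Tuple[int, str, str, List[str]]]:
    """Constructed trace: a benign request, a worm-like datagram, then an SMTP burst."""
    det = SmtpAnomalyDetector(baseline=[2, 2, 4, 4])  # mean 3, std 1 -> threshold 6
    trace = [Packet("10.0.0.7", "tcp", 80, b"GET /index.html HTTP/1.1", 0),
             Packet("10.0.0.9", "udp", 1434, b"\x04\x01\x01\x01" + b"A" * 8, 0)]
    trace += [Packet("10.0.0.7", "tcp", 25, b"EHLO relay", 1) for _ in range(8)]
    return [(p.minute, p.src) + hybrid_verdict(p, det) for p in trace]
```

Calling run_demo() shows the worm-like datagram caught only by the signature stage (the anomaly stage never sees a rate change from one packet) and the SMTP burst caught only by the anomaly stage (no signature matches a plain EHLO), which is the complementarity the slide describes.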

ARCHITECTURE: SOFTWARE VS. HARDWARE

Software based
- Generally runs Linux or a BSD variant
- E.g. Snort / Sourcefire, NitroSecurity, StillSecure

Hardware based
- Uses ASIC / FPGA technology
- E.g. TippingPoint, Top Layer, McAfee

SOFTWARE PROS & CONS

Pros
- More flexible
- Generally easier to add major functionality
- Cheaper
- Generally has more functionality

Cons
- Usually slower than hardware
- Latency is usually higher than hardware

HARDWARE PROS & CONS

Pros
- Speed, speed, speed
- Lower latency than software
- Fewer moving parts to fail

Cons
- Expensive
- Not easily upgradeable: major upgrades usually mean new ASIC chips

WHAT ABOUT UTM?

Unified Threat Manager: all-in-one devices that can do:
- Firewall
- Antivirus
- IPS
- VPN
- Etc.

This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions.

UTM PRODUCTS
- Fortinet
- Radware
- SonicWall
- ISS-Proventia
- Cisco (ASA appliance)
- Juniper (SSG and ISG firewalls)

UTM PROS & CONS

Pros
- Cost effective for remote branch offices where other capabilities like firewall are also needed

Cons
- Usually a limited subset of IPS functionality and signatures compared to stand-alone IPS products

THINKING ABOUT AN IPS?

Why?
- What problem are you trying to solve?
- What other problems may be solved?
- What problems may arise?
- If Networking is a different group than Security, do you have their buy-in?

TIPS WHEN SELECTING AN IPS

- Prepare an RFP (you can get a sample one from the Internet)
- Do an on-site POC of your top choices; it's vital to see how the device works in your network
- Make sure you test their support, especially if you are going to buy 24x7 support
- Look for product certifications (ICSA, NSS Group, Neohapsis)

WHAT TO CONSIDER WHEN BUYING

Speed / latency
- Will the device perform under load?
- Is the latency acceptable? Very important if you have VoIP!

Accuracy
- How many attacks did it miss?
- How many false attacks did it block?

Signature updates
- Absolutely critical. How often the signatures are updated is a key indicator of how serious they are about selling IPS.

High availability
- Will it do Active-Passive, Active-Active?
- "Fail open": will the device pass traffic in the event of a device failure? (Traffic passed while the device is down is uninspected, so decide whether availability or enforcement wins during a failure.)

IPS TESTING AND CERTIFICATIONS

Testing and certifications are done by:
- ICSA Labs
- NSS Group
- Neohapsis

ICSA is the newest; NSS is arguably the most respected, for now.

The IPS should have at least one certification.

QUESTIONS?

THANK YOU