Intrusion Prevention System


Published on March 24, 2011

Author: kittukind


Intrusion Prevention Systems
Christopher Harrington

What is IPS?
Intrusion Prevention System: a system located on the network that monitors traffic for issues like security threats and policy violations, then takes corrective action (for example, dropping the offending packets or resetting the connection).
While there are both host-based and network-based IPS, the term is usually associated with network-based IPS.

What can an IPS do?
IPS can detect and block:
- OS, web and database attacks
- Spyware / malware
- Instant messenger traffic
- Peer-to-peer (P2P) traffic
- Worm propagation
- Critical outbound data loss (data leakage)

IPS Types
IPS can be grouped into 3 categories:
- Signature based
- Anomaly based (NBAD, network behavior anomaly detection)
- Hybrid

Signature Based
Use pattern matching to detect malicious or otherwise restricted packets on the network.
Sample signature (Snort rule syntax):
alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"BLEEDING-EDGE CURRENT Possible W32.Nugache P2P Botnet Communication INBOUND Initial Packet"; flow:established,to_server; dsize:<70; content:"|00 02|"; offset:0; depth:2; classtype:trojan-activity; reference:url,/avcenter/venc/data/w32.nugache.a@mm.html; rev:3;)
Read it as: alert on an established TCP connection from outside to an internal host on port 8 whose payload is shorter than 70 bytes and begins with the two bytes 0x00 0x02 (content at offset 0, searched within a depth of 2 bytes).

Signature Based Products
- Sourcefire / Snort
- StillSecure
- NFR
- Cisco

Signature: Pros & Cons
Pros:
- Very flexible.
- Well suited to detect single-packet attacks like SQL Slammer.
Cons:
- Relatively little zero-day protection.
- Generally requires that the attack is known before a signature can be written.
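To make the sample signature concrete, here is an added example (not Snort's own engine and not code from the presentation) that parses the rule above and applies its dsize, content, offset and depth options to a handful of constructed payloads. It only implements that subset of Snort's option language; the header fields and the flow: option are parsed but not enforced, because the inputs are bare payloads rather than packets with addresses and TCP state. The reference: option is left out of the embedded rule because its URL is incomplete on the slide. The constructed payloads show both the strength the slide names (an exact match on a short, fixed first packet) and the weakness (a one-byte change to the protocol evades the rule).

```python
import re

# The slide's sample signature, reassembled from the text above (the
# reference: option is omitted because its URL is incomplete on the slide).
NUGACHE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8 ('
    'msg:"BLEEDING-EDGE CURRENT Possible W32.Nugache P2P Botnet Communication '
    'INBOUND Initial Packet"; flow:established,to_server; dsize:<70; '
    'content:"|00 02|"; offset:0; depth:2; classtype:trojan-activity; rev:3;)'
)

# One rule option: a name, optionally ':' and a quoted or unquoted value, then ';'
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Split a Snort rule into its header fields and an ordered option list."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = [(name, value.strip('"') if value else None)
               for name, value in OPTION_RE.findall(body.rstrip().rstrip(")"))]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def decode_content(text):
    """Turn a Snort content string into bytes: |..| sections are hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def dsize_ok(spec, length):
    """Evaluate a dsize test of the form N, <N or >N against the payload length."""
    if spec.startswith("<"):
        return length < int(spec[1:])
    if spec.startswith(">"):
        return length > int(spec[1:])
    return length == int(spec)


def content_tests(options):
    """Pair every content option with the offset/depth modifiers that follow it."""
    tests = []
    for name, value in options:
        if name == "content":
            tests.append({"pattern": decode_content(value), "offset": 0, "depth": None})
        elif name in ("offset", "depth") and tests:
            tests[-1][name] = int(value)
    return tests


def content_ok(test, payload):
    """The pattern must lie entirely inside the window [offset, offset + depth)."""
    start = test["offset"]
    end = len(payload) if test["depth"] is None else start + test["depth"]
    return payload.find(test["pattern"], start, end) != -1


def rule_matches(rule, payload):
    """Apply the rule's dsize and content/offset/depth options to one payload.
    Header fields and flow: are parsed but not enforced here (bare payloads only)."""
    parsed = parse_rule(rule)
    for name, value in parsed["options"]:
        if name == "dsize" and not dsize_ok(value, len(payload)):
            return False
    return all(content_ok(t, payload) for t in content_tests(parsed["options"]))


# Constructed payloads for illustration, not captured traffic.
SAMPLES = {
    "nugache_hello": b"\x00\x02" + b"\x10" * 38,      # 40 bytes, starts 00 02
    "too_long":      b"\x00\x02" + b"\x10" * 200,     # right prefix, fails dsize:<70
    "shifted":       b"\x01\x00\x02" + b"\x10" * 20,  # 00 02 present but outside depth:2
    "variant":       b"\x00\x03" + b"\x10" * 38,      # a one-byte change evades the rule
    "http_get":      b"GET / HTTP/1.1\r\n\r\n",
}


def scan(rule=NUGACHE_RULE, samples=SAMPLES):
    """Return {sample name: True if the rule fires on that payload}."""
    return {name: rule_matches(rule, payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:14} {'ALERT' if hit else 'pass'}")
```

Only nugache_hello fires. The "variant" payload is the slide's con in miniature: until someone has seen the changed handshake and rewritten the content match, a signature engine passes it without comment.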
Anomaly Based
Anomaly-based IPS look for deviations or changes from previously measured (baseline) behavior, such as:
- Substantial increase in outbound SMTP traffic
- Existence of IRC communications where there were none before
- New open ports or services

Anomaly Based Products
- Mazu Networks
- Arbor Networks
- Q1 Labs
- Top Layer

Anomaly: Pros & Cons
Pros:
- Better protection against zero-day threats
- Better detection of "low and slow" attacks
Cons:
- Cannot protect against single-packet attacks like SQL Slammer; the deviation only becomes visible once the worm is already spreading
- Cannot analyze packet content at layers 5-7 of the OSI model; NBAD works from flow statistics rather than payloads

Hybrid IPS
Hybrid IPS combine signature-based and anomaly-based IPS in a single device.

Hybrid Products
- Juniper
- NitroSecurity
- TippingPoint
- McAfee

Hybrid: Pros & Cons
Pros:
- Superior protection for both known and zero-day threats
- Each engine covers the weakness of the other
Cons:
- Generally more expensive than either anomaly-based or signature-based products
- Can be slower, depending on architecture

Architecture: Software vs. Hardware
Software based:
- Generally runs Linux or a BSD variant
- E.g. Snort / Sourcefire, NitroSecurity, StillSecure
Hardware based:
- Uses ASIC / FPGA technology
- E.g. TippingPoint, Top Layer, McAfee

Software: Pros & Cons
Pros:
- More flexible
- Generally easier to add major functionality
- Cheaper
- Generally has more functionality
Cons:
- Usually slower than hardware
- Latency is usually higher than hardware

Hardware: Pros & Cons
Pros:
- Speed, speed, speed
- Lower latency than software
- Fewer moving parts to fail
Cons:
- Expensive
- Not easily upgradeable
- Major upgrades usually mean new ASIC chips

What about UTM?
Unified Threat Management: all-in-one devices that can do:
- Firewall
- Antivirus
- IPS
- VPN
- Etc.
This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions.

UTM Products
- Fortinet
- Radware
- Cisco (ASA appliance)
- Juniper

UTM: Pros & Cons
Pros:
- Cost effective for remote branch offices where other capabilities like firewall are also needed
Cons:
- Usually a limited subset of IPS functionality and signatures compared to stand-alone IPS products

Thinking about an IPS?
- Why? What problem are you trying to solve?
- What other problems may be solved?
- What problems may arise?
- If networking is a different group from security, do you have their buy-in?

Tips when selecting an IPS
- Prepare an RFP. You can get a sample one from eWeek.
- Do an on-site evaluation of your top choices. It's vital to see how the device works in your network.
- Make sure you test their support, especially if you are going to buy 24x7.
- Look for product certifications: ICSA, NSS Group, Neohapsis.

What to consider when buying
- Speed / latency: Will the device perform under load? Is the latency acceptable? Very important if you have VoIP!
- Accuracy: How many attacks did it miss (false negatives)? How much legitimate traffic did it block (false positives)?
- Signature updates: Absolutely critical. How often the signatures are updated is a key indicator of how serious the vendor is about IPS.
- High availability: Will it do active-passive, active-active?
- "Fail open": Will the device pass traffic in the event of a device failure? An inline IPS that fails closed takes the segment down with it; one that fails open keeps traffic flowing but uninspected, so decide in advance which outage you prefer.

IPS Testing and Certifications
Testing and certifications are done by:
- ICSA Labs
- NSS Group
- Neohapsis
ICSA is the newest; NSS is arguably the most respected, for now. The IPS should have at least one certification.

Where is IPS going?
- Commoditizing IPS functionality in switches (e.g. Foundry, Consentry), which can do IPS per port
- Network Access Control: post-connect NAC, "agentless" NAC

Questions?

Thank You
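Returning to the anomaly-based slides above: the three indicators they list (a jump in outbound SMTP, IRC appearing where there was none, a new port or service) all reduce to comparing current behavior against a learned baseline. The following added example (not a product's code and not part of the presentation) builds a per-host, per-port baseline from constructed hourly connection counts and flags two kinds of deviation. The host names, ports, counts and the 24-hour baseline window are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_HOURS = 24  # hours 0-23 train the baseline; hour 24 is the observation window


def constructed_flows():
    """Constructed hourly outbound connection counts, not captured NetFlow.
    Each row: (hour, internal_host, destination_port, connections_in_that_hour)."""
    rows = []
    for hour in range(BASELINE_HOURS):
        rows.append((hour, "10.0.0.5", 25, 3 + hour % 3))     # mail relay: 3-5 SMTP sessions/hour
        rows.append((hour, "10.0.0.7", 443, 40 + hour % 7))   # workstation: HTTPS browsing
        rows.append((hour, "10.0.0.7", 25, 1 + hour % 2))     # workstation: occasional SMTP
        rows.append((hour, "10.0.0.9", 443, 20 + hour % 5))   # another workstation
    # Observation hour: one host starts spamming, another opens IRC.
    rows += [
        (24, "10.0.0.5", 25, 4),
        (24, "10.0.0.7", 443, 41),
        (24, "10.0.0.7", 25, 900),    # substantial increase in outbound SMTP
        (24, "10.0.0.9", 443, 22),
        (24, "10.0.0.9", 6667, 2),    # IRC where there was none before
    ]
    return rows


def build_baseline(rows, baseline_hours=BASELINE_HOURS):
    """Per (host, port): mean and standard deviation of the hourly count over the
    baseline period. Hours in which the pair did not appear count as zero."""
    per_key = defaultdict(list)
    for hour, host, port, count in rows:
        if hour < baseline_hours:
            per_key[(host, port)].append(count)
    baseline = {}
    for key, counts in per_key.items():
        counts = counts + [0] * (baseline_hours - len(counts))
        baseline[key] = (mean(counts), pstdev(counts))
    return baseline


def detect(rows, baseline_hours=BASELINE_HOURS, k=3.0, min_delta=10):
    """Flag observation-period rows that deviate from the baseline.
    'new service': a (host, port) pair never seen during the baseline.
    'volume spike': count above mean + k*stddev and at least min_delta above the
    mean; the absolute floor stops a stddev of zero turning 1 -> 2 into an alert."""
    baseline = build_baseline(rows, baseline_hours)
    alerts = []
    for hour, host, port, count in rows:
        if hour < baseline_hours:
            continue
        key = (host, port)
        if key not in baseline:
            alerts.append((hour, host, port, "new service", count))
            continue
        mu, sigma = baseline[key]
        if count > mu + k * sigma and count - mu >= min_delta:
            alerts.append((hour, host, port, "volume spike", count))
    return alerts


if __name__ == "__main__":
    for hour, host, port, kind, count in detect(constructed_flows()):
        print(f"hour {hour}: {host} -> port {port}: {kind} ({count} connections)")
```

Two rows are flagged: the workstation's 900 SMTP sessions against a baseline of one or two per hour, and the IRC connection on port 6667 from a host that never used that port before. The mail relay's 4 sessions sit inside its normal 3-5 and stay quiet. Note what this engine never looks at: payload. It would report the spam host by volume but could not say whether the single first packet of a new worm was hostile, which is the slide's point about single-packet attacks and layers 5-7, and why the hybrid slide pairs it with a signature engine.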
