InfoSecurity
November 16, 2006
Intruders, not allowed!
Runa Mukherjee
Since its inception, much has been debated about intrusion prevention. To understand what it is, you need to know the problems it aims to cure. The cyber environment is becoming increasingly severe, with the number of vulnerabilities growing steadily, and the reaction time the industry gets between the discovery of a vulnerability and the development of an exploit is dwindling fast. In such a situation, the Intrusion Prevention System has become not only important but an integral part of the defense technology of any organisation. Experts feel it is a major part of their defense-in-depth strategy to keep intruders at bay. Read on...
NEW DELHI -- Intrusion prevention is a proactive approach to network security used to identify potential threats and respond to them swiftly. Like an intrusion detection system (IDS), an intrusion prevention solution (IPS) monitors network traffic. However, because an exploit may be carried out very quickly after the attacker gains access, intrusion prevention solutions also have the ability to take immediate action, based on a set of rules established by the network administrator. For example, an IPS might drop a packet that it determines to be malicious and block all further traffic from that IP address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient with no apparent disruption or delay of service.
An IPS not only examines network traffic like an IDS but also performs “inline monitoring”: it sits in the traffic path and can automatically block traffic it judges inappropriate or malicious.
“An intrusion prevention system is any device which exercises access control to protect computers from exploitation. 'Intrusion prevention' technology is considered by some to be an extension of intrusion detection (IDS) technology, but it is actually another form of access control, like an application layer firewall. The latest Next Generation Firewalls leverage their existing deep packet inspection engine by sharing this functionality with an Intrusion-prevention system,” said Greg Bunt, regional SE manager, Juniper Networks APAC.
With so many in the market, why IPS?
Intrusion Prevention Systems (IPS) complement existing security mechanisms. IPS is recognised as a security best practice and part of a defense-in-depth strategy.
“There are a number of significant costs that can be avoided with the use of IPS, as well as incremental revenue opportunities that can be realised, with an intrusion prevention system. These relate to a broad range of areas within an organisation, including IT/operations, sales, customer service, marketing, finance, compliance, business development and R&D,” said Vishak Raman, country manager, Fortinet India.
Says Allan Bell, marketing director for Asia Pacific, McAfee Inc: “Firewalls can keep track of TCP sequence numbers and have the ability to block certain types of traffic, such as Code Red or Nimda, providing a limited form of intrusion prevention. However, most firewalls are not able to decipher these attacks and hence are unable to block many of the intrusions. Firewalls also are used to allow or disallow traffic by protocol or port. There are certain ports such as port 80 and protocols such as HTTP that you must allow. The firewall has no knowledge of attacks embedded in this traffic.”
The landscape of doing business today is significantly different from the landscape of just five years ago. Companies are more connected than ever, with the promise that network expansion will only continue. As a result, companies must grapple with how to keep their network safe, without sacrificing growth or productivity.
The first step that virtually all organisations connected to the Internet take is to install a firewall, and with good reason. A firewall acts as a perimeter guard for a network, determining what traffic to allow or deny in and out. It does this by applying a policy composed of 'accept' and 'deny' rules based on criteria such as the source, destination and protocol in question.
By providing access control, firewalls do a good job of providing the first layer of defense. Most firewall policies allow the protocols that enable organisations to do business on the Internet, such as SMTP, FTP, HTTP and DNS, and keep out traffic that may pose a threat to internal systems.
The second layer of defense is to detect the presence of attacks within the traffic allowed to flow within your network and to protect your network from those attacks. When implemented properly, an intrusion detection device can provide a powerful and cost-effective solution that complements a firewall in protecting your corporate assets. The technological advancements include increased intrusion detection accuracy and the ability to prevent an intrusion, all while simplifying the deployment, configuration and ongoing management of the system.
The advent of globalisation and the rise of mobility have extended individual enterprise networks into larger global networks offering seamless connectivity.
“In today’s environment, where Internet worms spread across the world in a matter of minutes, security systems -- and the network itself -- must react instantaneously. The necessity to stop attacks and intrusions and to protect valuable assets led to the creation of IPS. IPS is basically any device (hardware or software) which can detect an anomaly in the regular routine of network traffic and then stop the possible malicious activity,” said Mohammed Hayath, business development manager, Cisco Systems India & SAARC.
“The Cisco concept of the self-defending network is built around the idea that human intervention is no longer sufficient to stem the tide of attacks that IT systems are subjected to - so networks must be given the tools and capabilities to deal with threats on their own,” he said.
How does it function:
Every network carries some bad (malicious) traffic. It may come from someone outside trying to gain information or from a disgruntled employee on the inside looking to cause havoc. Whoever the culprit, you want to know about it and do something about it. It is the job of a NIDS (network intrusion detection system) to tell you about the attack so that you can keep it from impacting your business. The system, however, is only as good as its detection capabilities, so it is critical that its detection mechanisms are accurate enough to differentiate between the good and bad traffic entering your network.
The following are all possible results of intrusion detection:
1. Undetected bad traffic
2. Detected bad traffic
3. Good traffic that the system thinks is bad (false alarm)
4. Good traffic that the system identifies as good
IPS can be implemented on the network (network-based intrusion prevention, NIPS) or on the host (host-based intrusion prevention, HIPS). NIPS are hardware devices, while HIPS are software solutions.
Gartner has identified three levels and nine distinct protection styles of host-based intrusion prevention. Traditional perimeter defenses such as firewalls and anti-virus are necessary but not sufficient, for many reasons:
- Direct attacks can tunnel through perimeter defenses using encryption. Once a host is compromised it can be used to launch attacks deeper into the network;
- Mobile computers can be compromised when they’re outside the protective perimeter, and be used to attack other hosts when they return;
- Wireless LANs can also be used to bypass perimeter defenses;
- Perimeter defenses can be by-passed by intentional or unintentional attacks from the inside;
- Network intrusion detection systems do not prevent attacks, require extensive care and feeding, and often generate a huge number of false positives that take time to resolve.
“Most IDS tend to be reactive rather than proactive – that is, they often have to wait until something has happened before they can raise the alarm. An Intrusion Prevention Solution (IPS), however, is proactive, and is designed to stop intrusions dead, blocking the offending traffic before it does any damage rather than simply raising an alert that a malicious payload has been delivered,” said Allan Bell of McAfee.
The Pros:
Security threats to enterprises have grown in prominence over the years. Hackers targeted individual computers in the ‘80s and individual networks in the ‘90s; today they are targeting the global infrastructure.
“In the past, users could only access the network through a few ingress or egress points—usually where the Internet connected to the enterprise network. And as a result enterprises stacked security at the Internet perimeter using firewalls and intrusion detection systems (IDS). However today, many more means of gaining entry to the network exist. With the perimeter having been extended and distributed, security too needs to be applied at each of these new ingress and egress points and therefore enterprises need to take an integrated approach to security such that there is greater visibility and control on the overall network security environment,” said Mohammed Hayath of Cisco.
Network security technologies can be broadly classified into four categories:
- Packet level protection, such as routers’ Access Control Lists (ACL) or stateless firewalls
- Session level protection, such as stateful inspection firewalls
- Application level protection, such as proxy firewalls and intrusion prevention systems (IPS)
- File level protection, such as gateway antivirus systems
The figure below compares the four categories of network security technologies. Evaluating each category by coverage of protocols/applications, level of protection and relative performance enables organisations to choose the appropriate network security technologies to protect their networks.
Packet Level Protection
Packet level protection, also known as packet filtering, is one of the most widely used means of controlling access to a network. The concept is simple: determine whether a packet is allowed by comparing some basic pieces of information in the packet headers.
Two-way communication presents a challenge for network security based on packet filtering. If one blocks all incoming traffic, one prevents responses to outgoing traffic from coming in, disrupting communication. Consequently, one has to open two holes, one for outgoing traffic and one for incoming traffic, without enforcing any association of the incoming traffic with existing outgoing connections in the network. Packet filtering thus can allow in crafted malicious packets that appear to be part of existing sessions, causing damage to protected resources.
Packet filtering devices do not track dynamic protocols, where a server and a client negotiate a random port for data transmission. Examples of protocols that use dynamic ports include FTP, RPC, and H.323. To enable these applications to pass through packet filtering systems, one has to open a very large hole, significantly reducing the security protection provided by packet-filtering systems. For instance, in order to allow in standard FTP, one must let through any traffic with a destination port greater than 1,023 (1,023 – 65,500) and source port of 20, thus opening a significant security hole in the network.
Session Level Protection
Session level protection technologies control the flow of traffic between two or more networks by tracking the state of sessions and dropping packets that are not part of a session allowed by a predefined security policy. Firewalls that implement session-level protection keep state information for each network session and make allow/deny decisions based on a session state table. The most common systems for session level protection are stateful inspection firewalls. Note that session level protection technologies are “session based,” meaning that firewalls go beyond individual TCP connections to involve many such connections. Session-level firewalls support dynamic protocols by identifying port change instructions in client-server communication and comparing future sessions against these negotiated ports. For instance, to track FTP sessions, the firewall inspects the control connection, used for issuing commands and negotiating dynamic ports, and then allows in the various data connections for transferring files. Because session level protection provides all the benefits of packet level protection without the limitations, it renders packet level protection unnecessary for most networks.
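The difference between the two layers, as an added example that is not from the article or from any vendor named in it: a stateless filter with the standing holes described above (server-port replies and source-port-20 FTP data) beside a session tracker that only admits packets belonging to a session it has seen open, and that learns the FTP data port from the PORT command on the control connection. The protected range 10.0.0.0/8, the hosts and every packet are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed protected network
FTP_CTRL, FTP_DATA = 21, 20

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # True for the first packet of a TCP connection
    payload: str = ""      # application data carried, if any

def is_inside(ip: str) -> bool:
    return ip_address(ip) in INSIDE

def stateless_allows(pkt: Packet) -> bool:
    """Packet-level protection: header fields only, no memory of sessions.
    Replies get back in only through a standing hole from server ports to
    high client ports; active FTP needs the source-port-20 hole the text
    describes. Nothing ties an incoming packet to an outgoing session."""
    if is_inside(pkt.src_ip):
        return True                                   # all outbound traffic
    if pkt.src_port in (21, 25, 53, 80) and pkt.dst_port > 1023:
        return True                                   # "replies" to outbound sessions
    if pkt.src_port == FTP_DATA and pkt.dst_port > 1023:
        return True                                   # active-mode FTP data
    return False

def parse_port_command(payload: str):
    """FTP 'PORT h1,h2,h3,h4,p1,p2': the client names the address and port
    the server should connect to for the data transfer."""
    if not payload.startswith("PORT "):
        return None
    parts = payload[5:].strip().split(",")
    if len(parts) != 6:
        return None
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])

class StatefulFirewall:
    """Session-level protection: accept a packet only if it opens a session
    from the inside, belongs to a session already in the table, or is the
    data connection negotiated on an FTP control session."""

    def __init__(self):
        self.sessions = set()   # (src_ip, src_port, dst_ip, dst_port)
        self.expected = set()   # data connections announced via PORT

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions or reverse in self.sessions:
            if pkt.dst_port == FTP_CTRL:              # watch the control channel
                announced = parse_port_command(pkt.payload)
                if announced:
                    self.expected.add((pkt.dst_ip, FTP_DATA) + announced)
            return True
        if pkt.syn and is_inside(pkt.src_ip):
            self.sessions.add(key)                    # new outbound session
            return True
        if pkt.syn and key in self.expected:
            self.expected.discard(key)                # the negotiated data connection
            self.sessions.add(key)
            return True
        return False

# Constructed traffic: an inside client does active-mode FTP with a server,
# then an unrelated host sends two packets shaped to fit the filter's holes.
CLIENT, SERVER, STRANGER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRAFFIC = [
    ("ftp control open", Packet(CLIENT, 40001, SERVER, FTP_CTRL, syn=True)),
    ("ftp banner reply", Packet(SERVER, FTP_CTRL, CLIENT, 40001, payload="220 ready")),
    ("PORT command", Packet(CLIENT, 40001, SERVER, FTP_CTRL, payload="PORT 10,0,0,5,160,0")),
    ("ftp data open", Packet(SERVER, FTP_DATA, CLIENT, 40960, syn=True)),
    ("crafted ftp data", Packet(STRANGER, FTP_DATA, CLIENT, 44444, syn=True)),
    ("crafted web reply", Packet(STRANGER, 80, CLIENT, 50000, syn=True)),
]

def run_scenario(traffic=TRAFFIC):
    """{label: (packet-level verdict, session-level verdict)}, in arrival order."""
    fw = StatefulFirewall()
    return {label: (stateless_allows(p), fw.allows(p)) for label, p in traffic}
```

Both filters pass the real FTP exchange; only the session tracker refuses the two crafted packets, because no inside host ever opened a session they could belong to.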
Application Level Protection
Application level protection technologies monitor network traffic and dynamically analyze it for signs of attacks and intrusions. Within the network security infrastructure, two common technologies for application level protection are proxy firewalls and Intrusion Prevention Systems (IPS). Proxy firewalls are network systems that act on behalf of the client accessing a network service and shield the client and the server from direct peer-to-peer connection. The client establishes a connection with the proxy server, and the proxy server establishes a connection with the destination server. The proxy then forwards the data between the parties.
IPS are network devices that can accept or deny traffic based on IP addresses, protocol/service, and application level analysis and verification. IPS receive traffic from the network, reassemble the traffic streams and look at application primitives and commands to detect suspicious fields that warrant some predefined action. These actions vary from logging suspicious events to dropping the connection completely.
Proxy firewalls and IPS examine control and data fields within the application flow to verify that the actions are allowed by the security policy and do not represent a threat to end systems. By understanding application-level commands and primitives, they can identify content out of the norm and content that represents a known attack or exploit. Proxy firewalls and IPS perform IP de-fragmentation and TCP stream reassembly as well as eliminating ambiguity within traffic, which can be used by malicious users trying to conceal their actions.
Proxy firewalls usually support the common Internet applications, including HTTP, FTP, telnet, rlogin, email and news. Yet, a new proxy must be developed for each new application or protocol to pass through the firewall, and custom software and user procedures are required for each application.
IPS generally support a wider range of protocols and applications, including those required to protect the network against attacks from the Internet. New applications can be allowed through an IPS without requiring changes to the user workstations. In this way, IPS are more transparent to the network than proxy firewalls.
Proxy firewalls and IPS can detect certain viruses or Trojans by looking at application service fields. For instance, IPS can look at the subject field, attachment name, or attachment type within email traffic to detect characteristics of known viruses. However, application level protection does not do a detailed analysis at the file level, which is also required to detect the large number of viruses in existence.
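Why the stream reassembly described above has to happen before any application-level check, including the e-mail attachment fields just mentioned: an added example, not the article's or any vendor's code. A constructed attachment-name signature is split across two TCP segments that also arrive out of order, with one segment retransmitted; a per-packet matcher sees nothing, the reassembled stream matches. The signature, the SMTP exchange and the sequence numbers are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample signature standing in for a vendor rule: an e-mail
# attachment whose name hides an executable behind a document extension.
SIGNATURES = {
    "double-extension attachment":
        re.compile(rb'filename="[^"\r\n]+\.(?:doc|pdf|jpg)\.(?:exe|scr|pif)"', re.I),
}

@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes

class StreamReassembler:
    """Puts one direction of a TCP stream back in order. Out-of-order segments
    wait until the gap before them is filled; bytes already accepted are cut
    from overlapping retransmissions ('first copy wins', a simplification:
    a real IPS must follow the policy of the receiving host's TCP stack)."""

    def __init__(self, initial_seq: int):
        self.next_seq = initial_seq
        self.pending = {}            # seq -> data waiting for earlier bytes
        self.stream = bytearray()

    def add(self, seg: Segment) -> None:
        if seg.seq < self.next_seq:                  # overlaps accepted data
            skip = self.next_seq - seg.seq
            if skip >= len(seg.data):
                return                               # pure retransmission
            seg = Segment(self.next_seq, seg.data[skip:])
        self.pending.setdefault(seg.seq, seg.data)
        while self.next_seq in self.pending:         # drain in sequence order
            data = self.pending.pop(self.next_seq)
            self.stream += data
            self.next_seq += len(data)

def reassembled_bytes(segments, initial_seq: int) -> bytes:
    asm = StreamReassembler(initial_seq)
    for seg in segments:
        asm.add(seg)
    return bytes(asm.stream)

def match_per_packet(segments) -> set:
    """What a matcher sees without reassembly: each segment on its own."""
    return {name for seg in segments
            for name, pat in SIGNATURES.items() if pat.search(seg.data)}

def match_reassembled(segments, initial_seq: int) -> set:
    """What an IPS that rebuilds the application stream first sees."""
    data = reassembled_bytes(segments, initial_seq)
    return {name for name, pat in SIGNATURES.items() if pat.search(data)}

# Constructed SMTP client stream: the attachment name is split across two
# segments, which also arrive out of order, and one segment is retransmitted.
ISN = 1000
PARTS = [
    b"MAIL FROM:<sender@example.com>\r\nRCPT TO:<user@example.net>\r\nDATA\r\n",
    b"Subject: invoice\r\nContent-Type: application/octet-stream\r\n",
    b'Content-Disposition: attachment; filename="invoice.d',
    b'oc.exe"\r\n\r\n...base64 body omitted...\r\n.\r\n',
]
OFFSETS = [ISN + sum(len(p) for p in PARTS[:i]) for i in range(len(PARTS))]
SEGMENTS = [
    Segment(OFFSETS[0], PARTS[0]),
    Segment(OFFSETS[2], PARTS[2]),   # arrives before PARTS[1]
    Segment(OFFSETS[1], PARTS[1]),
    Segment(OFFSETS[0], PARTS[0]),   # retransmission of the first segment
    Segment(OFFSETS[3], PARTS[3]),
]

if __name__ == "__main__":
    print("per-packet :", match_per_packet(SEGMENTS) or "no match")
    print("reassembled:", match_reassembled(SEGMENTS, ISN) or "no match")
```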
File Level Protection
File level protection provides the ability to extract files from traffic and inspect them to detect malware, including viruses, worms or Trojans. A common technology for file level protection in a network is gateway antivirus.
An antivirus system looks for virus signatures – a unique string of bytes that identifies a virus – and zaps the virus from the file. Most antivirus scanning systems catch not only the initial virus but also many of its variants, since the signature code usually remains intact.
Gateway antivirus systems scan files that are embedded in network traffic, including files in HTTP traffic (web downloads) and files in email traffic (attachments). If an infected file is detected, a gateway antivirus system removes it from the traffic, so it does not affect other users. To scan files within network traffic, gateway antivirus must understand a broad range of file encoding protocols (i.e., MIME, uuencode, Base64) and file compression algorithms. Since there are over 60,000 known viruses, gateway antivirus systems must be able to conduct thorough scans. Constant updates to the virus pattern file are required for effective protection against new virus outbreaks, since new viruses are continuously being uncovered.
Since the application streams that are scanned for viruses must be completely reassembled by the gateway antivirus system as the traffic crosses the network, users or servers might experience a slight delay in the scanned streams. Administrators usually have granular control of the traffic and file types that warrant scanning.
Antivirus typically scans files in email and web traffic, mainly inspecting communication from servers to clients. Viruses are aimed at damaging end user systems, but use various email and web servers to propagate. Consequently, it is important to detect viruses while they are being uploaded to or downloaded from servers.
Limitations
The critical question to answer is: “Why are you buying an IPS?” With the answer to this underlying question in hand, you’ll be well positioned to closely examine four aspects of IPS products that distinguish them from each other:
- Security parameters and coverage
- Performance
- Form factor
- Management
Considering how each product delivers on these four characteristics will allow you to quickly and efficiently create a short list of products to evaluate and test in your own network, as the final – and essential – part of assuring that you achieve the goals that justify the costs of deploying an IPS. It is a dire fact that while every enterprise has a firewall, most still suffer from network security problems. IT professionals are acutely aware of the need for additional protective technologies, and network equipment vendors are anxious to fill the gap.
Intrusion Prevention Systems have been promoted as cost-effective ways to block malicious traffic, to detect and contain worm and virus threats, to serve as a network monitoring point, to assist in compliance requirements, and to act as a network sanitising agent.
While all of these capabilities may fall within the purview of an expensive, high-end IPS product, not every IPS deployment will require all of these features nor will every business be able to accommodate the operational price necessary to maintain and manage one of these high-end systems.
For these reasons, the IPS market is overflowing with products that are suitable for a wide array of environments as they offer a wide spectrum of features. Establishing which IPS product is right for your network is crucial to any buying decision, because putting the wrong IPS into your network can be a costly error, both in terms of capital and operational expenditures.
In the IPS world, it is especially easy to fall into the trap of buying what a vendor wants to sell you rather than what you actually need. Deciding which IPS is right for your network begins with answering the question “Why am I buying an IPS?” and ends with a plan for testing an IPS in your own network.
According to Bell of McAfee, most IPS can be used out of the box but to get value from an IPS may require additional tuning. To avoid the possibility of a false positive impacting legitimate corporate traffic it is recommended that an IPS be initially deployed in detection only mode. Once the user is confident it will not block legitimate traffic it can be deployed in blocking mode.
He said: “McAfee uses the combination of vulnerability based signatures to improve accuracy and has sophisticated protocol anomaly detection to protect against unknown attacks. This ensures false positives are kept to a minimum. One potential disadvantage with the HIPS approach is that, given the necessarily tight integration with the host operating system, future OS upgrades could cause problems. Vendors of HIPS can generally be expected to release new versions as OS upgrades become available.”
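The four outcomes listed under “How does it function”, the source-IP blocking described at the start of the article, and the detection-only-then-blocking rollout Bell describes above, as an added example that is not from the article or from McAfee: a small rule engine scored against constructed requests with known ground truth, first in detection-only mode with a blanket rule, then in blocking mode after that rule has been narrowed. Rules, addresses and requests are all constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    src_ip: str
    request: str
    truly_malicious: bool   # constructed ground truth, used only for scoring

# Constructed rules: substring -> alert. The second is a deliberately broad
# "blanket" rule of the kind the text says generates false alarms.
INITIAL_RULES = {"traversal": "/../../", "sql-keyword (blanket)": "select"}
# After reviewing the alerts from the detection-only run, it is narrowed.
TUNED_RULES = {"traversal": "/../../", "sql-statement": "select * from"}

EVENTS = [
    Event("10.0.0.8", "GET /shop?q=select+your+plan HTTP/1.0", False),
    Event("10.0.0.9", "GET /about.html HTTP/1.0", False),
    Event("198.51.100.7", "GET /static/../../private/app.conf HTTP/1.0", True),
    # the same outside host again; nothing in this request matches a rule
    Event("198.51.100.7", "GET /index.html HTTP/1.0", True),
]

OUTCOMES = ("undetected bad traffic", "detected bad traffic",
            "false alarm", "good traffic identified as good")

class Ips:
    """Inline engine. In 'detect' mode every packet is forwarded and only an
    alert is raised; in 'block' mode a match drops the packet and, as in the
    text, all further traffic from that source IP is dropped as well."""

    def __init__(self, mode, rules):
        assert mode in ("detect", "block")
        self.mode, self.rules = mode, rules
        self.blocked_ips = set()
        self.alerts = []

    def process(self, ev):
        """Return (action, rule hits) for one event."""
        if self.mode == "block" and ev.src_ip in self.blocked_ips:
            return "dropped", []
        hits = [name for name, needle in self.rules.items()
                if needle in ev.request.lower()]
        if hits:
            self.alerts.append((ev.src_ip, hits))
            if self.mode == "block":
                self.blocked_ips.add(ev.src_ip)
                return "dropped", hits
        return "forwarded", hits

def classify(ev, flagged):
    """Map one event onto the four outcomes the text lists."""
    if ev.truly_malicious:
        return OUTCOMES[1] if flagged else OUTCOMES[0]
    return OUTCOMES[2] if flagged else OUTCOMES[3]

def run(mode, rules, events=EVENTS):
    """Return (outcome counts, per-event log of (src_ip, action, hits))."""
    ips = Ips(mode, rules)
    counts, log = Counter(), []
    for ev in events:
        action, hits = ips.process(ev)
        counts[classify(ev, bool(hits) or action == "dropped")] += 1
        log.append((ev.src_ip, action, hits))
    return counts, log

def legitimate_traffic_dropped(log, events=EVENTS):
    """The cost of a false alarm in blocking mode: benign requests lost."""
    return sum(1 for ev, (_, action, _) in zip(events, log)
               if action == "dropped" and not ev.truly_malicious)

if __name__ == "__main__":
    for mode, rules in (("detect", INITIAL_RULES), ("block", INITIAL_RULES),
                        ("block", TUNED_RULES)):
        counts, log = run(mode, rules)
        print(f"{mode:6} {sorted(rules)}: {dict(counts)}; "
              f"legitimate requests dropped = {legitimate_traffic_dropped(log)}")
```

In detection-only mode the blanket rule costs nothing but an alert to review; the same rule in blocking mode drops a legitimate request, which is the failure the staged rollout is meant to catch before it happens.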
“Network intrusion detection systems do not prevent attacks, require extensive care and feeding, and often generate a huge number of false positives that take time to resolve,” says Raman of Fortinet.
“Most of the IPS provides an administrator with strict blanket policies, which in due course, leads to a large number of false positives. In such cases, IDPs are a perfect case of The Boy Who Cried Wolf. Improper blockage leads to higher maintenance on part of the system administrator. Ultimately, to remedy the situation, the filtering policies are loosened, the security compromised and the wolf welcomed,” said DigvijaySinh Chudasama, VP, Sales, Cyberoam Elitecore Technologies.
Maintenance and Cost
IPSs are a relatively new development, so they have not yet had much time to evolve into what they could one day become. Maintenance charges are in line with general maintenance charges within the industry, and the protection offered is budgeted against the potential loss or damage of intellectual property and the risk to the business.
“For 100 users, IDP can cost as much as Rs 2 lac. It requires Annual Maintenance Contract which would be about 15 – 20 percent of original price. So recurring cost of Rs 30,000 to 40,000 per year. In addition, enterprises need to recruit manpower to maintain and operate the appliance,” said Chudasama of Elitecore.
Within a UTM, IDP (Intrusion Detection and Prevention) comes for a fraction of the cost: about 10-15 percent of the cost of a standalone IDP solution, which can be as low as or lower than the AMC mentioned above.
“Maintenance costs are not high. Customers typically opt for the 'support contracts' which cover the equipment. With such support contracts customers would be provided with IPS Signature Updates on a regular basis as well as IPS Operating System updates as and when released,” stressed Mohammed Hayath of Cisco.
An IPS is a cost effective way of protecting an organisation, believes Bell of McAfee. By providing virtual patching it can save the organisation money. Instead of deploying patches as soon as they appear, an organisation can schedule patching to when it is convenient. Deploying patches costs money so rolling out many patches at the same time or when an organisation updates their COE/SOE can be more effective.
“A Network IPS will provide this protection while the computer is on the corporate network. Host IPS provides this protection even if a laptop is no longer on the corporate network. Even one security breach can be expensive. Not only in direct clean up costs but more importantly it can affect their corporate reputation,” he said.
The best in the market:
Some of the key players are offering their best in the market today.
Cisco intrusion detection and prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses and other malicious traffic, these solutions help protect the network. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and the endpoint. The Cisco Intrusion Prevention System (IPS) is an inline, network-based solution designed to accurately identify, classify and stop malicious traffic, including worms, spyware/adware, network viruses and application abuse, before they affect business continuity.
“Hence, these Cisco Accurate Prevention Technologies provide unprecedented confidence to stop malicious traffic, once identified, without concern of dropping valid traffic,” said Mohammed Hayath, Cisco.
McAfee also offers both network and host intrusion prevention solutions. These are complementary, and an organisation would benefit by deploying both, namely:
- McAfee Host Intrusion Prevention for Desktops / Servers
- McAfee Intrushield Network IPS Appliances / Security Manager Appliance
Cyberoam, however, is the only solution that provides complete security even in wireless and dynamic IP environments like DHCP. The ingenuity of the UTM lies in the fact that, despite providing comprehensive controlling width, it also provides deep granular controls, so that the administrator does not have to remain satisfied with blanket policies, emphasises Chudasama. The centralised approach not only empowers the user to monitor and control the complete network without hunting for the right options in other pages, but also enables him or her to counter any network-borne attack quickly and efficiently.
Fortinet offers a scalable and easy to deploy line of FortiGate IPS security systems that can be installed seamlessly at the network edge or as an IPS solution deployed at the network core to protect critical business applications from external as well as internal originating attacks.
The Juniper Networks Intrusion Detection and Prevention products (Juniper Networks IDP) provide comprehensive and easy to use protection against current and emerging threats at both the application and network layer. Using industry recognised stateful detection and prevention techniques, Juniper Networks IDP provides zero day protection against worms, Trojans, spyware, keyloggers, and other malware. It can be quickly and confidently deployed inline to effectively identify and stop network and application-level attacks before they inflict any damage, minimising the time and costs associated with intrusions, explains Greg Bunt of Juniper.
Conclusion
What enterprises need is an IPS/IDP solution with granular controls in its policies. It should allow the administrator to configure customised IDP policies and signatures. Moreover, identity-based IDP reporting provides unparalleled network visibility, leading to effective mitigation of internal threats, which are on the rise.
IDP solutions should be configured to rate a threat based on its origin, destination and nature. Currently, their response is based primarily on its nature alone, so they are configured to block only “general” and “more dangerous” threats. Consequently they ignore threats that have not yet reached a critical level and are perceived to be of “low danger”. In a nutshell, they ignore the origin and destination of a threat.
While infrastructure can be arranged to provide more comprehensive protection, IPS cannot be termed a point defense. Unlike a firewall, an IPS is deployed not just at the perimeter but throughout the entire network, to protect the core as well as internal segments. To meet the stringent networking requirements (latency, throughput, reliability) that these core and internal network locations demand, state-of-the-art IPSes are based on purpose-built custom hardware, like other network infrastructure devices.
Thus, it is mandatory that the root of the threat is identified and dealt with by the high standards of packet filtering and protection offered by the many IPS applications available in the market. This has become essential in an era where information has not only become significant but is also always under the potential threat of being stolen.