Introducing Intrusion Prevention
Date: Sep 12, 2011
Wouldn’t it be nice to have a device at the perimeter of your network that was constantly updated with the latest and greatest attacks that are attempted against networks like your own? When this device senses an attack, it either notifies you, or prevents the attack entirely, or both. This is the goal (and the beauty) of Intrusion Detection, or Prevention.
Detection versus Prevention
An Intrusion Detection System (IDS) can detect the attack (hopefully) and can notify administrators through a variety of methods. Most of these systems can also do Intrusion Prevention, but the administrator may choose not to enable it. When you are using IDS instead of IPS, you are in what is called Promiscuous Mode: your IDS sensor is working with a copy of the packets that are attempting to enter the network segment being protected.
An Intrusion Prevention System (IPS) can detect the attack, notify the administrators, and also attempt to prevent the attack. Perhaps the device will drop packets or reset TCP connections. The IPS device can perform a variety of actions to try and ensure your network is safe. When you are using IPS instead of IDS, you are in what is called Inline Mode. Your device is in the path of the network packets attempting to enter the protected segment. It is not working with a copy of the packets, but instead, it is working with the very packets themselves.
When students first learn of these two approaches, they typically scowl and immediately ask, “why in the world would anyone want to settle for mere detection, when PREVENTION is possible!?!?” Let us examine this issue in great detail.
IDS is sometimes used because it has no impact on the network that you are trying to protect. If the IDS sensor gets really busy, you do not have to worry about it introducing random delays (jitter) into your network. As you probably know, jitter is a big enemy of technologies like Voice over IP (VoIP). Another great reason to consider IDS is if there is a failure of the sensor, the network cannot be impacted. Keep in mind that some sensors can essentially fail due to overload.
Now of course, choosing the IDS approach is not without its disadvantages. The first that comes to mind is the obvious fact that this approach cannot stop an attack. Also, IDS systems tend to be a bit more vulnerable to the various evasion techniques that attackers will use to circumvent detection.
Think about the opposite of the points we made above and you have the advantages and disadvantages of an IPS approach. Two huge advantages are the fact that it can prevent attacks and is less vulnerable to evasion, but issues arise with jitter and failures of the sensor.
Detection Technologies
What are the options for the technologies used within an IDS or IPS device? One possibility is that the device uses a profile-based technique. The network administrator defines the “normal” activity of the network and the sensor performs what is called anomaly detection. The device is detecting activity that deviates from the normal activity that has been defined. One of the issues with this approach is that it is sometimes difficult for the administrator to define normal. Because of this complexity, profile-based IDS/IPS devices tend to be prone to a high number of false positives, that is, cases where the device misidentifies legitimate traffic as an attack.
What is the main technology that Cisco uses? It is signature-based. With this approach, known attacks are defined in a signature that allows the device to engage in pattern matching. As you might guess, this technique is much less prone to false positives. Of course, you are going to be responsible for consistently updating your device with the latest signatures as more and more attacks get created.
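To make the trade-off between the two detection technologies concrete, here is an added illustration (not code from the article or from any Cisco product): a toy signature matcher and a toy profile-based (anomaly) detector run over the same handful of constructed connection records. The signature IDs, the thresholds and all of the traffic are invented for the example; the point is that each detector catches something the other misses, and that the anomaly detector raises a false positive on an unusual but legitimate download.

```python
"""Added illustration (not from the original article): signature-based versus
profile-based (anomaly) detection over constructed traffic records.
Signature names, thresholds and addresses are invented for the example."""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    dst_port: int
    bytes_out: int
    payload: str


# Constructed sample traffic: four ordinary web/DNS connections that form the
# baseline, then a large but legitimate download, a known attack pattern, and
# a connection to an unusual port with an unusual volume.
SAMPLE = [
    Conn("10.0.0.5", 80, 900, "GET /index.html HTTP/1.1"),
    Conn("10.0.0.6", 53, 120, "A? example.com"),
    Conn("10.0.0.7", 80, 1100, "GET /about HTTP/1.1"),
    Conn("10.0.0.8", 80, 950, "GET /search?q=cisco HTTP/1.1"),
    Conn("10.0.0.9", 80, 5000, "GET /big.iso HTTP/1.1"),            # legitimate, just big
    Conn("203.0.113.9", 80, 1000, "GET /cgi-bin/../../etc/passwd HTTP/1.1"),  # known pattern
    Conn("198.51.100.4", 4444, 250000, "zzzzzzzzzzzz"),             # never seen before
]
BASELINE = SAMPLE[:4]   # what the administrator declares to be "normal"

# Signature-based: patterns for known attacks (hypothetical signature IDs).
SIGNATURES = {
    "SIG-1001 directory traversal": re.compile(r"\.\./"),
    "SIG-1002 shell metacharacter in URL": re.compile(r"[;|`]"),
}


def signature_alerts(conns):
    """Pattern-match every payload against every signature. Few false
    positives, but silent on anything the signature set has never seen."""
    alerts = []
    for c in conns:
        for name, pat in SIGNATURES.items():
            if pat.search(c.payload):
                alerts.append((c.src, name))
    return alerts


def build_profile(conns):
    """Profile 'normal' as the set of destination ports seen in the baseline
    plus the mean and standard deviation of bytes per connection."""
    sizes = [c.bytes_out for c in conns]
    return {
        "ports": {c.dst_port for c in conns},
        "mean": statistics.mean(sizes),
        "stdev": statistics.pstdev(sizes),
    }


def anomaly_alerts(conns, profile, z=3.0):
    """Flag anything outside the profile: an unseen port, or a volume more
    than z standard deviations from the baseline mean."""
    alerts = []
    for c in conns:
        if c.dst_port not in profile["ports"]:
            alerts.append((c.src, "unexpected port %d" % c.dst_port))
        elif profile["stdev"] and abs(c.bytes_out - profile["mean"]) / profile["stdev"] > z:
            alerts.append((c.src, "volume anomaly"))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(SAMPLE))
    print("anomaly:  ", anomaly_alerts(SAMPLE, build_profile(BASELINE)))
```

Running it, the signature matcher reports only the traversal attempt from 203.0.113.9 and says nothing about the odd connection to port 4444, while the anomaly detector flags port 4444 and the 5000-byte download (a false positive) but lets the traversal through, because that request looks perfectly normal in port and size. A real sensor combines both approaches; the example only shows why neither is sufficient alone.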
Evasion Techniques
What techniques can attackers use to attempt to foil your IDS or IPS implementation? Well, there are many; here are just some:
- Flooding: The attacker floods the network with noise and then launches the attack; the idea here is to cause the IDS/IPS device to be too busy to do its job properly.
- Fragmentation: The attacker breaks the attack up into fragments so that it is harder for the IDS/IPS device to recognize.
- Encryption: The attacker sends the attack through an encrypted tunnel.
- Obfuscation: What a great word, huh? In this evasion technique, the attacker seeks to disguise the attack to conceal it using special characters or representations.
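The fragmentation and obfuscation items above come down to one defensive requirement: the sensor has to reassemble and normalize traffic before it pattern-matches, or a signature that is split across fragments or written in an alternate encoding never lines up with the pattern. The following added example (not code from the article or from any Cisco product) shows a naive per-fragment matcher missing both cases and a reassemble-then-normalize matcher catching them. The fragments, the encoded request and the toy traversal signature are all constructed for the illustration.

```python
"""Added illustration (not from the original article): why an IDS/IPS must
reassemble fragments and normalize encodings before signature matching.
The fragments, the encoded request and the signature are constructed."""
import re
from urllib.parse import unquote

# Toy signature for a directory-traversal pattern (constructed for the example).
TRAVERSAL = re.compile(r"\.\./")

# Constructed: one request deliberately split so the pattern straddles fragments.
FRAGMENTED = [b"GET /cgi-bin/..", b"/..", b"/etc/passwd HTTP/1.1"]

# Constructed: the same request with the dots percent-encoded.
OBFUSCATED = b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1"

# Constructed benign request, to show the matcher does not fire on everything.
BENIGN = b"GET /index.html HTTP/1.1"


def naive_match(chunks):
    """Match each fragment on its own, as a sensor without reassembly would."""
    return any(TRAVERSAL.search(c.decode("ascii", "replace")) for c in chunks)


def normalize(data):
    """Decode percent-encoding (twice, so a double-encoded form is also
    unwrapped) and fold case, so the matcher sees the request the way the
    destination web server will interpret it."""
    text = data.decode("ascii", "replace")
    for _ in range(2):
        text = unquote(text)
    return text.lower()


def reassembled_match(chunks):
    """Reassemble the fragments in order, normalize, then match. Fragments are
    assumed to arrive in order here; a real sensor also has to reorder them."""
    return bool(TRAVERSAL.search(normalize(b"".join(chunks))))


if __name__ == "__main__":
    for label, chunks in (("fragmented", FRAGMENTED), ("obfuscated", [OBFUSCATED]), ("benign", [BENIGN])):
        print("%-10s naive=%-5s reassembled=%s" % (label, naive_match(chunks), reassembled_match(chunks)))
```

The naive matcher returns False for both the fragmented and the percent-encoded request even though the server will execute the same path in either case; the reassembling matcher returns True for both and False for the benign request. Reassembly and normalization cost memory and CPU on the sensor, which is one reason a busy inline sensor can add latency or be pushed toward the overload failure described above.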
The Many Options for your IDS/IPS
If you are getting excited to deploy either technology in your network, we have some great news. There are many, many options for implementing these security techniques. There are network modules that you can insert in your existing modular routers. There are modules for your Adaptive Security Appliance (ASA). There are standalone appliances like the 4215, the 4240, and the 4255. There is an IDS blade for devices like the Catalyst 6500. There is even the option to run the technology in router software. This option is appropriately named the IOS IPS.
As a CCNA or CCNP in Security, you should be aware of the interfaces that exist in the standalone appliance versions of IDS/IPS. These interfaces include:
- The command and control interface provides an IP address to the network so that the device can be managed from an appropriate network management workstation.
- The monitoring interface is purely for the device to do its job and is not visible on the network; it possesses no IP address.
Reliable IPS
Cisco has been developing a wide range of features for their popular IDS and IPS devices to make them even more effective. Here are some that are featured in IPS devices that you should be aware of:
- Risk Rating: Administrators now have a configurable Risk Rating they can assign to help improve the effectiveness of the device.
- High availability: Various high availability mechanisms are now supported to ensure the IPS system is always doing its job; these features include technologies like HSRP and EtherChannel.
- Application firewall features: That’s right, some IPS systems from Cisco can now do deep packet inspection, enabling them to act like application-layer firewalls and catch some of the most common attacks against application vulnerabilities.
- Accurate worm mitigation through event correlation.
Host Intrusion Prevention System
For the ultimate in network protection, you can consider combining your network-based IPS with IPS at the workstation level. Host Intrusion Prevention Systems (HIPS) are software packages that can be installed on the various Operating Systems in your infrastructure. These allow for more intense protection of these systems themselves. For example, the Cisco Security Agent is HIPS software that seeks to eliminate common attacks against system registries and buffers, along with many other typical workstation vulnerabilities.
Combining network-based IPS with host-based IPS is an excellent part of Cisco’s Defense-In-Depth approach to security.