5.4 Intrusion Prevention Systems
- We have a VPN, and firewalls, and you do not want to mess with them because the design spec for the Laundry’s firewall software is not to keep intruders out, but to make them undergo spontaneous combustion when they get in: as Bob puts it, it’s the only way to be sure.
The Annihilation Score
Suppose a network IDS does detect something unpleasant. Then what? An intrusion prevention system (IPS) can best be described as an IDS with an attitude. Rather than simply detecting something bad, they try to do something about it. The trick is avoiding collateral damage, or at any rate collateral damage that’s worse than what the attack would have caused if left unmolested. The worst situation is a successful attack whose goal was to induce you to perform harmful actions.
Consider, for example, the Slammer worm [Moore et al. 2003]. Slammer spread via a single UDP packet to port 1434, used by a Microsoft SQL server. Because UDP does not require a 3-way handshake the way TCP does, the worm spread extremely quickly; its growth rate was limited by the outbound bandwidth of infected hosts. One can postulate an IPS that noticed links being clogged, saw a tremendous spike in traffic to a rarely seen port, and automatically set up a filter rule blocking such packets. It makes perfect sense, and that is in fact what was done by many ISPs. Now imagine a variant of Slammer that emitted three packets to UDP port 53 for every one it sent to 1434. The packets to 53—DNS—would, for this example, be harmless, but would a network based IPS know that? All that it can see are three facts: links are being clogged by an unprecedented flood of traffic; many of the unusual packets are to port 1434; even more of them are to port 53. Would it try to shut down both ports? If so, the IPS would effectively turn off the Internet. (N.B. I’ve slightly simplified the details of this enhanced attack; correcting it is left as an exercise for the reader.)
An IPS can do many things. As with an IDS it can be host or network resident; both sitings have advantages and disadvantages. Depending on where it is located, it can block connections, quarantine files, modify packets, and more [Scarfone and Mell 2007]. Forrest and Somayaji described one that slowed down suspect processes, rather than killing them ; this scheme doesn’t do irrevocable harm if it’s guessed incorrectly.
Ultimately, the IPS problem rests on three pillars: very good detection, selection of countermeasures, and matching the countermeasures to confidence in identification of the root cause of the problem. This last issue is much less studied than the second, which in turn is much less studied than the first.