Anatomy of an Intrusion Prevention System
What is an Intrusion Prevention System?
To understand what an IPS is, it is necessary to understand the problem it aims to solve. Today's cyber-threat environment is increasingly severe, compounded by the growing number of vulnerabilities that are discovered weekly, the emergence of new types of attacks (e.g., blended threats and Spyware), the shrinking time between vulnerability discovery and exploit development, the propagation speeds of automated worm attacks, and the dissolving network perimeter. IT security teams are overwhelmed and traditional point solutions like firewalls, antivirus software, and intrusion detection systems are inadequate protection by themselves. The threat landscape is further exacerbated by the challenges involved in applying patches in a timely manner, and also in the case of organizations that cannot enforce patch management (Universities, ISPs, etc.).What is needed is a new type of security element that pervades the network and automatically protects organizations from a broad variety of attack types (e.g., worms, viruses, Trojans, DDoS, Spyware) and from all potential points of attack –inside or out.
Ultimately, security will be embedded within the network fabric, where traffic of all types (e.g., data, voice, video, graphics, fax) is not just routed from source to destination, but delivered with the necessary quality of service, and delivered securely.
Intrusion Prevention Systems are the first step in this direction. In the simplest sense, an Intrusion Prevention System is an inline device that blocks attacks before they can reach their target. In a broader sense, an IPS performs total packet inspection, providing a range of functions due to this depth of analysis and traffic classification. Today, these are predominantly standalone systems that can be placed at key network points for protection. As an inline device, an IPS cannot become a bottleneck, and as an attack blocking device, an IPS must be extremely accurate when classifying traffic.
First and foremost, an IPS must exhibit the same throughput, reliability, and latency characteristics of other network infrastructure elements (e.g., switches and routers). Network engineers have carefully architected their networks to deliver traffic from one point to another with specific latency and throughput requirements. Today's business dependence on the network requires that they be highly reliable with near-zero downtime. If an IPS adversely impacts these network characteristics, it will never be given an opportunity to demonstrate its security effectiveness. Furthermore, these performance characteristics should not be dependent on the number of filters (or signatures) that is turned on or the type of traffic that is passing through the network.
Many organizations deploy Intrusion Prevention Systems at the perimeter to augment existing security elements, but most are deploying these systems on internal network segments to protect against attacks from within. When multiple IPS's are deployed internally, they effectively provide "zones of containment" for any attack that may originate from internal sources such as remote office locations, VPNs, or someone plugging in an infected laptop. These internal locations have much more demanding performance and reliability requirements in the range of multi-gigabit per second throughput and sub-millisecond latencies.
Security effectiveness is measured in three dimensions: accuracy, coverage, and timeliness. Of these, accuracy is the most important. Accuracy ensures malicious traffic is blocked, and legitimate traffic is not. The performance and accuracy of a software-based product presents a zero-sum game. If a filter is added to the software engine, the CPU must process additional cycles and performance goes down. Conversely, in a hardware product that utilizes massive parallel processing techniques, additional filters do not necessarily impact performance. This relates directly to accuracy as well. For example, it may be determined that five conditions must be met to unequivocally identify an attack, but the 5th condition requires 90% of the CPU cycles for only 10% improvement in accuracy. A software-based solution is forced to choose between ignoring the 5th condition to trade off 10% in accuracy for 90% performance. This situation has plagued many software solutions and resulted in false positives (classifying legitimate traffic as malicious). While this tradeoff is often assumed for a passive Intrusion Detection System, it is unacceptable for an Intrusion Prevention System intended to block only attack traffic.
Coverage refers to the breadth of attacks or attack vectors that an Intrusion Prevention System can protect against. While this is tightly linked to accuracy, it is also dependent on the types of filtering methods that the IPS engine supports. There are four primary filtering methods needed for the broadest protection:
Signatures –Basic pattern matching technique used for viruses or known exploits
Protocol Anomaly –Normalization technique that can enforce compliance to a protocol specification
Vulnerability –Method used to express application-layer rules to identify malicious traffic attempting to exploit an application or design vulnerability. These filters are the most difficult to develop, but the most proactive and comprehensive.
Traffic Anomaly –Method used to detect changes in behavioral traffic patterns that deviate from "normal"
These filtering methods are applied to flows not only to individual packets.
Finally, timeliness is the speed with which an IPS can offer protection against a new threat. In some instances, existing filters may actually protect against a zero-day or newly discovered threat. If vulnerability filters are in place, they can protect an organization preemptively before the existence of an exploit or worm. When a new vulnerability is discovered, a new filter or set of filters may be required for protection. Unfortunately, it is not uncommon for 5-10 new critical vulnerabilities to be discovered on a weekly basis. This means that a fundamental component of an IPS is the ability to continuously update the IPS with new filters. As mentioned earlier, these filters should not adversely impact network performance and should be able to be instantiated automatically within seconds on IPS systems globally.
An Intrusion Prevention System is the first step in the convergence of networking and security. As with other networking (e.g., routers) and security (e.g., firewalls) products, this convergence is driving a shift in IPS from general-purpose to purpose-built hardware. IPS is not just a perimeter protection element, but delivers its greatest value as a pervasive security element that is deployed at both internal and perimeter network segments. To be effective, an IPS must exhibit unconditional network performance and extreme attack blocking accuracy. Finally, IPS represents a philosophical shift from traditional security tools like firewalls and intrusion detection systems that require extensive configuration, tuning and manual maintenance, to an automated security solution.
This article provided courtesy of Tipping Point.