How To Design An Intrusion Prevention System



Similar documents
Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

FortiDDos Size isn t everything

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

On-Premises DDoS Mitigation for the Enterprise

Intrusion Detection Systems

Chapter 15. Firewalls, IDS and IPS

First Line of Defense to Protect Critical Infrastructure

Firewalls, IDS and IPS

The Critical Importance of Three Dimensional Protection (3DP) in an Intrusion Prevention System

Network- vs. Host-based Intrusion Detection

Firewalls and Intrusion Detection

Complete Protection against Evolving DDoS Threats

WhitePaper. Mitigation and Detection with FortiDDoS Fortinet. Introduction

Next-Generation Firewalls: Critical to SMB Network Security

SecurityDAM On-demand, Cloud-based DDoS Mitigation

CSCE 465 Computer & Network Security

Introduction of Intrusion Detection Systems

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

The Advantages of a Firewall Over an Interafer

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

PROFESSIONAL SECURITY SYSTEMS

CMPT 471 Networking II

Architecture Overview

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Firewalls, Tunnels, and Network Intrusion Detection

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Managing Latency in IPS Networks

INTRODUCTION TO FIREWALL SECURITY

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

1. Firewall Configuration

Fail-Safe IPS Integration with Bypass Technology

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Firewall and UTM Solutions Guide

Introducing IBM s Advanced Threat Protection Platform

Networking for Caribbean Development

How To Block A Ddos Attack On A Network With A Firewall

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

McAfee IntruShield Network IPS Sensor Pioneering and Industry-Leading, Next-Generation Network Intrusion Prevention Solution

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Radware s Behavioral Server Cracking Protection

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Eudemon8000 High-End Security Gateway HUAWEI TECHNOLOGIES CO., LTD.

Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800, 2900, 3800 and 3900 Series Integrated Services Routers

Content-ID. Content-ID URLS THREATS DATA

A Layperson s Guide To DoS Attacks

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

DDoS Protection Technology White Paper

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ForeScout CounterACT Edge

Intrusion Detection Systems

Firewall Firewall August, 2003

CSCI 4250/6250 Fall 2015 Computer and Networks Security

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Introducing FortiDDoS. Mar, 2013

POLIWALL: AHEAD OF THE FIREWALL

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

DDoS Overview and Incident Response Guide. July 2014

IDS / IPS. James E. Thiel S.W.A.T.

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Barracuda Intrusion Detection and Prevention System

SourceFireNext-Generation IPS

McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles 5.7. NGFW Engine in the IPS and Layer 2 Firewall Roles

Network Management and Monitoring Software

Secure Software Programming and Vulnerability Analysis

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Radware s Attack Mitigation Solution On-line Business Protection

Intrusion Detection for Mobile Ad Hoc Networks

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Arbor s Solution for ISP

Security Toolsets for ISP Defense

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

POLIWALL: AHEAD OF THE FIREWALL

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

Cyber Watch. Written by Peter Buxbaum

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Transcription:

INTRUSION PREVENTION SYSTEMS (IPS): NEXT GENERATION FIREWALLS A Spire Research Report March 2004 By Pete Lindstrom, Research Director SP i RE security Spire Security, LLC P.O. Box 152 Malvern, PA 19355 www.spiresecurity.com

Intrusion Prevention Systems: Next Generation Firewalls Executive Summary Much is being said about intrusion prevention, but little is being done to acknowledge the potential impact of a solution on the network architecture. With so much attention being paid to the intrusion detection-like characteristics, the need for firewall capabilities is being ignored. In fact, the firewall is a more appropriate model for considerations around the deployment and use of a network intrusion prevention solution. This white paper discusses the characteristics of both intrusion detection and firewall solutions that compose the evolving intrusion prevention solutions. It identifies the features that are useful and highlights the architectural requirements for any security device that intends to be inline on the network. Finally, the paper discusses Top Layer s approach to intrusion prevention a practical approach that evolves firewall capabilities into a deeper content inspection solution. About Spire Security Spire Security, LLC conducts market research and analysis of information security issues and requirements. Spire provides clarity and practical security advice based on its Four Disciplines of Security Management, an operational security model that encompasses identity management, trust management, threat management, and vulnerability management. Spire s objective is to help define and refine enterprise security strategies by determining the best way to deploy policies, people, process, and platforms in support of an enterprise security management solution. This white paper is sponsored by Top Layer Networks. Spire Security maintains its independence regarding the content and assertions that is the product of years of security audit, design, and consulting work. 2004 Spire Security, LLC. All rights reserved. i

Intrusion Prevention Systems: Next Generation Firewalls Intrusion Prevention Systems: Next Generation Firewalls Table of Contents INTRODUCTION...1 DETECTION VS. PREVENTION...1 Intrusion Prevention...1 Intrusion Detection...1 The End Result...2 ARCHITECTURE MATTERS...3 DETERMINISTIC INTRUSION PREVENTION...3 TOP LAYER...4 Protection...4 Performance...4 Reliability...4 Architecture...4 SPIRE VIEWPOINT...5 ii 2004 Spire Security, LLC. All rights reserved.

Intrusion Prevention Systems: Next Generation Firewalls Introduction Intrusion prevention is full of promise. The idea is that all attacks against any part of the protected environment will be deflected by intrusion prevention solutions because they are omnipotent; they can take any stream of network packets and make the determination of intent whether it is an attack or legitimate use then take appropriate action with complete perfection. The end result is a limited need for intrusion detection or monitoring solutions since everything that represents a threat is blocked. While an admirable goal, it is impossible in practice. The pipe dream of complete protection, however, does not limit the potential of intrusion prevention - make no mistake, intrusion prevention solutions are a core requirement for any security architecture. Fundamentally, intrusion prevention solutions are the replacement for firewalls and therefore must act more like a firewall to be successful. This paper explains why. Detection vs. Prevention On the surface, intrusion detection and intrusion prevention solutions appear competitive. After all, they share a long list of similar functions, like packet inspection, stateful analysis, fragment reassembly, TCP segment reassembly, deep packet inspection, protocol validation, and signature matching. But these capabilities take a backseat to the starkly different purposes for which they are deployed. An IPS operates like a security guard at the gate of a private community, allowing and denying access based on credentials and some predefined ruleset, or policy. An IDS works like a patrol car within the community, monitoring activities and looking for abnormal situations. No matter how strong the security at the gate is, the patrols continue to operate in a system that provides its own checks and balances. Intrusion Detection The purpose of intrusion detection is to provide monitoring, auditing, forensics, and reporting of network activity. It operates on the packets that are allowed through an access control device. Because of reliability constraints, internal threats, and a healthy dose of skepticism, intrusion prevention must allow some gray area attacks through to protect against false positives. IDS solutions, on the other hand, are loaded with intelligence, using many different techniques to identify potential attacks, intrusions, exploits, and abuses. An IDS has the luxury of being out-of-band and can therefore perform its operations without affecting the computing & networking architectures. The passive nature of IDS is what provides the strength to conduct intelligent analysis of the packet stream. That positions IDS well to identify: Known attacks via signatures and rules. Variations in traffic volume and direction using complex rules and statistical analysis. 2004 Spire Security, LLC. All rights reserved. 1

Intrusion Prevention Systems: Next Generation Firewalls Communication traffic pattern variations using flow analysis. Anomalistic activity detection using baseline deviation analysis. Suspicious activity detection using heuristics, flow analysis, statistical techniques, and anomaly detection. Some attacks are just plain hard to detect with any degree of certainty, and most can only be detected by methods that are non-deterministic in nature. That is, they are not suitable for a policy-driven blocking decision. Intrusion Prevention As mentioned earlier, intrusion prevention solutions are intended to provide protection for assets, resources, data, and networks. The primary expectation is that they will reduce the threat of attack by eliminating the harmful and/or malicious network traffic while continuing to allow legitimate activity to continue. The goal is a perfect system no false positives that reduce end user productivity and no false negatives that create undue risk within the environment. Perhaps a more crucial role is the need to be reliable; to perform in the expected manner under any conditions. In order to accomplish this goal, IPS solutions must be deterministic in nature. Deterministic capabilities imbue the confidence required for a hard decision. This means that intrusion prevention solutions are ideally positioned to deal with: Undesired applications and active Trojan horse attacks against private networks and applications, by using deterministic rules and access control lists. Attack packets like those from LAND and WinNuke by using high-speed packet filters. Protocol abuse and evasive actions network protocol manipulations like Fragroute and TCP overlap exploits by using intelligent reassembly. Denial of service (DOS/DDOS) attacks such as SYN and ICMP floods by using threshold-based filtering algorithms Application abuse and protocol manipulations known and unknown attacks against HTTP, FTP, DNS, SMTP etc. by using application protocol rules and signatures. Application overload or abuse attacks by using threshold-based resource consumption limits. All of these attacks and the vulnerable state that allows them to happen are welldocumented. In addition, the aberrations in communications protocols from network through application layer have no place in any sort of legitimate traffic, making the faults self-selective in a deterministic context. The End Result The difference between IDS and IPS ends up being determinism. That is, IDS can (and should) use non-deterministic methods to divine any sort of threat, or potential threat, from existing and historical traffic. This includes performing statistical analysis of traffic volume, traffic patterns, and anomalous activities. It is not for the 2 2004 Spire Security, LLC. All rights reserved.

Intrusion Prevention Systems: Next Generation Firewalls faint of heart, nor should it be it is for individuals who truly want to know what is happening on their networks. IPS, on the other hand, must be deterministic correct in all of its decisions in order to perform its function of scrubbing traffic. An IPS device is not supposed to take chances or react with some technical version of gut instinct. It is supposed to work all of the time, and make access control decisions on the network. Firewalls provided the first deterministic approach to access control on the network, providing basic IPS capability. IPS devices add next-generation capability to these firewalls still operating inline and providing the type of deterministic comfort required of an inline device that is making access control decisions. Architecture Matters So far, the focus of this paper has been on intelligence and purpose. There is a more basic difference between IDS and IPS architecture. To a large extent, the success of IDS has been possible because it was passive. Security professionals could deploy them without fear that it would break the network. Moving inline changes that. Fundamentally, any network security device that is going to operate inline must be reliable. Reliability is driven by constant operations and suitability to task it must perform the functions for which it is designed. Ultimately, an IPS solution must consistently block traffic that is malicious or inappropriate while allowing all appropriate traffic to pass by unfettered. This means that an IPS solution must have the following qualities: High availability no security device has the luxury of crashing due to system overload, it must be built to withstand the toughest network environment. High performance devices in the line of fire must be able to analyze every packet without any noticeable impact on traffic. Performance is driven by high throughput and low network latency. Manageability and scalability ultimately, deploying devices throughout the network drives the need to effectively manage them without worrying about their ability to support the traffic on the wire. These architectural requirements, when coupled with the deterministic techniques discussed earlier, highlight the true calling of an IPS solution: to be the next generation firewall. This tracks closely with the firewall s need for architectural strength while adding the more intelligent deterministic capabilities associated with deep packet inspection. Deterministic Intrusion Prevention The clarification of purpose for intrusion prevention provides the center of gravity necessary to piece together the fit in a security architecture. Deterministic characteristics focus on the behavior and attributes of packets and transactions and understand when activity is inappropriate or malicious. It does not require advanced knowledge of specific exploits because it works backwards from design models, like 2004 Spire Security, LLC. All rights reserved. 3

Intrusion Prevention Systems: Next Generation Firewalls protocol RFCs, reference implementations, and individual application environment characteristics to known ways to abuse these communications. Then, it sets bounds around what is allowed in a network environment based on this knowledge. The benefits are clear: Proactive protection from the network security infrastructure. Operational efficiencies due to reduced need to react to event logs for protection. Increased coverage against packet attacks and zero-day attacks. Deterministic intrusion prevention is the next generation firewall with deep packet inspection. It is not a silver bullet, but it will clearly become a staple at the perimeter and deeper in the network for Defense in Depth. Top Layer The Top Layer IPS 5500 approaches intrusion prevention from a network architecture perspective. It builds on Top Layer s core competencies in network appliances to create a deep packet inspection intrusion prevention solution, with key features in four primary areas: Architecture Protection The IPS 5500 contains several dedicated hardware processing units to handle the demands of deterministic IPS. For example, one ASIC-based network processor is dedicated to reassembling IP fragments and addressing common network evasion techniques. At layers 2-4, it adds an FPGA (field programmable gate array) with a built-in stateful inspection firewall to conduct all the core firewall capabilities. In addition, it uses a second FPGA subsystem to implement streaming stateful parsing and matching for deep packet inspection and detection of protocol anomalies and unknown attacks. Top Layer provides protection up the stack and across the enterprise. It provides protection that ranges from basic stateful-inspection firewall capabilities to denial-ofservice (DOS/DDOS) and protocol anomaly prevention. The IPS 5500 adds value deployed either on the perimeter or in front of critical assets. Performance Reliability The key to any inline security device is its ability to handle high-speed traffic without slowing it down (latency) or dropping packets. In third party tests, Top Layer has consistently demonstrated its strength in the performance arena. Top Layer s IPS 5500 was designed for reliability. It contains bypass ports for seamless network insertion and failsafe connectivity, redundant and hot-swappable 4 2004 Spire Security, LLC. All rights reserved.

Intrusion Prevention Systems: Next Generation Firewalls components for failover requirements and cluster configurations for high availability. Spire Viewpoint The buzz bandwagon is a crowded one in the security space. Intrusion prevention can mean many things to many different people. It is important to understand what type of intrusion prevention device is a good solution. While IDS is most often compared to IPS, firewalls are the closest relative, since architecture trumps intelligence (and rock beats scissors) every time. While the architecture provides the strength of IPS, it also highlights a different kind of strength for IDS it s passive nature. As long as there are packets on the network, there will be a need for intrusion detection. IDS is intended to monitor all traffic that is allowed into the network. It operates as a part of a system of checks and balances that ensure the proper operation of the network. Ultimately, the decision to deploy IPS devices comes when a firewall is being upgraded or there is a desire for additional protection with defense in depth deployments. Because of this, IPS devices should operate like a firewall, complete with deterministic ruleset, and an architecture that will integrate with the rest of the network environment. 2004 Spire Security, LLC. All rights reserved. 5

Contact Spire Security To comment about this white paper or contact Spire Security, LLC about other security topics, please visit our website at www.spiresecurity.com. This white paper is sponsored by Top Layer Networks. Spire Security maintains its independence regarding the content and assertions that is the product of years of security audit, design, and consulting work.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information