Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Overview
Taxonomy of intrusion detection systems
Promiscuous & Inline Mode Protection:
IDS, IPS
Snort
Summary
2/14/15
[Figure: inline IPS deployment. Traffic enters the switch, passes through sensor ports 1 and 2, and continues to the target; the sensor reports to a management console.]
1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode).
2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
3. The IPS sensor can also send an alarm to a management console for logging and other management purposes.
4. Traffic in violation of policy can be dropped by an IPS sensor.
[Figure: the same deployment with dropped traffic routed to the bit bucket instead of the target; the sensor still reports to the management console.]
Both technologies are deployed using sensors.
Both technologies use signatures to detect patterns of misuse in network traffic.
IDS (Promiscuous Mode)
    Advantages: No impact on network (latency, jitter)
    Disadvantages: Response action cannot stop trigger packets
IPS (Inline Mode)
    Disadvantages: Sensor issues might affect network traffic; sensor overloading impacts the network
[Figure: host-based IPS deployment. An agent runs on each protected host, including the WWW server and the DNS server, behind a firewall that faces the untrusted network.]
[Figure: network-based IPS deployment. A single sensor sits behind the firewall facing the untrusted network, in front of the WWW server and DNS server, and reports to a management system.]
HIPS
    Advantages: Is host-specific; Protects host after decryption; Provides application-level encryption protection
    Disadvantages: Operating system dependent; Lower level network events not seen; Host is visible to attackers
Network IPS
    Advantages: Is cost-effective; Not visible on the network; Operating system independent; Lower level network events seen
Signature Triggers
Trigger                      Advantages             Disadvantages
Pattern-based Detection      Easy configuration
Anomaly-based Detection      Easy configuration
Policy-based Detection       Customized policies    Generic output
Honey Pot-Based Detection
Signature Types
Atomic
Simplest form
Consists of a single packet, activity, or event
Does not require intrusion system to maintain state information
Easy to identify
Composite
Also called a stateful signature
Identifies a sequence of operations distributed across multiple hosts
Signature must maintain a state known as the event horizon
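The atomic versus composite distinction above, as an added example that is not part of the original slides: a toy Python sensor with one atomic signature (the same content match used in the Snort rule later in the deck) and one composite signature that keeps per-source state only within a configurable event horizon, so events older than the horizon are forgotten. The packet records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed packet records for the example (not real captures).
@dataclass(frozen=True)
class Packet:
    t: float          # seconds since capture start
    src: str          # source address
    dport: int        # destination TCP port
    flags: str        # "S" = SYN only
    payload: bytes = b""

def atomic_match(pkt):
    """Atomic signature: one packet decides; no state is kept between packets."""
    if b"uk.youtube.com" in pkt.payload:
        return "someone visited YouTube"
    return None

class SynScanSignature:
    """Composite (stateful) signature: SYNs to many distinct ports from one source.
    Events are remembered only within the event horizon; older ones are discarded."""
    def __init__(self, distinct_ports=5, horizon=10.0):
        self.distinct_ports = distinct_ports
        self.horizon = horizon
        self.state = defaultdict(deque)   # src -> deque of (t, dport)

    def feed(self, pkt):
        if pkt.flags != "S":
            return None
        events = self.state[pkt.src]
        events.append((pkt.t, pkt.dport))
        while events and pkt.t - events[0][0] > self.horizon:
            events.popleft()              # fell outside the event horizon
        if len({port for _, port in events}) >= self.distinct_ports:
            events.clear()                # fire once, then reset this source
            return f"possible port scan from {pkt.src}"
        return None

def run_sensor(packets):
    scan = SynScanSignature()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.t):
        for alert in (atomic_match(pkt), scan.feed(pkt)):
            if alert:
                alerts.append((pkt.t, alert))
    return alerts

SAMPLE = (
    [Packet(t, "10.0.0.5", p, "S") for t, p in zip((1, 1.5, 2, 2.5, 3), (21, 22, 23, 25, 80))]
    + [Packet(t, "10.0.0.9", p, "S") for t, p in zip((0, 4, 8, 12, 16), (21, 22, 23, 25, 80))]
    + [Packet(5, "10.0.0.7", 80, "PA", b"GET / HTTP/1.1\r\nHost: uk.youtube.com\r\n")]
)
```

The slow scanner 10.0.0.9 never has five ports inside one ten-second horizon, so it produces no alert; the fast one does.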
Pattern-based Detection
Trigger                    Atomic Signature                                  Stateful Signature
Pattern-based detection    No state required to examine pattern to
                           determine if signature action should be applied
Example

Policy-based Detection
Signature Trigger          Atomic Signature                                  Stateful Signature
IPS Sensors
Factors that impact IPS sensor selection and deployment:
Size of implementation
Small (branch offices)
Large
Enterprise
Snort
Open source, freely available software (except for some rule sets)
Installed as a dedicated server on Windows, Linux and Solaris operating systems
Placed as a network sensor in a network
Rules are a set of instructions that define the action to take after matching a signature (atomic or composite)
Example:
# closing quote on content and a sid/rev pair added so the rule parses and loads
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com"; msg:"someone visited YouTube"; sid:1000001; rev:1;)
Snort Modes
Sniffer Mode
Used to sniff traffic from the network.
Traffic is captured using libpcap or winpcap, directly from the sensor interface.
Logger Mode
Simple logging into a file. Two possible formats are binary and ASCII.
Logging into a database (e.g. MySQL).
Can be used for creating the normal traffic profile.
Summary
An intrusion detection system (IDS) is software or hardware designed to monitor, analyze and respond to network traffic.
It can be classified as profile-based or signature-based intrusion detection.
Signatures can be defined as atomic or composite.
It is available as host-based or network-based intrusion detection.
IDS is used as promiscuous mode protection in the DMZ.
IPS is used as inline mode protection for securing the internal network.
Cisco 4200 series IDS and IPS sensors offer a rich set of features for IDS and IPS.
Snort is an open source, free IDS that can operate in sniffer, logging and intrusion detection/prevention modes. Snort uses rules to analyze traffic.
IDS/IPS software can itself be vulnerable to exploits, so run a patched version and shut down unnecessary services.
Unified Threat Management (UTM) is a network device that combines many features in one box, e.g. Untangle, Watchguard.