Intrusion Prevention Systems
Ahmed Saeed
Team Leader (Cisco Division)
CTTC (PVT) Limited
WHAT IS IPS?
- Intrusion Prevention System: a system located on the network that monitors the network for issues like security threats and policy violations, then takes corrective action.
- Performs Deep Packet Inspection
WHAT CAN AN IPS DO?
IPS can detect and block:
- OS, Web and database attacks
- Spyware / Malware
- Instant Messenger
- Peer to Peer (P2P)
- Worm propagation
- Critical outbound data loss (data leakage)
DIFFERENCE BETWEEN IDS AND IPS

| | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|---|
| Deployment | Passive | Inline & active |
| Platform | Hardware/software based | Hardware/software based |
| Detection | Uses attack signatures | Uses attack signatures |
| Configuration | SPAN/Mirror ports | Inline, with fail-over features |
| Alerting | Generates alerts (email, pager) | Generates alerts (email, pager) |
| Response | After the fact | Real time |
IPS TYPES
IPS can be grouped into 3 categories:
- Signature Based
- Anomaly Based (NBAD)
- Hybrid
SIGNATURE BASED
- Use pattern matching to detect malicious or otherwise restricted packets on the network
- Based on current exploits (worms, viruses)
- Detect malware, spyware and other malicious programs
- Bad traffic detection, traffic normalization
SIGNATURE BASED PRODUCTS
- Sourcefire / Snort
- StillSecure
- NFR
- Cisco IOS IPS
SIGNATURE: PROS & CONS
Pros
- Very flexible
- Well suited to detect single-packet attacks like SQL Slammer
Cons
- Relatively little Zero Day protection
- Generally requires that the attack is known before a signature can be written
ANOMALY BASED
Anomaly based IPS look for deviations or changes from previously measured behavior, such as:
- Substantial increase in outbound SMTP traffic
- New open ports or services
- Changes in TCP/IP parameters
ANOMALY BASED PRODUCTS
- Mazu Networks
- Arbor Networks
- Q1 Labs
- Top Layer
ANOMALY: PROS & CONS
Pros
- Better protection against Zero Day threats
- Better detection of "low and slow" attacks
Cons
- Cannot protect against single-packet attacks like SQL Slammer
- Cannot analyze packets at layers 5 – 7 of the OSI model
HYBRID IPS
- Hybrid IPS combine Signature Based IPS and Anomaly Based IPS into a single device
HYBRID PRODUCTS
- Juniper
- Cisco
- IBM-ISS
- TippingPoint
- McAfee
HYBRID PROS & CONS
Pros
- Superior protection for both known and Zero Day threats
- Each plays off the weakness of the other
Cons
- Generally more expensive than either Anomaly or Signature based products
- Can be slower depending on architecture
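The slides on signature, anomaly and hybrid IPS describe three detection approaches in words; the following Python is an added example (not code from the slides, nor from any vendor named here) that sketches all three over constructed flow records. A signature stage pattern-matches a single packet and returns an inline "drop" verdict (the IPS, rather than IDS, response); an anomaly stage learns a baseline of per-host outbound SMTP volume and of known internal services from clean windows and then flags deviations; a hybrid wrapper runs both. The signature content strings, the 10.0.0.x "internal" range and all traffic are constructed. Running it shows the known single-packet pattern being dropped, a never-seen payload on the same port passing the signature stage (the Zero Day con), and the SMTP burst plus a new listening port surfacing only from the anomaly stage (which, in turn, cannot say anything about a lone packet).

```python
"""Toy hybrid IPS: a signature stage and an anomaly stage over constructed
flow records. Added example; not code from the slides or any vendor."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    """One observed flow (constructed sample data, not a real capture)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


INTERNAL_PREFIX = "10.0.0."   # hypothetical monitored network
SMTP_PORT = 25

# Signature stage. Hypothetical rules: the content strings are constructed
# markers, not patterns taken from any real worm or exploit.
SIGNATURES = [
    {"name": "constructed-udp-1434-worm", "proto": "udp", "dport": 1434,
     "content": b"CONSTRUCTED-WORM-MARKER"},
    {"name": "constructed-http-marker", "proto": "tcp", "dport": 80,
     "content": b"CONSTRUCTED-HTTP-MARKER"},
]


def signature_match(flow):
    """Return the first matching signature name, or None. Decides on one
    packet, so it catches single-packet attacks but only known patterns."""
    for sig in SIGNATURES:
        if (flow.proto == sig["proto"] and flow.dport == sig["dport"]
                and sig["content"] in flow.payload):
            return sig["name"]
    return None


class AnomalyDetector:
    """Learns a baseline from clean windows, then flags deviations: outbound
    SMTP bursts per internal host and never-seen internal services."""

    def __init__(self, sigmas=3.0):
        self.sigmas = sigmas
        self.smtp_threshold = None
        self.known_services = set()
        self.hosts = set()

    @staticmethod
    def _smtp_counts(flows, hosts):
        c = Counter(f.src for f in flows
                    if f.dport == SMTP_PORT and f.src.startswith(INTERNAL_PREFIX))
        return {h: c.get(h, 0) for h in hosts}   # zero for quiet hosts

    def learn(self, windows):
        self.hosts = {f.src for w in windows for f in w
                      if f.src.startswith(INTERNAL_PREFIX)}
        samples = [n for w in windows for n in self._smtp_counts(w, self.hosts).values()]
        self.smtp_threshold = mean(samples) + self.sigmas * pstdev(samples)
        self.known_services = {(f.dst, f.dport) for w in windows for f in w
                               if f.dst.startswith(INTERNAL_PREFIX)}

    def analyze(self, flows):
        """Window-level alerts as (kind, host, value) tuples."""
        alerts = []
        hosts = self.hosts | {f.src for f in flows if f.src.startswith(INTERNAL_PREFIX)}
        for host, n in self._smtp_counts(flows, hosts).items():
            if n > self.smtp_threshold:
                alerts.append(("smtp-burst", host, n))
        seen = set()
        for f in flows:
            key = (f.dst, f.dport)
            if (f.dst.startswith(INTERNAL_PREFIX) and key not in self.known_services
                    and key not in seen):
                seen.add(key)
                alerts.append(("new-service", f.dst, f.dport))
        return alerts


def hybrid_inspect(detector, flows):
    """Hybrid verdict for one window: per-flow inline verdicts from the
    signature stage plus window-level alerts from the anomaly stage."""
    verdicts = []
    for f in flows:
        name = signature_match(f)
        verdicts.append("drop:" + name if name else "pass")
    return verdicts, detector.analyze(flows)


def build_sample():
    """Constructed traffic: five clean training windows and one test window."""
    def smtp(src, n):
        return [Flow(src, "203.0.113.10", "tcp", SMTP_PORT) for _ in range(n)]
    normal = [Flow("10.0.0.7", "10.0.0.20", "tcp", 443, b"GET /"),
              Flow("198.51.100.4", "10.0.0.20", "tcp", 443, b"GET /")]
    training = [smtp("10.0.0.5", n) + normal for n in (2, 3, 2, 3, 2)]
    test = smtp("10.0.0.5", 3) + smtp("10.0.0.7", 40) + normal + [
        Flow("198.51.100.9", "10.0.0.20", "udp", 1434, b"CONSTRUCTED-WORM-MARKER"),
        Flow("198.51.100.9", "10.0.0.20", "udp", 1434, b"NEVER-SEEN-BEFORE"),
        Flow("198.51.100.9", "10.0.0.9", "tcp", 4444, b"x"),
    ]
    return training, test


def run_demo():
    training, test = build_sample()
    det = AnomalyDetector()
    det.learn(training)
    return hybrid_inspect(det, test)


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    print([v for v in verdicts if v != "pass"], alerts)
```

The anomaly threshold is a mean plus three standard deviations over per-host, per-window SMTP counts learned from the clean windows; a real product would baseline many more metrics and window sizes, but the shape of the decision (a burst from 10.0.0.7 is flagged, 10.0.0.5's usual three messages are not) is the same.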
ARCHITECTURE: SOFTWARE VS. HARDWARE
- Software based
  - Generally runs Linux or a BSD variant
  - E.g. Snort / Sourcefire, NitroSecurity, StillSecure
- Hardware based
  - Uses ASIC / FPGA technology
  - E.g. TippingPoint, Top Layer, McAfee
SOFTWARE PROS & CONS
Pros
- More flexible
- Generally easier to add major functionality
- Cheaper
- Generally has more functionality
Cons
- Usually slower than hardware
- Latency is usually higher than hardware
HARDWARE PROS & CONS
Pros
- Speed, Speed, Speed
- Lower latency than software
- Fewer moving parts to fail
Cons
- Expensive
- Not easily upgradeable: major upgrades usually mean new ASIC chips
WHAT ABOUT UTM?
Unified Threat Manager: all-in-one devices that can do:
- Firewall
- Antivirus
- IPS
- VPN
- Etc.
This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions.
UTM PRODUCTS
- Fortinet
- Radware
- SonicWall
- ISS-Proventia
- Cisco (ASA appliance)
- Juniper (SSG and ISG Firewalls)
UTM PROS & CONS
Pros
- Cost effective for remote branch offices where other capabilities like Firewall are also needed
Cons
- Usually a limited subset of IPS functionality and signatures as compared to stand-alone IPS products
THINKING ABOUT AN IPS?
- Why? What problem are you trying to solve?
- What other problems may be solved?
- What problems may arise?
- If Networking is a different group than Security, do you have their buy-in?
TIPS WHEN SELECTING AN IPS
- Prepare an RFP. You can get a sample one from the Internet.
- Do an on-site POC of your top choices. It's vital to see how the device works in your network.
- Make sure you test their support, especially if you are going to buy 24x7.
- Look for product certifications: ICSA, NSS Group, Neohapsis.
WHAT TO CONSIDER WHEN BUYING
- Speed / latency
  - Will the device perform under load?
  - Is the latency acceptable? Very important if you have VoIP!
- Accuracy
  - How many attacks did it miss?
  - How many false attacks did it block?
- Signature updates
  - Absolutely critical. How often the signatures are updated is a key indicator of how serious they are about selling IPS.
- High availability
  - Will it do Active-Passive, Active-Active?
- "Fail open"
  - Will the device pass traffic in the event of a device failure?
IPS TESTING AND CERTIFICATIONS
- Testing & certifications are done by ICSA Labs, NSS Group and Neohapsis
- ICSA is the newest
- NSS is arguably the most respected, for now
- The IPS should have at least one certification
QUESTIONS?
THANK YOU