Intrusion Prevention Systems Ahmed Saeed Team Leader (Cisco Division) CTTC (PVT) Limited


Page 1: Intrusion Prevention Systems

Intrusion Prevention Systems

Ahmed Saeed

Team Leader (Cisco Division)

CTTC (PVT) Limited

Page 2: Intrusion Prevention Systems

WHAT IS IPS?

Intrusion Prevention System: a system located on the network that monitors the network for issues like security threats and policy violations, then takes corrective action.

Performs Deep Packet Inspection

Page 3: Intrusion Prevention Systems

WHAT CAN AN IPS DO?

IPS can detect and block:
- OS, web and database attacks
- Spyware / malware
- Instant messenger
- Peer to peer (P2P)
- Worm propagation
- Critical outbound data loss (data leakage)

Page 4: Intrusion Prevention Systems

DIFFERENCE BETWEEN IDS AND IPS

Intrusion Detection System (IDS)
- Passive
- Hardware/software based
- Uses attack signatures
- Configuration: SPAN/mirror ports
- Generates alerts (email, pager)
- After-the-fact response

Intrusion Prevention System (IPS)
- Inline & active
- Hardware/software based
- Uses attack signatures
- Configuration: inline, with failover features
- Generates alerts (email, pager)
- Real-time response

Page 5: Intrusion Prevention Systems

IPS TYPES

IPS can be grouped into 3 categories:
- Signature based
- Anomaly based (NBAD)
- Hybrid

Page 6: Intrusion Prevention Systems

SIGNATURE BASED

- Use pattern matching to detect malicious or otherwise restricted packets on the network
- Based on current exploits (worms, viruses)
- Detect malware, spyware and other malicious programs
- Bad traffic detection, traffic normalization

Page 7: Intrusion Prevention Systems

SIGNATURE BASED PRODUCTS

- Sourcefire / Snort
- StillSecure
- NFR
- Cisco IOS IPS

Page 8: Intrusion Prevention Systems

SIGNATURE: PROS & CONS

Pros
- Very flexible
- Well suited to detect single packet attacks like SQL Slammer

Cons
- Relatively little Zero Day protection
- Generally requires that the attack is known before a signature can be written

Page 9: Intrusion Prevention Systems

ANOMALY BASED

Anomaly based IPS look for deviations or changes from previously measured behavior, like:
- Substantial increase in outbound SMTP traffic
- New open ports or services
- Changes in TCP/IP parameters

Page 10: Intrusion Prevention Systems

ANOMALY BASED PRODUCTS

- Mazu Networks
- Arbor Networks
- Q1 Labs
- Top Layer

Page 11: Intrusion Prevention Systems

ANOMALY: PROS & CONS

Pros
- Better protection against Zero Day threats
- Better detection of “low and slow” attacks

Cons
- Cannot protect against single packet attacks like SQL Slammer
- Cannot analyze packets at layers 5 – 7 of the OSI model

Page 12: Intrusion Prevention Systems

HYBRID IPS

A hybrid IPS combines signature based IPS and anomaly based IPS in a single device.
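To make the distinctions on the preceding slides concrete (a passive IDS that only alerts versus an inline IPS that drops, single-packet signature matching, baseline-based anomaly detection, and a hybrid that runs both engines), here is an added Python example; it is not code from the deck or from any vendor product listed. The Packet type, the signature byte patterns, the addresses, the traffic counts and the mean-plus-k-standard-deviations baseline rule are all constructed for this example and do not describe how any named product works.

```python
# Added example (not from the deck): a toy signature engine, a toy anomaly
# engine and a hybrid that combines them, run over constructed traffic.
# Signature patterns, addresses and counts below are all constructed.
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    minute: int      # capture minute, used for rate baselining
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes


# Constructed signatures: (name, proto, dport, byte pattern). The byte
# patterns are placeholders for the example, not real vendor or Snort rules.
SIGNATURES = [
    ("EXAMPLE-single-packet-worm", "udp", 1434, b"\x04\x01\x01\x01"),
    ("EXAMPLE-web-cmd-injection", "tcp", 80, b"/bin/sh"),
]


def signature_match(pkt):
    """Return the first matching signature name, or None.
    One packet is enough for a verdict, which is why the deck says
    signature IPS suits single-packet attacks like SQL Slammer."""
    for name, proto, dport, pattern in SIGNATURES:
        if pkt.proto == proto and pkt.dport == dport and pattern in pkt.payload:
            return name
    return None


def enforce(packets, mode):
    """'ids': passive sensor on a SPAN port, every packet is forwarded and
    only an alert is raised after the fact. 'ips': inline, a signature hit
    is dropped before it reaches its destination."""
    forwarded, dropped, alerts = [], [], []
    for p in packets:
        name = signature_match(p)
        if name:
            alerts.append(name)
            if mode == "ips":
                dropped.append(p)
                continue
        forwarded.append(p)
    return forwarded, dropped, alerts


def outbound_smtp_per_minute(packets, internal_prefix):
    """Count outbound SMTP (tcp/25) packets from internal hosts per minute."""
    counts = Counter()
    for p in packets:
        if p.src.startswith(internal_prefix) and p.proto == "tcp" and p.dport == 25:
            counts[p.minute] += 1
    return counts


def anomaly_alerts(packets, baseline_minutes, internal_prefix="10.0.0.", k=3.0):
    """Flag minutes whose outbound SMTP count exceeds the measured baseline
    (mean + k * stddev of the first `baseline_minutes` minutes, with a floor
    of +1 so a flat baseline still needs a real increase). It reasons about
    volume only, so it can say nothing about a single packet's contents."""
    counts = outbound_smtp_per_minute(packets, internal_prefix)
    baseline = [counts.get(m, 0) for m in range(baseline_minutes)]
    threshold = mean(baseline) + max(k * pstdev(baseline), 1.0)
    return [(m, counts[m], threshold)
            for m in sorted(counts) if m >= baseline_minutes and counts[m] > threshold]


def hybrid_verdicts(packets, baseline_minutes=10):
    """Hybrid: run both engines; each catches what the other cannot."""
    sig_hits = [(i, n) for i, p in enumerate(packets) if (n := signature_match(p))]
    return {"signature_hits": sig_hits,
            "anomalous_minutes": anomaly_alerts(packets, baseline_minutes)}


def build_sample_traffic():
    """Constructed capture: a quiet SMTP baseline, then a burst, then one
    packet matching the constructed worm signature, then a benign request."""
    pkts = []
    for m in range(10):                      # minutes 0-9: 2 or 3 outbound SMTP sessions
        for _ in range(2 + m % 2):
            pkts.append(Packet(m, "10.0.0.5", "203.0.113.10", "tcp", 25, b"EHLO mail.example\r\n"))
    for i in range(40):                      # minute 10: one host suddenly opens 40 sessions
        pkts.append(Packet(10, "10.0.0.9", f"203.0.113.{20 + i % 5}", "tcp", 25, b"EHLO x\r\n"))
    pkts.append(Packet(11, "198.51.100.7", "10.0.0.3", "udp", 1434,
                       b"\x04\x01\x01\x01" + b"\x01" * 20))   # single packet, matches signature
    pkts.append(Packet(11, "198.51.100.8", "10.0.0.4", "tcp", 80,
                       b"GET /index.html HTTP/1.1\r\n"))       # benign request
    return pkts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print(hybrid_verdicts(traffic))
    _, dropped, alerts = enforce(traffic, "ips")
    print(f"inline mode dropped {len(dropped)} packet(s), alerts: {alerts}")
```

Running it shows the split the slides describe: the single UDP packet is caught only by the signature engine (the anomaly engine has no baseline for one packet's contents), while the SMTP burst in minute 10 is caught only by the anomaly engine (no signature matches an ordinary EHLO). In "ids" mode both events are merely reported; in "ips" mode the signature hit is dropped inline.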

Page 13: Intrusion Prevention Systems

HYBRID PRODUCTS

- Juniper
- Cisco
- IBM-ISS
- TippingPoint
- McAfee

Page 14: Intrusion Prevention Systems

HYBRID PROS & CONS

Pros
- Superior protection for both known and Zero Day threats
- Each plays off the weakness of the other

Cons
- Generally more expensive than either anomaly or signature based products
- Can be slower depending on architecture

Page 15: Intrusion Prevention Systems

ARCHITECTURE: SOFTWARE VS. HARDWARE

Software based
- Generally runs Linux or a BSD variant
- E.g. Snort / Sourcefire, NitroSecurity, StillSecure

Hardware based
- Uses ASIC / FPGA technology
- E.g. TippingPoint, Top Layer, McAfee

Page 16: Intrusion Prevention Systems

SOFTWARE PROS & CONS

Pros
- More flexible
- Generally easier to add major functionality
- Cheaper
- Generally has more functionality

Cons
- Usually slower than hardware
- Latency is usually higher than hardware

Page 17: Intrusion Prevention Systems

HARDWARE PROS & CONS

Pros
- Speed, speed, speed
- Lower latency than software
- Fewer moving parts to fail

Cons
- Expensive
- Not easily upgradeable: major upgrades usually mean new ASIC chips

Page 18: Intrusion Prevention Systems

WHAT ABOUT UTM?

Unified Threat Manager: all-in-one devices that can do:
- Firewall
- Antivirus
- IPS
- VPN
- Etc.

This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions.

Page 19: Intrusion Prevention Systems

UTM PRODUCTS

- Fortinet
- Radware
- SonicWall
- ISS-Proventia
- Cisco (ASA appliance)
- Juniper (SSG and ISG firewalls)

Page 20: Intrusion Prevention Systems

UTM PROS & CONS

Pros
- Cost effective for remote branch offices where other capabilities like a firewall are also needed

Cons
- Usually a limited subset of IPS functionality and signatures as compared to stand-alone IPS products

Page 21: Intrusion Prevention Systems

THINKING ABOUT AN IPS?

- Why? What problem are you trying to solve?
- What other problems may be solved?
- What problems may arise?
- If Networking is a different group than Security, do you have their buy-in?

Page 22: Intrusion Prevention Systems

TIPS WHEN SELECTING AN IPS

- Prepare an RFP. You can get a sample one from the Internet.
- Do an on-site POC of your top choices. It’s vital to see how the device works in your network.
- Make sure you test their support, especially if you are going to buy 24x7.
- Look for product certifications: ICSA, NSS Group, Neohapsis.

Page 23: Intrusion Prevention Systems

WHAT TO CONSIDER WHEN BUYING

Speed / latency
- Will the device perform under load?
- Is the latency acceptable? Very important if you have VOIP!

Accuracy
- How many attacks did it miss?
- How many false attacks did it block?

Signature updates
- Absolutely critical. How often the signatures are updated is a key indicator of how serious they are about selling IPS.

High availability
- Will it do Active-Passive, Active-Active?

“Fail open”
- Will the device pass traffic in the event of a device failure?

Page 24: Intrusion Prevention Systems

IPS TESTING AND CERTIFICATIONS

Testing & certifications are done by:
- ICSA Labs
- NSS Group
- Neohapsis

ICSA is the newest. NSS is arguably the most respected, for now.

The IPS should have at least one certification.

Page 25: Intrusion Prevention Systems

QUESTIONS?

Page 26: Intrusion Prevention Systems

THANK YOU