IPS Next Generation Firewalls Intrusion Systems

The term "Intrusion Prevention" has recently appeared in the security vocabulary. It certainly means more than a compelling marketing message.

The idea behind this technology is that any attack against any component of the protected environment will be deflected by the intrusion prevention solution. Ideally, an Intrusion Prevention System can intercept any network packet, make a deliberate decision as to whether it represents an attack or legitimate use, and then take the appropriate action to stop the attack entirely. The end result would be a much reduced need for intrusion detection or surveillance once all threats have been neutralised.

This paper analyses the limitations of existing systems as well as the urgent need for a complete and correct solution in the future. Next, the characteristics of the two technologies that combine into "intrusion prevention solutions", intrusion detection and firewalls, are discussed. We note their useful features and highlight the architectural requirements for any security device that intends to operate inline on the network. Finally, the article proposes a Top Layer approach to intrusion prevention: a practical way of transforming firewall capabilities into a deeper content inspection solution.

The obvious need behind ads for "Intrusion Prevention"

The buzz surrounding the term "Intrusion Prevention" is being driven by the marketing efforts of some companies, by the attention analysts such as Gartner are paying to the topic, and by the press. New "Web firewall" products are beginning to be priced and discussions are heating up. A large percentage of traffic is currently carried over Port 80, and most firewall products lack the ability to enforce application-layer policies on a large volume of traffic. Port 80 has therefore become the symbol of a serious shortcoming in simple stateful-inspection firewalls, given the success of recent attacks and the increasing pace at which B2B projects tunnel Web services and SOAP objects through Port 80.

CIOs and security executives are analysing whether they need to add new, fully fledged measures against the application-layer threats that are emerging. They have already deployed firewalls, anti-virus software and intrusion detection systems on their networks, but still feel unsafe. In the face of existing threats, risks have to be carefully assessed and mitigation plans put in place for existing systems. Demands for more open access, customer concerns and pressure to adapt are all increasing. As a result, security experts are looking to add security solutions that support the needs of the business units:

- Business executives are pursuing more open applications in an effort to achieve higher productivity.

- Remote access points through IPsec and "client-less" VPNs are being attached to the network to extend increasingly distributed services.

- Consumers are suffering from denial-of-service attacks by hackers that cause Internet transactions to fail and undermine trust. Credit card numbers and other private data are being stolen.

Because of the urgent need to protect systems, companies and government agencies are actively focusing on the issue. Security vendors are re-examining their products. Companies that build high-availability "Web farm" load-balancing systems are even being pushed by market pressure to work out what they can offer against the new threats to network applications. New companies are also emerging with products intended to provide rapid, novel remedies. Plans are generally good and progress is being made, but a complete solution is not yet in place.

IT security is essential to provide solutions against known and unknown threats

While many new threats are potentially hidden, security experts face challenges on many fronts:

1. Provide protection against known application-specific threats that can bypass firewalls and intrusion detection systems. Currently, anti-virus gateways backed by virus signature databases and update services provide some protection, but more is needed.

2. Provide protection with filters for all protocols, not just HTTP (multi-protocol "Intrusion Prevention"). Some types of threat are currently handled by hybrid application firewalls.

3. Provide specialised filtering, blocking and validation technologies with content controls, for the purpose of minimising known and unknown attacks. The goal is to reduce the risk of an unknown threat becoming the next "Code Red". Hybrid firewalls, which are likely to provide Layer 3 to Layer 7 security mechanisms, will offer the most appropriate platform for this development.

4. Scale to meet large bandwidth requirements. The evolution here will include performance improvements in hardware, programmable network interface cards (NICs), gateways based on ASICs (application-specific integrated circuits) and better management tools for high-capacity clustered solutions.

The features of new application-level attacks are driving security technology innovation

Security systems are being stretched because e-commerce initiatives push them far beyond their original design. This leaves systems and applications open for hackers to probe and then exploit vulnerabilities in the application/client communication process. Hackers have proven that many exploitable weaknesses can be found in both new and old versions of applications, helped by automated programming tools and software evaluation methods. Consider, for example, that user input fields in Web applications are sensitive points (vulnerable to attack). Building in the ability to defend against attacks while the application is in use is rarely a goal of application designers. And because these attacks are carried out through the application itself, application-specific attacks do not necessarily violate RFC standards or even the protocols themselves. As a result, such attacks are often invisible to the firewall in many systems and are therefore able to "hide" in the normal flow of traffic. This new evolution in attacks is very clever, unique to each application and very difficult to identify.

Although absolute protection is unworkable, there is no doubt that "Intrusion Prevention" solutions are indispensable to any security architecture. Basically, "Intrusion Prevention" solutions are the replacement for the current generation of firewalls, so they must first act as a firewall if they are to succeed.

What is an Intrusion Prevention System (IPS)?

Intrusion Prevention Systems

The two types of IPS known in the market today are "server-based" and "inline" (network-based). "Server-based" systems are intrusion prevention software written to "hook" directly into applications or installed directly on application servers. This article focuses only on "inline" security. Inline security resembles a dual-ported firewall architecture or an anti-virus gateway that sits in front of the protected applications and provides intrusion prevention services for the many applications downstream of the IPS. In this sense, we can define an "inline" intrusion prevention system as any hardware or software device capable of detecting and preventing known attacks. Even more simply, "Intrusion Prevention" refers to detecting and then blocking specific, application-aware attacks. The term "Intrusion Prevention System" itself is used to integrate both the "detection system" and the "prevention system" under one structure. Note that this definition is intended only for known attacks.

Detect and prevent

On the surface, intrusion detection and intrusion prevention solutions appear to compete. After all, they share the same list of functions: packet inspection, stateful analysis, IP fragment reassembly, TCP segment reassembly, deep packet inspection and signature matching. An IPS acts as the gatekeeper of a residential area, allowing and denying access based on credentials and a set of rules. An IDS (intrusion detection system) works like a patrol car inside the residential area, monitoring activity and spotting unusual situations. Regardless of the level of security at the entrance, the patrol car keeps operating as an independent monitoring system and a check of its own.

Intrusion detection

The purpose of "intrusion detection" is to provide monitoring, inspection, auditing and reporting of network activity. It works on packets that have been allowed through an access control device. Because of operational constraints and the risk of false alarms, "Intrusion Prevention" must allow some "grey area" attacks through. IDS solutions, on the other hand, are packed with intelligence that uses a variety of techniques to identify intrusions, exploits, misuse and potential attacks. An IDS can operate without affecting the computing architecture or network connectivity.

The passive nature of an IDS gives it the freedom to apply intelligent analysis to packet flows. An IDS can identify:

- Known attacks, by signatures and rules.

- Variations in traffic volume and direction, using complex rules and statistical analysis.

- Patterns in traffic, using flow analysis.

- Abnormal activity, using baseline deviation analysis.

- Suspicious activity, by combining flow analysis, statistical techniques and anomaly detection.

Intrusion prevention

As mentioned earlier, "Intrusion Prevention" solutions aim to protect resources, data and networks. They reduce the threat of attack by removing harmful or malicious network traffic while allowing legitimate activity to continue. The goal is a perfect system: no false alarms that reduce end-user productivity, and no false negatives that create excessive risk within the environment. Perhaps the more essential requirement is trust, that is, performing as intended under all conditions. This means that "Intrusion Prevention" solutions are put in place to deal with:

- Unwanted applications and "Trojan horse" attacks targeting individual networks and applications, through defined rules and access control lists.

- Malformed-packet attacks such as LAND and WinNuke, through the use of high-speed packet filters.

- Protocol abuse and evasion, such as fragmented protocol operations like Fragroute and TCP overlap exploits, through intelligent reassembly.

- Denial of Service (DoS/DDoS) attacks such as SYN and ICMP "flooding", through threshold-based filtering algorithms.

- Application and protocol abuse, including known and unknown attacks against HTTP, FTP, DNS and SMTP, through application protocol rules and signatures.

- Overload attacks or application abuse, through threshold-based limits on the consumption of finite resources.

All attacks, and the conditions that allow them to occur, are documented. In addition, anomalies in communication protocols, from the network layer through the application layer, correspond to no kind of legitimate traffic, so such errors select themselves for blocking in context.
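As an added illustration, not taken from the original article, of two mechanisms listed above (a high-speed packet filter for malformed packets such as LAND, and threshold-based filtering for SYN floods), the following Python runs a small inline filter over constructed packet records. The record format, addresses, threshold and window are assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (time_s, src_ip, dst_ip, proto, tcp_flags); "S" = SYN.
# Addresses and timings are made up for this example.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", "tcp", "S"),
    (0.10, "192.0.2.10", "192.0.2.10", "tcp", "S"),  # LAND-style: src == dst
    (0.20, "10.0.0.7", "192.0.2.10", "tcp", "S"),
] + [(0.30 + i * 0.01, "198.51.100.9", "192.0.2.10", "tcp", "S") for i in range(25)] + [
    (0.80, "10.0.0.5", "192.0.2.10", "tcp", "A"),
]

def land_rule(pkt):
    """Static packet-filter rule: a SYN whose source equals its destination
    is never legitimate, so dropping it carries no false-alarm risk."""
    _, src, dst, proto, flags = pkt
    return proto == "tcp" and "S" in flags and src == dst

class SynRateLimiter:
    """Threshold-based filter: remember SYN timestamps per source within a
    sliding window; beyond `threshold` SYNs, further SYNs are dropped."""
    def __init__(self, threshold=20, window_s=1.0):
        self.threshold, self.window_s = threshold, window_s
        self.history = defaultdict(deque)

    def exceeds(self, pkt):
        ts, src, _, proto, flags = pkt
        if proto != "tcp" or "S" not in flags or "A" in flags:
            return False                        # only bare SYNs count
        q = self.history[src]
        while q and ts - q[0] > self.window_s:  # expire entries outside the window
            q.popleft()
        q.append(ts)
        return len(q) > self.threshold

def inline_filter(packets, limiter=None):
    """Apply the rules in order to each packet; return (verdict, reason) per packet.
    Legitimate hosts keep passing while only the offending source is throttled."""
    limiter = limiter or SynRateLimiter()
    verdicts = []
    for pkt in packets:
        if land_rule(pkt):
            verdicts.append(("drop", "land"))
        elif limiter.exceeds(pkt):
            verdicts.append(("drop", "syn-flood"))
        else:
            verdicts.append(("pass", ""))
    return verdicts
```

Of the 29 constructed packets, the LAND packet and the 21st to 25th SYNs from the flooding source are dropped; everything else, including the other hosts' SYNs and the later ACK, passes.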

The state of IPS technology

The state of IPS technology is mixed when viewed from the perspective of individual vendors' products, each offering its own mix of detection, monitoring, prevention, updating and reporting on every transmission, for incoming and outgoing traffic, through a dedicated network choke point. Businesses have spent millions of dollars on products to help them protect their networks. Today's emerging IPS products are primarily focused on Port 80 and thus do not replace existing systems; instead they add value to them. An all-encompassing IPS solution will have to be developed and proven before such systems can be considered a real alternative to the systems already deployed.


Long-term goals

In the future, an inline security gateway solution must achieve these goals:

- The ability to detect and block attacks through the logical and physical application of many enforcement technologies. Broadly speaking, this also includes the ability to prevent both known and unknown types of attack through "Application Defenses".

- The ability to work together with the deployed security infrastructure to support data collection, electronic evidence, monitoring and compliance reporting where needed.

- The ability not to disrupt business activity through lack of availability, poor performance, false assertions, or inability to work with the specified authentication infrastructure.

- The ability to assist IT security professionals in carrying out their organisation's risk management plans, including the cost of implementation and operation and the results obtained from the system's alerts and reports.

Challenges to achieve the goal

- Currently there is no accepted third-party research on the effectiveness of IPS as a solution. The hype surrounding "Intrusion Prevention" confuses what the technology can deliver with what it promises.

- A multi-layered approach to IT security continues to be valuable while the industry evolves. A move away from defence in depth as currently organised does not appear imminent.

- Many IPS solutions will have IDS-like requirements for tuning, monitoring and reporting.

A pragmatic view of the future

At present there is no one-size-fits-all product that can meet broad market demand at a level where it could replace the current firewall, NIDS (Network Intrusion Detection System), Layer 7 switches and other components; these may or may not become tomorrow's inline security gateways. However, if such a product appears, it will be consistent with the goals discussed earlier in this document, including the "Application Defenses" capability. What's next? A revolution is not predictable and generally involves many steps along the way. Future threats that we do not know today will dictate the direction of future solutions. New threats and new vulnerabilities may be discovered that affect today's "Intrusion Prevention" concepts in fundamental ways. But the development of "Intrusion Prevention Systems" is more like the gradual blending, over time, of different security concepts into a real defence model.