IPS (Intrusion Prevention Systems)

Intrusion Prevention Systems (IPS) are systems designed to detect unauthorized intrusions into a network and take action to stop them. There are two main types of IPS. The first is network-based, in which a device called a sensor runs an operating system that monitors network packets on certain circuits and reports intrusions to an IPS management console. The second is host-based, which uses a software package installed on a host or server to monitor activity on that server and likewise report intrusions to the IPS management console.

There are two common techniques for determining whether an intrusion is in progress, and most IPSs use both to get the best coverage. The first is misuse detection, which compares monitored activity with signatures of known attacks. If a known attack signature is recognized, the IPS issues an alert and discards the suspicious packet. Since new attacks are constantly being created, the database of attack signatures must always be kept up to date. The second is anomaly detection, which compares monitored activity with “normal” activity for that network; if a major deviation is found, such as a large number of failed login attempts, the IPS issues an alert and discards the suspicious packet. This works best in a stable network, but its drawback is that a deviation may turn out to be a false alarm.
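The two techniques side by side, as an added example that is not from the original page or from any IPS product: misuse detection matches packet payloads against a list of known-bad byte patterns, while anomaly detection keeps a per-source count of failed logins and flags a source once it exceeds a multiple of the learned baseline. The signatures, baseline, threshold factor and sample packets are all constructed for the demonstration; the brute-force burst also shows the false-alarm risk the text mentions, since a forgetful legitimate user would trip the same counter.

```python
"""Toy IPS inspection loop combining misuse (signature) and anomaly detection.

Added example, not code from any IPS product. Signatures, thresholds and
sample traffic are constructed for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    event: str = ""  # constructed application-level event, e.g. "login_failed"


# Constructed attack signatures: byte pattern -> alert message.
SIGNATURES = {
    b"../../../../etc/passwd": "path traversal attempt",
    b"' OR 1=1--": "SQL injection probe",
}


def misuse_detect(pkt):
    """Misuse detection: return an alert message if the payload contains a
    known signature, otherwise None. The signature list must be kept current,
    since a brand-new attack has no entry here."""
    for pattern, msg in SIGNATURES.items():
        if pattern in pkt.payload:
            return msg
    return None


class AnomalyDetector:
    """Anomaly detection: flag a source whose failed-login count exceeds
    baseline * factor, where the baseline is what is 'normal' for the network.
    A stable network gives a reliable baseline; a noisy one gives false alarms."""

    def __init__(self, baseline_per_window, factor=5):
        self.threshold = baseline_per_window * factor
        self.failed = Counter()

    def observe(self, pkt):
        if pkt.event == "login_failed":
            self.failed[pkt.src] += 1
            if self.failed[pkt.src] > self.threshold:
                return f"anomalous failed logins from {pkt.src}: {self.failed[pkt.src]}"
        return None


def inspect(packets, baseline=2):
    """Run both techniques over a packet stream. Returns (passed, dropped), where
    dropped is a list of (packet, reason) pairs an IPS would alert on and discard."""
    detector = AnomalyDetector(baseline)
    passed, dropped = [], []
    for pkt in packets:
        reason = misuse_detect(pkt) or detector.observe(pkt)
        if reason:
            dropped.append((pkt, reason))
        else:
            passed.append(pkt)
    return passed, dropped


def sample_packets():
    """Constructed traffic: two signature hits, a 12-attempt login burst from one
    host, and three ordinary web requests."""
    pkts = [
        Packet("203.0.113.7", "10.0.0.2", b"GET /../../../../etc/passwd HTTP/1.1"),
        Packet("203.0.113.7", "10.0.0.2", b"user=admin' OR 1=1--"),
    ]
    pkts += [Packet("10.0.0.5", "10.0.0.2", b"login", event="login_failed") for _ in range(12)]
    pkts += [Packet("10.0.0.9", "10.0.0.2", b"GET /index.html HTTP/1.1") for _ in range(3)]
    return pkts


if __name__ == "__main__":
    ok, bad = inspect(sample_packets())
    for pkt, why in bad:
        print(f"DROP {pkt.src} -> {pkt.dst}: {why}")
    print(f"{len(ok)} packets passed, {len(bad)} dropped")
```

With a baseline of 2 failed logins and a factor of 5, the threshold is 10, so the eleventh and twelfth attempts from 10.0.0.5 are dropped while the first ten pass; the two signature hits are dropped regardless of volume.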

An IPS is typically used in conjunction with other security tools such as firewalls. Unfortunately, IPS sensors and management consoles are themselves frequently targeted for attack, so the IPS must be kept very secure. Many organizations use IPSs from different vendors to overlap or increase coverage.

As well as having an IPS to detect intrusions, an organization must have a plan for responding to intrusions immediately. If an organization needs help assembling an emergency team for this purpose, it can contact CERT, the Internet’s emergency response team, for assistance. Responding to intrusions is not always straightforward: a DoS attack may come from the IP address of a legitimate client, for example, so simply discarding all messages from that IP would cause the company to miss important messages.

Types of security controls include user training, antivirus software, firewalls, encryption both in transit and on servers, and IPS. One source of such protection is Snort, an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Snort is widely deployed and uses signature-, protocol-, and anomaly-based inspection. It performs real-time traffic analysis and packet logging on IP networks. The company states that it can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, and SMB probes. It uses a flexible rules language to describe traffic that should be stopped or passed, and its detection engine uses a modular plug-in architecture. Snort has three primary uses: straight packet sniffer, packet logger, or full-blown network intrusion prevention system. It has real-time alerting capabilities with several options for alert formats. The company feels that open source can be leveraged to create superior software because thousands of programmers review and test the functionality of the Snort engine and rule sets, so new attacks can be detected and responded to faster than in a closed environment. Snort is free; it can be downloaded from www.snort.org and requires some other software to be downloaded to use it.
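To make the "flexible rules language" concrete, here is an added example (not Snort's own code, and not taken from the original page) that parses a small subset of the Snort rule syntax and matches it against a constructed packet record. The subset covers the seven-field header (action, protocol, source address and port, direction, destination address and port) and the common `msg`, `content`, `nocase`, `sid` and `rev` options with plain-string content; Snort's hex content (`|..|`), variables such as `$HOME_NET`, address lists and the many other options are deliberately left out. The rule text and the packets are constructed for the demonstration.

```python
"""Minimal parser and matcher for a subset of the Snort rule language.

Added example, not Snort's own implementation. Supports: a 7-field header
with 'any', a single IP or a CIDR for addresses (optionally negated with '!'),
'any', a single port or a lo:hi range for ports, the '->' and '<>' directions,
and plain-string 'content' with optional 'nocase'. Hex content, variables and
address lists are not handled.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)


def _split_options(body):
    """Split the option body on semicolons that are not inside double quotes,
    so a msg containing ';' is preserved intact."""
    parts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(text):
    """Parse 'action proto src sport dir dst dport (opt:val; flag; ...)'."""
    header, _, body = text.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}")
    options = {}
    for opt in _split_options(body.rstrip().rstrip(")")):
        key, sep, val = opt.partition(":")
        # Options without a value (e.g. nocase) are stored as boolean flags.
        options[key.strip()] = val.strip().strip('"') if sep else True
    return Rule(*fields, options=options)


def _addr_match(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax lo:hi, either end may be empty
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport, payload (str)."""
    if rule.proto != pkt["proto"]:
        return False

    def endpoints_ok(a, ap, b, bp):
        return (_addr_match(rule.src, a) and _port_match(rule.src_port, ap)
                and _addr_match(rule.dst, b) and _port_match(rule.dst_port, bp))

    forward = endpoints_ok(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule.direction == "<>":
        forward = forward or endpoints_ok(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not forward:
        return False
    content = rule.options.get("content")
    if content is not None:
        hay, needle = pkt["payload"], content
        if rule.options.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


# Constructed rule in local-rule sid range; not from any real ruleset.
SAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
               '(msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; '
               'nocase; sid:1000001; rev:1;)')

# Constructed packets: one that should alert, one to the wrong port, one clean.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10",
     "dport": 80, "payload": "GET /etc/PASSWD HTTP/1.1"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "192.168.1.10",
     "dport": 443, "payload": "GET /etc/passwd HTTP/1.1"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51002, "dst": "192.168.1.10",
     "dport": 80, "payload": "GET /index.html HTTP/1.1"},
]


def evaluate(rule_text=SAMPLE_RULE, packets=SAMPLE_PACKETS):
    """Return the list of booleans: does the rule fire on each packet?"""
    rule = parse_rule(rule_text)
    return [rule_matches(rule, p) for p in packets]


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    for p, hit in zip(SAMPLE_PACKETS, evaluate()):
        print(f"{r.action.upper() if hit else 'pass '} {p['dst']}:{p['dport']} "
              f"{r.options['msg'] if hit else ''}")
```

Only the first packet fires: it is TCP to the /24 on port 80 and carries the content case-insensitively. The second has the content but the wrong port, and the third has neither, which is the point of pairing header fields with payload options in one rule.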

Snort’s parent company, Sourcefire, is an open source security company which offers several levels of IPS options for purchase. IPSs were invented to serve the needs of large organizations in detecting hacks from within their networks; since firewalls are external-facing, they would not work for that purpose. However, smaller networks do not have the security staff to configure an IPS, or the budget, as these systems are expensive. Sourcefire has introduced an entry-level system, IPSx, which strips out features designed for larger networks such as advanced policy management and custom workflow. The entry-level system keeps the core reporting and alerts, pre-defined policies, and a simple interface, but it still runs from $18,000 to $35,000. Sourcefire’s full IPS products are even more expensive.

Having an IPS requires an investment of time by a company’s IT professionals to configure and update the system, and because threats change constantly, the system will constantly require reconfiguring and updating. A large company can purchase an IPS, but it is expensive and will still need constant monitoring. Nevertheless, this is an investment of time and/or money that a company of any size must consider. Having a network open to intrusion can result in huge amounts of damage to the system, and to the company and its clients in the form of stolen data.

References

Dunn, John. “Sourcefire takes Intrusion Prevention to Masses.” 18 April 2011. PC World. 12 August 2011 <http://www.pcworld.com/article/225443/sourcefire_takes_intrusion_prevention_to_masses_with_ipsx.html>.

Fitzgerald, Jerry. Business Data Communications and Networking. 10th ed. Hoboken: John Wiley & Sons, 2009.

Snort. 2010. 12 August 2011 <http://www.snort.org>.

Sourcefire. 2011. 12 August 2011 <http://www.sourcefire.com/>.