Intrusion Prevention System


Intrusion prevention is a preemptive approach to network security used to identify potential threats and respond to them swiftly. Like an intrusion detection system (IDS), an intrusion prevention system (IPS) monitors network traffic. However, because an exploit may be carried out very quickly after the attacker gains access, an intrusion prevention system also has the ability to take immediate action, based on a set of rules established by the network administrator. For example, an IPS might drop a packet that it determines to be malicious and block all further traffic from that IP address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient with no apparent disruption or delay of service. Two practical caveats follow from this: because the device sits in-line, a false positive does not merely raise an alert but blocks real traffic, so rules must be tuned for the environment; and blocking by source address should be applied with care, since an attacker who spoofs the source of a few malicious packets can trick the IPS into cutting off legitimate hosts.

According to Michael Reed of Top Layer Networks, an effective intrusion prevention system should also perform more complex monitoring and analysis, such as watching and responding to traffic patterns as well as individual packets. "Detection mechanisms can include address matching, HTTP string and substring matching, generic pattern matching, TCP connection analysis, packet anomaly detection, traffic anomaly detection and TCP/UDP port matching."

In the loosest sense, the term "intrusion prevention system" is sometimes stretched to cover any product or practice used to keep attackers from gaining access to your network, including firewalls and anti-virus software. The criteria below take a narrower view: a product earns the name only if it analyzes activity, keeps state, and responds on its own, which is why several technologies that do prevent intrusions are listed later as "Not IPS."

IPS Criteria
This section defines the criteria for IPS technology. The criteria were formulated from a general survey of the technologies on the market. Moreover, they are intended to reinforce the concept that an IPS is a "reactive" system: one that detects threats and reacts to them in-line, rather than merely reporting them.

Requirement 1 – Sophisticated Analysis
The first and most critical requirement of an IPS is that it must possess some kind of internal intelligence that can differentiate malicious activity from safe activity, using some type of anomaly detection component. This component should systematically analyze system behavior or communications against a sophisticated and dynamic set of criteria, tolerances, and static signatures. The key word in this criterion is sophisticated. The analysis engine must be more than just a big set of rules; it must be adaptable and dynamic.

Additionally, the analysis must be sophisticated enough to categorize and identify activity. Merely blocking malicious code or communication is not sufficient for a true IPS. It must identify the nature of the activity and give administrators some insight into it. Since this is what intrusion detection systems do, it is natural for the analysis component of an IPS to be an IDS engine that analyzes, ranks, identifies, and describes system or network activity. Furthermore, this intelligence must be an integral component of the system; it cannot be a static rule-set or access control list. The analysis must be exhaustive and sophisticated enough to detect subtle differences in attack vectors.

Perhaps one way to look at this concept is in terms of airport security. Consider two different security checkpoints. Guard 1 merely checks whether you have a valid ticket; if you do, he lets you pass. Guard 2 checks your ticket, but he also looks through your belongings, asks you questions about where you are going, and runs your belongings through bomb and metal detectors.

Guard 1 is performing access control. He is enforcing a static set of rules: if you have a ticket, you pass; if you do not, you cannot. This offers extremely limited security. Guard 2 is performing intrusion prevention. He is not only enforcing a static rule set, he is also analyzing you and your "payload." If you appear to be safe, he lets you pass; but if you are carrying a bomb or a gun, he blocks your passage (and probably arrests you). Moreover, Guard 2 is doing more than just looking at your belongings. He is asking you questions, like "where are you going today?" or "where did you come from?" He is using his intelligence to determine whether you have sinister intentions. Furthermore, he is probably also paying attention to current events and adapting his sensitivity to odd behavior based on environmental factors. If there is a warning from the government that terrorists are likely to be boarding planes, his sensitivity to strange behavior is increased.
Requirement 2 – Statefulness
The Guard 1 and Guard 2 example leads to the next criterion of an IPS: statefulness. An IPS must implement some type of awareness of its environment. It cannot just blindly accept or reject activity; it must have some understanding of the environment in which it operates. The key word in this criterion is awareness. This could take the form of maintaining network or operating system state information. For example, an in-line IPS gateway should maintain tables of which systems are communicating, and with whom, so that it can tell a data packet on an established connection from one injected blindly with no handshake behind it. Furthermore, state information must feed back into the analysis engine. When the detection and identification engine is analyzing information, it must take the state of that information into account. This could be in the form of tolerances or heuristics that adapt to the network or system environment.
Requirement 3 – Automated Response
In addition to detecting and identifying suspect behavior, an IPS must be able to respond to that detection. This mechanism must have the ability to automatically prevent hostile code from entering a secured area and/or executing. This prevention can be configurable and have different levels of enforcement, yet it must function (or have the option to function) automatically.
The key word in this criterion is automated. The response must be automatic and must not require human intervention. This ensures that the product can actively protect systems and/or data and does not require constant monitoring by people.
Ideally, this automated response should be contained within the IPS technology itself. Some products have attempted to sell themselves as IPS technologies because they have an option to interface with other security technologies. For example, some products can automatically write rules into a perimeter firewall. This type of external dependency creates a weakness in the IPS technology as a whole: it makes the IPS dependent upon an external system which may or may not respond as desired, and the attack traffic keeps flowing during the interval between detection and the firewall applying the new rule. This would not disqualify a product as an IPS, but it certainly makes it weaker.
Requirement 4 – Rapid Response
Automation therefore begets immediacy. An IPS must not only respond to malicious behavior, it must do so with expedience. An IPS must actively practice and enforce protection in real time or near real time. In other words, it must deliver critical detection and protection while malicious events are happening. This requirement may seem obvious, but when you look at the range of products calling themselves IPS, it instantly invalidates many of them. The key word in this criterion is active. An IPS is not a passive system that leisurely reports problems to some big database. It must actively protect information systems and/or data from unauthorized or malicious use.
Moreover, it must implement this security in real time. When malicious activity is detected, it must immediately respond to that activity and prevent it. It cannot wait until somebody pushes a button to enable the protection.
Not IPS
Now that the criteria are established, it is important to separate out a few technologies that are not IPS. They either fail to meet the criteria or are simply being over-spun by the marketing people at their respective companies.
Pre-Hardened Operating Systems: This is a new line of products that has emerged recently. Basically, they are operating systems (usually Linux variants) that have been pre-hardened against attack. Some of them even include novel components to control access and prevent unauthorized applications from executing. These technologies offer very good security and will prevent intrusions, but they lack the internal intelligence to analyze behavior or traffic for malicious activity. They typically deal with a static set of rules that merely allow or disallow something to execute.
Personal Firewalls: Sorry, but ZoneAlarm, Tiny, and all the other personal firewalls are not intrusion prevention systems. Specifically, these products all lack the internal intelligence to distinguish between normal and abnormal activity. Naturally, I would disassociate ISS’s BlackICE firewall from this group, since it does contain an internal analysis engine that can perform deep inspection of network traffic for intrusions.
Integrity Monitors: Software that merely monitors the integrity of system files or data may be very useful in tracking changes, but it does not qualify as an IPS. This is mainly because these systems typically lack automated response mechanisms or real-time protection.
Encryption Technologies: Encrypting data is important, but it is not an IPS. Merely encrypting data does not mean it is safe. The whole concept of an IPS is to detect attempts to carry out malicious or unwanted activities. Encrypting data may increase its security, but encryption has no ability to detect and respond to attacks in real time.

Firewalls: This is perhaps the most contentious issue in the IPS world. Firewall vendors are desperately trying to re-brand their products as intrusion prevention systems. Firewalls are tough to exclude, because they exhibit many of the qualities of a good IPS. Most firewall vendors have jumped on the IPS bandwagon and are rapidly trying to build deeper levels of inspection and protection into their products. Some vendors are doing a very good job at this; others seem to be taking a piecemeal approach and just dropping in analysis on a few high-value protocols, like HTTP. This space also includes the proxy-based firewalls, which in many ways were the predecessors of IPS. Therefore, it is clear that some firewalls are IPS or have IPS qualities, while others, namely the purely stateful packet inspection firewalls, are not IPSs.
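To make the distinctions above concrete, here is an added illustration (not code from the original paper or from any vendor) that runs the same constructed traffic through three toy engines: a purely port-based stateful firewall, a passive IDS that only records alerts, and an inline IPS that detects in the payload and applies its own block in the same step, with no call-out to an external firewall. The signatures, addresses and payloads are hypothetical sample data, and the URL-decoding step is an assumption about how a real engine would normalize HTTP before matching.

```python
"""Toy model of the IPS criteria: one traffic stream, three verdicts.
Added example; the engines, signatures and sample packets are hypothetical."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


# Hypothetical content signatures: a SQL injection probe and a path traversal.
SIGNATURES = (
    ("sqli", re.compile(rb"(?i)\bunion\s+(all\s+)?select\b")),
    ("traversal", re.compile(rb"(?:\.\./){2,}")),
)


def normalize(payload):
    """Assumed pre-match normalization: undo URL encoding so an encoded
    attack cannot slip past the pattern (evasion that a port filter never sees)."""
    return unquote_to_bytes(payload)


def match(payload):
    """Return the name of the first matching signature, or None."""
    data = normalize(payload)
    for name, rx in SIGNATURES:
        if rx.search(data):
            return name
    return None


class StatefulFirewall:
    """Port-based allow/deny. Never looks at the payload, so an attack
    over an allowed port is simply allowed."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def filter(self, pkt):
        return "allow" if pkt.dport in self.allowed_ports else "deny"


class PassiveIDS:
    """Detects and logs, but lets every packet through (reports, no response)."""
    def __init__(self):
        self.alerts = []

    def inspect(self, pkt):
        name = match(pkt.payload)
        if name:
            self.alerts.append((name, pkt.src))
        return "allow"


class InlineIPS:
    """Detects and responds in the same step, with its own block list:
    the offending packet is dropped and later traffic from that source
    is dropped too, with no dependency on an external device."""
    def __init__(self):
        self.blocked_sources = set()
        self.events = []

    def inspect(self, pkt):
        if pkt.src in self.blocked_sources:
            return "drop"
        name = match(pkt.payload)
        if name:
            self.events.append((name, pkt.src))
            self.blocked_sources.add(pkt.src)  # automated, internal response
            return "drop"
        return "allow"


# Constructed sample traffic (not captured data).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /item?id=1%27%20UNION%20SELECT%20user,pass"
                           b"%20FROM%20accounts-- HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /item?id=2 HTTP/1.1\r\n\r\n"),  # same attacker
    Packet("10.0.0.7", 8080, b"GET /../../../../etc/passwd HTTP/1.1\r\n\r\n"),
]


def evaluate(traffic):
    """Run each packet through all three engines and collect the verdicts."""
    fw, ids, ips = StatefulFirewall({80, 443}), PassiveIDS(), InlineIPS()
    verdicts = [(fw.filter(p), ids.inspect(p), ips.inspect(p)) for p in traffic]
    return {
        "verdicts": verdicts,
        "ids_alerts": ids.alerts,
        "ips_events": ips.events,
        "ips_blocked": sorted(ips.blocked_sources),
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_TRAFFIC)
    for pkt, (fw, ids, ips) in zip(SAMPLE_TRAFFIC, result["verdicts"]):
        print(f"{pkt.src}:{pkt.dport}  firewall={fw}  ids={ids}  ips={ips}")
    print("IDS alerts:", result["ids_alerts"])
    print("IPS blocked:", result["ips_blocked"])
```

The second packet is the point of the exercise: the port filter allows it because port 80 is permitted, the IDS allows it and merely writes an alert, and only the IPS drops it and keeps dropping the source afterwards. The last packet shows the converse: the firewall denies it on port alone, while the content engines are the ones that actually know why it is hostile.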
Conclusion
IPS is here to stay. It is a compelling and valuable addition to the information security of any organization. Understanding what IPS means and how it works is the first step toward using and benefiting from its capabilities. It is time for the information security community to adopt some standards for IPS. Without a standard set of criteria, it becomes too easy for marketing people to mislead or misinform customers. This can result in poor decision making and decreased security. Hopefully, this paper will serve as a reference to organizations on what they can expect from an IPS. This market is growing rapidly, and it is easy to become lost in the myriad of products and pitches from vendors. When you objectively analyze products based on the criteria in this paper, it will become clear which technologies offer the most advanced


Article source: http://searchsecurity.techtarget.com/definition/intrusion-prevention
Article source: http://www.anitian.com/downloads/ips_defined.pdf