This article provides a deep dive into Intrusion Prevention System architecture.
An Intrusion Prevention System (IPS) is a network security device that monitors traffic for intrusions and detects suspicious activity such as policy violations, security threats and other malicious behaviour.
Exploits usually take the form of malicious input to a target application or resource, which the attacker then uses to take control of the application or to disrupt it.
An IPS may drop a packet it considers harmful and block all further activity from that port or IP address, while legitimate traffic continues to flow unaffected.
Intrusion prevention systems can be seen as an incremental step beyond intrusion detection, because they monitor system activity for suspicious behaviour in the same way.
The fundamental difference is that, unlike an intrusion detection system, an intrusion prevention system can be set up to prevent or stop intrusions once they are detected.
Intrusion Prevention System Architecture
One or more sensors are the core of any intrusion prevention system deployment. Each sensor is placed at a strategic location to inspect traffic on particular network segments.
In the past, organizations had to install a sensor on each segment of a network. However, a single sensor is now capable of monitoring multiple segments at once.
IPS sensors are deployed to monitor network segments within an organization. They are placed wherever networks with different security policies meet, such as Internet connection points or internal user networks, so that each of these networks is monitored.
Some vendors offer virtual appliance sensors in addition to hardware sensors. They have the same monitoring and analysis capabilities as the hardware sensor, but a virtual appliance can be deployed inside a server that hosts virtual machines (VMs) to monitor the virtual networks among those VMs.
Because traffic between VMs never leaves the server in such architectures, a virtual appliance must be installed on the server itself in order to see it.
Bouncer IPS is a multi-module device, with a specific component for each function. These are the components of Bouncer IPS:
- Bouncer Defense Unit (BDU)
- Bouncer Control Unit (BCU)
- Bouncer Report Unit (BRU)
- Intelligence Plug-In
- Alarm Center Plug-In
- Bouncer Shield Plug-In
- Update Manager Plug-In
- Bouncer Inter-Connection Channel (BIC)
Bouncer Defense Unit
The Bouncer Defense Unit (BDU) is the heart of intrusion prevention. The BDU's policies define the protection level. It is completely transparent and does not affect network traffic, and it supports several deployment options.
It can be placed on several network segments, such as the perimeter and the DMZ. The BDU can be set up with its default policies, or the policies can be customized to the customer's requirements before it is deployed.
Bouncer Control Unit
The Bouncer Control Unit (BCU) is an intuitive, easy-to-use control centre. From its console the security operator selects a BDU, sets up traffic monitoring and queries the logs.
To maximize security, all communication between BDUs and the BCU is carried over transparent protocols rather than TCP/IP.
Bouncer Reporting Unit
Bouncer Reporting Units (BRUs) provide advanced drill-down capabilities integrated with Crystal Reports. Through the user-friendly report format, managers can access detailed information at both the tactical and the operational level.
Bouncer Intelligence Center Plug-In
The Bouncer Intelligence Center Plug-In gathers intelligence about attackers during an attack. It also supports adaptive context construction and the triggering of different responses.
The intelligence plug-in is installed separately so that intelligence can be gathered centrally. BDU security policies define how much and which types of target data may be collected.
The intelligence plug-in also provides high-quality graphical representations of both the attacker's activity and the scale of the attack.
Alarm Center Plug-In
The Alarm Center Plug-In manages the consolidation and distribution of alarms among a variety of alarm devices (mobile phones, pagers, e-mail addresses and so on).
It consolidates alarms from the various BDUs and disseminates alarm data to designated personnel, BCUs and BDUs.
Bouncer Shield Plug-In
The Bouncer Shield Plug-In maintains and updates information about the most suspect targets. This information is sourced from industry professionals.
Update Manager Plug-In
The Update Manager Plug-In manages Bouncer system updates such as hotfixes and patterns. It also distributes security information and other relevant information to the BCUs and BDUs.
Bouncer Inter-Connection Channel (BIC)
The BIC provides seamless connection between all components of the Bouncer IPS (BDU and BCU). Multiple channels are used to keep the functions reliably separated, so that online inspection is not interrupted by data probing and data distribution.
Setting up the IPS
The IPS configuration consists of the following elements:
- Disabling or enabling the IPS
- Vulnerability definitions
- IPS exceptions
- Initial definition configuration
- Resetting the configuration
Disabling or Enabling the IPS
All IPS functionality can be turned on or off. Disabling the IPS disables every vulnerability definition; however, the configuration of each definition is retained.
After the IPS has been turned off and on again, the configuration settings of all definitions are unchanged.
Vulnerability Definitions
Each definition is unique and corresponds to a particular vulnerability. Definitions are stored as binary blob data and specify a default response recommended by Microsoft, which is one of the following two responses:
- Block and log. Block malicious packets containing exploit code that matches the definition (if TCP is used, the packet is dropped) and create a log entry naming the relevant definition.
- Log only. Create a log entry naming the relevant definition for every malicious packet detected, without blocking it.
The IPS can be configured to use the default response specified by each definition (block and log, or log only), to only log packets detected by any definition and raise events, or to be disabled. When the IPS is disabled, no definition's response is applied.
Every definition includes its publication date. Definitions may also contain the following fields:
- Business Impact: the possible levels are low, medium and high.
- Confidence: the possible levels are low, medium and high.
- Severity: the possible levels are low, medium, significant, important and critical.
- Risk Level: the possible levels are low, medium and high.
- Related Bulletins: a list of related security bulletins published by the Microsoft Response Center.
- Protocol: the targeted protocol.
- Type: the malware type, the most common being trojans, adware and spyware.
Forefront TMG Management lists the vulnerability definitions available to the IPS under the Intrusion Prevention System node, grouped by category. Each category carries its own set of fields:
- Virtual Patching: these definitions are identified by a unique name, publication date, severity level, response, protocol and list of security bulletins.
- P2P/IM Blocking: these definitions are identified by a unique name, publication date, risk level and response.
- Malware: these definitions are identified by a unique name, publication date, risk level, type and protocol.
- Other: these definitions are identified by a unique name and publication date, and include a response.
The IPS favours rapid development of vulnerability-based definitions, which protect until patches are installed (in contrast to exploit-based definitions, which must be created for each particular attack).
A definition identifies exploits of the relevant vulnerability, whereas a patch removes the vulnerability from the software and thereby renders the exploit code useless.
Vulnerability definitions contain the policy updates needed to detect and block attacks on newly discovered vulnerabilities in Microsoft products. IPS definitions are released in parallel with Microsoft patch releases.
A Microsoft definition authoring group creates the IPS definitions once a vulnerability has been discovered.
Definitions are usually associated with Microsoft Response Center bulletins, but in some cases a definition may be made available before the bulletin is. Forefront TMG installations worldwide receive definitions through Microsoft Update.
Forefront TMG does not allow a definition to be removed: once downloaded, it remains in Forefront TMG for as long as Forefront TMG is in service.
Forefront TMG also keeps previous versions of definitions in case of problems.
Microsoft Update provides the inspection definitions. Nitrogen (the Forefront TMG codename) periodically checks for new or updated definitions and downloads them automatically; the Nitrogen computer can also be updated manually.
The Nitrogen Update Client detects definitions it does not yet have, as well as updates to existing definitions, and then downloads the relevant packages.
Once definitions have been downloaded and processed, they are configured either by the administrator or by the automatic activation policy.
To receive definition updates, you must sign up
Definitions can be used to block RPC calls for a specific UUID or calls to vulnerable functions.
Administrative tasks include setting the update schedule for definitions and activating them.
IPS Exceptions
There are two kinds of exceptions that specify traffic sources or destinations to be excluded from IPS inspection:
- Global IPS exception list of IP addresses. IP addresses belonging to specific network entities can be excluded from the IPS. The IPS will not inspect or affect non-HTTP traffic whose source or destination is an address in the global exception list, and it will not inspect HTTP traffic whose source and destination are both addresses in these network entities. The list can include computers, computer sets, networks, network sets and subnets.
- Excluded domain name sets. Domain name sets can be excluded from the scope of the IPS; the IPS will not inspect or affect HTTP traffic to the domain names in these sets.
The IP address and domain name exception lists apply to all enabled definitions.
Initial configuration
When the Getting Started Wizard runs, it asks whether you want to enable the IPS. If you enable it, you choose one of these options:
- Apply the default action that Microsoft recommends for each definition: block and log, or log only, the traffic that matches the definition.
- Detect and report malicious traffic and raise events, without blocking the traffic.
A schedule is also required for obtaining updates from Microsoft Update. The following schedules can be created:
- Check for updates whenever a time interval elapses; this is the only option that checks more than once a day.
- Check for updates every day at a time convenient to you.
- Check for updates only on selected days of the week.
- Never check for updates.
Forefront TMG Management allows any of the initial IPS settings to be changed at any time.
Resetting IPS configuration
The IPS configuration of all downloaded definitions can be reset at any time by choosing one of these options:
- Apply the default action that Microsoft recommends for each definition: block and log, or log only, the traffic that matches the definition.
- Detect and report malicious traffic and raise events, without blocking the traffic.
The reset applies to definitions already downloaded, and the selected option is also applied to any new definitions downloaded afterwards.
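As an added illustration (not Forefront TMG code), the following Python models the response logic described in the definitions, exceptions and reset sections above: each definition carries a vendor-recommended default response, the IPS can use it, log only, or be disabled, and the IP and domain exception lists apply to every enabled definition. The definition names, addresses and host names are constructed sample values.

```python
"""Decision logic of a definition-driven IPS, modelled on the response modes and
exception lists described in the text (added illustration, not product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BLOCK_AND_LOG, LOG, PASS = "block_and_log", "log", "pass"


@dataclass
class Definition:
    name: str                 # hypothetical definition name, e.g. "Sample-RPC-0001"
    protocol: str             # targeted protocol, e.g. "http", "smb"
    default_response: str     # vendor-recommended: BLOCK_AND_LOG or LOG
    enabled: bool = True


@dataclass
class IpsConfig:
    enabled: bool = True
    mode: str = "default"     # "default" (each definition's response) or "detect_only"
    exempt_ips: list = field(default_factory=list)    # global IP exception list (CIDRs)
    exempt_domains: set = field(default_factory=set)  # excluded domain name sets

    def reset(self, mode):
        """Reset the response configuration; the setting is kept for future definitions."""
        assert mode in ("default", "detect_only")
        self.mode = mode


def _in_exempt_ips(cfg, addr):
    a = ip_address(addr)
    return any(a in ip_network(net, strict=False) for net in cfg.exempt_ips)


def is_exempt(cfg, pkt):
    """Exception rules from the text: non-HTTP traffic is exempt if either endpoint is
    in the IP exception list; HTTP traffic only if both endpoints are, or if the
    destination host name is in an excluded domain set."""
    if pkt["protocol"] == "http":
        if pkt.get("host") in cfg.exempt_domains:
            return True
        return _in_exempt_ips(cfg, pkt["src"]) and _in_exempt_ips(cfg, pkt["dst"])
    return _in_exempt_ips(cfg, pkt["src"]) or _in_exempt_ips(cfg, pkt["dst"])


def respond(cfg, definition, pkt):
    """Return the action for a packet whose content matched `definition`."""
    if not cfg.enabled or not definition.enabled:
        return PASS                        # disabled: no response, configuration retained
    if is_exempt(cfg, pkt):
        return PASS                        # exceptions apply to every enabled definition
    if cfg.mode == "detect_only":
        return LOG                         # detect and report, never block
    return definition.default_response     # vendor-recommended default
```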
Activity Statistics
In Forefront TMG Activity Statistics, the following two fields report the overall activity of the IPS:
- Packets inspected by the IPS
- Packets blocked by the IPS
Scenarios
The Forefront Threat Management Gateway IPS is intended to provide protection in the following scenarios.
Edge Firewall – Outgoing Access
Internal clients access the Internet for business or leisure. An internal client of the company may visit a malicious website that hosts exploit code for a vulnerability in a network protocol, and the patch has not yet been installed on that user's machine.
Forefront TMG, acting as the edge firewall, inspects all traffic from internal clients to the Internet. Having already downloaded the vulnerability definition, it terminates the session to the malicious Internet resource, so the client is not infected.
The IPS can also protect clients against vulnerabilities in non-browser applications such as instant messaging clients or newsgroup readers (MS05-30, for instance). The Forefront TMG administrator reviews alerts and logs to learn about the exploit attempt.
Edge Firewall Publishing
To give Internet users and partners access to company resources, the IT manager publishes an internal server through Forefront TMG.
A malicious client connects over the Internet to the published server and attempts to run exploit code that takes advantage of a known vulnerability in the network protocol.
As in the previous scenario, the vulnerability has been disclosed to Microsoft, but the patch has not yet been installed on the published server.
Forefront TMG has already downloaded the vulnerability definition and ends the session started by the malicious client, so the published server is not infected. The Forefront TMG administrator reviews the logs and alerts and discovers the exploit attempt.
Roaming Clients
An employee connects from a home computer to the corporate network over VPN. New malware infects the home computer and begins attacking corporate computers through the VPN tunnel.
Forefront TMG has already downloaded the vulnerability definition and stops every attempt to infect the corporate network with exploits for it.
Forefront TMG also detects that the VPN client is compromised and disconnects the VPN session.
Branch Office
The IT manager uses Forefront TMG to connect a branch office with headquarters, and all traffic between the branch and headquarters passes through Forefront TMG.
A branch user brings an infected laptop from home into the office. Although the virus spreads to other computers within the branch office, Forefront TMG stops it from reaching headquarters.
Host Intrusion Prevention Systems
A host intrusion prevention system (HIPS) is a security approach that uses third-party software installed on the host to detect and stop malicious activity.
A host-based IPS typically provides endpoint protection: the HIPS tool alerts the device's user to malicious activity, logs it and can block any further traffic from the offending IP address.
Host intrusion prevention systems also allow users to send logs of malicious activity and suspicious fragments directly to the vendor for identification.
Most host intrusion prevention systems use signatures to detect malicious activity. Although signature-based detection is effective, it cannot protect against every threat: it cannot guard against zero-day attacks or against anything whose signature is not in the provider's database.
A second detection method, statistical anomaly detection, builds a baseline of normal activity and compares current activity against it. A HIPS uses it to detect anomalies such as deviations in protocol usage and bandwidth.
Activity outside the acceptable range, such as a remote application trying to reach ports that are normally closed, may indicate an intrusion.
An anomaly such as an abrupt spike in bandwidth usage does not necessarily mean an attack; this approach is essentially an educated guess, so the false-positive rate is high.
Another common detection method is stateful protocol analysis, which examines the protocols carried in the packets that traverse the network. It is called stateful because the tool tracks the state of each protocol session.
It understands, for example, how TCP or UDP packets may or may not carry DNS, SMTP or HTTP, and which values each packet should or should not contain.
If there is an unexpected deviation from the protocol state, stateful protocol analysis detects it and flags it as a potential attack.
Stateful protocol analysis understands packet contents better than statistical anomaly detection, so false positives are less likely.
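The two detection methods described above, as an added Python illustration that is not from any HIPS product: a statistical baseline that flags bandwidth spikes (and will also flag benign spikes, as the text warns), and a stateful tracker of a simplified TCP state machine that reports packets arriving in a state where the protocol does not allow them. The flow labels and sample values are constructed.

```python
"""Statistical anomaly detection and stateful protocol analysis, as described in the
text (added illustration; the TCP model is a deliberately simplified hypothetical one)."""
from statistics import mean, pstdev


def bandwidth_anomalies(baseline, samples, k=3.0):
    """Return indices of samples more than k standard deviations above the baseline.
    A flagged spike is only a hint: a legitimate burst trips it just as an attack does."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [i for i, v in enumerate(samples) if v > mu + k * sigma]


# Expected TCP transitions as seen by a passive monitor: (state, flags seen) -> next state.
# Simplified model: only SYN, SYN-ACK, ACK, PSH-ACK, FIN and RST are considered.
TRANSITIONS = {
    ("CLOSED", "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN-ACK"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "PSH-ACK"): "ESTABLISHED",   # data only after the handshake
    ("ESTABLISHED", "FIN"): "CLOSING",
    ("CLOSING", "ACK"): "CLOSED",
}


class StatefulTcpAnalyzer:
    """Tracks per-flow state and reports every packet that deviates from the state
    machine, e.g. payload data sent before the handshake has completed."""

    def __init__(self):
        self.flows = {}   # flow label -> current state

    def observe(self, flow, flags):
        state = self.flows.get(flow, "CLOSED")
        if flags == "RST":                  # a reset is legal in any state and tears down
            self.flows[flow] = "CLOSED"
            return None
        nxt = TRANSITIONS.get((state, flags))
        if nxt is None:
            return f"{flow}: unexpected {flags} in state {state}"
        self.flows[flow] = nxt
        return None


def analyze_trace(trace):
    """Run a list of (flow, flags) observations and return the deviation messages."""
    analyzer = StatefulTcpAnalyzer()
    return [m for m in (analyzer.observe(f, fl) for f, fl in trace) if m]
```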
Although many HIPS products focus on a single approach, some combine several.
McAfee Host Intrusion Prevention for Desktop and Dell's Managed iSensor Intrusion Prevention System are two examples of products that rely on multiple methods to prevent intrusion.
Network Intrusion Prevention System
Network-based intrusion prevention systems (NIPS) protect networks from attacks such as denial-of-service (DoS) and unauthorized use.
A NIPS monitors the network for suspicious activity and malicious traffic by analysing protocol activity. Installed on a network, it can be used to establish physical security zones.
This makes the network intelligent enough to quickly distinguish good traffic from bad. The NIPS essentially quarantines hostile traffic such as viruses, Trojans and worms.
A NIPS sits inline on the traffic path, monitors the traffic and takes appropriate action when a suspicious event is detected.
Unlike an intrusion detection system, which is a passive device, an IPS is inline and acts continuously; the IPS is considered the evolution of the IDS.
IPS Approaches
Some of the approaches used by IPS products are:
1. Software-based algorithmic approach
This is an anomaly-detection IDS that uses neural networks, with the added ability to block intrusions.
2. Sandbox approach
Mobile code such as ActiveX controls and Java applets is run inside a sandbox, an area with restricted access to all other system resources, and its behaviour is tracked while it runs.
Execution is stopped if the code violates predefined policies (Conry-Murray).
3. Hybrid approach
A network-based IPS (NIPS) uses a variety of detection methods, some of them proprietary, such as traffic anomaly detection and signature detection, which work together to detect an impending attack and stop the traffic at an inline device.
4. Kernel-based protection approach
This approach is used in host-based IPS (HIPS). Most operating systems restrict user applications' access to the kernel: the kernel controls system resources such as memory and I/O devices and prevents direct user access to them.
To use a resource, an application sends a request to the kernel, which then performs the operation.
Any exploit code must therefore make at least one system call to reach privileged resources and services, and a kernel-based IPS blocks malicious system calls.
Programming errors such as buffer overflows allow exploits to write into and overwrite kernel memory, causing system crashes or complete takeover of the computer.
To prevent such attacks, a software agent is installed between user programs and the kernel. The agent intercepts system calls to the kernel, checks them against a policy-defined access control list, and then allows or denies access to the resource.
In some IPS products the agent also checks calls against a list of known attack signatures and behaviours, or against known good behaviour or rules for the service being provided.
The agent stops any system call that attempts to step outside its permitted zone.
Prevention Strategies
1. Protecting system resources
Trojan horses, rootkits and backdoors alter system resources such as files, directories and registry settings. If they are prevented from altering those resources, the hacking tools cannot be installed.
2. Stopping privilege escalation exploits
Privilege escalation attempts to give an ordinary user administrator or root privileges. Denying access to the resources that alter privilege levels prevents it, and with it exploits such as Trojan horses, rootkits and backdoors.
3. Preventing buffer overflow exploits
These attacks can be stopped by checking whether the code the operating system is about to execute came from a regular program or from an overflowed buffer.
4. Protecting the e-mail contact list
Many worms spread by mailing a copy of themselves as an e-mail attachment to everyone in the Outlook contact list. Preventing e-mail attachments from accessing the Outlook contact list stops this.
5. Stopping directory traversal
Through a directory traversal vulnerability, attackers can reach files outside the web server's normal range. A mechanism that confines file access to the normal web server range prevents this; on Unix, the chroot command does exactly that.
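The confinement described in strategy 5, as an added Python example that is not from the page or any product: where chroot confines the whole process at the OS level, this is the application-level check a web server can apply to each requested path. The document root and request paths are constructed sample values.

```python
"""Confine web-server file access to the document root (added illustration of the
directory traversal defence; complements, rather than replaces, an OS-level chroot)."""
import os
from urllib.parse import unquote


class TraversalAttempt(Exception):
    """Raised when a requested path would resolve outside the document root."""


def safe_resolve(web_root, requested_path):
    """Map a URL path onto a file below web_root, or raise TraversalAttempt.
    realpath() normalises '..' segments and follows symbolic links, so a link that
    points outside the root is rejected as well as a plain '../' sequence."""
    root = os.path.realpath(web_root)
    # Decode percent-encoding twice so double-encoded '%252e%252e' is seen as '..'.
    decoded = unquote(unquote(requested_path)).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares whole path components, so "/srv/www-old" cannot pass as
    # a child of "/srv/www" the way a naive startswith() check would allow.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalAttempt(requested_path)
    return candidate


def classify(web_root, paths):
    """Resolve each request; None marks a request the server must refuse."""
    result = {}
    for p in paths:
        try:
            result[p] = safe_resolve(web_root, p)
        except TraversalAttempt:
            result[p] = None
    return result


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical document root.
    for req, resolved in classify("/srv/www", ["index.html", "../../etc/passwd"]).items():
        print(f"{req!r:>24} -> {resolved or 'REFUSED'}")
```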
Full-featured IPS
The IPS Software Blade is a comprehensive intrusion prevention solution that protects the network against unwanted and malicious traffic, including:
- Malware attacks
- DoS and DDoS attacks
- Server and application vulnerabilities
- Insider threats
- Unwanted application traffic, including IM/P2P
Important IPS Performance Metrics
IPS performance is measured by:
- Dynamic alerting capability
- Threat blocking ability
- High availability, redundancy and speed of operation
- Ability to accurately identify threats and drop the offending packets
Large networks in particular benefit from IPS solutions that allow different rules (protection options) to be defined for each network segment.
Some IPS products can isolate threat traffic to a specific network segment and limit the bandwidth available to it, minimizing the impact of the threat. In this way an IPS helps both identify and reduce the impact of network threats.
Summary
Intrusion detection and prevention systems are the first line of defence against intruders. An IPS should not be considered a replacement for an IDS; used together, however, they complement each other.
Together, IPS and IDS give enterprises the visibility and control they need to protect their infrastructure from being attacked or taken over.