Intrusion Prevention Systems Ahmed Saeed Team Leader (Cisco Division) CTTC (PVT) Limited
What is IPS? • Intrusion Prevention System • A device placed on the network path that inspects traffic for security threats and policy violations and takes corrective action (drop, reset, block) in real time • Performs Deep Packet Inspection (looks into payloads, not just headers)
What can an IPS do? • IPS can detect and block: • OS, web and database attacks • Spyware / malware • Policy-restricted applications such as instant messaging and peer-to-peer (P2P) file sharing • Worm propagation • Critical outbound data loss (data leakage)
Difference between IDS and IPS • Intrusion Detection System (IDS) • Passive: sees a copy of the traffic, not the traffic itself • Hardware or software based • Uses attack signatures • Configuration: SPAN/mirror ports or network taps • Generates alerts (email, pager) • After-the-fact response: the offending packet has already been delivered by the time the IDS reacts • Intrusion Prevention System (IPS) • Inline and active: traffic passes through the device • Hardware or software based • Uses attack signatures • Configuration: inline, with fail-over (and fail-open/fail-closed) features • Generates alerts (email, pager) • Real-time response: the offending packet can be dropped before it reaches its target
IPS Types • IPS can be grouped into 3 categories • Signature based • Anomaly based (NBAD, network behaviour anomaly detection) • Hybrid
Signature Based • Use pattern matching to detect malicious or otherwise restricted packets on the network • Signatures are written for known exploits (worms, viruses) • Detect malware, spyware and other malicious programs • Bad-traffic detection and traffic normalization (reassembling fragments and streams so that evasion tricks do not hide a signature)
Signature Based Products • Sourcefire / Snort • StillSecure • NFR • Cisco IOS IPS
Signature: Pros & Cons • Pros • Very flexible • Well suited to detect single-packet attacks like SQL Slammer (the whole worm fits in one 376-byte UDP datagram to port 1434) • Cons • Relatively little zero-day protection • Generally requires that the attack is known before a signature can be written
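The two slides above describe signature matching and the IDS/IPS split (alert on a copy versus drop inline). The following is an added example, not code from the presentation or from any product it names: a minimal Snort-like rule parser and matcher run over constructed packets. The rule syntax (`content`, `depth`, `offset`) follows Snort conventions, but the parser is a toy, the rules are constructed for the example (the first borrows the byte pattern shape of the public Slammer signature, simplified), and the packets are built inline rather than captured.

```python
"""Signature-based inspection of constructed packets (added example).

A tiny Snort-like rule parser and matcher. The rule syntax (content, depth,
offset) follows Snort conventions, but this code is an illustration and is not
Snort; the rules and packets below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

HEADER = re.compile(r"^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]   # None means "any"
    contents: list         # [pattern_bytes, depth_or_None, offset] per content option


def decode_content(token):
    """Turn a Snort-style content string such as 'ab|04 9b|cd' into bytes:
    text outside |...| is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(token.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    proto, dport, body = m.groups()
    msg, sid, contents = "", 0, []
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            contents.append([decode_content(val), None, 0])
        elif key == "depth":        # applies to the preceding content
            contents[-1][1] = int(val)
        elif key == "offset":
            contents[-1][2] = int(val)
        elif key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
    return Rule(sid, msg, proto.lower(), None if dport == "any" else int(dport), contents)


def content_matches(payload, pattern, depth, offset):
    """depth limits how many bytes after offset are searched (Snort semantics)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def inspect(packet, rules):
    """Return [(sid, msg), ...] for every rule the packet triggers."""
    hits = []
    for r in rules:
        if r.proto != packet["proto"]:
            continue
        if r.dport is not None and r.dport != packet["dport"]:
            continue
        if all(content_matches(packet["payload"], p, d, o) for p, d, o in r.contents):
            hits.append((r.sid, r.msg))
    return hits


def decide(packet, rules, inline):
    """An inline IPS drops on a hit; a passive IDS on a SPAN port can only alert."""
    if not inspect(packet, rules):
        return "pass"
    return "drop" if inline else "alert"


# Constructed rules (hypothetical sids). The first is modelled on the shape of the
# public Slammer signature (first byte 0x04, then a fixed byte sequence), simplified;
# the second is a plain outbound-policy rule for a data-leakage marker.
RULE_TEXT = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer-style propagation (constructed)"; '
    'content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; sid:9000001;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Policy: CONFIDENTIAL marker in outbound traffic (constructed)"; '
    'content:"CONFIDENTIAL"; sid:9000002;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed packets (not captures). The worm-like one mimics Slammer's shape
# (one 376-byte UDP datagram to 1434: 0x04, 0x01 padding, the signature bytes,
# filler) without being a real exploit payload.
SLAMMER_LIKE = {"proto": "udp", "dport": 1434,
                "payload": b"\x04" + b"\x01" * 96 + bytes.fromhex("81F10301049B81F101") + b"\x90" * 270}
BENIGN_PING = {"proto": "udp", "dport": 1434, "payload": b"\x02"}  # SSRP-style 0x02 browse request
SHIFTED = {"proto": "udp", "dport": 1434, "payload": b"\x01" + SLAMMER_LIKE["payload"]}  # 0x04 no longer within depth 1
LEAK = {"proto": "tcp", "dport": 587,
        "payload": b"Subject: q3 numbers\r\n\r\nCONFIDENTIAL - do not forward\r\n"}

if __name__ == "__main__":
    for name, pkt in [("slammer-like", SLAMMER_LIKE), ("benign ping", BENIGN_PING),
                      ("shifted", SHIFTED), ("leak", LEAK)]:
        print(f"{name:13s} IDS={decide(pkt, RULES, inline=False):5s} "
              f"IPS={decide(pkt, RULES, inline=True):5s} {inspect(pkt, RULES)}")
```

The `SHIFTED` packet shows why `depth` matters: the signature bytes are present, but the leading 0x04 is no longer in the first byte, so the rule stays silent, which is exactly the kind of brittleness the "attack must be known first" con refers to. The policy rule only works on plaintext; the same marker inside TLS is invisible to the matcher.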
Anomaly Based • Anomaly-based IPS look for deviations from previously measured (baseline) behaviour, such as: • Substantial increase in outbound SMTP traffic • New open ports or services • Changes in TCP/IP parameters (protocol mix, flows, ports) relative to the baseline
Anomaly Based Products • Mazu Networks • Arbor Networks • Q1 Labs • Top Layer
Anomaly: Pros & Cons • Pros • Better protection against zero-day threats, since no signature is needed • Better detection of "low and slow" attacks • Cons • Cannot protect against single-packet attacks like SQL Slammer (one packet does not move the statistics) • Typically works on flow and statistical data rather than payload, so it does not inspect application-layer content (OSI layers 5–7)
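To make the anomaly slides concrete, here is an added example (not code from the presentation or from any NBAD product it lists) of baseline-and-deviation scoring over constructed flow summaries: a per-host baseline of outbound SMTP counts, a check for listening ports not seen during training, and a one-sided CUSUM that catches a "low and slow" excess no single interval would flag. Hosts, counts, ports, thresholds and the 5-minute interval are all assumptions made for the example.

```python
"""Anomaly-based (NBAD-style) detection over constructed flow summaries (added example).

Instead of matching payload bytes, this learns per-host baselines from a
training window and scores each new interval against them: a sudden surge
in outbound SMTP, a listening port never seen before, and a "low and slow"
drift that no single interval would flag on its own. All data is constructed.
"""
from statistics import mean, pstdev

# Constructed training data: outbound SMTP connections per 5-minute interval.
TRAINING = {
    "10.0.0.5": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4],   # a host that legitimately relays mail
    "10.0.0.9": [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1],   # a workstation
}
# Constructed baseline of listening ports observed per host during training.
BASELINE_PORTS = {"10.0.0.5": {22, 25}, "10.0.0.9": {22, 443}}


def build_baseline(history):
    """Per-host (mean, population stddev) of the training counts."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def z_score(value, mu, sigma, floor=1.0):
    # The floor stops a near-constant baseline from turning a +1 change into a huge z.
    return (value - mu) / max(sigma, floor)


def score_interval(counts, baseline, ports_seen, baseline_ports, z_threshold=4.0):
    """Alerts for one interval as (host, reason, detail) tuples."""
    alerts = []
    for host, count in counts.items():
        if host not in baseline:
            alerts.append((host, "new-host", count))
            continue
        z = z_score(count, *baseline[host])
        if z >= z_threshold:
            alerts.append((host, "smtp-surge", round(z, 1)))
    for host, ports in ports_seen.items():
        new = ports - baseline_ports.get(host, set())
        if new:
            alerts.append((host, "new-listening-port", sorted(new)))
    return alerts


def cusum(values, mu, sigma, drift=0.5, floor=1.0):
    """One-sided CUSUM: accumulate deviations above mu beyond `drift` sigmas.
    A small but persistent excess builds up even when every single z is modest."""
    s, out = 0.0, []
    for v in values:
        s = max(0.0, s + (v - mu) / max(sigma, floor) - drift)
        out.append(round(s, 2))
    return out


def first_crossing(stat, threshold):
    """Index of the first interval where the statistic reaches threshold, or None."""
    for i, s in enumerate(stat):
        if s >= threshold:
            return i
    return None


if __name__ == "__main__":
    bl = build_baseline(TRAINING)
    # A worm-infected relay suddenly makes 40 SMTP connections in one interval,
    # and the workstation starts listening on 6667.
    print(score_interval({"10.0.0.5": 40, "10.0.0.9": 1}, bl,
                         {"10.0.0.9": {22, 443, 6667}}, BASELINE_PORTS))
    # Low and slow: 5 per interval instead of ~3.5, for eight intervals in a row.
    slow = [5] * 8
    zs = [round(z_score(v, *bl["10.0.0.5"]), 1) for v in slow]
    stat = cusum(slow, *bl["10.0.0.5"])
    print("per-interval z:", zs, "-> never reaches 4.0")
    print("CUSUM:", stat, "-> reaches 4.0 at interval", first_crossing(stat, 4.0))
```

Note what this detector cannot see: a single Slammer datagram arriving during an otherwise normal interval leaves the counts unchanged, which is the single-packet con on the slide, and the only way to get zero-day coverage here is that nothing about the payload was needed, which is the pro. The `floor` on sigma is a practical detail: a host whose training counts are nearly constant has a tiny standard deviation, and without the floor any small change would alert.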
Hybrid IPS • Hybrid IPS combine Signature Based IPS and Anomaly Based IPS into a single device
Hybrid Products • Juniper • Cisco • IBM-ISS • TippingPoint • McAfee
Hybrid Pros & Cons • Pros • Superior protection for both known and zero-day threats • Each engine compensates for the other's weaknesses (signatures catch single-packet attacks, anomaly detection catches the unknown and the slow) • Cons • Generally more expensive than either anomaly- or signature-based products • Can be slower depending on architecture
Architecture: Software vs. Hardware • Software based • Generally runs Linux or a BSD variant on general-purpose hardware • e.g. Snort / Sourcefire, NitroSecurity, StillSecure • Hardware based • Uses ASIC / FPGA technology for the inspection path • e.g. TippingPoint, Top Layer, McAfee
Software Pros & Cons • Pros • More flexible • Generally easier to add major functionality • Cheaper • Generally has more functionality • Cons • Usually slower than hardware • Latency is usually higher than hardware
Hardware Pros & Cons • Pros • Speed, speed, speed • Lower latency than software • Fewer moving parts to fail • Cons • Expensive • Not easily upgradeable • Major upgrades usually mean new ASIC chips
What about UTM? • Unified Threat Management • All-in-one devices that can do: • Firewall • Antivirus • IPS • VPN • Etc. This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions
UTM Products • Fortinet • Radware • SonicWall • ISS-Proventia • Cisco (ASA appliance) • Juniper (SSG and ISG Firewalls)
UTM Pros & Cons • Pros • Cost effective for remote branch offices where other capabilities like a firewall are also needed • Cons • Usually a limited subset of IPS functionality and signatures compared to stand-alone IPS products
Thinking about an IPS? • Why? • What problem are you trying to solve? • What other problems may be solved? • What problems may arise? • If Networking is a different group from Security, do you have their buy-in? (An inline device is in their forwarding path.)
Tips when selecting an IPS • Prepare an RFP • Sample RFPs are available on the Internet • Do an on-site POC of your top choices • It's vital to see how the device works in your network, with your traffic • Make sure you test their support, especially if you are going to buy 24x7 • Look for product certifications • ICSA, NSS Group, Neohapsis
What to consider when buying • Speed / latency • Will the device perform under load? • Is the latency acceptable? • Very important if you have VoIP! • Accuracy • How many attacks did it miss (false negatives)? • How many legitimate sessions did it block (false positives)? • Signature updates • Absolutely critical. How often the signatures are updated is a key indicator of how serious the vendor is about IPS • High availability • Will it do active-passive, active-active? • "Fail open" • Will the device pass traffic in the event of a device failure? Fail open keeps the network up but unprotected; fail closed keeps protection but takes the link down. Decide which your network can tolerate before the failure happens
IPS Testing and Certifications • Testing and certifications are done by • ICSA Labs • NSS Group • Neohapsis • ICSA's programme is the newest of the three • NSS is arguably the most respected, for now • The IPS should have at least one certification