Three years ago, Entercept (a company since acquired by
Network Associates) introduced a novel host security approach.
It enveloped the operating system kernel within a security layer
that intercepted system calls and evaluated them against a
database of attack signatures and behaviours. Depending on the
nature of the system call, the Entercept security layer either
permitted or terminated the request, thereby preventing both
known and unknown attacks such as buffer overflows, privilege
escalation and Blaster-like worm attacks.
Thus was born 'intrusion prevention', which soon became the
buzz in security tools. Today, intrusion prevention systems do
not merely add an increment of security, as other tools do;
they take security to the next level!
An Intrusion Prevention System (IPS) can provide security
at the most fundamental levels: the operating system kernel
and the network data packet. It can also make up for the
failure of traditional security tools to proactively counter
'unknown' attacks.
As per a 2002 CII-PwC security survey of Indian companies,
unknown attacks that exploit newly discovered vulnerabilities
in operating systems are the biggest cause of security breaches
in organisations. Countering such attacks requires continual
patching, which is difficult and cumbersome to say the least,
unless organisations deploy automated patch deployment tools
such as PatchEasy, UpdateExpert etc.
Since an IPS provides protection against both known and unknown
attacks, an organisation's systems remain reasonably sheltered
while they await deployment of the patch that plugs a
just-announced vulnerability. It buys time for patching rather
than replacing it: behaviour-based blocking covers only the
actions its rules describe, so the patch must still follow.
Even so, the ability to prevent unknown attacks is more than
adequate reason for organisations to adopt it.
IPS made its entry as if on cue, just as the murmur of growing
disenchantment with IDS was turning into a chorus. An IDS
notifies administrators of attacks but does nothing to thwart
them. That is simply not good enough for weary administrators
who want to say "don't tell me, just fix it!" An IPS does
exactly that.
Disillusionment with traditional tools is deepened by the
inability of firewalls to prevent application-layer intrusions
and attacks that originate inside the network. Again, IPS
addresses this inadequacy by providing application-layer
security and monitoring of internal network traffic.
Intrusion prevention systems fall into two categories:
host-based intrusion prevention (HIP) products such as Entercept,
and the newer network-based intrusion prevention (NIP) products
like IntruShield. A HIP product protects servers and hosts
through software agents that sit between applications and
the OS kernel. The agent intercepts system calls at the lowest
level (such as disk read-write requests, network connection
requests, and attempts to change the registry or write to
memory) and either allows or denies the activity based on
predetermined rules. For example, unless explicitly permitted,
an application would not be able to modify certain files or
change data in the system registry.
In addition to a database of known attack signatures, HIP
systems also have an inbuilt database of generic attack behaviours.
They can therefore block generic malicious activity, such as
rewriting OS executables or establishing an unauthorised network
connection, even without a predetermined rule-set or signature
for the specific attack. The end result is that most intended
exploits simply would not work: attackers might get past network
defences and find their way to a server, but would be unable to
do anything useful once they got there. The protection is only
as good as the policy, though: an action that neither the rules
nor the behaviour models cover is still allowed, and an
over-broad behaviour rule will deny legitimate administration
until it is tuned.
Network intrusion prevention products are typically situated
'in line', positioned to intercept network traffic, scan it
for suspicious activity through deep packet inspection, and
then either block it or let it through. They use a range of
techniques, from IDS-like signature scanning (looking for
telltale intrusion patterns in strings of bytes) to protocol
anomaly detection (checking whether a packet does anything
its transmission protocol does not ordinarily permit).
Network-based systems block worm traffic that matches their
filters, containing Nimda-like worm outbreaks within the
enterprise network. Some even proactively 'go after' attackers
by sending 'tagged' responses to network probes, and permanently
block any source that later uses the tagged information to connect.
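As an added example (not IntruShield's or any vendor's code), the following Python sketch puts the three network-side techniques described above into one in-line sensor: byte-signature scanning, HTTP protocol anomaly detection, and tagged replies to probes that permanently block whichever source later connects using the tag. The signatures, thresholds, probe heuristic, addresses and sample traffic are all constructed for the illustration; the first signature merely resembles the IIS traversal requests Nimda sent.

```python
"""Toy in-line network intrusion prevention (NIP) sensor (added example)."""
import re
import secrets

# Known-bad byte patterns (constructed for this example).
SIGNATURES = {
    "IIS cmd.exe traversal": re.compile(rb"/winnt/system32/cmd\.exe\?/c\+"),
    ".ida buffer overflow": re.compile(rb"\.ida\?[NX]{100,}"),
}
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
MAX_URI_LEN = 2048   # illustrative threshold


def signature_scan(payload):
    """IDS-style scan: name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


def http_anomaly(payload):
    """Protocol anomaly check: a reason if the bytes do not obey the HTTP
    request-line grammar (METHOD SP URI SP VERSION CRLF), else None."""
    line, crlf, _rest = payload.partition(b"\r\n")
    if not crlf:
        return "no CRLF-terminated request line"
    parts = line.split(b" ")
    if len(parts) != 3:
        return "request line is not METHOD SP URI SP VERSION"
    method, uri, version = parts
    if method not in HTTP_METHODS:
        return f"unknown method {method!r}"
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        return f"malformed version {version!r}"
    if len(uri) > MAX_URI_LEN:
        return f"URI of {len(uri)} bytes exceeds {MAX_URI_LEN}"
    if any(b < 0x20 or b > 0x7E for b in uri):
        return "control or non-ASCII bytes in URI"
    return None


class InlineIPS:
    """Every packet passes through inspect() and is forwarded, dropped, or
    answered with a tagged reply. State: permanent block list and tags."""

    def __init__(self, tag_factory=lambda: secrets.token_hex(4)):
        self.blocked = set()     # sources blocked permanently
        self.tags = {}           # tagged host name -> source it was handed to
        self.tag_factory = tag_factory

    def inspect(self, src, dport, payload):
        """Decision for one packet: ("forward"|"drop"|"reply", reason)."""
        if src in self.blocked:
            return "drop", "source is permanently blocked"
        # A host name that exists only in a tagged reply identifies whoever
        # acts on reconnaissance results; block that source for good.
        for hostname, probe_src in self.tags.items():
            if hostname.encode() in payload:
                self.blocked.add(src)
                return "drop", f"connected using tagged name handed to {probe_src}"
        sig = signature_scan(payload)
        if sig:
            return "drop", f"signature: {sig}"
        if dport == 80:
            why = http_anomaly(payload)
            if why:
                return "drop", f"HTTP anomaly: {why}"
            # Illustrative probe heuristic: a bare HEAD / with no Host header
            # is answered with a fabricated redirect carrying a unique tag.
            if payload.startswith(b"HEAD / ") and b"\r\nHost:" not in payload:
                hostname = f"intranet-{self.tag_factory()}.example.internal"
                self.tags[hostname] = src
                return "reply", f"302 redirect to http://{hostname}/"
        return "forward", "clean"


SAMPLE_TRAFFIC = [   # constructed (source, destination port, payload)
    ("10.0.0.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("198.51.100.9", 80, b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("198.51.100.9", 80, b"GET /default.ida?" + b"N" * 224 + b"%u9090 HTTP/1.0\r\n\r\n"),
    ("203.0.113.4", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS bytes on port 80
    ("203.0.113.4", 80, b"HEAD / HTTP/1.0\r\n\r\n"),                         # reconnaissance probe
    ("203.0.113.4", 80, b"GET / HTTP/1.1\r\nHost: intranet-beef1234.example.internal\r\n\r\n"),
    ("203.0.113.4", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]


def run(traffic=SAMPLE_TRAFFIC, tag_factory=lambda: "beef1234"):
    """Push the traffic through one sensor; return (decisions, sensor)."""
    ips = InlineIPS(tag_factory)
    return [ips.inspect(*pkt) for pkt in traffic], ips


if __name__ == "__main__":
    for (src, port, _), (action, reason) in zip(SAMPLE_TRAFFIC, run()[0]):
        print(f"{src:>13} :{port}  {action:<7} {reason}")
```

The fixed tag in run() is only there so the sample is reproducible; a real sensor would use the random default so that each probe source gets a distinct tag and the later connection can be attributed to it. Note that a signature hit drops the packet but does not block the source, whereas using the tag does, mirroring the distinction the text draws.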
Clearly, in an unbounded world where network perimeters are
obsolete and the distinction between insiders and outsiders
has blurred, traditional security tools fall short. In this
world, IPS is the new crown jewel of enterprise security!