Introduction
Intrusion Prevention Systems are designed to protect information
systems from unauthorized access, damage or disruption. Vendors
have developed IPS to counteract the rapidly evolving threats
presented by the latest generation of worms, software and
network exploits.
As the number and frequency of threats have increased, the
growing complexity of the network environment has made
mitigation of these threats harder to achieve. Modern networks
have evolved for the purposes of distributing critical information
and services to an ever-expanding group of users. The need
for access to these critical services has led to the development
of redundant communication links, wireless networks, mobile
notebook computers, handheld digital devices, even internet-enabled
cellular phones. These new access technologies and links increase
the value of the information systems they support, but at
the same time provide more paths for attack and compromise.
This paper will address the need for Intrusion Prevention
Systems, will explore the two most popular IPS architectures
and will try to provide insight into the selection and use
of these systems.
The Need for IPS
As hacker attacks and network worms began to appear in the
late 1990s, Intrusion Detection systems were developed to
identify and report attacks to corporate Security personnel
for manual remediation. Traditional Intrusion Detection technologies
do nothing to stop an attack; they simply detect hostile traffic
and send alerts. As the level of threats and the size of IDS
deployments increased, it was found that the amount of time
needed to analyze and respond to the IDS systems was becoming
prohibitively large. The evolution of new hybrid attacks that
use multiple vectors to breach the security infrastructure
highlighted the need for the enterprise to defend itself against
a constantly shifting threat. Organizations have suffered
catastrophic damage to their business confidentiality, integrity
and availability as intrusions have become more virulent.
In a matter of minutes, Fortune 500 companies suffered millions
of dollars of lost revenue as production lines went dark and
order taking and fulfillment processes came to a halt because
of attacks like Sasser, SQL Slammer or Nimda. Traditional
firewall and anti-virus solutions, while valuable, cannot address
the new generation of threats. A solution was needed that proactively
protects vital information assets in a timely manner, without
waiting for new signatures to be created and distributed.
Intrusion Prevention Overview
For the purposes of this paper, we will define an Intrusion
Prevention System as a system that protects the following:
Confidentiality: The confidentiality of information
stored in electronic format on a computer system from unauthorized
viewing or copying. Threats include the introduction of back-door
programs, keyboard-logging programs etc., which are designed
to give unauthorized personnel access to information.
Integrity: The integrity of the information
stored in electronic format on a computer system from unauthorized
alteration or modification. Threats include back-door programs,
network worms etc. that are designed to alter or erase information.
Availability: The availability of a computing
resource, network, system etc., or of information stored in electronic
format on such a system or network, for use by authorized personnel.
Threats include Denial of Service attacks, back-door programs
that allow the use of resources by non-authorized personnel
for non-authorized purposes etc.
There are currently two basic
approaches to achieving the goals outlined above.
Host Intrusion Prevention: A software system
that loads directly on the computer system being protected.
Network Intrusion Prevention: A software or
dedicated hardware system that connects directly to a network
segment and protects all of the systems attached to the same
or downstream network segments.
Both of these approaches have their strengths and their weaknesses
and are better at protecting against some types of threats
than others. Both architectures provide the protection features
outlined above to varying degrees. Due to the dynamic nature
of network intrusion threats, deploying a mixture of both
technologies will provide the greatest level of protection
for critical assets.
Host IPS
Host IPS is a software program that resides on individual
systems such as servers, workstations or notebooks. Traffic
flowing into or out of that particular system is inspected
and the behavior of the applications and operating system
may be examined for indications of an attack. These host system-specific
programs or "agents" may protect just the operating
system, or applications running on the host as well (such
as web servers). When an attack is detected, the Host IPS
software either blocks the attack at
the Network Interface level, or issues commands to the application
or operating system to stop the behavior initiated by the
attack. For example, buffer overflow attacks may be prevented
by prohibiting the execution of the malicious program inserted
into the address space exploited by the attack. Attempts to
install back door programs via applications like Internet
Explorer are blocked by intercepting and denying the "write
file" command issued by IE.
Benefits of Host IPS
:: Software installed directly on the
system protects against not just the attack, but against
the results of an attack, such as blocking a program
from writing a file, blocking the escalation of a user's
privileges etc.
:: Protects mobile systems from attack
when attached outside the protected network. Roaming
laptop computers are a primary vector for introducing
worms into a protected network. Carrying a Network IPS
with the mobile system is not a practical solution.
:: Protects against local attacks. Personnel
with physical access to a system can launch local attacks
by executing programs introduced via CD, floppy disk
etc. These attacks often focus on escalating the user's
privileges to "root" or "administrator"
to facilitate compromise of other systems in the network.
:: Provides a "last line of defense"
against attacks that have evaded other security tools.
The potential victim system itself is the last defense
point available to Security personnel to guard against
system compromise.
:: Prevents internal attack or misuse
between devices located on the same network segment. Network
IPS only provides protection for data moving between
different segments; attacks launched between systems
located on the same segment can only be countered with
Host IPS.
:: Protects against encrypted attacks
where the encrypted data stream terminates at the system
being protected. Host IPS examines data and/or behavior
after encrypted data has been decrypted on the host
system.
:: Independent of network architecture;
allows for protection of systems located on obsolete
or unusual network architectures such as Token Ring,
FDDI etc.
Network IPS
Network IPS devices are deployed in-line with the network
segment being protected. All data that flows between the protected
segment and the rest of the network must pass through the
Network IPS device. As the traffic passes through the device,
it is inspected for the presence of an attack. Attack detection
mechanisms vary between systems, but the most accurate systems
integrate several techniques to achieve very high levels of
confidence in the detection of attacks and misuse. Extreme
accuracy and high levels of performance are crucial to an
effective system, as misidentification of an attack can cause
legitimate traffic to be blocked, which would be, in essence,
a self-inflicted "Denial of Service" condition.
High performance is necessary to ensure that legitimate traffic
is not delayed or disrupted as it flows through the device.
When an attack is identified, the Network IPS discards or
blocks the offending data so that it never reaches the intended
victim, thus blocking the attack.
Benefits of Network IPS
:: A single control point for traffic
can protect thousands of systems located "downstream"
of the device. This allows an organization
to scale its solution quickly and provides the flexibility
needed to respond to the constant changes in network
architecture.
:: Easy deployment, as a single sensor
can protect hundreds of systems. Deploying a few to
a few dozen sensors requires significantly less time
and effort than distributing software to hundreds or
thousands of systems.
:: Provides a broader view of the threat
environment, such as scans, probes and attacks against
non-system based assets. Network IPS, by working at
the network level, provides a broader view of the threat
environment than a host-based product. Having a strategic
vision of the threat environment allows security management
to proactively adapt to a changing security landscape.
:: Protects non-computer based network
devices. Not all attacks are directed against systems
that run operating systems supported by host-based IPS;
e.g., routers, firewalls, VPN concentrators, print servers
etc. are all vulnerable to attack and require protection.
:: Platform neutral. Protects legacy and
unusual operating systems and applications. Host IPS
systems are not available for all systems that might
be present in an organization. Network IPS provides
a measure of protection for all devices, no matter what
the operating system or application.
:: Protects against network DoS and DDoS
attacks, bandwidth-oriented attacks, SYN floods etc.
A common form of attack is to flood a network with irrelevant
traffic that denies or degrades the network for the
use of authorized personnel. Working at the network
level allows a Network IPS to protect against these
types of attacks.
To summarize, Intrusion Prevention technology
is the only proven protection for the sophisticated threats
encountered in today's network environments. No organization
today would consider running their networks and systems without
perimeter and personal firewalls. Intrusion Prevention technology
is the logical successor and complement to traditional network
and host firewalls and has been developed to provide the protection
that simple firewalls can no longer deliver. Organizations
that are serious about security are rapidly adopting this
latest tool to keep up with the frantic pace of change.
The Benefit of Overlapping and Integrated Technologies - McAfee Intrusion Prevention
Combining "Best of Breed" Host and Network IPS technology
results in a more comprehensive and robust defensive posture,
meaning fewer successful attacks, more efficient use of scarce
security resources and lower operating costs than simply deploying
one technology or the other.
An intrusion or compromise consists of multiple stages: Reconnaissance,
Scanning, Gaining Access, Maintaining Access, and Clearing
Tracks. Although both Host and Network IPS have the ability
to prevent each stage, the two technologies are not equally adept
at detecting and blocking every stage. Integrating the
strengths of each architecture provides a solution whose sum
is greater than its parts. By deploying complementary, integrated
"Protection-in-Depth" technologies like McAfee Network
and Host IPS, organizations can achieve superior protection
at a reasonable cost.
Entercept Host IPS
McAfee Entercept delivers patented host intrusion prevention
for critical servers, desktops, database servers and web servers.
It protects critical systems against the constantly evolving
threats facing organizations today, detecting and blocking
known and unknown attacks with its award-winning technology.
Centrally managed agents reside on each host and actively
enforce default or custom policies, preventing malicious activity
from compromising the integrity and confidentiality of the
systems and the data that resides on those systems.
Agents
There are three versions of McAfee Entercept agents:
:: Standard Edition for critical servers and desktops
:: Database Edition for database servers
:: Web Server Edition for web servers
Each agent utilizes a unique combination
of behavioral rules, signatures and a process firewall to
detect and block attacks with unmatched accuracy:
Behavioral Rules: Evaluate requests to the operating
system or applications before they are processed by the host,
thus protecting systems against unknown or zero-day attacks
that target new vulnerabilities for which there is no patch.
Signatures: Intercept known hostile content in
the data and eliminate dangerous payloads before they are
processed by the host, thus protecting systems.
Process Firewall: Blocks requests for applications
and services, into or out of the host; blocks specific attacks
at the network level before they are processed by the host; blocks
the IP address of an attacker inside or outside of the perimeter.
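As an added illustration (not Entercept's code or rule format), the following toy agent models the split just described: behavioral rules checked before the operating system acts on a request, a process firewall governing which processes may use the network and how, and the generic "no code execution from data regions" check described earlier for buffer overflows. All process names, paths, rule names and addresses are constructed samples.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    """An action a process asks the OS for, seen by the agent before it runs.
    op is one of: write_file, exec_program, exec_from (run code located in a
    memory region), connect (outbound network), listen (inbound network)."""
    process: str   # image name of the requesting process
    op: str
    target: str    # file path, program path, "data:<region>" or "proto:host:port"


@dataclass(frozen=True)
class Rule:
    name: str
    process: str   # glob on the image name
    op: str        # glob on the operation
    target: str    # glob on the target
    action: str    # "deny" or "allow"


# Constructed sample policy (hypothetical, not a vendor rule set). Evaluation
# is first match wins, so the specific allows precede the catch-all denies.
POLICY: List[Rule] = [
    # Behavioural rules: stop the result of a compromise, whatever exploit caused it.
    Rule("Generic overflow protection: no code execution from data regions",
         "*", "exec_from", "data:*", "deny"),
    Rule("Browser may not write executables into the system directory",
         "iexplore.exe", "write_file", r"C:\WINDOWS\system32\*.exe", "deny"),
    Rule("Web server may not spawn a command shell",
         "inetinfo.exe", "exec_program", "*\\cmd.exe", "deny"),
    # Process firewall: which processes may use the network, and how.
    Rule("Web server accepts HTTP", "inetinfo.exe", "listen", "tcp:*:80", "allow"),
    Rule("Web server accepts HTTPS", "inetinfo.exe", "listen", "tcp:*:443", "allow"),
    Rule("Web server may not listen elsewhere", "inetinfo.exe", "listen", "*", "deny"),
    Rule("Web server may not open outbound connections",
         "inetinfo.exe", "connect", "*", "deny"),
]


@dataclass
class Agent:
    """Toy reference monitor: every request is checked against the policy
    before the OS is allowed to carry it out, and every decision is logged."""
    policy: List[Rule]
    default_action: str = "allow"   # desktop profile; a hardened server would use "deny"
    audit: List[Tuple[Request, str, str]] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Return (action, rule name). Matching is case-insensitive because
        the sample targets are Windows paths."""
        for rule in self.policy:
            if (fnmatchcase(req.process.lower(), rule.process.lower())
                    and fnmatchcase(req.op, rule.op)
                    and fnmatchcase(req.target.lower(), rule.target.lower())):
                self.audit.append((req, rule.action, rule.name))
                return rule.action, rule.name
        self.audit.append((req, self.default_action, "default"))
        return self.default_action, "default"


# Constructed sample requests: the two attack results named in the text (a
# dropped executable, code running from an overflowed stack), a web server
# spawning a shell, plus ordinary activity that must keep working.
SAMPLE_REQUESTS = [
    Request("iexplore.exe", "write_file", r"C:\WINDOWS\system32\svchost32.exe"),
    Request("iexplore.exe", "write_file", r"C:\Documents and Settings\alice\report.doc"),
    Request("inetinfo.exe", "exec_from", "data:stack"),
    Request("inetinfo.exe", "exec_program", r"C:\WINDOWS\system32\cmd.exe"),
    Request("inetinfo.exe", "listen", "tcp:0.0.0.0:80"),
    Request("inetinfo.exe", "connect", "tcp:198.51.100.23:4444"),  # 198.51.100.0/24: documentation range
    Request("winword.exe", "connect", "tcp:10.0.0.5:445"),
]


def decisions(agent: Agent, requests=SAMPLE_REQUESTS) -> List[str]:
    """Evaluate each request in order and return just the actions."""
    return [agent.evaluate(r)[0] for r in requests]


if __name__ == "__main__":
    agent = Agent(POLICY)
    for req, action in zip(SAMPLE_REQUESTS, decisions(agent)):
        print(f"{action:5} {req.process:13} {req.op:12} {req.target}")
```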
McAfee Entercept Database and Web Server agents are the only
Host Intrusion Prevention solutions with application-specific
content interception engines that detect and block malicious
activity before it can affect operating systems, applications
or data.
Management System
The McAfee Entercept Management System centrally manages up
to 5,000 Standard, Database or Web Server agents per management
server. The Management System enables enterprises to import
and export configurations across multiple management servers
and enforce security configurations and policies across applications,
user groups and agents, significantly decreasing the cost
of installing and maintaining large deployments. McAfee Entercept
enables deployment of a single set of policies across Windows,
Solaris and HP-UX platforms, enabling consistent, reliable
host security for today's heterogeneous server environments.
The Entercept Alert Management system is integrated with the
IntruShield Management server and forwards alerts to IntruShield
for centralized integration and correlation of all security
incidents detected by the Entercept Agents. Integrating these
two powerful systems enhances the productivity of the Security
staff and provides unparalleled threat management capability
with the lowest investment of critical talent and resources.
Strengths of Entercept Host IPS
Application Shielding: McAfee Entercept Web
Server Edition and Database Edition provide shielding for
specific applications like IIS, Apache and MS SQL 2000. Protection
tailored to the specific application provides the most comprehensive
protection available.
Architectural Independence: Not all network
architectures allow for easy monitoring of all connections
to and from critical systems. McAfee Entercept resides on
the critical hosts so that it can analyze threats to that
machine, regardless of the makeup of the network or what
route the attack took.
Local Attacks: Host IPS can block an attacker
who has physical access to a server and is trying to perform
a privilege escalation or other type of attack on the machine.
A Network IPS would never 'see' this type of attack.
Not Evaded by Encrypted Attacks: Entercept
defends critical systems when the attacks are contained within
encrypted protocols that terminate at the host itself. Entercept
inspects data and behavior after it has been decrypted on
the system to guard against all types of encrypted attacks.
Protecting Mobile Machines: Entercept protects
mobile users if they are communicating over a network that
does not have a Network IPS sensor or firewall. With the increase
in mobile workers and home offices, security cannot be restricted
to the physical networks at the main organizational locations.
Optimized for Unique Host Environments: Since
Entercept is written for the specific platform and application,
it allows for more powerful and granular security policies,
enabling unique policy configuration and enforcement for every
system.
Powerful Buffer Overflow Protection: Entercept's
powerful 'generic' buffer overflow protection provides unsurpassed
detection and blocking of unknown or zero-day attacks.
Last Line of Defense: Because it resides locally,
Entercept is ideal for protecting applications and preventing
them from performing actions out of the bounds of their design.
System shielding provides a protective envelope of operation
that prevents both outside penetration and malicious use of
the system, preventing those attacks that have bypassed other
security tools from successfully executing.
Examples of attacks that only Host IPS can detect and block:
:: Local Privilege Escalation Attacks http://www.isec.pl/vulnerabilities/isec-0013-mremap.txt
:: Client Side Attacks http://archive.infoworld.com/articles/op/xml/00/07/17/000717opswatch.xml
IntruShield Network IPS
McAfee IntruShield delivers "Best of Breed" Network
Intrusion Prevention for all resources located on a network.
It protects network infrastructure and critical systems against
the constantly evolving threats facing organizations today,
detecting and blocking known and unknown attacks with its
award-winning technology. Centrally managed hardware sensors
are deployed in the network and actively enforce default or
custom policies, preventing malicious activity from compromising
the confidentiality, integrity and availability of the network.
There are three models of IntruShield sensor available.
4000: Provides protection for the Enterprise core with throughput
of 2 Gbps with all protection features enabled. The sensor
protects two Gigabit network segments.
2700: Provides protection for the Enterprise perimeter with
throughput of 600 Mbps with all protection features enabled.
Protects three 100BaseT segments or one lightly loaded Gigabit
network segment.
1200: Protects the branch office or small business perimeter
with 100 Mbps throughput and protection for one 100BaseT
segment.
IntruShield sensors are designed from the ground up to provide
the most accurate and powerful Network IPS functionality.
The sensor incorporates multiple, high performance processing
elements and programmable gate arrays that work in concert
to provide unparalleled accuracy with wire speed performance
at up to 2 Gbps. IntruShield integrates advanced protocol
normalization and anomaly detection, multi-field stateful
signature inspection and dynamic statistical anomaly detection
techniques to achieve the highest level of accuracy in the
industry.
Protocol normalization and anomaly detection provides
for the detection of potential attacks without the need for
a database of signatures. All packets entering the sensor
are normalized or "scrubbed" to provide a view of
the data to the sensor identical to the view that the protected
system will see when the packets are re-assembled at their
destination. This process is key to IntruShield's ability
to detect attacks that have been specifically crafted to evade
a Network IPS. After the normalization process, the protocol
is fully decoded and is compared against the rules that pertain
to that specific protocol. Any deviation from the norm in
the construction of the packet is flagged as a protocol anomaly
and forwarded to the Detection Correlation engine, where
it is integrated with the results of the other detection engines
before a final attack detection decision is made.
The signature detection engine within IntruShield
provides highly detailed and accurate detection of attacks
flowing through the sensor for which a signature is available.
Signatures are written to identify both specific attacks,
as well as unknown attacks that are targeted at a vulnerability
within an operating system or application. IntruShield signatures
are capable of examining numerous different values within
a packet or flow simultaneously. The sensor monitors the validity
of the TCP/IP session and tracks the state of each session
in its state table. Tracking the state of all flows through
the sensor allows for "Stateful Inspection" via
the signature engine. By tracking the connection state, IntruShield
can focus only on packets that may compromise a system, those
that are part of a valid connection. By understanding the
connection state, IntruShield minimizes the potential for
falsely detecting an attack. Correlating the Signature engine
with the Protocol Anomaly engine adds to accuracy by ensuring
that a value within a packet that matches a signature element
is contained within the proper protocol, and is in the appropriate
area of the flow as defined by the specific protocol.
For example, suppose two security analysts are discussing a particular
attack via Instant Messaging within a network, and they include
a portion of an HTTP attack within their Instant Messaging
conversation. Most competing IPS devices would generate an
alarm on the HTTP attack code. IntruShield will recognize
that although there is attack data within the Instant Messaging
packets flowing through the sensor, the data is not a valid
attack, as an HTTP attack cannot compromise an Instant Messaging
process. A complete understanding of not only the data that
comprises the attack, but also the context within which the
data is detected is required to provide this degree of accuracy.
IntruShield is the only system on the market that performs
such advanced correlation functions, and these processes are
the key to IntruShield's accuracy.
Competitive systems are based on general-purpose computer
platforms, or on layer two traffic switches that have been
adapted to perform simple string matches of data patterns
within a signature with data patterns within a packet.
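As an added example (not IntruShield's implementation), the following toy sensor contrasts the raw string matching just described with the normalize-then-correlate pipeline of the preceding paragraphs: TCP segments are reassembled as the destination host would see them, the HTTP request line is percent-decoded and its path collapsed, and each signature fires only in the protocol and field it was written for, so the same bytes quoted in an IM chat produce no alarm. The flows, the two signatures and the 2048-byte URI limit are constructed, and the first-data-wins overlap policy is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote


@dataclass
class Flow:
    """One TCP flow as the sensor sees it. `proto` is the application protocol
    the sensor identified for the flow; `segments` are (seq, payload) pairs in
    ARRIVAL order, so they may be out of order or overlapping."""
    proto: str
    segments: List[Tuple[int, bytes]]


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild the stream as the destination host will see it. This toy keeps
    the first-received byte where segments overlap (an assumption: a real
    sensor must model the protected host's OS) and simply skips any gaps."""
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            stream.setdefault(seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def normalize_http(stream: bytes) -> Dict[str, str]:
    """Decode the request line into the fields the web server will act on:
    percent-decode the URI and collapse '.' and '..' path segments."""
    line = stream.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) < 2:
        return {"method": "", "uri": ""}
    segs: List[str] = []
    for seg in unquote(parts[1]).split("/"):
        if seg == "..":
            if segs:
                segs.pop()
        elif seg not in ("", "."):
            segs.append(seg)
    return {"method": parts[0], "uri": "/" + "/".join(segs)}


# Constructed sample rules (not vendor signatures). The first matches a known
# payload string; the second is a vulnerability-style rule keyed on a size
# limit rather than on any particular exploit.
SIGNATURES = [
    {"name": "Traversal to cmd.exe", "proto": "http", "field": "uri",
     "pattern": "/system32/cmd.exe"},
    {"name": "Oversized URI", "proto": "http", "field": "uri", "max_len": 2048},
]


def naive_match(flow: Flow, signatures) -> List[str]:
    """Plain string matching over raw bytes in arrival order: no reassembly,
    no decoding, no notion of which protocol the bytes belong to."""
    raw = b"".join(p for _, p in flow.segments).decode("latin-1")
    return [s["name"] for s in signatures if "pattern" in s and s["pattern"] in raw]


def inspect_flow(flow: Flow, signatures) -> List[str]:
    """Normalize first, then apply each signature only within the protocol and
    field it was written for (the correlation step described in the text)."""
    stream = reassemble(flow.segments)
    if flow.proto == "http":
        fields = normalize_http(stream)
    else:                                   # e.g. an IM chat: just a text body
        fields = {"body": stream.decode("latin-1")}
    alerts: List[str] = []
    for s in signatures:
        if s["proto"] != flow.proto:        # HTTP bytes quoted in a chat: wrong context
            continue
        value = fields.get(s["field"], "")
        if "pattern" in s and s["pattern"] in value:
            alerts.append(s["name"])
        elif "max_len" in s and len(value) > s["max_len"]:
            alerts.append(s["name"])
    return alerts


# Constructed flows. The request arrives second-segment-first and encodes both
# the dots and the 'c' of cmd.exe, so the raw bytes never contain the pattern.
EVASIVE_HTTP = Flow("http", [
    (30, b"tem32/%63md.exe HTTP/1.0\r\n\r\n"),
    (0, b"GET /scripts/%2e%2e/%2e%2e/sys"),
])
# Two analysts quoting the same attack string over IM: not an HTTP flow at all.
IM_CHAT = Flow("im", [(0, b"alice: the worm fetches /system32/cmd.exe by traversal")])
# A request whose URI is simply too long, with no known payload in it.
LONG_URI = Flow("http", [(0, b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n")])

if __name__ == "__main__":
    for name, flow in (("evasive", EVASIVE_HTTP), ("im", IM_CHAT), ("long", LONG_URI)):
        print(f"{name:8} naive={naive_match(flow, SIGNATURES)} "
              f"normalized={inspect_flow(flow, SIGNATURES)}")
```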
The statistical anomaly detection engine within
IntruShield detects and protects against Denial of Service
and Distributed Denial of Service attacks. This engine monitors
and records information on all traffic passing into and out
of a protected segment. A dynamic "profile" incorporating
over 100 different values is built and maintained by the system
for each segment. The system tracks things like the number
and types of packets passing between addresses on one side of
the sensor and the other, the most common addresses and address
ranges in the traffic flow, the percentage of different types
of traffic etc. This profile forms a "baseline" value
for the typical activity seen on a segment. DoS and DDoS attacks
are detected as rapid variations in activity that are outside
of the baseline maintained by the sensor for a segment. When
an attack is detected, the system is able to determine what
packets belong to the attack, and which packets belong to
legitimate traffic. Packets that are identified as being part
of the attack are dropped; packets that are part of the legitimate
traffic flow are passed to the destination. In contrast, competing
systems typically require the operator to manually set a value
based merely on the number of packets per second that should
be allowed onto the segment. If this value is exceeded, their
systems indiscriminately drop packets with no ability to determine
if they belong to the attack or to legitimate traffic.
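As an added example (not IntruShield's engine), this toy keeps a rolling per-segment baseline of packet rate and per-source traffic share, flags an interval whose rate deviates from the baseline by more than a z-score threshold, and then drops only the packets whose share of that interval exploded relative to their own baseline share, forwarding the rest; it is contrasted with the fixed packets-per-interval ceiling described above. All traffic, addresses and thresholds are constructed.

```python
import random
from collections import Counter, deque
from statistics import mean, pstdev
from typing import Deque, List, Tuple

# A packet reduced to the two profile dimensions this toy tracks: (source
# address, traffic type). The real profile described above holds over 100 values.
Packet = Tuple[str, str]


class SegmentProfile:
    """Rolling baseline for one protected segment.

    History holds (a) total packets per interval and (b) each (source, type)
    pair's share of an interval's traffic. A flood is an interval whose rate
    is far outside the baseline; the packets blamed for it are those whose
    share exploded relative to their own baseline share.
    """

    def __init__(self, window: int = 20, z_threshold: float = 4.0,
                 share_factor: float = 5.0, min_share: float = 0.01):
        self.z_threshold = z_threshold    # standard deviations above the mean rate
        self.share_factor = share_factor  # how many times its baseline share a key may grow
        self.min_share = min_share        # floor so a new low-volume source is not blamed
        self.rates: Deque[int] = deque(maxlen=window)
        self.shares: Deque[Counter] = deque(maxlen=window)

    def baseline_share(self, key: Packet) -> float:
        if not self.shares:
            return 0.0
        return mean(c[key] / max(1, sum(c.values())) for c in self.shares)

    def is_anomalous(self, total: int) -> bool:
        """Rapid variation outside the baseline, as a z-score of the interval rate."""
        if len(self.rates) < 5:           # too little history to judge
            return False
        mu, sigma = mean(self.rates), pstdev(self.rates) or 1.0
        return (total - mu) / sigma > self.z_threshold

    def process_interval(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Return (forwarded, dropped). A normal interval is forwarded whole and
        trains the baseline; an anomalous one is filtered and deliberately does
        NOT train it, so the attack cannot become the new normal."""
        counts, total = Counter(packets), len(packets)
        if not self.is_anomalous(total):
            self.rates.append(total)
            self.shares.append(counts)
            return list(packets), []
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            limit = self.share_factor * max(self.baseline_share(pkt), self.min_share)
            (dropped if counts[pkt] / total > limit else forwarded).append(pkt)
        return forwarded, dropped


def naive_rate_limit(packets: List[Packet], limit: int) -> Tuple[List[Packet], List[Packet]]:
    """The fixed packets-per-interval ceiling described above: everything past
    the ceiling is dropped regardless of whether it belongs to the attack."""
    return list(packets[:limit]), list(packets[limit:])


def legit_interval(i: int) -> List[Packet]:
    """Constructed normal traffic: five internal hosts, each sending one SYN
    and a slightly varying number of data packets per interval."""
    pkts: List[Packet] = []
    for k in range(5):
        src = f"10.0.0.{k + 1}"
        pkts.append((src, "syn"))
        pkts.extend([(src, "data")] * (9 + (i + k) % 3))
    return pkts


def simulate() -> dict:
    """Train on 20 quiet intervals, then inject a SYN flood from one source
    (203.0.113.7 is a documentation address) mixed with normal traffic."""
    profile = SegmentProfile()
    for i in range(20):
        profile.process_interval(legit_interval(i))
    mixed = legit_interval(20) + [("10.0.0.9", "data")]   # includes a never-seen legit host
    mixed += [("203.0.113.7", "syn")] * 500
    random.Random(1).shuffle(mixed)                       # arrival order is interleaved

    def is_attack(p: Packet) -> bool:
        return p[0] == "203.0.113.7"

    fwd, drp = profile.process_interval(mixed)
    _, naive_drp = naive_rate_limit(mixed, limit=60)
    return {
        "forwarded_legit": sum(1 for p in fwd if not is_attack(p)),
        "forwarded_attack": sum(1 for p in fwd if is_attack(p)),
        "dropped_legit": sum(1 for p in drp if not is_attack(p)),
        "dropped_attack": sum(1 for p in drp if is_attack(p)),
        "naive_dropped_legit": sum(1 for p in naive_drp if not is_attack(p)),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:20} {v}")
```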
With version 2.1 of the product, IntruShield now provides
protection against SSL encrypted attacks for critical E-Commerce
infrastructure. The I4000 and I2700 sensors decrypt incoming
SSL packets and provide full inspection and protection of
the traffic contained within the encrypted flow. This is achieved
by securely caching a copy of the SSL servers' private encryption
key on the sensor. This unique capability is indicative of
the advanced design of the system and the forward thinking
ability of the IntruShield design team.
IntruShield Manager
The McAfee IntruShield Management System centrally manages
all IntruShield sensors installed in an enterprise. The Management
System enables enterprises to import and export configurations
across multiple sensors, significantly decreasing the cost
of installing and maintaining large deployments. The system
provides centralized alert monitoring and an enterprise-wide
view of all events from both the IntruShield sensors and
Entercept agents deployed throughout the network. Powerful
forensic analysis and reporting capabilities are provided
to enable in-depth analysis and reporting of the global security
posture at the organization.
Strengths of IntruShield Network IPS
Accuracy and Performance: IntruShield's unique,
purpose-built hardware appliance and integrated detection
technology provide the most accurate network detection and
prevention of known and unknown attacks, whether clear text
or encrypted with SSL. Multi-gigabit performance supports
the most demanding enterprise network core protection needs.
Comprehensive Protection: IntruShield protects
all assets connected to the protected network segment, including
network infrastructure components like routers, switches,
print servers etc. No Host IPS runs on every version of every
operating system, so IntruShield protects environments that
are not running the Windows, Solaris or HP-UX platforms protected
by McAfee Entercept. A single strategically placed IntruShield
appliance can protect hundreds of different systems and devices
at the same time, minimizing installation and maintenance
costs and maximizing staff effectiveness.
Virtual Firewall Capability: IntruShield provides
the full capabilities of a stateful firewall with advanced
access control capability between physical or virtual segments
protected by the sensor. With this capability, IntruShield
can act as an interior firewall and prevent attacks from spreading
into other parts of the network. For example, a McAfee IntruShield
product installed at or near the WAN interface could prevent
an attack from spreading into other regions. Alternatively,
it could detect a buffer overflow for which there is an exploit
or vulnerability signature before it reaches the target host,
preventing the attack from succeeding.
Comprehensive Forensic and Reporting Capabilities:
The integration of Entercept Host and IntruShield Network
alerts provides the ability to correlate and integrate attack
events network-wide. Sophisticated forensic analysis and reporting
capabilities provide a powerful centralized view of the overall
security environment.
Ease of Management and Deployment: An IntruShield
network sensor can be deployed in a network in less than one
hour. The IntruShield management console provides centralized
control of all software and hardware features of the installed
network sensors. Numerous security templates are provided
to enable the system to be rapidly configured and customized
to suit the customer's environment.
Network Reconnaissance Detection: Because of
its network-wide view and ability to capture all of the packets
off the wire, IntruShield is able to detect network-wide reconnaissance
activities such as port sweeps and pings. It is ideal for
gathering forensic information detailing where an attack
came from and what it is targeting. An example of a reconnaissance
technique is 'SNMP Harvesting', in which it is possible to
obtain an entire user database or even configuration details
of a router by probing SNMP MIBs. This kind of reconnaissance
activity places distinct traffic on the network, which is
detectable by IntruShield. A host-based IPS would not detect
this activity.
Examples of attacks that only Network IPS can detect and block:
:: ARP Poisoning http://www.watchguard.com/infocenter/editorial/135324.asp
:: Protocol Flooding http://www.securiteam.com/exploits/5JP0R0K4AW.html
:: Routing Protocol Attacks http://www.securiteam.com/tools/5IP032K6AS.html
Key Selection Considerations
Determining where and when to use the appropriate IPS technologies
requires an understanding of the strengths and weaknesses
of each product. Following is a summary of the critical issues
to keep in mind, with a brief description of each technology's
approach to addressing the issues.
:: Threat Effectiveness ::
Blocking Zero-Day Attacks: Entercept uses behavioral
application protection rules to prevent exploits that use
unknown vulnerabilities (e.g., WebDAV using an attack vector
other than HTTP), whereas IntruShield uses protocol anomaly
detection and general vulnerability signatures to prevent
novel exploits (e.g., ASN.1 encoding errors in SNMP and Kerberos).
IntruShield can recognize worm propagation by detecting changes
in network traffic distribution with its statistical analysis
capability. Entercept can block worm propagation with its
process firewall technology.
Mitigating the 'Patching Emergency': Both systems
provide complementary help in reducing the urgency of patch
deployment. IntruShield can safeguard unpatched systems if
anomaly-based protection is implemented and deployed for the
affected protocol (e.g., MS RPC DCOM buffer overflow). Entercept
makes use of its generic buffer overflow exploit prevention
to deflect overflow exploits. This protection allows customers
to test critical patches and schedule their deployment in
a controlled fashion.
Ensuring System Availability: Working in concert,
Entercept and IntruShield provide effective remediation of
Denial of Service and Distributed Denial of Service attacks.
IntruShield's sophisticated Statistical Anomaly Detection capability
protects against traffic-oriented attacks while Entercept's
leading-edge buffer overflow and process firewall technology
ensures that hosts remain available for service at all times.
:: Implementation Considerations ::
Coverage: IntruShield protects all types of computer
systems as well as network infrastructure devices such as
routers and switches, as long as it is deployed in the path
between target and attacker (e.g., Cisco IOS vulnerabilities).
Entercept protects servers and desktops against local exploits
and malicious operations that do not involve any network access
or traffic.
Deployment: Entercept is independent of how an
exploit gets to a machine, but needs to be installed on every
box in order to protect it. IntruShield only requires a few
devices for many servers and desktops, but needs to cover
all paths leading to an asset in order to be effective.
Conclusion
To the security administrator or CISO, the prospect of implementing
both a Host and a Network IPS is problematic because of one
particular rationale: If one solution is so effective then
why do I need to invest in both? Arguably, the overlap between
Network and Host IPS is very large. Nevertheless, this is
more an argument in theory than in practice. With the
exception of a local attack where the hacker has physical
access to the target system, all attacks put traffic on the
wire and so it is theoretically possible to create a detection
capability and block it. In practice, it is another matter.
In many instances, a Host IPS is better positioned to evaluate
the intent of a particular action, which may appear innocuous
on the wire. A single prevention approach, based upon single
or point-technologies, will continue to fail against these
evolving blended attacks.
"Defense in depth" and "Protection-in-Depth"
are philosophies, and security professionals that follow them
build solutions on the premise that any single security measure
has limitations and will eventually fail. If the single technology
approach were correct, this argument would have ended long
ago when firewalls were originally introduced as a technology.
Technology often fails through poor configuration. For example,
intrusion detection and intrusion prevention technology can
be used to simply provide visibility (detection) into critical
systems and the network rather than prevention. A firewall's
effectiveness is only as good as its policy. Anti-virus only
detects known viruses if it is up to date. The list goes on.
If malicious code writing and hacking stood still then it
might be harder to rationalize redundant security technology.
However, this is not the case. We can never predict all of
the vulnerabilities that are yet to be discovered nor can
we predict the exploits that invariably will follow.
Host and Network Intrusion Prevention Systems are both targeted
at the same goal, protecting critical assets from very sophisticated
threats. Two different approaches to achieving this goal are
more powerful and effective than any single design could possibly
be.