INTRUSION PREVENTION SYSTEMS
– SECURITY’S SILVER BULLET?
BY
DINESH SEQUEIRA
Introduction
Presently available network security components such as firewalls, anti-virus
programs and Intrusion Detection Systems (IDS) cannot cope with the wide
range of malicious attacks and zero-day exploits against computer networks and
systems. Multi-exploit worms like Nimda, Trojan horses, and polymorphic viruses
are penetrating defenses, causing downtime and huge financial loss to
businesses. Predictions are that it will get worse (Skoudis). "Script kiddies" can
evade signature-based detection with freely available tools like Fragrouter, which
fragments and reorders packets so that an IDS reassembles them differently from
the target host, and ADMutate, which re-encodes shellcode so that every copy looks
different on the wire. The CERT (Computer Emergency Response Team) Coordination
Center at Carnegie Mellon University reports that the number of reported security
incidents is doubling each year (CERT/CC). This paper takes a look at Intrusion
Prevention Systems (IPS), preceded by a history of the network security components
that fortify our networks. An understanding of firewalls, anti-virus programs, and
IDS is important before moving on to IPS. Earlier systems have served us well, but
with the proliferation of sophisticated attacks and the discovery of new
vulnerabilities, new methods are needed to protect precious data and network
resources.
IPS take a new, proactive approach that stops hackers (black hats) before
they can do damage. Host-based and network-based IPS are now commercially
available and more are to come in the next few months. Could IPS help secure
our networks and critical business assets? This paper probes into the technology
behind these systems, why we need them, how they function, their pros and
cons, and some highly rated products.
IPS Approaches
Some of the approaches being used are
1. Software-based heuristic approach - This approach is similar to IDS anomaly
detection (for example, using neural networks to learn what normal activity looks
like), with the added ability to act against intrusions and block them.
2. Sandbox approach - Mobile code like ActiveX controls, Java applets and various
scripting languages is quarantined in a sandbox, an area with restricted access
to the rest of the system's resources. The system runs the code in this
sandbox and monitors its behavior. If the code violates a predefined policy it is
stopped and prevented from executing, thwarting the attack (Conry-Murray).
3. Hybrid approach - On network-based IPS (NIPS), several detection methods,
some proprietary, including protocol anomaly, traffic anomaly, and signature
detection, work together to identify an imminent attack. Because the NIPS sits
inline in the traffic path, like a router, it can drop the offending packets or
connections before they reach the target.
4. Kernel-based protection approach - Used on host-based IPS (HIPS). Most
operating systems restrict access to the kernel by user applications. The kernel
controls access to system resources like memory, I/O devices, and the CPU,
preventing direct user access. To use a resource, a user application sends a
request, a system call, to the kernel, which then carries out the operation. Any
exploit code will execute at least one system call to gain access to privileged
resources or services. Kernel-based IPS prevents execution of malicious system
calls.
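As an added example of the hybrid approach in item 3 (illustration code written for this page, not any vendor's product and not from the original paper), the following C program runs three detectors over a handful of constructed HTTP requests: a signature check on the normalized URI, a protocol-anomaly check on the method and URI shape, and a traffic-anomaly check on the request rate per source. The sample traffic, the signature strings, and the window and threshold values are all assumptions chosen for the demonstration.

```c
/* Hybrid NIPS inspection: signature, protocol-anomaly and traffic-anomaly
 * checks combined into one verdict per request. Added illustration, not a
 * product's code. The traffic below is constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct request {
    const char *src;     /* source IP (constructed) */
    unsigned    t;       /* arrival time in seconds; samples are time-ordered */
    const char *method;  /* HTTP method as seen on the wire */
    const char *uri;     /* request URI as seen on the wire */
};

enum verdict { ALLOW = 0, BLOCK_SIGNATURE, BLOCK_PROTOCOL, BLOCK_RATE };

/* Constructed traffic: a normal request, a Nimda-style cmd.exe probe with an
 * encoded backslash, a bogus method, then a burst from a single source. */
static const struct request sample[] = {
    { "10.0.0.5", 0, "GET", "/index.html" },
    { "10.0.0.5", 1, "GET", "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir" },
    { "10.0.0.7", 2, "FOO", "/index.html" },
    { "10.0.0.9", 3, "GET", "/a.html" },
    { "10.0.0.9", 4, "GET", "/a.html" },
    { "10.0.0.9", 5, "GET", "/a.html" },
    { "10.0.0.9", 6, "GET", "/a.html" },
    { "10.0.0.9", 7, "GET", "/a.html" },
    { "10.0.0.9", 8, "GET", "/a.html" },
    { "10.0.0.9", 9, "GET", "/a.html" },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Normalise before matching: percent-decode and lower-case, so that
 * "..%5C" or "CMD.EXE" cannot slip past a byte-for-byte signature. */
static void normalise_uri(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < outlen; i++) {
        int c = (unsigned char)in[i];
        if (c == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
}

/* Signature detection: known-bad substrings from worm and traversal probes
 * (a constructed, deliberately short list). Returns the index hit or -1. */
static const char *const signatures[] = { "cmd.exe", "root.exe", "../", "..\\" };

static int signature_match(const char *uri)
{
    char norm[512];
    normalise_uri(uri, norm, sizeof norm);
    for (size_t i = 0; i < sizeof signatures / sizeof signatures[0]; i++)
        if (strstr(norm, signatures[i]))
            return (int)i;
    return -1;
}

/* Protocol anomaly: the request does not look like HTTP a real client sends. */
static int protocol_anomaly(const struct request *r)
{
    static const char *const methods[] = { "GET", "HEAD", "POST" };
    int known = 0;
    for (size_t i = 0; i < 3; i++)
        if (strcmp(r->method, methods[i]) == 0)
            known = 1;
    return !known || r->uri[0] != '/' || strlen(r->uri) > 255;
}

/* Traffic anomaly: more than `threshold` requests from one source within
 * `window` seconds, counting the current request. */
static int rate_anomaly(const struct request *reqs, size_t idx,
                        unsigned window, unsigned threshold)
{
    unsigned count = 0;
    for (size_t i = 0; i <= idx; i++)
        if (strcmp(reqs[i].src, reqs[idx].src) == 0 &&
            reqs[idx].t - reqs[i].t <= window)
            count++;
    return count > threshold;
}

/* Combine the detectors; the first one that fires decides. An inline
 * sensor would drop the traffic here instead of returning a verdict. */
static enum verdict nips_inspect(const struct request *reqs, size_t idx)
{
    if (signature_match(reqs[idx].uri) >= 0) return BLOCK_SIGNATURE;
    if (protocol_anomaly(&reqs[idx]))        return BLOCK_PROTOCOL;
    if (rate_anomaly(reqs, idx, 10, 5))      return BLOCK_RATE;
    return ALLOW;
}

enum verdict sample_verdict(size_t idx) { return nips_inspect(sample, idx); }

/* Number of sample requests that would be dropped. */
int blocked_in_sample(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        if (nips_inspect(sample, i) != ALLOW)
            n++;
    return n;
}

int main(void)
{
    static const char *const names[] = { "allow", "block:signature",
                                         "block:protocol", "block:rate" };
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("%-9s %-4s %-48s %s\n", sample[i].src, sample[i].method,
               sample[i].uri, names[nips_inspect(sample, i)]);
    return 0;
}
```

Normalizing the URI before matching is the step that matters: the Nimda-style probe in the sample spells the backslash as %5c, and a byte-for-byte signature would miss it, which is exactly the kind of gap evasion tools exploit. A real sensor makes these decisions per packet or reassembled stream and drops the traffic inline rather than returning a verdict.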
Programming errors enable exploits like buffer-overflow attacks to overwrite
memory and crash or take over computer systems. To prevent these types of attacks
a software agent is loaded between the user application and the kernel. The agent
intercepts system calls to the kernel, inspects them against an access control list
defined by a policy, and then either allows or denies access to the resource. On
some IPS the agent checks against a database of specific attack signatures or
behaviors. It could also check against a database of known good behaviors or a set
of rules for a particular service. Either way, if a system call attempts to run
outside its allowed zone, the agent will stop the process.
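The sandbox approach of item 2 and the kernel-based agent described above both come down to one thing: a policy evaluated on every system call before the kernel carries it out. On Linux the stock mechanism for this is a seccomp-BPF filter. The program below is an added example written for this page (not a product's agent and not from the original paper); it assumes a Linux system on x86_64, aarch64 or i386 and a policy, chosen for the demonstration, that denies directory creation (mkdir/mkdirat) with EPERM while allowing everything else, then confirms the effect from a forked child.

```c
/* A minimal "agent between the application and the kernel": a seccomp-BPF
 * filter the kernel consults on every system call. Added illustration
 * (Linux only); the policy denies mkdir/mkdirat and allows the rest. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Deny the call and make it return -1 with errno = EPERM. */
#define DENY_EPERM \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* The access control list, expressed as a BPF program over seccomp_data. */
static struct sock_filter policy[] = {
    /* Refuse to run under a foreign ABI: compat/x32 number syscalls differently. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Look at the system call number and deny directory creation. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_mkdir
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdir, 0, 1),
    DENY_EPERM,
#endif
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
    DENY_EPERM,
    /* Everything else is inside the allowed zone. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Load the policy into the calling process. It is inherited by children
 * and cannot be removed afterwards. Returns 0 on success, -1 on failure. */
int install_policy(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof policy / sizeof policy[0]),
        .filter = policy,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Run the confined workload in a child so the caller stays unrestricted.
 * Returns 1 if mkdir was blocked with EPERM, 2 if it unexpectedly succeeded,
 * 3 if the policy could not be installed, -1 on fork/wait failure. */
int run_confined(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_policy() != 0)
            _exit(3);
        /* An allowed call still works... */
        if (getpid() <= 0)
            _exit(4);
        /* ...but the denied one fails as if by a permission check. */
        if (mkdir("/tmp/hips_demo_should_not_exist", 0700) == 0) {
            rmdir("/tmp/hips_demo_should_not_exist");
            _exit(2);
        }
        _exit(errno == EPERM ? 1 : 5);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("confined child result: %d (1 = mkdir blocked by policy)\n",
           run_confined());
    return 0;
}
```

Two details matter in practice. The filter checks the architecture field before the syscall number, because compat and x32 ABIs number system calls differently and an agent that skips this check can be bypassed by switching ABI. And PR_SET_NO_NEW_PRIVS is set first, so the filter cannot be used to confuse a later setuid program; it also makes the filter irreversible and inherited by children, which is what a last line of defense should be.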
Vendors are using a combination of the above-mentioned approaches to
ward off the combined attack types seen on today's networks. Even though the
approaches differ, the goal is the same: to stop attacks in real time before
they cause harm. Harm could be prevented by (Bobbitt)
· Protecting system resources – Trojan horses, rootkits, and backdoors
alter system resources like libraries, files and directories, registry settings, and
user accounts. By preventing alteration of these resources, hacking tools
cannot be installed.
· Stopping privilege escalation exploits – Privilege escalation attacks try to
give ordinary users root or administrator privileges. Disallowing access to the
resources that alter privilege levels can prevent this and blocks the Trojan
horses, rootkits, and backdoors that depend on it.
· Preventing buffer overflow exploits – By checking whether the code about
to be executed by the operating system came from a normal application or
from an overflowed buffer (for example, by refusing to execute instructions that
live in a writable data region such as the stack), these attacks can be stopped.
· Prohibiting access to the e-mail contact list – Many worms spread by mailing a
copy of themselves to everyone in the Outlook contact list. This can be halted by
prohibiting e-mail attachments from accessing Outlook's contact list.
· Preventing directory traversal – The directory traversal vulnerability found in
several web servers lets an attacker read files outside the web server's document
root, typically by placing "../" sequences, often encoded, in the requested path.
A mechanism that denies the web server access to files outside its document root
prevents such activity. Unix has the chroot system call, which confines a process
to a subtree of the file system for exactly this purpose.
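As an added example for the directory-traversal bullet (illustration code for this page, not from the paper or any web server), the following C function maps a requested path onto a document root with realpath(3) and refuses anything that resolves outside it. The document root, a sibling directory holding a "secret" file, and the request paths are a constructed fixture that demo_root() creates under /tmp.

```c
/* Confining a web server's file access to its document root: resolve the
 * requested path with realpath(3) and refuse anything that lands outside.
 * Added illustration; the files are a constructed fixture under /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map a request path onto the document root.
 * Returns  0 and fills `out` when the file is inside the root,
 *         -1 when the path cannot be resolved (missing file, too long),
 *         -2 when it resolves to something outside the root. */
int resolve_in_root(const char *root, const char *req, char *out, size_t outlen)
{
    char joined[PATH_MAX], real_root[PATH_MAX], real_path[PATH_MAX];

    while (*req == '/')            /* "/index.html" and "index.html" are the same */
        req++;
    if (snprintf(joined, sizeof joined, "%s/%s", root, req) >= (int)sizeof joined)
        return -1;
    /* realpath() collapses "." and ".." and follows symlinks, so a link
     * inside the root that points outside is caught as well. */
    if (!realpath(root, real_root) || !realpath(joined, real_path))
        return -1;                 /* fail closed: unresolvable means denied */

    size_t n = strlen(real_root);
    /* Prefix check that also rejects "/www2" when the root is "/www". */
    if (strncmp(real_path, real_root, n) != 0 ||
        (real_path[n] != '/' && real_path[n] != '\0'))
        return -2;
    if (strlen(real_path) >= outlen)
        return -1;
    strcpy(out, real_path);
    return 0;
}

/* Build the fixture once: <tmp>/www/index.html and <tmp>/www/sub (inside),
 * <tmp>/secret/key.txt (outside the root, the traversal target). */
const char *demo_root(void)
{
    static char root[PATH_MAX];
    if (root[0])
        return root;
    char base[] = "/tmp/ipsdemo.XXXXXX";
    if (!mkdtemp(base))
        return NULL;
    char p[PATH_MAX];
    snprintf(root, sizeof root, "%s/www", base);
    mkdir(root, 0700);
    snprintf(p, sizeof p, "%s/www/sub", base);
    mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/secret", base);
    mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/www/index.html", base);
    close(open(p, O_WRONLY | O_CREAT, 0600));
    snprintf(p, sizeof p, "%s/secret/key.txt", base);
    close(open(p, O_WRONLY | O_CREAT, 0600));
    return root;
}

/* What the server would do for one request path against the demo root. */
int serve_path(const char *req)
{
    char resolved[PATH_MAX];
    const char *root = demo_root();
    return root ? resolve_in_root(root, req, resolved, sizeof resolved) : -1;
}

int main(void)
{
    const char *tests[] = { "/index.html", "sub/../index.html",
                            "../secret/key.txt", "sub/../../secret/key.txt",
                            "missing.html" };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-28s -> %d\n", tests[i], serve_path(tests[i]));
    return 0;
}
```

Comparing resolved paths, rather than scanning the request for "../", also catches encoded and doubled-up variants and symlinks that point out of the root, and the trailing-separator check stops /www2 from passing as /www. chroot(2) is the kernel-enforced equivalent the paper mentions: after chroot() and a chdir() into the jail, no path the process opens can reach outside it, and a HIPS agent enforces the same confinement as a policy on the server's file-access system calls.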
Firewalls, anti-virus, and IDS each have their place in the security landscape,
each with its unique features. Depending on business needs, budget constraints,
and organizational requirements we need to draw up a security policy, and that
policy will determine the mix of components that must be installed to meet
security goals.
IPS adds to the defense-in-depth approach to security and is an evolution
of IDS technology. Its proactive capabilities will help to keep our networks safer
from more sophisticated attacks. Today the use of tunneling and encryption
puts more and more content out of the reach of perimeter controls. NIPS will
stop many attacks, but some will slip through, and HIPS is there to stop those.
HIPS, the last line of defense, provides "operating system hardening" with
greater granularity and application-specific control. Intrusion prevention is a
generic term. Before purchasing a product, study the detection and prevention
mechanisms the vendor has implemented against current attack methods and the
evasion techniques used with them.
Security is hard; some attacks could still slip through, and no amount of
automation can replace trained and vigilant security personnel. But tools like IPS
can reduce the tedium and provide a silver lining, if not a silver bullet!