Intrusion Prevention
IDS and IPS help identify and thwart potential attacks before it’s too late.

Intrusion detection and prevention systems have become more intelligent in recent years and now play a vital role in network security.

In the mid-1990s, when intrusion detection systems (IDSs) arrived on the security scene, they scanned network traffic and alerted IT departments of potential attacks, but they were passive devices by design and did nothing to directly thwart attacks, explains John Yun, Juniper Networks’ IDP product manager. While IDS products have matured, they have sometimes had a reputation for causing too many false positives.

Today, the next generation of devices — intrusion prevention systems (IPSs) — are more feature rich and not only detect but proactively block attacks, such as worms, Trojans, Denial of Service (DoS) attacks and hackers trying to break into networks, Yun says.

“The network devices have become smarter and faster. They’ve become a necessary part of network security,” says Jon Oltsik, senior analyst at Enterprise Strategy Group in Milford, Mass. “They sit on the network, look at all the packets and stop anything that can potentially do harm.” A network-based IPS, which typically sits behind the firewall, uses a combination of several detection capabilities to understand the context of network traffic, minimizing false positives and improving detection accuracy, Yun says.

Signatures scan traffic for predefined attack patterns, but the device can also detect malicious activities that are outside of normal traffic patterns, says Cisco product manager John Trollinger.

“It’s a box that can intelligently look at traffic from multiple perspectives,” Trollinger continues. “It learns the normal activity on the network, and if there’s any deviation, it’s intelligent enough to say it is bad traffic.” For example, “protocol anomaly detection” identifies attacks that try to exploit specific network protocols such as Simple Network Management Protocol (SNMP). The device is smart enough to detect when traffic using those protocols veers from the norm.

Traffic anomaly detection can identify attacks that cover multiple sessions. For example, it can detect a hacker who first scans for open ports from outside the network, then returns later to try to exploit any discovered vulnerabilities.

Another benefit of an IPS is the ability to protect applications and servers when new software vulnerabilities are found. IPS vendors typically develop new signatures within hours of a new vulnerability’s discovery, states 3Com System Engineer Jeff Barnes. That allows IT departments to protect the network until software vendors develop the necessary patches, he continues.

The IPS technology also allows IT departments to develop their own security policies, such as placing limits on peer-to-peer applications and instant messaging. To ensure quality of service for mission-critical applications, IPS also allows IT staffers to place bandwidth limits on less important applications.

An IPS also provides detailed security reports, which are important for IT departments that face government regulations that require security audits, such as the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act (HIPAA), says John Engels, Symantec’s group product manager.

Today’s IPS Market
Network-based IPS appliances, which reached about $700 million in sales at the end of 2006, will continue as standalone network devices through at least 2008, but most next-generation firewalls will include IPS functionality, states analyst firm Gartner in a December 2006 report.

Vendors are starting to integrate IPS functionality into other network security devices.

For example, the Juniper Networks Integrated Security Gateway (ISG) is an all-in-one device that primarily serves as a high-performance firewall and virtual private network (VPN), but it includes add-on modules for intrusion prevention. Cisco also offers IPS in a multifunction network security appliance as well as an add-on feature to its switches and routers.

Other network-based IPS vendors include IBM’s Internet Security Systems and McAfee.

A second type of IPS, called host-based IPS, is used to protect servers and computers, which provides a second layer of defense. Cisco, McAfee and Symantec are among the vendors that sell host-based IPSs.

Juniper’s Products
Juniper sells two sets of IPS products: standalone appliances and highly integrated security appliances that include firewall and VPN capabilities. Enterprises with an existing network infrastructure typically purchase the standalone appliances and place them right behind the firewall, Yun says.

Juniper’s standalone Intrusion Detection and Prevention (IDP) appliance comes in four models. The IDP 50 appliance delivers a maximum throughput of 50 megabits per second, while the IDP 200 offers a throughput of 250Mbps. The IDP 600 features speeds of 500Mbps, while the highest-end model, the IDP 1100, offers 1 gigabit per second (Gbps) throughput.

“The four models are designed for small, midsize and large enterprises, depending on their bandwidth requirements,” Yun explains.

IT departments that are building new networks or large enterprises requiring high throughput can purchase the integrated appliance, called the ISG Series with IDP, which comes in two models: the ISG 1000, which can deliver up to 1Gbps of throughput, and the ISG 2000, which provides up to 2Gbps of throughput.

Cisco’s Offerings
Cisco’s IPS products come in four flavors: as standalone appliances; as a module on Catalyst 6500 Switches; as a feature on Cisco routers; and as a module in the Cisco ASA 5500 Series multifunction appliance, which includes firewall and VPN capabilities. The heart of Cisco’s intrusion prevention solution is the Cisco IPS Sensor Software Version 6.0.

Cisco sells four versions of the IPS 4200 Series Sensor standalone appliances. The IDS 4215 Sensor features 80Mbps of throughput, while the IPS 4240 offers 250Mbps of throughput. The Cisco IPS 4255 provides 600Mbps speeds, while the Cisco IPS 4260 offers 1Gbps speeds.

The company also offers a host-based IPS solution, called the Cisco Security Agent, for servers and computers.

Cisco’s network and host-based IPS offerings are managed by Cisco MARS (Security Monitoring, Analysis and Response System), software that allows IT departments to centrally monitor their security devices, so they can identify and remove security threats, Trollinger says.

Cisco MARS correlates all the security data to provide the best possible protection for customers, he continues. It also
produces audit compliance reports to help organizations meet government regulations.

Symantec’s Host-based IPS
Symantec offers Symantec Critical System Protection (CSP), host-based IPS software for protecting servers from security threats, such as buffer overflow attacks. “It provides a shield around the applications in the data center,” Symantec’s Engels says.

CSP is flexible software that allows IT administrators to write their own rules or use a default set of security policies, he continues.

Symantec also sells Symantec Client Security and Symantec Sygate Enterprise Protection, which include host-based firewall and network IPS software for computers. Securing notebook computers against network-based attacks, for example, is important if users are away from the office.

“It looks at the traffic off your Network Interface Card [NIC] and intercepts attacks from the Internet,” he says.

Symantec Client Security includes a firewall, antispyware and antivirus protection. Symantec Sygate Enterprise Protection also offers firewall features. The company is merging the two products and plans to release the new combined product in June, Engels reveals.

Good Reviews for IPS
Web hosting company MaximumASP and The Howard Hughes Medical Institute (HHMI) are proactively protecting their networks with IPSs.

MaximumASP, a six-year-old company based in Louisville, Ky., specializes in the Microsoft platform, hosting more than 30,000 Web applications for thousands of customers in more than 70 countries. MaximumASP is bombarded by up to 500,000 attacks an hour, says Silas Boyle, the company’s managing partner. The company operates two core networks that run concurrently and mirror each other in the data center. The IT staff has installed an IPS appliance in front of each network. The company has also deployed Snort, an open-source intrusion detection and prevention system, providing the IT staff a second pair of eyes to verify the main IPS appliance’s conclusions, according to Eric Peek, MaximumASP’s director of security.

Prior to installing the IPS appliance two years ago, managing and defending the network from attacks was a full-time job for staff members. Now, with the IPS detecting and blocking attacks, a smaller security team monitors the device to make sure it’s working.

“Blocking attacks manually took a lot of time and you can very easily miss attacks,” Peek says. “If there were many attacks, you just focused on the top attacks. But IPS devices do everything for you. They make it a lot more manageable.”

When an operating system or software vulnerability is found, researchers from the IPS vendor develop signatures to protect servers and applications within three hours, Peek says. So even though Microsoft may take a few days to create a patch, the IPS vendor’s signatures are protecting the servers.

MaximumASP uses management software to monitor attacks and review the performance of the commercial IPS devices. The company can also personalize security for each customer by writing rules enforced by the IPS devices.

If a client wants to lock down something or allow certain types of traffic through, MaximumASP can configure the IPS to block or let the traffic through, Boyle says.

For example, some customers want to block SQL injection commands, while others approve of them. The technology isn’t 100 percent perfect. A new signature can sometimes cause a false positive, in which legitimate activity is flagged as a threat. If that happens, MaximumASP blocks those signatures unless a particular customer wants them used, Peek explains.

Overall, MaximumASP is pleased with the technology, which has stopped everything from viruses to DoS attacks.

“It works in the application layer and digs all the way into the packet to look for attacks,” Peek says. “It’s a pretty good buffer.”

Protecting Critical Data
HHMI researchers are advancing the development of therapies and cures for cancer and other chronic and life-threatening diseases, so it’s critical that the IT department protects the integrity of research data.

Spartaco Cicerchia, manager of network and information security, has deployed two types of IPS at HHMI’s Janelia Farm Research Campus, a new 689-acre facility in Ashburn, Va., that currently houses about 250 scientists. The IPS devices not only detect attacks, but they block them from entering and wreaking havoc on the network.

“We are guarding data that will ultimately be divulged to the public maybe 12 months down the road, but it’s still classified knowledge,” says Cicerchia, who has six staffers who help him manage network security, VoIP, e-mail, file sharing and other services. “We have a collection of very bright researchers who come from leading institutions across the nation, and we don’t want people to run off with their intellectual property.”

HHMI is protecting its network and data with a layered security approach, using an IPS device in front of the firewall and another IPS device behind the firewall. Cicerchia explains the strategy with an analogy of going to a nightclub, where a bouncer first checks to make sure club-goers are dressed appropriately before letting them in. In addition, security guards are inside the club to make sure people behave, he says.

“We deployed one outside the firewall, mainly to understand who’s knocking at the door, and we used one inside our firewall to see if anyone has gotten in,” he explains.

The Janelia Farm Research Campus standardized on Juniper Networks’ network security products: the two IPS devices, a Juniper NetScreen-5400 firewall and the Secure Access 6000 SSL VPN device. For redundancy, Cicerchia bought duplicates of each and installed them in a cluster, so if one of the devices fails, the other one takes over.

Juniper Networks’ Integrated Security Gateway (ISG) 2000, which sits in front of the 5400 firewall, is essentially another firewall but with three add-on modules that have intrusion-prevention capabilities.

The three modules, which according to Juniper can deliver up to 2 Gbps of throughput, allow the research institute to scan all incoming network traffic without creating bottlenecks.

“If it sees an oncoming attack, ISG screens the traffic before it gets to the main firewall,” Cicerchia says. “It doesn’t touch our real production environment.”

Beyond the 5400 firewall is the IDP 1100, Juniper’s high-end IPS product with 1Gbps throughput. The device uses a handful of detection and prevention techniques to thwart attacks, including stateful signatures, which scan for known attack patterns, and protocol and traffic anomaly detection, which compares normal traffic patterns and identifies deviations.

Cicerchia and his staff review the network traffic reports to make sure the devices are stopping attacks and working properly. “We corroborate the data and see what is legitimate activity and not legitimate activity.”

Cicerchia says the intrusion prevention technology is easy to install and manage. He manages the security products with NetScreen Security Manager (NSM), Juniper’s management software that allows him to centrally manage and monitor the security devices.
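The three detection techniques this article describes, first in the opening section (signatures, protocol anomaly detection on SNMP, and traffic anomaly detection that links an earlier port scan to a later connection) and again for HHMI’s IDP 1100 (stateful signatures plus protocol and traffic anomaly detection), together with the per-customer signature exception MaximumASP uses to handle false positives, as one added worked example in Python. This is illustrative code written for this page, not Juniper’s, Cisco’s, Snort’s or MaximumASP’s implementation. Everything in it is an assumption for the sake of the demonstration: the flow records and addresses are constructed, the signature patterns are stand-ins for a vendor feed, the SNMP check only looks at the outer BER SEQUENCE header, and the scan threshold of ten distinct ports is arbitrary.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One TCP connection or UDP datagram as the sensor sees it (constructed input)."""
    ts: float               # seconds since start of observation
    src: str
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    payload: bytes = b""
    completed: bool = True  # False = SYN probe that never completed the handshake


# Stateful signatures: (name, proto, port, upper-cased byte pattern). Hypothetical
# patterns standing in for the vendor-supplied feeds the article describes.
SIGNATURES = [
    ("sqli-union-select", "tcp", 80, b"UNION SELECT"),
    ("sqli-or-true", "tcp", 80, b"' OR 1=1--"),
]


class Ips:
    """Toy inline IPS: each flow gets an allow/block verdict and the alerts behind it."""

    def __init__(self, scan_threshold=10, suppressed=None):
        self.scan_threshold = scan_threshold
        # Per-destination suppression: {dst_ip: {signature names that tenant opted out of}}
        self.suppressed = suppressed or {}
        self.probed = defaultdict(set)  # src -> ports it probed without completing
        self.scanners = set()           # sources that crossed the scan threshold

    def signature_alerts(self, f):
        body = f.payload.upper()
        hits = []
        for name, proto, port, pattern in SIGNATURES:
            if f.proto == proto and f.dport == port and pattern in body:
                if name in self.suppressed.get(f.dst, set()):
                    continue  # tenant accepts this traffic: a known false positive for them
                hits.append(name)
        return hits

    def protocol_anomaly(self, f):
        # SNMP is BER-encoded: a message is a SEQUENCE (tag 0x30) whose short-form length
        # octet must match the bytes that follow. Assumed check; real engines decode the PDU.
        if f.proto == "udp" and f.dport == 161:
            p = f.payload
            if len(p) < 2 or p[0] != 0x30:
                return "snmp-not-ber-sequence"
            if p[1] < 0x80 and p[1] != len(p) - 2:
                return "snmp-length-mismatch"
        return None

    def traffic_anomaly(self, f):
        # Cross-session correlation: remember who probed which ports, then flag a later
        # completed connection from that source to a port it probed.
        if f.proto != "tcp":
            return None
        if not f.completed:
            self.probed[f.src].add(f.dport)
            if len(self.probed[f.src]) >= self.scan_threshold:
                self.scanners.add(f.src)
                return "port-scan"
            return None
        if f.src in self.scanners and f.dport in self.probed[f.src]:
            return "connect-after-scan"
        return None

    def inspect(self, f):
        alerts = self.signature_alerts(f)
        alerts += [a for a in (self.protocol_anomaly(f), self.traffic_anomaly(f)) if a]
        return ("block" if alerts else "allow", alerts)

    def run(self, flows):
        return [self.inspect(f) for f in sorted(flows, key=lambda x: x.ts)]


def sample_flows():
    """Constructed traffic: a ten-port scan, a return visit an hour later, the same SQL
    injection probe against two tenants, and a malformed plus a well-formed SNMP datagram."""
    flows = [Flow(float(i), "203.0.113.5", "192.0.2.10", 20 + i, "tcp", completed=False)
             for i in range(10)]
    flows += [
        Flow(3600.0, "203.0.113.5", "192.0.2.10", 22, "tcp", b"SSH-2.0-probe"),
        Flow(3601.0, "198.51.100.7", "192.0.2.10", 80, "tcp", b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
        Flow(3602.0, "198.51.100.7", "192.0.2.11", 80, "tcp", b"GET /?id=1 union select 1,2 HTTP/1.1"),
        Flow(3603.0, "198.51.100.8", "192.0.2.12", 161, "udp", b"\xff" + b"A" * 300),
        Flow(3604.0, "198.51.100.9", "192.0.2.12", 161, "udp", b"\x30\x03\x02\x01\x00"),  # SEQUENCE{INTEGER 0}
        Flow(3605.0, "198.51.100.9", "192.0.2.11", 80, "tcp", b"GET /index.html HTTP/1.1"),
    ]
    return flows


def demo():
    # Tenant 192.0.2.10 has opted out of the UNION SELECT signature, the per-customer
    # exception MaximumASP describes for signatures that misfire on legitimate traffic.
    ips = Ips(scan_threshold=10, suppressed={"192.0.2.10": {"sqli-union-select"}})
    return ips.run(sample_flows())


if __name__ == "__main__":
    for flow, (action, alerts) in zip(sorted(sample_flows(), key=lambda x: x.ts), demo()):
        print(f"{flow.ts:7.1f} {flow.src:>13} -> {flow.dst}:{flow.dport:<4} {action:5} {alerts}")
```

Running it shows the tenth probe tripping "port-scan", the SSH connection an hour later from the same source being blocked as "connect-after-scan" even though nothing in that single session looks hostile, the identical SQL injection probe allowed for the tenant that opted out and blocked for the one that did not, and the non-BER SNMP datagram dropped while the structurally valid one passes. The same correlation rule would also fire on an administrator who scans a host and then logs in to it, which is the kind of false positive the article warns about: in practice the threshold, the aging of scan state and the per-customer exceptions are what separate a usable inline IPS from one that blocks legitimate traffic.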