intrusion analysis. The underlying operating system of the platform on which the NIPS software is mounted is stripped of unnecessary network services, and essential services are secured. The hardware includes these components:
- Network interface card (NIC): NIPS must be able to connect to any network (Ethernet, FastEthernet, and Gigabit Ethernet are common).
- Processor: Intrusion detection requires CPU power to perform intrusion detection protocol analysis and pattern matching.
- Memory: Intrusion detection analysis is memory-intensive. The amount of memory that is available directly affects the ability of a NIPS to detect an attack efficiently and accurately.
NIPS gives security managers real-time security insight into their networks regardless of network growth. Additional hosts can be added to protected networks without needing additional sensors. When new networks are added, additional sensors are easy to deploy. Additional sensors are only required when the rated traffic capacity of the sensor is exceeded, when a sensor's performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries.

NIDS and NIPS Deployment
The figure shows an example configuration of a network IDS (NIDS) and NIPS deployment. For NIPS and NIDS, the placement of sensors in the network is of crucial importance. You must deploy sensors at network entry points that protect critical network segments. The network segments have internal and external corporate resources. The sensors report to the Management Server that is located inside the corporate firewall.
- Advantages of network IPS and IDS: A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network. Seeing attacks against the entire network gives a clear indication of the extent to which the network is being attacked. Furthermore, because the monitoring system is only examining traffic from the network, the system does not have to support every type of operating system that is used on the network.
- Disadvantages of network IPS and IDS: Encryption of the network traffic stream can effectively blind the sensor. Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest drawback to network-based monitoring is that as networks become increasingly larger (with respect to bandwidth), it becomes more difficult to place the sensor at a single location in the network and successfully capture all the traffic. Eliminating this problem requires the use of more sensors throughout the network, which increases costs.
6.4 Introducing Cisco IOS IPS
6.4.5 Signature-Based IDS and IPS
Signature-based pattern matching refers to searching for predefined content or a fixed sequence of bytes in a single packet. A signature-based approach is fairly rigid, but simple to employ. In most cases, the signature pattern is matched only if the suspect packet is associated with a particular service or, more precisely, destined to or from a particular port. This method decreases the amount of inspection that the network performs on every packet. However, this approach makes it more difficult for systems to deal with protocols that do not reside on well-defined ports and, in particular, Trojan horses and their associated traffic, which can usually be moved at will.
Initially, this approach might send many alerts, many of which are associated with traffic that is not a threat for the network. After the system is tuned and adjusted to the specific network parameters, there will be fewer false alerts than with the policy-based approach. The figure shows and describes how signature-based IDS and IPS work. To determine an attack signature, which is usually a well-known pattern of attack, IDS and IPS inspect packet headers or data payloads and match them against a signature database. A signature is a sequence or a string of bytes in a certain context. The context may be the position of the sequence in the data flow, a part of a valid command in the application layer protocol, or a combination of options in the IP datagram. The following are some signature examples:
- Attacks against a web server are usually in the form of specially crafted URLs, so the IDS and IPS look for the signature at the start of the data flow, which begins with an HTTP request from the client.
- An attack against a Simple Mail Transfer Protocol (SMTP) server may be in the form of a buffer overflow in the MAIL FROM command of the SMTP session. IDS and IPS look for an attack signature in the SMTP session that starts with the MAIL FROM command and includes a particular pattern before the end of the line.
- An attack on the mail client may be in the form of a buffer overflow in the Multipurpose Internet Mail Extension (MIME) header of the message itself. IPS or IDS will look for the sequence of bytes that identifies the start of a new MIME part in the message and a sequence of bytes that compose a buffer overflow following the message.
These examples illustrate that signature-based IDS and IPS only detect attacks that have been entered into a database by the vendor or the administrator. Usually, IDS and IPS are unable to detect undiscovered or unreported attacks (zero-day attacks). Therefore, all signature-based IDSs and IPSs place a certain amount of burden on the administrators, as the administrator must regularly update the signature database. Usually, the manufacturers publish database updates. If not, the administrator must create custom signatures that guard against these attacks.
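The context-dependent matching described above (a service port, a pattern at the start of the HTTP data flow, a MAIL FROM pattern completed before the end of the line), as an added Python example that is not part of the course material. The signature IDs, length thresholds and sample flows are constructed for illustration and are not Cisco IOS IPS signatures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    port: int       # service context: only traffic to this destination port is inspected
    pattern: bytes  # regular expression over the payload bytes
    anchor: str     # "flow_start": must match at the beginning of the data flow
                    # "line": must match within a single command line (before end of line)


def matches(sig, dst_port, payload):
    """True if the payload triggers the signature in its required context."""
    if dst_port != sig.port:
        return False  # cheap service check avoids full inspection of unrelated traffic
    if sig.anchor == "flow_start":
        return re.match(sig.pattern, payload) is not None
    return any(re.search(sig.pattern, line) for line in payload.split(b"\r\n"))


def inspect(flows, signatures):
    """Return (flow_name, sig_id) for every flow that matches a signature."""
    return [(name, sig.sig_id) for name, dst_port, payload in flows
            for sig in signatures if matches(sig, dst_port, payload)]


# Constructed signatures (hypothetical IDs, not Cisco IOS IPS signatures)
SIGNATURES = [
    # HTTP: an over-long URL in the request line that opens the client's data flow
    Signature("HTTP-LONG-URL", 80, rb"^(GET|POST) /\S{200,} HTTP/1\.[01]", "flow_start"),
    # SMTP: a MAIL FROM argument of 300+ bytes that completes before the end of the line
    Signature("SMTP-MAILFROM-LONG", 25, rb"^MAIL FROM:\s*<?[^\r\n]{300,}", "line"),
]

# Constructed flows: (name, destination port, payload). Not captured traffic.
FLOWS = [
    ("http-normal", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("http-long-url", 80, b"GET /" + b"A" * 250 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("smtp-normal", 25, b"HELO mail.example.test\r\nMAIL FROM:<alice@example.test>\r\n"),
    ("smtp-long", 25, b"HELO mail.example.test\r\nMAIL FROM:<" + b"B" * 400 + b"@example.test>\r\n"),
    # Same bytes on a non-SMTP port: the service context suppresses the match
    ("other-port", 8080, b"MAIL FROM:<" + b"B" * 400 + b"@example.test>\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(FLOWS, SIGNATURES):
        print("ALERT", *alert)
```

The same 400-byte argument on port 8080 produces no alert, which is the reduced inspection the text describes and also its weakness against services moved off their well-known ports.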
6.4 Introducing Cisco IOS IPS
6.4.6 Policy-Based IDS and IPS
The policy-based approach uses an algorithm on which to base alarm decisions. An example of this type of policy is a policy that is used to detect a port sweep. This policy looks for the presence of a threshold number of unique ports being scanned on a particular machine. The policy may further restrict itself through the specification of the types of packets that the policy is interested in (for example, SYN packets). Additionally, there may be a requirement that all the probes must originate from a single source. Policies of this type require some threshold manipulations to make them conform to the use patterns on the network that they are monitoring. This type of policy can be used to look for very simple statistical events or complex relationships. The figure shows and describes how policy-based IDS and IPS work. Policy-based IDS and IPS block the traffic or send an alarm if a violation of a configured policy occurs. A policy-based system is a popular method of detection, especially if unknown attacks need to be detected. Policy-based IDS and IPS must have a clear representation of what the security policy is. For example, you can write a network access policy in terms of permissions, listing which networks can communicate with which other networks using which protocols. Some security policies are hard to incorporate into IDS and IPS. For example, if browsing of pornographic, hacking, or "warez" (illegally copied, pirated software) sites is not allowed, the system must be able to communicate with some type of blacklist database to check if a policy violation has occurred.
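The port-sweep policy described above, as an added Python example rather than course material: a threshold of distinct destination ports per target, optionally restricted to SYN packets and to a single source, run over constructed sample traffic. The addresses, ports and threshold values are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class SweepPolicy:
    """Tunable parameters of the port-sweep policy described in the text."""
    port_threshold: int = 10    # distinct ports on one host before an alarm
    syn_only: bool = True       # count only connection attempts (SYN without ACK)
    single_source: bool = True  # require all probes to come from one source


def detect_port_sweeps(packets, policy):
    """packets: iterable of (src_ip, dst_ip, dst_port, tcp_flags).
    Returns {(src_or_None, dst): sorted distinct ports} for each target whose
    distinct-port count reaches the threshold."""
    seen = defaultdict(set)
    for src, dst, port, flags in packets:
        if policy.syn_only and (not flags & SYN or flags & ACK):
            continue  # replies and established-flow segments are not probes
        key = (src, dst) if policy.single_source else (None, dst)
        seen[key].add(port)
    return {k: sorted(p) for k, p in seen.items() if len(p) >= policy.port_threshold}


def sample_packets():
    """Constructed traffic for illustration, not a real capture."""
    pkts = []
    for i in range(5):  # legitimate client reusing two services, plus server replies
        pkts.append(("198.51.100.7", "192.0.2.10", 80, SYN))
        pkts.append(("198.51.100.7", "192.0.2.10", 443, SYN))
        pkts.append(("192.0.2.10", "198.51.100.7", 51000 + i, SYN | ACK))
    for p in range(20, 32):  # one source walking twelve ports on one host
        pkts.append(("203.0.113.5", "192.0.2.10", p, SYN))
    for i in range(12):  # twelve sources each touching one port on a second host
        pkts.append((f"203.0.113.{100 + i}", "192.0.2.20", 1000 + i, SYN))
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    print("default policy:", detect_port_sweeps(pkts, SweepPolicy()))
    # Too low a threshold turns the legitimate client into a false alarm
    print("threshold=2:", detect_port_sweeps(pkts, SweepPolicy(port_threshold=2)))
    # Relaxing the single-source requirement catches the distributed probe
    print("any source:", detect_port_sweeps(pkts, SweepPolicy(single_source=False)))
```

Dropping the SYN-only restriction makes the server's own SYN-ACK replies look like a sweep of the client's ephemeral ports, which is why the packet-type restriction matters as much as the threshold.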
6.4 Introducing Cisco IOS IPS
6.4.7 Anomaly-Based IDS and IPS
Anomaly-based signatures typically look for network traffic that deviates from what is considered "normal." The main issue regarding this methodology is the definition of "normal." Some systems have hard-coded definitions of normal traffic patterns. Other systems are designed to learn normal traffic behavior, but the challenge with these systems is to eliminate the possibility of improperly classifying abnormal behavior as normal. Consequently, while relatively easy to implement in small environments, the anomaly-based approach can be difficult to