Network intrusion detection systems. Integration and optimization of production processes


IDS/IPS systems are specialized tools designed to protect networks from unauthorized access. They are hardware or software tools that can quickly detect and effectively prevent intrusions. Among the measures taken to achieve the key goals of IDS/IPS are informing information security specialists about attempted hacker attacks and malware infections, disconnecting connections with attackers, and reconfiguring the firewall to block access to corporate data.

What are network intrusion detection systems used for?

Cyberattacks are one of the main problems faced by entities that own information resources. Even well-known antivirus programs and firewalls are only effective at protecting the obvious access points to networks. However, attackers are able to find bypass paths and vulnerable services even in the most advanced security systems. Given such a danger, it is not surprising that foreign and Russian UTM solutions are becoming increasingly popular among organizations that want to eliminate the possibility of intrusion and the spread of malware (worms, Trojans and computer viruses). Many companies decide to purchase a certified firewall or other tool for comprehensive information protection.

Features of intrusion detection systems

All intrusion detection and prevention systems existing today share several common properties, functions and tasks that information security specialists use them to solve. Such tools in fact continuously analyze the operation of particular resources and identify any signs of atypical events.

The security of corporate networks can rely on several technologies, which differ in the types of incidents detected and the methods used to detect them. In addition to constant monitoring and analysis of what is happening, all IDS systems perform the following functions:

  • collecting and recording information;
  • notifications to network administrators about changes that have occurred (alert);
  • creating reports to summarize logs.

IPS technology, in turn, complements the one described above, as it is capable of not only identifying the threat and its source, but also blocking them. This also indicates the expanded functionality of such a solution. It is capable of performing the following actions:

  • terminate malicious sessions and prevent access to critical resources;
  • change the configuration of the “protected” environment;
  • perform actions on attack tools (for example, delete infected files).

It is worth noting that the UTM firewall and any modern intrusion detection and prevention system are an optimal combination of IDS and IPS technologies.

How malicious attacks are detected

IPS technologies use methods based on signatures, i.e. patterns with which corresponding incidents are associated. Signatures can describe connections, incoming emails, operating system logs, etc. This detection method is extremely effective against known threats, but very weak against attacks for which no signature exists.

Another intrusion detection method, called HIPS, involves statistically comparing the activity level of ongoing events with the normal activity level obtained during a so-called “training period.” This method can complement signature filtering and block hacker attacks that managed to bypass it.

Summarizing the functions and operating principles of IDS and IPS intrusion prevention systems, we can say that they solve two major problems:

  • analysis of information network components;
  • adequate response to the results of this analysis.

Suricata attack detectors

One of the IPS intrusion prevention solutions is attack detectors, which are designed to identify a variety of malicious threats in a timely manner. In Internet Control Server they are implemented in the form of the Suricata system: an advanced, multi-threaded and very productive tool designed for preventive protection of networks, as well as for collecting and storing information about any incoming signals. The attack detector operates on signature analysis and heuristics, and its convenience is due to open access to the source code. This approach allows you to configure the system's operating parameters to solve individual problems.

Suricata's editable parameters include the rules to which traffic analysis will be subject, filters that limit the display of warnings to administrators, address ranges of different servers, active ports and networks.

Thus, Suricata as an IPS solution is a fairly flexible tool, the functioning of which is subject to changes depending on the nature of the attack, which makes it as effective as possible.

The ICS records and stores information about suspicious activity, and blocks botnets, DoS attacks, as well as Tor, anonymizers, P2P and torrent clients.

When opening the module, its status, the “Disable” button (or “Enable” if the module is disabled) and the latest log messages are displayed.

Settings

In the settings tab, you can edit the parameters of the attack detector. Here you can specify internal, external networks, address ranges of various servers, as well as the ports used. All these variables are assigned default values, with which the attack detector can start correctly. By default, traffic on external interfaces is analyzed.

Rules

The attack detector can be connected to rules with which it will analyze traffic. On this tab, you can view the presence and contents of a particular rules file, as well as enable or disable it (using the checkboxes on the right). In the upper right corner there is a search by name or number of the rules in the file.

Filters

In order to configure restrictions on the output of warnings by the attack detector, you need to go to the “Filters” tab. Here you can add the following restrictions:

  • filter by number of messages;
  • filter messages by frequency of occurrence;
  • mixed type filter;
  • ban on messages of a certain type.

When setting up, you must remember that the “Rule Id” field in different filters should be different.


Dmitry Volkov
Head of IT Incident Investigation, Group-IB

Modern development of IPS

Network intrusion prevention systems (IPS) can be either an effective tool for security people or an expensive piece of hardware that sits around gathering dust. To ensure that an IPS system does not become a disappointment, it must at least meet the following requirements that must be taken into account when choosing it.

The system should:

  1. have a wide range of models that meet the requirements of both small regional offices and the main enterprise with multi-gigabit networks;
  2. support not only signature analysis, but also anomalous protocol analysis, and, of course, behavioral analysis;
  3. provide a clear picture of the network and the devices connected to it;
  4. provide work in IDS mode, carry out behavioral analysis, have tools for conducting investigations;
  5. have centralized management of installed IPS/IDS systems;
  6. have good analysis tools to effectively improve security policies.

IDS/IPS systems are most often connected where there are critical resources. But in addition to the fact that it is necessary to block attacks on these resources, you should constantly monitor them, namely: know which of these resources are vulnerable and how their behavior on the network changes. Therefore, it is necessary to add additional functionality to IDS/IPS systems, allowing them to protect the required resources more reliably, while reducing the cost of ownership. So, protection can be carried out in three phases - IPS, Adaptive IPS, Enterprise Threat Management. The functionality of each subsequent phase includes all the functions from the previous phase and is expanded with new ones.


Phase 1. You can monitor and/or block attacks that exploit thousands of vulnerabilities; that is, standard IPS sensors and their control centers.

Phase 2. It becomes possible to explore the network, prioritize events and automate IPS configuration.

Phase 3. Complete possible functionality to protect the corporate network before, during and after an attack.

ETM is the first manifestation of the awareness that protecting information assets requires working smarter, not harder. From a technology perspective, ETM is a combination of four threat and vulnerability management technologies combined into a single, centrally managed solution. As a result, this solution provides more capabilities than each product alone. As shown in Fig. 3, ETM consists of an intrusion prevention system (IPS), network behavioral analysis (NBA), network access control (NAC), vulnerability analysis (VA), communication subsystem and centralized management.

Comparison of IPS manufacturers

Figure 4 shows which of the IPS system manufacturers are in the lead. But, without being tied to Gartner, let’s look at what functionality each manufacturer has.

As you can see, some lack important features such as packet-level investigation and rule viewing and creation. Without such capabilities, it is sometimes completely unclear why the system issues warnings, and figuring out the reason for these warnings takes a lot of time.

The lack of a mechanism for creating compliance policies also imposes certain limitations. For example, in an external audit it is useful to demonstrate how your policies are actually being implemented. Further comments are unnecessary, since the true state of affairs will become clear only after actual implementation in an industrial environment.

It must be remembered that ensuring network security is a complex task, and disparate solutions do not always provide a unified picture and lead to additional costs.

Short review

Cisco Systems

Reliable solutions with excellent support, but difficult to configure; signature analysis gives many false positives, and the management interface does not allow adequate analysis of recorded events when there are large numbers of them. For full functionality, additional investment in Cisco Security Monitoring, Analysis and Response System (CS-MARS) is required.

Tipping Point

The systems of this manufacturer are easy to configure and install. They have a good control interface, but can only be connected inline (in the traffic path), that is, without passive detection. They do not allow you to expand the functionality and are simply an IDS/IPS system.

At one of the conferences, a TippingPoint representative said in his speech that their equipment can be set up and forgotten about, and that this is their security strategy.

Perhaps someone shares this view, but it’s hard for me to agree with it. Any security tool must be monitored, otherwise you will never get the proper return from it. For example, if someone persistently tries to hack your affiliate portal and failed the first two times thanks to the IPS system, then the third time he will succeed, and without monitoring the IPS system you will not know this and will not be able to prevent subsequent attempts.

Juniper Networks

No matter what analysts from Gartner or other publications write, it is difficult to say anything good about their products. The system is terribly difficult to set up. The NSM management console is very limited. The results are displayed in such a way that one gets the impression the developers wanted them to be looked at as little as possible, hoping that the attacks were actually repelled.

Sourcefire

Perhaps the best system. Everything is convenient. The functionality is incredibly wide. In addition, the system already has built-in capabilities for detailed data collection about attacking and attacked nodes, not just IP and MAC addresses, which greatly reduces the time needed to analyze events. Such information also includes the history of connections, opened and then closed ports, types of transmitted addresses, user names if, for example, the transfer was via FTP or e-mail, and, of course, the e-mail address itself. In large networks it can become an indispensable means of protection. They have been releasing their solutions since 2001, but entered the Russian market only recently.

Conclusion

There is no point in introducing a whole series of new products that each solve only one problem. Static security tools cannot protect a dynamic environment. It is necessary to protect your employees' time and their efforts. Let them work better, not harder. Reduce the cost of supporting a heterogeneous environment. Reduce the time spent analyzing data from multiple consoles and reports. Spend your money wisely before your security systems cost you more than the risks you're protecting against.

In an ideal world, only those you need come into your network - colleagues, friends, company employees... In other words, those you know and trust.

In the real world, it is often necessary to give access to the internal network to clients, software vendors, etc. At the same time, thanks to globalization and the widespread development of freelancing, access to people you do not know very well and do not trust is already becoming a necessity.

But as soon as you come to the decision that you want to open access to your internal network 24/7, you should understand that not only “good guys” will use this “door”. Usually, in response to such a statement, you can hear something like “well, this is not about us, we have a small company,” “who needs us,” “there’s no point in breaking what we have.”

And this is not entirely true. Even if you imagine a company where there is nothing on its computers except a freshly installed OS, these are resources. Resources that can work. And not only for you.

Therefore, even in this case, these machines can become the target of attackers, for example, to create a botnet, Bitcoin mining, hash cracking...

There is also the option of using machines on your network to proxy an attacker's requests. Their illegal activity will then pass through your network and, at a minimum, add headaches for the company in the event of litigation.

And here the question arises: how to distinguish legal actions from illegal ones?

Actually, this question should be answered by an intrusion detection system. With its help, you can detect most well-known attacks on your network, and have time to stop the attackers before they get to anything important.

Usually, at this point in the discussion, the thought arises that what is described above can be done by a regular firewall. And that is partly, but not entirely, correct.

The difference between firewall and IDS functions may not be visible at first glance. But an IDS can usually understand packet content (headers and payload, flags and options), not just ports and IP addresses. That is, an IDS understands the context, which a firewall usually cannot. Based on this, we can say that an IDS performs the functions of a firewall, but more intelligently. A regular firewall typically cannot handle a situation where, for example, you need to allow connections on port 22 (ssh) but block only those packets that contain certain signatures.

Modern firewalls can be supplemented with various plugins that do similar things related to deep inspection of packets. Often such plugins are offered by IDS vendors themselves to strengthen the firewall and IDS combination.

As an abstraction, you can think of an IDS as an alarm system for your home or office. IDS will monitor the perimeter and let you know when something unexpected happens. But at the same time, IDS will not prevent penetration in any way.

And this feature leads to the fact that in its pure form, IDS is most likely not what you want from your security system (most likely, you will not want such a system to protect your home or office - it does not have any locks).

Therefore, now almost any IDS is a combination of IDS and IPS (Intrusion Prevention System).

Next, you need to clearly understand the difference between IDS and VS (Vulnerability Scanner). And they differ in the principle of action. Vulnerability scanners are a preventive measure. You can scan all your resources. If the scanner finds something, you can fix it.

But, after the moment you have scanned and before the next scan, changes may occur in the infrastructure, and your scan loses its meaning, since it no longer reflects the real state of affairs. Such things as configurations, settings of individual services, new users, rights of existing users, and new resources and services added to the network can change.

The difference with IDS is that it performs detection in real time, against the current configuration.

It is important to understand that an IDS, in fact, knows nothing about vulnerabilities in services on the network. It does not need to. It detects attacks according to its own rules, based on the appearance of signatures in network traffic. Thus, if the IDS contains, for example, signatures for attacks on the Apache web server, but you do not run it anywhere, the IDS will still detect packets with such signatures (perhaps someone is trying to send an Apache exploit to nginx out of ignorance, or an automated toolkit is doing so).

Of course, such an attack on a non-existent service will lead to nothing, but with IDS you will be aware that such activity is taking place.

A good solution is to combine periodic vulnerability scans with IDS/IPS enabled.

Intrusion detection methods. Software and hardware solutions.

Today, many vendors offer their IDS/IPS solutions. And they all sell their products in different ways.

These differences stem from different ways of categorizing security events, attacks and intrusions.

The first thing to consider is the scale: will the IDS/IPS work only with the traffic of a specific host, or will it examine the traffic of the entire network.

Secondly, there is how the product is initially positioned: it can be a software solution or a hardware one.

Let's look at the so-called Host-based IDS (HIDS, Host-based Intrusion Detection System).

HIDS is an example of a software implementation of a product and is installed on one machine. Thus, a system of this type “sees” only the information available to that machine and, accordingly, detects only attacks affecting it. The advantage of this type of system is that, being on the machine, it sees its entire internal structure and can monitor and check many more objects, not just external traffic.

Such systems typically monitor log files, try to identify anomalies in event streams, store checksums of critical configuration files, and periodically compare whether someone has changed these files.

Now let's compare such systems with the network-based systems (NIDS) that we talked about at the very beginning.

For NIDS to work, essentially only a network interface is required from which NIDS can receive traffic.

Next, all NIDS does is compare traffic with predefined attack patterns (signatures), and as soon as something falls under the attack signature, you receive a notification about an intrusion attempt. NIDS are also capable of detecting DoS and some other types of attacks that HIDS simply cannot see.

You can approach the comparison from the other side:

If you choose an IDS/IPS implemented as a software solution, you control what hardware you install it on. And, if you already have hardware, you can save money.

There are also free IDS/IPS options available as software. Of course, you need to understand that with free systems you do not get the same support, speed of updates and problem solving as with paid options. But this is a good place to start. With them you can understand what you really need from such systems, see what is missing and what is unnecessary, identify problems, and know what to ask the vendors of paid systems at the outset.

If you choose a hardware solution, you receive a box that is almost ready for use. The advantages of such an implementation are obvious: the hardware is chosen by the vendor, who must guarantee that his solution works on it with the declared characteristics (does not slow down, does not freeze). Usually inside there is some kind of Linux distribution with the software already installed. Such distributions are usually heavily trimmed to ensure fast operation, leaving only the required packages and utilities (at the same time the problem of the size of the set on disk is solved: the smaller it is, the less HDD is needed, the lower the cost, and the greater the profit!).

Software solutions are often very demanding on computing resources.

Partly because of this, only the IDS/IPS runs in the “box”, whereas on servers with software IDS/IPS there are usually many additional things running.

Currently, the protection provided by firewall and antivirus is no longer effective against network attacks and malware. At the forefront are IDS/IPS class solutions that can detect and block both known and unknown threats.

INFO

  • About Mod_Security and GreenSQL-FW, read the article “The Last Frontier”, ][_12_2010.
  • How to teach iptables to “look” inside a packet, read the article “Fire Shield”, ][_12_2010.

IDS/IPS technologies

To choose between IDS and IPS, you need to understand their operating principles and purpose. The task of an IDS (Intrusion Detection System) is to detect and register attacks, as well as to notify when a certain rule is triggered. Depending on the type, an IDS can detect various kinds of network attacks, attempts at unauthorized access or privilege escalation, the appearance of malware, the opening of new ports, etc. Unlike a firewall, which controls only session parameters (IP, port number and connection state), an IDS “looks” inside the packet (up to the seventh OSI layer), analyzing the transmitted data. There are several types of intrusion detection systems. Very popular are APIDS (Application protocol-based IDS), which monitor a limited list of application protocols for specific attacks. Typical representatives of this class are PHPIDS, which analyzes requests to PHP applications, Mod_Security, which protects a web server (Apache), and GreenSQL-FW, which blocks dangerous SQL commands (see the article “The Last Frontier” in ][_12_2010).

Network IDS (NIDS, Network Intrusion Detection System) are more universal, which is achieved thanks to DPI (Deep Packet Inspection) technology. They control not one specific application but all passing traffic, starting at the data link layer.

Some packet filters also provide the ability to “look inside” and block a threat. Examples include the OpenDPI and Fwsnort projects. The latter is a program for converting the Snort signature database into equivalent blocking rules for iptables. But the firewall was originally designed for other tasks, and DPI technology is “expensive” for its engine, so the functions for processing additional data are limited to blocking or marking strictly defined protocols. An IDS only flags (alerts on) all suspicious actions. To block the attacking host, the administrator reconfigures the firewall himself while reviewing the statistics. Naturally, there is no real-time response here. That is why IPS (Intrusion Prevention System, attack prevention system) is more interesting today. They are based on IDS and can independently rebuild the packet filter or terminate the session by sending a TCP RST. Depending on the principle of operation, an IPS can be installed inline or use traffic mirroring (SPAN) received from several sensors. For example, Hogwash Light BR is installed inline and works at the second OSI layer. Such a system may not have an IP address, which means it remains invisible to an attacker.

In ordinary life, a door is not only locked but also guarded, because only then can you be sure of safety. HIPS, host IPS, act as such a guard (see “New defensive line” in ][_08_2009), protecting the local system from viruses, rootkits and hacking. They are often confused with antiviruses that have a proactive protection module. But HIPS, as a rule, do not use signatures, which means they do not require constant updating of a database. They control many more system parameters: processes, the integrity of system files and the registry, log entries and much more.

To fully control the situation, it is necessary to monitor and correlate events both at the network level and at the host level. For this purpose, hybrid IDS have been created that collect data from different sources (such systems are often referred to as SIM, Security Information Management). Among the OpenSource projects, an interesting one is Prelude Hybrid IDS, which collects data from almost all OpenSource IDS/IPS and understands the log formats of various applications (support for this system was suspended several years ago, but compiled packages can still be found in Linux and *BSD repositories).

Even a professional can get confused in the variety of proposed solutions. Today we will meet the most prominent representatives of IDS/IPS systems.

Unified Threat Control

The modern Internet brings a great number of threats, so highly specialized systems are no longer relevant. It is necessary to use a comprehensive multifunctional solution that includes all protection components: firewall, IDS/IPS, antivirus, proxy server, content filter and antispam filter. Such devices are called UTM (Unified Threat Management, unified threat control). Examples of UTM include Trend Micro Deep Security, Kerio Control, Sonicwall Network Security, FortiGate Network Security Platforms and Appliances or specialized Linux distributions such as Untangle Gateway, IPCop Firewall, pfSense (read their review in the article “Network regulators”, ][_01_2010).

Suricata

The beta version of this IDS/IPS was released to the public in January 2010 after three years of development. One of the main goals of the project is to create and test completely new attack detection technologies. Behind Suricata is the OISF association, which enjoys the support of serious partners, including the US Department of Homeland Security. The most recent release today is number 1.1, released in November 2011. The project code is distributed under the GPLv2 license, but financial partners have access to a non-GPL version of the engine, which they can use in their products. To achieve maximum results, the community is involved in the work, which allows a very high pace of development. For example, compared with the previous version 1.0, the code volume in 1.1 increased by 70%. Some modern IDS with a long history, including Snort, do not use multiprocessor/multi-core systems very effectively, which leads to problems when processing large amounts of data. Suricata natively runs in multi-threaded mode. Tests show that it is six times faster than Snort (on a system with 24 CPUs and 128 GB of RAM). When building with the '--enable-cuda' parameter, hardware acceleration on the GPU becomes possible. IPv6 is supported from the start (in Snort it is activated by the '--enable-ipv6' key); standard interfaces are used to capture traffic: libpcap, NFQueue, PF_RING, IPFW. In general, the modular layout allows you to quickly plug in the desired element to capture, decode, analyze or process packets. Blocking is done using the standard OS packet filter (in Linux, to activate IPS mode, you need to install the netlink-queue or libnfnetlink libraries). The engine automatically detects the protocols it parses (IP, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, SMTP and SCTP), so rules do not need to be tied to a port number (as Snort does); you just need to set the action for the desired protocol. Ivan Ristic, the author of Mod_security, created a special HTP library used in Suricata to analyze HTTP traffic. The developers primarily strive to achieve detection accuracy and increase the speed of rule checking.


The output of the results is unified, so you can use standard utilities for their analysis. In fact, all back-ends, interfaces and analyzers written for Snort (Barnyard, Snortsnarf, Sguil, etc.) work with Suricata without modification. This is also a big plus. HTTP communications are logged in detail in the standard Apache log format.

The detection mechanism in Suricata is based on rules. Here the developers did not reinvent the wheel, but allowed the connection of rule sets created for other projects: Sourcefire VRT (can be updated via Oinkmaster) and Emerging Threats Pro. In the first releases, support was only partial, and the engine did not recognize and load some rules, but now this problem has been solved. A proprietary rules format has been implemented, which outwardly resembles Snort's. A rule consists of three components: an action (pass, drop, reject or alert), a header (source and destination IP/port) and a description (what to look for). The settings use variables (the flowint mechanism), allowing, for example, counters to be created. In this case, information from the flow can be saved for later use. This approach to tracking password guessing attempts is more effective than Snort's threshold-based approach. It is planned to create an IP Reputation mechanism (like Cisco’s SensorBase, see the article “Touch Cisco” in ][_07_2011).
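To make the rule anatomy concrete (action, header, options) and to show the two points the text makes, matching on payload content independently of the port and keeping a per-flow counter for password guessing, here is a toy rule engine. It is an added example, not Suricata's code: the `flowcount:name,N` option is a deliberately simplified stand-in for Suricata's flowint, and the rules, addresses and packets are constructed.

```python
"""Toy rule engine in the spirit of Suricata/Snort rules (added example, not
Suricata's own code).  `flowcount:name,N` is a simplified stand-in for
Suricata's flowint counters: fire only after N matching packets on one flow."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport payload")
# content: payload bytes to look for (or None); flowcount: (name, threshold) or None
Rule = namedtuple("Rule", "action proto sport dport msg content flowcount")

# action proto src sport -> dst dport (opt:val; opt:val; ...)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split a rule into its action, header fields and option keywords."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m["opts"].split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    flowcount = None
    if "flowcount" in opts:
        name, threshold = opts["flowcount"].split(",")
        flowcount = (name.strip(), int(threshold))
    content = opts["content"].encode() if "content" in opts else None
    return Rule(m["action"], m["proto"], m["sport"], m["dport"],
                opts.get("msg", ""), content, flowcount)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.counters = {}      # (flow key, counter name) -> packets seen

    @staticmethod
    def flow_key(p):
        # Same key for both directions of one conversation.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def inspect(self, p):
        """Return the verdicts ('action: msg') that fire for one packet."""
        verdicts = []
        for r in self.rules:
            if r.proto != "any" and r.proto != p.proto:
                continue
            if not (_port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)):
                continue
            if r.content is not None and r.content not in p.payload:
                continue
            if r.flowcount is not None:
                name, threshold = r.flowcount
                key = (self.flow_key(p), name)
                self.counters[key] = self.counters.get(key, 0) + 1
                if self.counters[key] < threshold:
                    continue        # remember the attempt, stay quiet for now
            verdicts.append(f"{r.action}: {r.msg}")
        return verdicts

# Constructed rules: a content signature with no port binding (so it also fires
# on a non-standard port), and a per-flow counter for repeated FTP login failures.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"CGI probe"; content:"GET /cgi-bin/";)',
    'alert tcp any 21 -> any any (msg:"FTP password guessing"; '
    'content:"530 Login incorrect"; flowcount:ftp_fail,3;)',
]

def run_demo():
    """Run constructed packets through the engine; returns verdicts per packet."""
    eng = Engine([parse_rule(r) for r in SAMPLE_RULES])
    cli, srv = "10.0.0.5", "10.0.0.9"
    packets = [
        Packet("tcp", cli, 40001, srv, 8080, b"GET /cgi-bin/test.cgi HTTP/1.1\r\n"),
        Packet("tcp", srv, 21, cli, 40002, b"530 Login incorrect.\r\n"),
        Packet("tcp", srv, 21, cli, 40002, b"530 Login incorrect.\r\n"),
        Packet("tcp", srv, 21, cli, 40002, b"530 Login incorrect.\r\n"),
        Packet("tcp", srv, 21, cli, 40003, b"530 Login incorrect.\r\n"),  # new flow
    ]
    return [eng.inspect(p) for p in packets]

if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The first packet alerts although it targets port 8080, and only the third failure on the same FTP connection alerts, while a single failure on a fresh connection stays silent.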

To summarize, I note that Suricata is a faster engine than Snort, fully compatible with its back-ends and capable of checking large network flows. The only drawback of the project is the sparse documentation, although an experienced administrator will have no trouble figuring out the settings. Installation packages have already appeared in the distribution repositories, and clear instructions for building from source are available on the project website. There is a ready-made distribution, Smooth-sec, built on Suricata.


Samhain

Released under an OpenSource license, Samhain is a host-based IDS that protects an individual computer. It uses several analysis methods to fully capture all events occurring in the system:

  • creating a signature database of important files on first launch and later comparing it with the “live” system;
  • monitoring and analysis of log entries;
  • monitoring of logins to and logouts from the system;
  • monitoring connections to open network ports;
  • monitoring of files with the SUID bit set and of hidden processes.

The program can be started in stealth mode (a kernel module is used), in which its processes cannot be found in memory. Samhain also supports monitoring of multiple nodes running different OSes, recording all events at a single point. In this case, agents installed on remote nodes send all collected information over an encrypted channel (TCP, AES, signed) to the server (yule), which stores it in a database (MySQL, PostgreSQL, Oracle). In addition, the server is responsible for checking the status of client systems and distributing updates and configuration files. Several options have been implemented for alerts and delivery of the collected information: e-mail (mail is signed to avoid tampering), syslog, log file (signed), Nagios, console, etc. Management can be carried out by several administrators with clearly defined roles.
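The first Samhain function above, and the HIDS description earlier on this page (checksums of critical files compared later against the live system), boil down to a baseline-and-compare loop. The following is an added example, not Samhain's code: it hashes a constructed file tree, seals the baseline with an HMAC (the page's "signed" idea applied to the baseline itself, with a demo key), then re-scans and reports modified, added and removed files.

```python
"""File-integrity baseline of the kind Samhain and other HIDS keep (added
example, not Samhain's code): hash important files once, seal the baseline
with an HMAC, later re-hash and report what changed.  Runs on constructed
files in a temporary directory."""
import hashlib
import hmac
import json
import os
import tempfile

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def seal(baseline, key):
    """HMAC over the canonical baseline, so a rewritten baseline is detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal_ok(baseline, key, tag):
    return hmac.compare_digest(seal(baseline, key), tag)

def compare(baseline, current):
    """Classify differences between the sealed baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def run_demo():
    """Build a baseline on constructed files, change the tree, return the findings."""
    key = b"constructed-demo-key"   # a real deployment keeps this off the monitored host
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        tag = seal(baseline, key)
        # Changes after the baseline: an extra uid-0 account appended,
        # one file removed, one file added.
        _write(os.path.join(etc, "passwd"), "extra:x:0:0::/:/bin/sh\n", mode="a")
        os.remove(os.path.join(etc, "hosts"))
        _write(os.path.join(etc, "motd"), "hello\n")
        current = build_baseline(root)
        return {
            "diff": compare(baseline, current),
            "seal_valid": seal_ok(baseline, key, tag),
            # Overwriting the stored baseline with the tampered state does not
            # verify against the original seal.
            "forged_seal_valid": seal_ok(current, key, tag),
        }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```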

The package is available in the repositories of almost all Linux distributions; the project website contains a description of how to install Samhain on Windows.

StoneGate Intrusion Prevention System

This solution was developed by a Finnish company that creates enterprise-class network security products. It implements all the popular functions: IPS, protection against DDoS and 0day attacks, web filtering, support for encrypted traffic, etc. Using StoneGate IPS you can block viruses, spyware and certain applications (P2P, IM, etc.). For web filtering, a constantly updated database of sites divided into several categories is used. Special attention is paid to protection against AET (Advanced Evasion Techniques), which are designed to slip past security systems. Transparent Access Control technology allows you to split a corporate network into several virtual segments without changing the real topology and to set individual security policies for each of them. Traffic inspection policies are configured using templates containing standard rules. These policies are created offline; the administrator verifies them and uploads them to the remote IPS hosts. Similar events in StoneGate IPS are processed on the principle used in SIM/SIEM systems, which greatly simplifies analysis. Several devices can easily be combined into a cluster and integrated with other StoneSoft solutions: StoneGate Firewall/VPN and StoneGate SSL VPN. Management is provided by a single console (StoneGate Management Center) consisting of three components: Management Server, Log Server and Management Client. The console allows you not only to configure the IPS and create new rules and policies, but also to monitor and view logs. It is written in Java, so versions are available for Windows and Linux.


StoneGate IPS is supplied both as a hardware package and as a VMware image. The latter is intended for installation on your own equipment or in a virtual infrastructure. By the way, unlike the creators of many similar solutions, the development company allows you to download a test version of the image.

IBM Security Network Intrusion Prevention System

IBM's attack prevention system uses patented protocol analysis technology that provides proactive protection against 0day threats. Like all products in the IBM Security series, it is based on a protocol analysis module, PAM (Protocol Analysis Module), which combines the traditional signature method of attack detection (Proventia OpenSignature) with a behavioral analyzer. PAM distinguishes 218 application-level protocols (attacks via VoIP, RPC, HTTP, etc.) and data formats such as DOC, XLS, PDF, ANI and JPG, in order to predict where malicious code may be embedded. More than 3,000 algorithms are used to analyze traffic, 200 of which “catch” DoS. Firewall features allow you to restrict access to only certain ports and IP addresses, eliminating the need for an additional device. Virtual Patch technology blocks viruses as they spread and protects computers until an update that fixes a critical vulnerability is installed. If necessary, the administrator can create and use his own signatures. The application control module allows you to manage P2P, IM, ActiveX elements, VPN use, etc. and, if necessary, block them. A DLP module monitors attempts to transmit confidential information and move data around the protected network, which allows you to assess risks and block leaks. By default, eight types of data are recognized (credit card numbers, telephone numbers, ...); the administrator defines the rest of the organization-specific information independently using regular expressions. Currently, most vulnerabilities are found in web applications, so the IBM product includes a special Web Application Security module that protects systems from common types of attacks: SQL injection, LDAP injection, XSS, JSON hijacking, PHP file inclusion, CSRF, etc.


There are several options for action when an attack is detected: blocking the host, sending an alert, recording the attack traffic (to a tcpdump-compatible file), quarantining the host, performing a user-configurable action, and some others. Policies can be defined down to each port, IP address or VLAN zone. High Availability mode ensures that if one of several IPS devices on the network fails, traffic flows through another and established connections are not interrupted. All subsystems inside the hardware (RAID, power supply, cooling fans) are duplicated. Setup via the web console is as simple as possible (training courses last only one day). If you have multiple devices, you typically purchase IBM Security SiteProtector, which provides centralized management, log analysis and reporting.

McAfee Network Security Platform 7

IntruShield IPS, produced by McAfee, was once one of the most popular IPS solutions. McAfee Network Security Platform 7 (NSP) has now been developed on its basis. In addition to all the functions of a classic NIPS, the new product has tools for analyzing packets originating from the internal corporate network, which helps detect malicious traffic initiated by infected computers. McAfee uses Global Threat Intelligence technology, which collects information from hundreds of thousands of sensors installed around the world and evaluates the reputation of all unique files, IP addresses, URLs and protocols that pass through them. Thanks to this, NSP can detect botnet traffic and identify 0-day threats and DDoS attacks, and the breadth of coverage reduces the likelihood of false positives.

Not every IDS/IPS can work with virtual machines, because all the exchange occurs on internal interfaces. NSP has no such problem: it can analyze traffic between VMs, as well as between VMs and the physical host. To monitor nodes, an agent module from Reflex Systems is used, which collects traffic information inside the VM and passes it to the physical environment for analysis.

The engine distinguishes more than 1100 applications running at the seventh OSI layer. It examines traffic using a content analysis engine and provides simple management tools.

In addition to NIPS, McAfee produces host IPS - Host Intrusion Prevention for Desktop, which provides comprehensive PC protection using threat detection methods such as behavior and signature analysis, monitoring connection status using a firewall, and reputation assessment to block attacks.

Where to deploy IDS/IPS?

To get the most out of IDS/IPS, you should adhere to the following recommendations:

  • The system should be deployed at the entrance to the protected network or subnet, usually behind the firewall (there is no point in inspecting traffic that will be blocked anyway); this reduces the load. In some cases, sensors are also installed inside the segment.
  • Before activating the IPS function, run the system for some time in non-blocking IDS mode. The rules will need to be adjusted periodically afterwards.
  • Most IPS default settings are based on typical networks. In certain cases they may turn out to be ineffective, so you need to specify the IP ranges of the internal subnets and the applications (ports) in use. This helps the device better understand what it is dealing with.
  • If the IPS is installed inline, its health must be monitored, otherwise a device failure can easily paralyze the entire network.

Conclusion

We will not name winners. The choice in each specific case depends on the budget, network topology, required security functions, the administrator’s willingness to tinker with settings and, of course, the risks. Commercial solutions come with support and certificates, which allows them to be used in organizations that process personal data. Distributed under an OpenSource license, Snort is well documented, has a large enough rule base and a good enough track record to be in demand among administrators. The compatible Suricata can protect a network with high traffic and, most importantly, is absolutely free.

This article covers some well-known and some little-known characteristics of attack prevention systems.

What is an attack prevention system

Attack prevention systems (Intrusion Prevention Systems, or IPS for short) are a development of attack detection systems (Intrusion Detection Systems, or IDS for short). IDS initially only detected threats by listening to traffic on the network and on hosts, and then sent alerts to the administrator in various ways. IPS now block attacks immediately at the moment they are detected, although they can also work in IDS mode - only by notifying about problems.

IPS functionality is sometimes understood as the joint operation of an IDS and a firewall in one device. This is often because some IPS have built-in rules for blocking packets based on source and destination addresses. However, this is not a firewall. In a firewall, blocking traffic depends entirely on your ability to configure rules; in an IPS, it depends on the ability of the manufacturer’s programmers to write error-free algorithms for finding attacks in the traffic moving through the network. There is one more “similarity”: the firewall technology known as stateful inspection is very similar to one of the technologies used in IPS to identify whether different connections belong to the same network protocol, where it is called port following. There are many more differences; for example, a firewall cannot detect tunneling of one protocol inside another, but an IPS can.

Another difference between the design of an IPS and a firewall is that when the device fails, the IPS must PASS traffic through, while the firewall must BLOCK it. To operate in this mode, a so-called bypass module is built into the IPS. Thanks to it, even if you accidentally cut the IPS’s power, traffic will flow freely through the device. Sometimes an IPS is also configured to block traffic when it fails, but these are special cases, most often used when two devices are run in High Availability mode.

An IPS is a much more complex device than a firewall. It is used against threats that the latter cannot cope with. An IPS contains the concentrated knowledge of a huge number of security specialists who have identified problems, found their patterns and then programmed code that recognizes them, in the form of rules for analyzing the content moving across the network.

In corporate networks, IPS are part of a multi-layered defense, because they are integrated with other security tools: firewalls, security scanners, incident management systems and even antiviruses. As a result, for each attack it is now possible not only to identify it and then notify the administrator or block it, but also to conduct a full analysis of the incident: collect the packets coming from the attacker, open an investigation, and eliminate the vulnerability by updating the affected package.

In combination with an appropriate security management system, it becomes possible to control the actions of the network administrator himself, who must not only eliminate the vulnerability, for example by installing a patch, but also report back to the system on the work done. This is what gives the operation of such systems tangible meaning: what is the point of reporting problems on the network if no one reacts to them and no one is responsible for them? Everyone knows this eternal problem: the people who suffer losses from disruption of a computer system and the people who defend that system are different people, except in extreme cases such as a home computer connected to the Internet.

Traffic delays

On the one hand, it is good that it is possible not only to receive information about an ongoing attack but also to block it with the device itself. On the other hand, the attack prevention system then has to be installed not on a SPAN port of the switch but inline, so that all network traffic passes directly through the protective device, which inevitably introduces delays in the passage of packets through the network. In the case of VoIP this is critical, although if you are going to protect against attacks on VoIP, there is no other way to do it.

Thus, one of the characteristics by which you need to evaluate an attack prevention system when purchasing is the amount of network latency that such systems inevitably introduce. As a rule, this information can be obtained from the manufacturer itself, but you can read research from independent testing laboratories, such as NSS. Trusting the manufacturer is one thing, but checking it yourself is another.

Number of false positives

The second characteristic you need to look at is the number of false positives. Just as we get annoyed by spam, false positives have the same effect on security administrators. In the end, administrators, in order to protect their psyche, simply stop responding to all messages from the system and purchasing it becomes a waste of money. A typical example of a system with a huge number of false positives is SNORT. To configure this system more or less adequately specifically to the threats in your network, you need to spend a lot of time.

Some attack detection and prevention systems have built-in correlation methods that rank detected attacks by severity using information from other sources, such as a security scanner. For example, if a security scanner saw that a computer was running SUN Solaris and Oracle, then we can say with one hundred percent certainty that a Slammer worm attack (which targets MS SQL) against this server will not succeed. Such correlation systems mark some of the attacks as failed, which greatly simplifies the administrator’s work.

Modernity of protective technologies

The third characteristic is the methods for detecting (and at the same time blocking) attacks and the ability to tune them to the requirements of your network. There are two fundamentally different approaches: signature-based IPS look for attacks based on previously found exploits, and protocol-analysis IPS look for attacks based on knowledge of previously found vulnerabilities. If someone writes a new exploit for the same vulnerability, an IPS of the first class will not detect and block it, but an IPS of the second class will. IPS of the second class are much more effective because they block entire classes of attacks. As a result, one manufacturer needs 100 signatures to detect all variants of the same attack, while another needs only one rule that analyzes the vulnerability in the protocol or data format used by all these variants. Recently the term preventive protection has appeared. It covers both the ability to protect against attacks that are not yet known and protection against attacks that are already known but for which the manufacturer has not yet released a patch. In general, the word “preventive” is just another Americanism. There is a more Russian term, “timely”: protection that works before we are hacked or infected, not after. Such technologies already exist and must be used. When purchasing, ask the manufacturer what preventive protection technologies they use and you will understand everything.

Unfortunately, there are as yet no systems that simultaneously use both well-known attack analysis methods: protocol analysis (or signature analysis) and behavioral analysis. Therefore, for complete protection you will have to install at least two devices on the network. One device will use algorithms that search for vulnerabilities using signatures and protocol analysis. The other will use statistical and analytical methods to detect anomalies in the behavior of network flows. Signature-based methods are still used in many attack detection and prevention systems, but unfortunately they are not justified. They do not provide proactive protection, because an exploit is required before a signature can be released. Why do you need a signature if you have already been attacked and the network has been compromised? Signature antiviruses cannot cope with new viruses for the same reason: the protection is reactive. Therefore, the most advanced attack analysis methods today are full protocol analysis. The idea of this method is that it is not a specific attack that is analyzed; instead, signs of exploitation of a vulnerability by the attacker are looked for in the protocol itself. For example, the system can track whether, before the TCP packet carrying the attack, there was a three-packet exchange establishing a TCP connection (packets with the SYN, SYN+ACK and ACK flags). If a connection must be established before an attack can be carried out, the protocol analysis system will check whether there was one, and if a packet with an attack is sent without establishing a connection, it will conclude that the attack was unsuccessful because there was no connection. A signature system, lacking this functionality, will give a false positive.
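The handshake check just described, as an added example that is not code from any product on this page: a small tracker follows the SYN, SYN+ACK, ACK exchange per connection, and a signature hit is reported only when it arrives on an established connection. The packet layout, the addresses, the traversal-style signature and the traffic sample are all constructed.

```python
# Added example: signature matching with and without TCP handshake state.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK"}
    payload: bytes = b""


# Constructed signature: a path-traversal attempt in an HTTP request line.
SIGNATURE = b"/../../"


def has_signature(pkt: Packet) -> bool:
    """What a pure signature engine does: look at the bytes only."""
    return SIGNATURE in pkt.payload


class HandshakeTracker:
    """Follows the client-side handshake state of each connection."""

    def __init__(self):
        self.state = {}     # (client, cport, server, sport) -> state name

    def observe(self, p: Packet) -> None:
        if p.flags == {"SYN"}:                      # client opens
            self.state[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
        elif p.flags == {"SYN", "ACK"}:             # server replies: swap sides
            key = (p.dst, p.dport, p.src, p.sport)
            if self.state.get(key) == "SYN_SENT":
                self.state[key] = "SYN_RECEIVED"
        elif p.flags == {"ACK"}:                    # client completes
            key = (p.src, p.sport, p.dst, p.dport)
            if self.state.get(key) == "SYN_RECEIVED":
                self.state[key] = "ESTABLISHED"

    def established(self, p: Packet) -> bool:
        return self.state.get((p.src, p.sport, p.dst, p.dport)) == "ESTABLISHED"


def analyze(packets) -> dict:
    """Return packet indices alerted by a signature-only engine, by the
    protocol-aware engine, and those the latter marks as unsuccessful."""
    tracker = HandshakeTracker()
    signature_only, protocol_aware, suppressed = [], [], []
    for i, p in enumerate(packets):
        tracker.observe(p)
        if has_signature(p):
            signature_only.append(i)
            (protocol_aware if tracker.established(p) else suppressed).append(i)
    return {"signature_only": signature_only,
            "protocol_aware": protocol_aware,
            "suppressed": suppressed}


# Constructed traffic sample.
C, S = "10.0.0.5", "10.0.0.80"
TRAFFIC = [
    # Connection 1: full handshake, then a request matching the signature.
    Packet(C, 40001, S, 80, frozenset({"SYN"})),
    Packet(S, 80, C, 40001, frozenset({"SYN", "ACK"})),
    Packet(C, 40001, S, 80, frozenset({"ACK"})),
    Packet(C, 40001, S, 80, frozenset({"ACK"}), b"GET /../../etc/passwd HTTP/1.0\r\n"),
    # Connection 2: the same payload with no handshake at all (stray or
    # replayed packet); the server will drop it, so it is a false positive.
    Packet(C, 40002, S, 80, frozenset({"ACK"}), b"GET /../../etc/passwd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print(analyze(TRAFFIC))
```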

Behavioral systems work completely differently. They analyze network traffic for a period (for example, about a week) and remember which network flows usually occur. As soon as traffic appears that does not match the remembered behavior, it is clear that something new is happening on the network: for example, a new worm is spreading. In addition, such systems connect to an update center and, once an hour or more often, receive new rules describing the behavior of worms and other updates, for example lists of phishing sites, which allows them to block those sites immediately, or lists of botnet control hosts, which allows them to detect the infection of a host as soon as it tries to connect to the botnet control center, and so on.

Even the appearance of a new host on the network is an important event for a behavioral system: you need to find out what kind of host it is, what is installed on it, whether it has vulnerabilities, or whether the new host might itself be an attacker. For providers, such behavioral systems are important because they allow them to track changes in traffic flows: it is important for a provider to ensure the speed and reliability of packet delivery, and if one morning it turns out that all the traffic is going through one channel and does not fit into it, while the several other channels to the Internet through other providers sit unused, this means that the settings have gone wrong somewhere and load balancing and redistribution must begin.

For the owner of a small network, it is important that there are no attackers inside, that the network does not end up on spammers’ blacklists, and that attackers do not clog the entire Internet channel with garbage. After all, you have to pay the provider for the Internet channel and traffic, and every company director would like to promptly detect and stop wasting money on traffic that is useless for the business.
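A toy version of the behavioral approach described in the last three paragraphs, added here as an example and not taken from any product: a learning phase records the flows seen during the baseline period, after which the monitor flags flows outside the baseline, contact with listed botnet control hosts, and worm-like fan-out from a single host. The addresses, both flow lists and the "update feed" are constructed.

```python
# Added example of a behavioral (baseline-and-deviation) monitor.
from collections import defaultdict

# Constructed learning-period flows, as (src, dst, dport).
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.80", 80), ("10.0.0.5", "10.0.0.53", 53),
    ("10.0.0.6", "10.0.0.80", 80), ("10.0.0.6", "10.0.0.53", 53),
    ("10.0.0.7", "10.0.0.25", 25),
]
# Constructed "update feed" of botnet control hosts, standing in for the
# hourly list a real system would download.
C2_HOSTS = {"203.0.113.9"}


class BehavioralMonitor:
    """Learns the normal set of flows, then reports deviations from it."""

    def __init__(self, c2_hosts, fanout_threshold=3):
        self.known = set()
        self.c2_hosts = set(c2_hosts)
        self.fanout_threshold = fanout_threshold

    def learn(self, flows):
        """Baseline period: remember every (src, dst, dport) seen."""
        self.known.update(flows)

    def evaluate(self, flows):
        """Observation window: return a list of alert tuples."""
        alerts = []
        new_targets = defaultdict(set)   # (src, dport) -> unseen destinations
        for src, dst, dport in flows:
            if dst in self.c2_hosts:
                alerts.append(("c2_contact", src, dst, dport))
            if (src, dst, dport) not in self.known:
                alerts.append(("new_flow", src, dst, dport))
                new_targets[(src, dport)].add(dst)
        # One host opening many previously unseen flows on the same port is
        # the classic sign of a spreading worm, and needs no signature.
        for (src, dport), dsts in new_targets.items():
            if len(dsts) >= self.fanout_threshold:
                alerts.append(("fanout", src, dport, len(dsts)))
        return alerts


# Constructed observation window after the baseline was learned.
WINDOW = [
    ("10.0.0.5", "10.0.0.80", 80),      # normal, already in the baseline
    ("10.0.0.6", "203.0.113.9", 443),   # beacon to a listed control host
    ("10.0.0.7", "10.0.0.20", 445),     # one host sweeping port 445
    ("10.0.0.7", "10.0.0.21", 445),
    ("10.0.0.7", "10.0.0.22", 445),
]


def demo():
    monitor = BehavioralMonitor(C2_HOSTS)
    monitor.learn(BASELINE_FLOWS)
    return monitor.evaluate(WINDOW)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```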

Analyzed protocols and data formats

If we are talking about technical specialists deciding which attack prevention system to choose, they should ask about the specific protocols the system analyzes. Perhaps you are interested in something specific: for example, analyzing attacks in JavaScript, repelling SQL injection attempts or DDoS attacks; or you have a SCADA system (a sensor control and management system) and need to analyze the protocols of your specialized equipment; or it is critical for you to protect VoIP protocols, which already have implementation vulnerabilities due to their complexity.

In addition, not everyone knows that IPS events are not only of the “attack” type; there are also “audit” and “status” types. For example, an IPS can catch ICQ connections and all ICQ messages. If your security policy prohibits ICQ, its use is an attack. If not, you can simply track all connections and who communicates with whom, or just disable this signature if you think it is inaccurate.

Specialists

The question arises: where can we get specialists who understand what needs to be bought, who will then know how to react to each message from the attack prevention system, and who will even be able to configure it? You can of course take courses on managing such a system, but in reality a person must first understand network protocols, then network attacks, and only then response methods. There are no such courses; this requires experience. There are companies that offer outsourcing of the management and analysis of messages received from security system consoles. They have employed specialists for many years who deeply understand Internet security, and they provide effective protection, while you get rid of the headache of finding personnel who understand the whole variety of available protection tools, from VPN to antiviruses. In addition, outsourcing involves round-the-clock monitoring, seven days a week, so protection becomes complete, whereas you can usually hire a specialist only to work Monday to Friday from 9 to 18, and sometimes he gets sick, studies, goes to conferences, goes on business trips, or unexpectedly quits.

Product support

It is important to emphasize one more aspect of an IPS: the manufacturer’s support for its products. Unfortunately, updates to algorithms, signatures and rules are still necessary, since technologies and attackers do not stand still and new classes of vulnerabilities in new technologies need to be closed constantly. Several thousand vulnerabilities are found every year; surely your software and hardware contain several of them. How did you find out about the vulnerabilities in them, and how did you protect yourself afterwards? Constant monitoring of the relevance of the protection is needed. Therefore, an important component is ongoing support for the security tools to which you have entrusted the security of your company: the presence of a professional team that constantly monitors new vulnerabilities and writes new checks in a timely manner, and which itself looks for vulnerabilities in order to stay ahead of attackers. So when you buy a complex system like an IPS, look at what support the manufacturer offers. It is also useful to know how well and how promptly it dealt with attacks that have already happened in the past.

Protection against IPS bypass methods

The IPS itself is very difficult to attack because it does not have an IP address (an IPS is managed through a separate management port). However, there are methods of bypassing IPS that allow an attacker to “deceive” it and attack the networks it protects. These methods are described in detail in the popular literature; for example, the NSS test lab actively uses bypass methods to test IPS. It is difficult for IPS manufacturers to counteract these methods, and how a manufacturer deals with such evasions is another interesting characteristic of attack prevention systems.

The need for IPS in corporate networks has long been evident; new preventive technologies that protect organizations from new attacks have already been developed, so all that remains is to install and operate them correctly. This article deliberately did not mention manufacturers’ names in order to make the review of IPS properties as unbiased as possible.

2024 gtavrl.ru.