Intrusion Prevention System Tools
Kinds of Intrusion Prevention System
Introduction
An intrusion prevention system (IPS) is a computer security device that monitors network and/or system activity for malicious or unwanted behavior and can react in real time to block or prevent it. A network-based IPS, for example, operates in-line and monitors all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection system (IDS) technology.
Intrusion prevention systems (IPS) were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, an IPS makes access control decisions based on application content rather than on IP addresses or ports, as traditional firewalls had done. As IPS were originally a literal extension of intrusion detection systems, the two continue to be closely related.
Intrusion prevention systems may also serve secondarily at the host level to deny potentially malicious activity. There are advantages and disadvantages to host-based IPS compared with network-based IPS. In many cases, the technologies are thought to be complementary.
An intrusion prevention system must also be a very good intrusion detection system in order to keep the rate of false positives low. Some IPS products can also prevent attacks that have not yet been discovered, such as those caused by a buffer overflow.
The role of an IPS in a network is often confused with access control and application-layer firewalls. There are some notable differences between these technologies: while all share similarities, how they approach network or system security is fundamentally different.
An IPS is typically designed to operate completely invisibly on a network. IPS products do not have IP addresses on their monitoring segments and do not respond directly to any traffic; rather, they silently monitor traffic as it passes. While some IPS products can implement firewall rules, this is often a mere convenience and not a core function of the product. Moreover, IPS technology offers deeper insight into network operations, providing information on overly active hosts, bad logons, inappropriate content and many other network- and application-layer activities.
Unified Threat Management (UTM) appliances, sometimes called "Next Generation Firewalls", are also a different breed of product entirely. UTM products bring together multiple security capabilities on a single platform. A typical UTM platform provides firewall, VPN, anti-virus, web filtering, intrusion prevention and anti-spam capabilities. Some UTM appliances are derived from IPS products, such as 3Com's X-series; others are derived from a combination with firewall products, such as Juniper's SSG or Cisco's ASA appliances; and still others were designed from the ground up as UTM appliances, such as Astaro or Fortinet. The defining feature of a UTM is that it includes multiple security features on one appliance; IPS is merely one of them.
Access control is also an entirely different security concept. Access control refers to general rules allowing hosts, users or applications access to specific parts of a network; typically, it helps organizations segment networks and limit access. While an IPS has the ability to block access for users, hosts or applications, it does so only when malicious code has been discovered. As such, an IPS does not necessarily serve as an access control device; while it has some access control abilities, firewalls and network access control (NAC) technologies are better suited to providing these features.
Contrast with Intrusion Detection Systems (IDS)
IPS have some advantages over intrusion detection systems (IDS). One advantage is that they are designed to sit inline with traffic flows and prevent attacks in real time. In addition, most IPS solutions are able to decode layer 7 protocols such as HTTP, FTP and SMTP, which provides greater awareness of application behaviour. However, when deploying a network-based IPS (NIPS), consideration should be given to whether traffic on the network segment is encrypted, as many products are unable to inspect such traffic.
A host-based IPS (HIPS) is one where the intrusion-prevention application is resident on the protected host itself (that specific IP address), usually a single computer.
A network-based IPS is one where the IPS application or hardware, and any actions it takes to prevent an intrusion against specific network hosts, run on a host with a different IP address on the network (this could be a front-end firewall appliance).
Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms designed to analyze, detect and report on security-related events. NIPS inspect traffic and, based on their configuration or security policy, can drop malicious traffic.
Hybrid IPS
This is a combination of both network-based and host-based IPS. Here the detection method is based on both anomaly detection and misuse detection.
Content based
A content-based IPS (CBIPS) inspects the content of network packets for unique byte sequences, called signatures, to detect and, ideally, prevent known types of attack such as worm infections and hacks.
HIPS can handle encrypted and unencrypted traffic equally, because they analyze the data after it has been decrypted on the host.
NIPS do not use processor and memory on the computer hosts they protect but use their own CPU and memory.
A NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. The same attribute applies to all network devices, such as routers and switches, and can be overcome by designing the network accordingly (failover paths, etc.). A bypass switch can also be deployed to alleviate the single-point-of-failure disadvantage; it allows the NIPS appliance to be moved or taken off-line for maintenance when needed.
A NIPS can detect events scattered across the network (e.g. a low-level event targeting many different hosts, such as a host scan or a worm) and can react, whereas a HIPS has only the host's own data on which to base a decision; reporting the event to a central decision-making engine and waiting for a block decision in return would take too much time.
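The following is an added example, not code from the page or from any product it names: a toy content-based inspection engine in Python that shows how the signature matching described here and the layer-7 decoding mentioned earlier fit together, and why encrypted traffic is a blind spot for an in-line device. The signatures, packet contents and the TLS-record heuristic are all constructed assumptions, not rules from any real product or feed.

```python
"""Added example (not from the page): a toy content-based IPS (CBIPS) engine.

Two rule kinds are combined: raw byte-sequence signatures matched anywhere in
the packet payload, and a layer-7 (HTTP) rule that can only fire after the
request has been decoded.  A TLS record is opaque to the device, so it is
passed through uninspected.  All signatures and packets are constructed.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # raw byte sequence; a hit anywhere in the payload drops the packet


# Constructed rule set (assumption: not taken from any real product or feed).
SIGNATURES = (
    Signature("constructed-worm-marker", b"WORM-PROBE-v1"),
    Signature("long-nop-run", b"\x90" * 32),  # classic padding heuristic used by IDS rules
)


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) or 0x17 (app data), major version 0x03."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03


def decode_http_request(payload: bytes):
    """Minimal layer-7 decoder. Returns (method, path, headers) or None if not HTTP."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def inspect(payload: bytes):
    """Return (verdict, reason) for one packet; verdict is 'drop' or 'pass'."""
    if looks_like_tls(payload):
        # Encrypted: the NIPS cannot see inside, so no content rule can fire.
        return "pass", "tls-opaque"
    for sig in SIGNATURES:
        if sig.pattern in payload:
            return "drop", sig.name
    http = decode_http_request(payload)
    if http is not None:
        _method, path, _headers = http
        # Percent-decode first so that %2e%2e%2f is seen as ../ by the rule.
        if "../" in unquote(path):
            return "drop", "http-path-traversal"
    return "pass", None


def run_inline(packets):
    """Process packets in order, as an in-line device would; return per-packet verdicts."""
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample packets.
    sample = [
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"GET /%2e%2e/%2e%2e/config.txt HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"\x00\x01" + b"\x90" * 40 + b"\x00",
        b"\x16\x03\x01\x00\x10" + b"\x00" * 16,  # TLS handshake record (constructed)
        b"hello WORM-PROBE-v1 world",
    ]
    for pkt, (verdict, reason) in zip(sample, run_inline(sample)):
        print(f"{verdict:4s} {reason or '-':22s} {pkt[:40]!r}")
```

The percent-decoding step is the reason layer-7 awareness matters: a byte-level signature for `../` would miss the encoded request, while the decoded path catches it. The TLS branch is the caveat from the IDS comparison above made concrete: on an encrypted segment every packet takes that branch and the content rules never run.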
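An added example (not from the page) of the point above: the same constructed connection log is evaluated once from the network view, where one correlator sees every event on the segment, and once from the host view, where each host sees only traffic addressed to itself. The addresses, timestamps, window length and threshold are constructed assumptions.

```python
"""Added example (not from the page): why a NIPS can see a host scan that no single HIPS can.

A constructed stream of connection attempts is fed to two views of the same
data.  The correlator flags a source that contacts THRESHOLD or more distinct
destination hosts inside a sliding time window.  In the host view every host
only ever sees itself as the destination, so the count never rises above one.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window length (constructed tuning value)
THRESHOLD = 5         # distinct destination hosts within the window that trigger an alert


class ScanCorrelator:
    """Sliding-window count of distinct destinations per source address."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
        self._alerted = set()               # sources already reported
        self.alerts = []                    # (src, ts, distinct_destinations)

    def observe(self, ts, src, dst):
        """Record one connection attempt; return True if this event raises an alert."""
        q = self._recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:  # expire events outside the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            self.alerts.append((src, ts, distinct))
            return True
        return False


def nips_view(events):
    """Network view: a single in-line correlator observes every event."""
    correlator = ScanCorrelator()
    for ts, src, dst in events:
        correlator.observe(ts, src, dst)
    return correlator.alerts


def hips_view(events):
    """Host view: each host runs its own correlator and sees only traffic to itself."""
    per_host = defaultdict(ScanCorrelator)
    for ts, src, dst in events:
        per_host[dst].observe(ts, src, dst)
    return [alert for c in per_host.values() for alert in c.alerts]


# Constructed sample: one source sweeps eight hosts in 8 s, mixed with normal traffic.
SAMPLE_EVENTS = (
    [(100 + i, "10.0.0.5", f"10.0.1.{i + 1}") for i in range(8)]
    + [(100 + i, "10.0.0.9", "10.0.1.1") for i in range(8)]   # one client, one server
    + [(200, "10.0.0.7", "10.0.1.3"), (230, "10.0.0.7", "10.0.1.4")]
)

if __name__ == "__main__":
    print("NIPS alerts:", nips_view(SAMPLE_EVENTS))   # the sweeping source is reported
    print("HIPS alerts:", hips_view(SAMPLE_EVENTS))   # nothing: each host saw one probe
```

The in-line correlator reports the sweeping source at its fifth distinct destination, while every host-local instance ends with an empty alert list, which is the trade-off the paragraph describes: the host has the richer view of its own data, but network-wide patterns only appear where all the events are visible together.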
Commercial Intrusion Prevention Systems
Here we list some commercial intrusion detection products and their characteristic features, as shown in figure 1.
Figure 1: Intrusion Detection Systems and their characteristic features
Recent Trend at IPS in Information Security