September 2003
Intrusion Prevention:
Myths, Challenges, and Requirements
By Dr. Fengmin Gong, Chief Scientist
www.mcafeesecurity.com
White Paper
Table of Contents
I. Introduction
II.
V. Path to Prevention 10
I. Introduction
In a recent survey commissioned by VanDyke Software, some 66 percent of the companies said that they perceive system penetration to be the largest threat to their enterprises. The survey revealed that the top eight threats experienced by those surveyed were viruses (78 percent of respondents), system penetration (50 percent), DoS (40 percent), insider abuse (29 percent), spoofing (28 percent), data/network sabotage (20 percent), and unauthorized insider access (16 percent).

Although 86 percent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is clear that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic, such as an attempt to telnet to a device when corporate security policy forbids telnet access completely, but is also designed to allow some traffic through: Web traffic to an internal Web server, for example. The problem is that many exploits attempt to take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised, this can often be used as a springboard to launch additional attacks on other internal servers. Once a rootkit or backdoor has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future.
The case has never been clearer for Intrusion Detection Systems (IDS). The computer world's equivalent to the burglar alarm, the IDS provides valuable backup to the beleaguered firewall system (the equivalent of the locked door). As in the physical world, our logical burglar alarm provides valuable notification that someone has managed to breach our perimeter security measures, and should allow us to determine exactly what happened during the attack, and hopefully provide indications of how the security weakness might be addressed.
However, most IDS systems tend to be reactive rather than proactive; that is, they often have to wait until something has actually happened before they can raise the alarm. The Intrusion Prevention System (IPS), however, attempts to be proactive, and is designed to stop intrusions dead, blocking the offending traffic before it does any damage rather than simply raising an alert as, or after, the malicious payload has been delivered. It achieves this by sitting directly in-line with the network traffic: one network port accepts traffic from the external system, and another port transmits it to the internal system after it has been checked for anomalies or suspicious content. Thus, problem packets, and all subsequent packets from the same data flow, can simply be discarded within the IPS appliance.
As with IDS systems, IPS products tend to fall into two categories: Host IPS (HIPS) and Network IPS (NIPS). Host IPS products rely on agents installed directly on the host system being protected, which interact closely with the underlying operating system and resident services in order to detect and prevent rogue system calls.
The Network IPS (sometimes known as an In-line IDS or Gateway IDS (GIDS)), however, could be thought of as something of a hybrid system, combining features of a standard IDS and a firewall. Like a firewall, the IPS appliance will sport at least two network interfaces: one designated as external and one as internal. Some appliances may have more than two in order to monitor multiple network paths, but the basic requirement is for two interfaces for data and one for management.

Placed in-line in a critical data path, the IPS detection engine examines packets as they pass through the device and processes them in a similar manner to an IDS so as to determine which packets are suspicious in nature. If a suspicious packet is detected, that packet can be dropped immediately, and all subsequent packets from that particular data stream can be discarded without further processing. Naturally, an IPS will also raise an alert in the same manner as an IDS, and this allows the IPS to operate in traditional IDS mode also, useful to enable the administrator to tune the system before placing it in full-blown prevention mode. Legitimate packets are naturally passed straight through to the internal interface and on to their intended destination.

A useful side effect of some NIPS products is that as a matter of course (in fact as part of the initial detection process) they will provide packet scrubbing functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification (or intentional packet manipulation). Thus any fragmented packets or packets with IP fragment overlaps will be cleaned up before being passed to the destination host.
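The in-line behaviour described above (inspect each packet, alert on a match, and in prevention mode drop the packet and every later packet of the same flow without re-inspection, while detection mode only alerts) can be shown with a small simulation. The code below is an added example written for this page; it is not IntruShield code or any McAfee product code. The flow key, the two content signatures and the four sample packets are all constructed for the demo.

```python
"""Toy in-line network IPS engine (added example; not product code).

A packet is inspected against a signature table. In "ips" mode a hit
blocks the whole flow: the packet is dropped and every later packet on
that flow is dropped without being inspected again. In "ids" mode the
same engine only records an alert and forwards the traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Flow identity: (src, sport, dst, dport, proto)
FlowKey = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes

    def flow(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


# Constructed content signatures for the demo. A production sensor uses
# protocol-aware rules, not raw substring matches.
SIGNATURES: Dict[str, bytes] = {
    "http-directory-traversal": b"../../",
    "telnet-negotiation": b"\xff\xfb",  # telnet IAC WILL, where policy forbids telnet
}


@dataclass
class InlineEngine:
    mode: str = "ids"  # "ids": alert only; "ips": alert and block the flow
    blocked: Set[FlowKey] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> Optional[str]:
        """Return the name of the first matching signature, or None."""
        for name, sig in SIGNATURES.items():
            if sig in pkt.payload:
                return name
        return None

    def process(self, pkt: Packet) -> str:
        """Decide 'forward' or 'drop' for one packet from the external port."""
        key = pkt.flow()
        if key in self.blocked:
            # Remainder of a blocked flow is discarded without further processing.
            return "drop"
        hit = self.inspect(pkt)
        if hit is None:
            return "forward"
        self.alerts.append(f"{hit} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        if self.mode == "ips":
            self.blocked.add(key)
            return "drop"
        return "forward"  # IDS mode: alert, but let the traffic through


# Constructed sample traffic: two HTTP flows to an internal web server.
# Flow B's first packet carries a traversal pattern; its second packet is benign.
SAMPLE = [
    Packet("203.0.113.5", 40001, "10.0.0.8", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", 51000, "10.0.0.8", 80, "tcp", b"GET /static/../../secret.txt HTTP/1.1\r\n"),
    Packet("198.51.100.7", 51000, "10.0.0.8", 80, "tcp", b"Host: www.example.test\r\n\r\n"),
    Packet("203.0.113.5", 40001, "10.0.0.8", 80, "tcp", b"Host: www.example.test\r\n\r\n"),
]


def run(mode: str) -> Tuple[List[str], List[str]]:
    """Run the sample through a fresh engine; return (decisions, alerts)."""
    eng = InlineEngine(mode=mode)
    decisions = [eng.process(p) for p in SAMPLE]
    return decisions, eng.alerts


if __name__ == "__main__":
    for m in ("ids", "ips"):
        print(m, *run(m))
```

Running it in `ids` mode forwards all four packets and records one alert; in `ips` mode the second packet is dropped and the third, although benign on its own, is dropped too because its flow is already blocked, which is the tuning risk the text has in mind when it recommends starting in IDS mode.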
II.
V. Path to Prevention
As we mentioned earlier in this paper, a well-designed IPS appliance would allow an administrator to progress from working in pure IDS mode to pure IPS mode in a number of easy-to-handle phases.

Phase I, Detection/No Prevention: The device operates in passive IDS mode connected to a switch SPAN port or tap device in order to monitor traffic. Multiple ports on the IPS appliance would allow it to monitor
With DoS attacks, the sensor is automatically in learning mode by default, allowing it to monitor the normal network traffic for a period of time so that it is able to determine what constitutes an abnormal flood. For those administrators who would prefer to have more manual control over the DoS detection process, it is also possible to switch to threshold mode, where the threshold level and interval for individual DoS attacks are set by hand. Sophisticated administrators can also enable learning-based and threshold-based detections simultaneously to achieve the best trade-off between accuracy and coverage.
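The three DoS detection modes just described (learned baseline, manual threshold, both at once) can be made concrete with a short flood detector. This is an added example, not product code: traffic is reduced to a count of one packet kind per fixed interval (for instance SYNs to a host per second), the "learning" rule is mean plus three sample standard deviations of the learning window, and combining the two rules as "flag if either fires" is an assumption, since the text does not say how the product combines them. The count series is constructed.

```python
"""Flood (DoS) detection: learned baseline vs. manual threshold (added example).

Each value in a series is the number of packets of one kind seen in one
fixed interval. The first `learning_intervals` values are the learning
window; later intervals are judged against the chosen rule(s).
"""
import statistics
from typing import List, Optional


def learned_threshold(baseline_counts: List[int], sigma: float = 3.0) -> float:
    """Learning mode: mean + sigma * sample standard deviation of normal traffic."""
    return statistics.mean(baseline_counts) + sigma * statistics.stdev(baseline_counts)


def detect(counts: List[int], learning_intervals: int, sigma: float = 3.0,
           manual_threshold: Optional[int] = None, mode: str = "learning") -> List[int]:
    """Return indices (relative to the end of the learning window) flagged as a flood.

    mode: "learning"  uses only the learned threshold
          "threshold" uses only manual_threshold (set by the administrator)
          "both"      flags an interval when either rule fires (assumed rule)
    """
    if learning_intervals >= len(counts):
        raise ValueError("need at least one interval after the learning window")
    if mode in ("threshold", "both") and manual_threshold is None:
        raise ValueError("manual_threshold is required in threshold/both modes")
    learned = learned_threshold(counts[:learning_intervals], sigma)

    flagged = []
    for i, c in enumerate(counts[learning_intervals:]):
        by_learning = c > learned
        by_threshold = manual_threshold is not None and c > manual_threshold
        if mode == "learning":
            hit = by_learning
        elif mode == "threshold":
            hit = by_threshold
        elif mode == "both":
            hit = by_learning or by_threshold
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if hit:
            flagged.append(i)
    return flagged


# Constructed per-second SYN counts: ten quiet intervals (mean 101), then a
# slow ramp (104, 130), a clear flood (400, 1200) and a return to normal (99).
SAMPLE_COUNTS = [95, 102, 98, 110, 100, 97, 105, 99, 101, 103,
                 104, 130, 400, 1200, 99]
LEARNING = 10

if __name__ == "__main__":
    print("learned threshold:", round(learned_threshold(SAMPLE_COUNTS[:LEARNING]), 1))
    print("learning mode:", detect(SAMPLE_COUNTS, LEARNING))
    print("threshold mode:", detect(SAMPLE_COUNTS, LEARNING, manual_threshold=500, mode="threshold"))
    print("both:", detect(SAMPLE_COUNTS, LEARNING, manual_threshold=500, mode="both"))
```

With this series the learned threshold lands near 114 packets per interval, so learning mode flags the 130, 400 and 1200 intervals, while a manual threshold of 500 flags only the 1200 interval. That is the trade-off the text refers to: the learned rule adapts to the site's own traffic and catches the ramp early, the manual rule is predictable and cheap to reason about, and running both lets the administrator keep a hard ceiling while still benefiting from the baseline.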
McAfee IntruShield
All Network Associates products are backed by our PrimeSupport program and Network Associates Laboratories. Tailored to fit your company's needs, PrimeSupport service offers essential product knowledge and rapid, reliable technical solutions to keep you up and running. Network Associates Laboratories, a world leader in information systems and security, is your guarantee of the ongoing development and refinement of all our technologies.

Network Associates, Sniffer, McAfee, Magic Solutions, Network Performance Orchestrator, nPO, InfiniStream, IntruShield, VIDS, and PrimeSupport are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2003 Networks Associates Technology, Inc. All Rights Reserved.
6-avd-ins-ids-002-1003