Intrusion Detection - Prevention
Intrusion Detection System (IDS)
- Monitors for malicious behavior
- Performs Deep Packet Inspection (DPI)
- If I see traffic to a web server on TCP port 80, I want to send a copy of that traffic to the IDS; the IDS will monitor it for malicious behavior
- Standalone or integrated
- As an IDS looks at more and more traffic over time, it is going to need more and more resources
- If we have the budget, we want a standalone device.
- Heavy reliance upon signatures
- A signature means there was an attack used out there in the wild, we have seen it, and it behaves the same way every single time.
- A signature is an if condition; it is a rule.
- A false positive is when an attack was detected but it was not really an attack; it was legitimate traffic.
- A false negative is when the IDS tells you everything's fine and an attack just went by.
- More effective with tuning
- We, as administrators, define what is important, turning signatures on or off based on which ones matter most in our environment.
- Warns about attacks
- Can block subsequent attacks
- An IDS sees an attack, and while it cannot stop that attack itself, it can automatically SSH into another device and execute commands to set up a block, or it can communicate through an API to a central controller, and that controller can block the traffic.
Intrusion Prevention System (IPS)
- Operates inline
- Means that before reaching a destination, for example a web server, the packets have to go through the IPS first, then reach the destination.
- Ex: Router -> IPS -> Web Server
- Has dropping capability
- If something matches a signature, I can throw it away
- The attack never reaches the web server for example.
- Target devices are better protected
- An IPS is a better solution, but it has to be deployed inline.
- Is it the best solution? Not necessarily; this can depend on the environment.
- Fail Open / Fail Closed
- Fail Closed: any time the sensor can't scan traffic, we don't forward traffic.
- Fail Open: any time we can't protect traffic, let it go ahead and pass through anyway. Much more lenient, but it could leave you exposed to an attack.
- This is decided at the financial level.
Intrusion Prevention Components
Essential Ingredients
- IP reputation
- When a packet comes in, what's the source IP? If that IP has been doing malware attacks, spamming, etc., I will throw this packet away.
- Protocol Analysis
- Is the protocol safe? Is it behaving like it should?
- How do we know? There are Requests for Comments (RFCs) and white papers that say: thou shalt behave in this order; if there is a different order, it is not good.
- Protocol analysis will catch a lot of attacks that we do not have a signature for, because somebody is trying to break the rules.
- Signature definitions
- Rules of what an attack looks like
- They only come out after the attack is publicly well known.
- Anomaly detection
- It's smart
- Ex: We see somebody trying to do OSPF injection on your network. How did we catch that? Well, the environment only runs EIGRP and you never have OSPF in the environment, so that's not normal.
- You have to describe what normal is!
- Learning capability
- Learning gives us the capability to define normal.
- We only know that the behavior of an application is strange because we've got a record, sometimes called a histogram, of what's normal: what traffic usually looks like, etc.
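To tie the IDS/IPS notes and the "essential ingredients" list together, here is an added toy sensor (example code, not from these notes or any product) that runs constructed packet records through IP reputation, a signature written as an if-condition, a protocol-analysis check, and anomaly detection against a learned protocol baseline (the EIGRP-only network where OSPF is abnormal). The blocklist address, the signature, the packet fields and the "payload is None means the sensor could not scan it" convention are all assumptions made for the example; it also shows the IDS-versus-IPS verdict and fail-open versus fail-closed behaviour.

```python
from collections import Counter

# Constructed sample data (not real indicators): a reputation blocklist using
# an RFC 5737 documentation address, and one signature written as a rule.
BAD_REPUTATION = {"198.51.100.7"}
SIGNATURES = [  # (name, if-condition over the packet)
    ("http-dir-traversal", lambda p: p["dst_port"] == 80 and b"../" in p["payload"]),
]
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def learn_baseline(packets):
    """Learning phase: a histogram of which protocols are normally seen."""
    return Counter(p["proto"] for p in packets)

def inspect(packet, baseline, mode="ips", fail_mode="closed"):
    """Return (verdict, reason). An IDS can only alert; an inline IPS can drop."""
    block = "drop" if mode == "ips" else "alert"
    if packet["payload"] is None:  # assumption: sensor could not scan this packet
        return ("drop" if fail_mode == "closed" else "pass", "uninspectable")
    if packet["src_ip"] in BAD_REPUTATION:  # IP reputation
        return (block, "ip-reputation")
    for name, matches in SIGNATURES:  # signature definitions
        if matches(packet):
            return (block, "signature:" + name)
    if packet["dst_port"] == 80:  # protocol analysis: HTTP must start with a method
        if packet["payload"].split(b" ", 1)[0] not in HTTP_METHODS:
            return (block, "protocol-violation")
    if packet["proto"] not in baseline:  # anomaly detection against the baseline
        return (block, "anomaly:unseen-protocol")
    return ("pass", "clean")

def pkt(src_ip, proto, dst_port=0, payload=b""):
    return {"src_ip": src_ip, "proto": proto, "dst_port": dst_port, "payload": payload}

# Constructed "normal" traffic used to learn the baseline: EIGRP and HTTP only.
NORMAL = [pkt("10.0.0.1", "eigrp"), pkt("10.0.0.2", "tcp", 80, b"GET / HTTP/1.1")]

def demo():
    base = learn_baseline(NORMAL)
    return {
        "clean": inspect(pkt("10.0.0.2", "tcp", 80, b"GET /index.html HTTP/1.1"), base),
        "reputation": inspect(pkt("198.51.100.7", "tcp", 80, b"GET / HTTP/1.1"), base),
        "signature": inspect(pkt("10.0.0.9", "tcp", 80, b"GET /../../secret HTTP/1.1"), base),
        "protocol": inspect(pkt("10.0.0.9", "tcp", 80, b"\x16\x03\x01 junk"), base),
        "anomaly": inspect(pkt("10.0.0.5", "ospf"), base),  # only EIGRP is normal here
        "ids-mode": inspect(pkt("10.0.0.5", "ospf"), base, mode="ids"),
        "fail-open": inspect(pkt("10.0.0.6", "tcp", 443, None), base, fail_mode="open"),
        "fail-closed": inspect(pkt("10.0.0.6", "tcp", 443, None), base),
    }
```

Note that the protocol-violation check fires with no signature at all, which is the point of protocol analysis in the notes, while the OSPF packet is caught only because the learned baseline never contained OSPF.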