Intrusion PreventionNetwork Security

Evan Roggenkamp

Summary Intrusion Detection Intrusion Prevention Types: NIPS, WIPS, NBA, HIPS Typical Components Overview

Common Detection Methodologies Signature-Based Detection Anomaly-Based Detection Stateful Protocol Analysis

IDPS TechnologiesTypical components of an IDPS solution are as follows: Sensor or Agent Management Server Database Server Console

Network BasedTypical components of Network Based IDPS are as follows: Appliance Software Only Sensors Information Gathered Detection Capabilities

Examples of Network-Based Intrusion Detection Tools

Snort (runs on Unix, Linux, Windows) RealSecure (Unix, Linux, Windows) Symantec Intrusion Detection (Unix, Linux)) Dragon (Unix and Linux) Network Flight Recorder (NFR) (Unix, Linux, Windows)

Inline

Passive

Network-Based IDPS Architecture

Wireless IDPS Typical Components are the same as network-based IDPS: Console,

Database, Servers (optional), management servers, and sensors.

Wireless sensors: Dedicated Fixed Mobile Bundled with AP Bundled with Wireless Switch Sensor Locations Information Gathered Detection Capabilities

Wireless IDPS Architecture

Network Behavior Analysis Typical Components are Sensors and Consoles, with some

products offering management servers (analyzers). Sensors Information Gathered Detection Capabilities

NBA Architecture

Host-Based IDPS Typical Components Agent Locations & Host Architectures Detection Capabilities

Host-Based IDPS Architecture

Performance Requirements Configuration and tuning Performance VS Detection Appliance-Based No open standards

Design and Implementation Reliability Interoperability Scalability Security

Sources http://

csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf http://

www.symantec.com/connect/articles/intrusion-prevention-systems-next-step-evolution-ids

Wikipedia http://

www.sfisaca.org/events/conference04/presentations/E21-Intrusion-Detection-and-Intrusion-Prevention.pdf