NIPS

Transcript of NIPS

NIPS essentially breaks down into two categories:

Chokepoint devices

Intelligent switches

In addition to these architectural classes, NIPS designers make a choice

between two types of technology:

General-purpose CPUs

Application-specific integrated circuits (ASICs).


How Chokepoint NIPS Work

A chokepoint NIPS could be located outside of your firewall or on your screened

subnet in front of a device you want to protect, such as your web server.

They will often be configured without an IP address on either of the chokepoint (data) interfaces, passing traffic as a transparent layer-2 bridge, to minimize their impact on the network's architecture and to leave no addressable target on the data path.

Traffic that originates from the Internet is passed through the NIPS to your

corporate firewall and beyond if it does not generate any alerts.

In IPS mode, traffic that does generate an alert can be dropped or rejected by the

NIPS and never delivered inside your network.

These can also be run in IDS mode, where a report is generated but the packet is

not dropped. These tend to either be a "firewall plus something" or an "IDS plus

something."


Firewall Plus Something

Firewalls fall into three major categories, listed in increasing security protection: packet

filter, stateful, and proxy or application gateway.

The overwhelming majority of deployed firewalls are stateful. Firewalls are the original IPS.

To be credible as an IPS, the firewall needs to add additional functionality, such as the

ability to run IDS-type rules.

The next logical progression for many firewall vendors is to add intrusion detection capacity

to their firewalls.

Because the firewall must collect and retransmit each packet that flows through it, a logical advancement is to let policy define whether traffic identified as malicious should generate an alert and be forwarded to the destination, or should generate an alert and be dropped, thereby preventing the attack from succeeding.


Check Point FireWall-1 NG

Check Point's central product is FireWall-1, which is the best-known example of

a "firewall plus something" positioned as a NIPS.

Check Point FireWall-1 NG has the following IPS features:

Attack protection with "Application Intelligence," a rudimentary content-

inspection capability that blocks many well-known, well-defined attacks.

Access control based on stateful inspection, the capability this firewall is best

known for.

Choice of software and appliance deployments. The software is available on

a number of platforms to balance needs versus costs. The high end is based on

the high-performance, secure, and expensive Nokia appliance.


Check Point and OPSEC

The OPSEC Alliance was founded in April of 1997. OPSEC has since grown to

over 350 partners, making it the leading platform alliance by far for integrated

Internet security solutions. Programmers find the interface very workable, which

is probably the reason for the large number of partners.

OPSEC has enabled FireWall-1 to be extended into a number of areas outside of

Check Point's core competency, including the following:

1. Authentication

2. Authorization

3. Content security

4. Intrusion detection and protection

5. Wireless


Modwall

Modwall was developed by Bill Stearns and is available from

http://www.stearns.org/modwall.

Modwall is a set of firewall/IPS modules that can be inserted into an existing

IPTables firewall on Linux.

Rather than focusing on the normal "allow this kind of traffic from here to here"

firewall rules, modwall focuses on illegal packet traffic, which includes invalid

or unassigned source or destination IP addresses, invalid TCP flag

combinations, and packets that have been intentionally fragmented.

Modwall then allows the administrator to define what action to take, including

dropping the traffic, logging it, and blocking traffic from the source for a limited

amount of time.
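The screening modwall describes, written out as an added example in Python (this is not modwall's code, which is a set of iptables rule modules): illegal source or destination addresses, TCP flag combinations no real stack emits, and fragments are dropped and logged, and the offending source is blocked for a limited time. The bogon list, the flag rules, the 60-second block window and the sample packets are assumptions constructed for the example.

```python
"""Illegal-packet screening of the kind modwall adds to an iptables firewall.

Added example, not modwall's code.  Packets are plain dicts built inline;
addresses are checked with the standard ipaddress module.  The bogon list,
the flag rules and the 60-second block window are assumptions chosen for
illustration.
"""
import ipaddress
from collections import namedtuple

# Ranges that should never be a source or destination on an Internet-facing
# link (RFC 1918, loopback, link-local, multicast, reserved).  Assumption:
# a short illustrative list, not a complete bogon feed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# TCP flag bits as they sit in the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

Verdict = namedtuple("Verdict", "action reason")


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def bad_tcp_flags(flags):
    """Return a label for flag combinations no legitimate stack emits."""
    if flags & SYN and flags & FIN:
        return "syn+fin"
    if flags & SYN and flags & RST:
        return "syn+rst"
    if flags == 0:
        return "null-scan"
    if flags & FIN and flags & PSH and flags & URG and not flags & ACK:
        return "xmas-scan"
    if flags & FIN and not flags & ACK:
        return "fin-without-ack"
    return None


def fragment_reason(pkt):
    """Flag IP fragments: a chokepoint that does not reassemble cannot
    inspect them, so they are treated as illegal here."""
    offset = pkt.get("frag_offset", 0)
    more = pkt.get("more_fragments", False)
    if offset == 0 and not more:
        return None
    if offset == 0 and pkt.get("payload_len", 0) < 20:
        return "tiny-first-fragment"   # transport header split across fragments
    return "fragment"


class IllegalPacketFilter:
    """Drop illegal packets, log them, and block the source for a while."""

    def __init__(self, block_seconds=60):
        self.block_seconds = block_seconds
        self.blocked = {}     # source address -> time the block expires
        self.log = []         # (time, source, reason)

    def check(self, pkt, now):
        src = pkt["src"]
        if src in self.blocked:
            if now < self.blocked[src]:
                return Verdict("drop", "source temporarily blocked")
            del self.blocked[src]          # block has expired
        reason = None
        if is_bogon(src):
            reason = "bogon source " + src
        elif is_bogon(pkt["dst"]):
            reason = "bogon destination " + pkt["dst"]
        elif pkt["proto"] == "tcp":
            reason = bad_tcp_flags(pkt.get("flags", 0))
        if reason is None:
            reason = fragment_reason(pkt)
        if reason is None:
            return Verdict("accept", None)
        self.log.append((now, src, reason))
        self.blocked[src] = now + self.block_seconds
        return Verdict("drop", reason)


# Constructed sample traffic: one clean SYN, a spoofed RFC 1918 source,
# a SYN+FIN probe, a follow-up packet from the same prober, and a fragment.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "flags": SYN},
    {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "flags": SYN},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "proto": "tcp", "flags": SYN | FIN},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "proto": "tcp", "flags": ACK},
    {"src": "198.51.100.11", "dst": "203.0.113.10", "proto": "udp",
     "frag_offset": 8, "more_fragments": False},
]


def run_sample(block_seconds=60):
    """Feed the samples one second apart; return the verdicts and the filter."""
    f = IllegalPacketFilter(block_seconds)
    verdicts = [f.check(p, float(t)) for t, p in enumerate(SAMPLE_PACKETS)]
    return verdicts, f


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, run_sample()[0]):
        print(pkt["src"], v.action, v.reason)
```

The timed block is the part worth noting: the prober's otherwise harmless ACK packet is dropped while the block is in force and accepted again once it expires, which is also why a spoofable source address should never be blocked for long.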


IDS Plus Something

The "IDS plus something" classification for IPS products refers to those

vendors who have traditionally had strong IDS tools and have added active

functionality to stop the activity that generates an alert before it is delivered

on the network or executed on a host.

An IDS plus something style IPS would generally be referred to as a NIPS,

where blocking is done at the network level.


IntruShield

IntruShield is an example of a commercial IDS plus something style of NIPS.

In 2002, McAfee (then named Network Associates) acquired the IPS company Entercept for integration into its product line.

The Entercept product line merged with the IDS products previously available

from Network Associates to offer both NIPS appliances and a host-based IPS

suite of products to protect desktops and servers.

IntruShield is a chokepoint architecture that uses classic IDS signature and

anomaly techniques to identify attacks.

The standard product is shipped with a base rule set that can be customized.


You can enable or disable features to best meet the demands of your

network. A lot of work has been put into the IntruShield user interface, and it

is easy to switch between IDS (passive) mode and IPS (active) mode.


NFR Sentivist

A NIPS that is directly positioned against IntruShield is NFR's Sentivist

appliance. Intrusion prevention is designed and built with a focus on three

distinctive areas in this "IDS plus something" NIPS technology:

NFR detection engine

Fine-grained blocking

Resistance to self-inflicted DoS


HogWash and Snort-Inline

HogWash was originally developed by Jed Haile and was the first to use Snort

rules in a security gateway device.

This development effort seems to have stalled, and the work is being continued

by Snort-Inline.

Rob McMillen was the next to lead the effort, hosted at

http://snort-inline.sourceforge.net/.

With Snort 2.3, Snort-Inline became part of the Snort distribution.

Three new rule actions were added: drop (standard IPTables drop, with logging), sdrop (silent drop, no logging), and reject, the noisiest action (drop, log, and forge a TCP reset or an "ICMP Port Unreachable" message, as appropriate for the protocol).
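The three actions, and the difference between running the same rules in IDS (report-only) and IPS (enforcing) mode, as an added Python example. This is not Snort's code: the rules use a simplified match (protocol, destination port, payload substring) in place of the Snort rule language, and the rule set, SIDs and sample packets are constructed for the example. A reject on TCP forges a reset whose sequence number is the client's own acknowledgement number, so the client's stack accepts it.

```python
"""Inline rule actions as Snort-Inline added them (drop, sdrop, reject),
together with the IDS (report-only) versus IPS (enforcing) mode switch.

Added example, not Snort's code.  Rules use a simplified match (protocol,
destination port, payload substring) instead of the Snort rule language;
the rule set, SIDs and packets are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    payload: bytes
    seq: int = 0      # TCP sequence number carried by this packet
    ack: int = 0      # TCP acknowledgement number carried by this packet


@dataclass
class Rule:
    sid: int
    action: str       # "alert" | "drop" | "sdrop" | "reject"
    proto: str
    dport: int
    content: bytes
    msg: str


RULES = [
    Rule(1000001, "alert",  "tcp", 80,   b"/cgi-bin/phf", "phf probe"),
    Rule(1000002, "drop",   "tcp", 80,   b"../../",       "directory traversal"),
    Rule(1000003, "reject", "tcp", 80,   b"cmd.exe",      "IIS cmd.exe request"),
    Rule(1000004, "sdrop",  "udp", 1434, b"\x04",         "SQL resolution service probe"),
]


class InlineEngine:
    def __init__(self, rules, mode="ips"):
        self.rules = rules
        self.mode = mode         # "ids": report only, forward everything; "ips": enforce
        self.alerts = []         # (sid, msg, disposition)
        self.responses = []      # forged packets a reject action would emit

    def first_match(self, pkt):
        for r in self.rules:
            if r.proto == pkt.proto and r.dport == pkt.dport and r.content in pkt.payload:
                return r
        return None

    def process(self, pkt):
        """Return the verdict for one packet: "forward" or "drop"."""
        rule = self.first_match(pkt)
        if rule is None:
            return "forward"
        if self.mode == "ids":
            # Report-only: log what the rule would have done, but never drop.
            self.alerts.append((rule.sid, rule.msg, "would " + rule.action))
            return "forward"
        if rule.action == "alert":
            self.alerts.append((rule.sid, rule.msg, "forwarded"))
            return "forward"
        if rule.action == "sdrop":
            return "drop"                      # silent drop: nothing logged
        self.alerts.append((rule.sid, rule.msg, rule.action))
        if rule.action == "reject":
            self.responses.append(self.forge_response(pkt))
        return "drop"

    @staticmethod
    def forge_response(pkt):
        """What reject sends back: a TCP RST the client's stack will accept
        (its seq is the client's own ack), or ICMP port unreachable for UDP."""
        if pkt.proto == "tcp":
            return {"type": "tcp-rst", "to": pkt.src, "port": pkt.sport,
                    "seq": pkt.ack, "ack": pkt.seq + len(pkt.payload)}
        return {"type": "icmp-port-unreachable", "to": pkt.src, "port": pkt.sport}


# Constructed sample traffic against a web server and a SQL server.
SAMPLE = [
    Packet("198.51.100.5", 40001, "203.0.113.10", 80, "tcp",
           b"GET /index.html HTTP/1.0\r\n", seq=1000, ack=5000),
    Packet("198.51.100.5", 40002, "203.0.113.10", 80, "tcp",
           b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n", seq=2000, ack=6000),
    Packet("198.51.100.6", 40003, "203.0.113.10", 80, "tcp",
           b"GET /../../etc/passwd HTTP/1.0\r\n", seq=3000, ack=7000),
    Packet("198.51.100.6", 40004, "203.0.113.10", 80, "tcp",
           b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n", seq=4000, ack=8000),
    Packet("198.51.100.7", 1434, "203.0.113.11", 1434, "udp", b"\x04" + b"\x01" * 375),
]


def run(mode):
    """Run the samples through a fresh engine; return verdicts and the engine."""
    eng = InlineEngine(RULES, mode)
    return [eng.process(p) for p in SAMPLE], eng


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, eng = run(mode)
        print(mode, verdicts, eng.alerts, eng.responses)
```

Running the same rule set in "ids" mode first gives exactly the "would drop" and "would reject" list that the deployment advice later in this transcript asks you to study before switching on blocking.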

LaBrea Technologies Sentry


Switch-Type NIPS

Another classification of NIPS is an intelligent switch that you plug your network into.

This is probably the most effective of the NIPS products available on the

market place today, making the best use of firewalls, IDS tools, and

routers/switches, ideally in a single parallel-processing, high-performance,

low-latency device.

These switches have enough processing power to do more than just

enhance the performance of a network by preventing Ethernet collisions.

Expect to see antivirus, traffic-shaping, load-balancing, and intrusion

prevention in the network itself.


Of course, this next generation of switches, which use massive arrays of parallel ASICs to connect the internal and external segments of your network together, is going to be expensive. By using many of the techniques employed by advanced NIDS tools, the NIPS device can identify events on the network that are hostile.

Because of its position (inline with the traffic of your entire network), the

NIPS device can stop the hostile activity from ever being delivered to the

target system. This also strongly enhances anomaly detection and network

learning because all the traffic passes through the switch.


Protocol Scrubbing, Rate Limiting, and Policy Enforcement

A NIPS device can be used to clean garbage from the traffic stream, thus

reducing the overall network load.

Another feature of switch-type NIPS devices is the ability to use rate limiting

to apply Quality of Service (QoS) mechanisms to network traffic.

Because the NIPS device is already classifying traffic based on application,

administrators can use this functionality to enforce organizational policy to

drop traffic from unauthorized applications.
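Rate limiting and policy enforcement on top of application classification, as an added Python example (not any vendor's code). Each packet is classified by application, then allowed, rate-limited with a token bucket, or blocked according to a policy table. The classifier is a toy port-and-payload-prefix lookup, and the policy, rates and sample traffic are assumptions constructed for the example.

```python
"""Rate limiting and application-policy enforcement as a switch-type NIPS
applies them: classify each packet by application, then allow, rate-limit
(token bucket) or block according to policy.

Added example, not any vendor's code.  The classifier is a toy port and
payload-prefix lookup, and the policy table, rates and packets are
assumptions constructed for this example.
"""


def classify_app(pkt):
    """Assumption: a tiny classifier; real products inspect far more."""
    if pkt["dport"] == 53:
        return "dns"
    if pkt["payload"].startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if pkt["dport"] == 80 and pkt["payload"][:4] in (b"GET ", b"POST"):
        return "http"
    return "unknown"


class TokenBucket:
    """Classic token bucket: `rate` bytes per second, up to `burst` saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


# Policy per application: ("allow", None), ("limit", (rate, burst)) or ("block", None).
POLICY = {
    "dns": ("allow", None),
    "http": ("limit", (10_000, 15_000)),      # 10 kB/s sustained, 15 kB burst
    "unknown": ("limit", (2_000, 2_000)),
    "bittorrent": ("block", None),            # prohibited by acceptable-use policy
}


class PolicyEnforcer:
    def __init__(self, policy):
        self.policy = policy
        self.buckets = {app: TokenBucket(*p[1])
                        for app, p in policy.items() if p[0] == "limit"}
        self.log = []      # (time, source, application, what was done)

    def process(self, pkt, now):
        app = classify_app(pkt)
        action, _ = self.policy[app]
        if action == "block":
            self.log.append((now, pkt["src"], app, "blocked"))
            return "drop"
        if action == "limit" and not self.buckets[app].allow(len(pkt["payload"]), now):
            self.log.append((now, pkt["src"], app, "rate-limited"))
            return "drop"
        return "forward"


def simulate():
    """Constructed traffic: 20 HTTP packets of 1000 bytes at t=0, 10 more at
    t=1, one BitTorrent handshake and one DNS query.  Returns forwarded counts."""
    enf = PolicyEnforcer(POLICY)
    http = {"src": "10.0.0.5", "dport": 80, "payload": b"GET /" + b"A" * 995}
    burst0 = sum(enf.process(http, 0.0) == "forward" for _ in range(20))
    burst1 = sum(enf.process(http, 1.0) == "forward" for _ in range(10))
    bt = {"src": "10.0.0.6", "dport": 6881,
          "payload": b"\x13BitTorrent protocol" + b"\x00" * 48}
    dns = {"src": "10.0.0.7", "dport": 53, "payload": b"\x12\x34\x01\x00" + b"\x00" * 40}
    return {"http_t0": burst0, "http_t1": burst1,
            "bittorrent": enf.process(bt, 1.0), "dns": enf.process(dns, 1.0)}, enf


if __name__ == "__main__":
    result, enf = simulate()
    print(result)
    for entry in enf.log:
        print(entry)
```

The log is the point the later "Expect the NIPS to Be Blamed" slide makes: every packet that was shaped or dropped is recorded with the reason, so a throughput complaint can be answered from the device's own records.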


Environmental Anomaly Analysis

What is anomalous with a given application or protocol in one environment

may not be anomalous in the next environment.

One of the immediate benefits of this capability is the support of an active

change control program. NIDS and NIPS tools alike can detect a new

version of an operating system or application and raise an alert, or even

modify the rule set to take the new information into account.

This could help the operations administrators manage unauthorized change.

Obviously, you can only process so many alerts, so this would be managed

by the analyst or administrator to help determine where appropriate

thresholds should be set.


Because the NIPS device is simultaneously tracking connection state for

thousands or even millions of connections, it can take a "broad perspective"

view to detect anomalies that involve many connections across an entire

enterprise.


NIPS Challenges

In order for NIPS devices to be deployed as reliable, effective devices, they

must overcome several challenges:

1. Detection capabilities

2. Evasion resistance

3. Stable performance

4. High throughput

5. Low-latency, built-in security

6. The ability to passively determine operating systems and application versions


Security

The NIPS device must be secured against compromise because a

compromised NIPS would give an attacker the ability to establish a man-in-

the-middle attack against all the traffic entering or leaving the network.

This is typically performed by configuring the NIPS without IP or MAC

addresses on data interfaces, using a hardened operating system that

resists common attacks, and using a secured management interface that

strictly defines who is permitted to connect to and administer the system.

Attackers will seek opportunities to break a NIPS, whether through denial of service or by circumventing the protection the NIPS provides, so the NIPS device must be able to withstand direct attacks.


Passive Analysis

In order to help the NIPS identify false-positive traffic, vendors make use of

passive analysis techniques to identify host operating systems, network

architecture, and what vulnerabilities are present on the network.

Three of the most well-known standalone tools for this purpose are p0f (available at http://www.stearns.org), RNA by Sourcefire, and NeVO from Tenable Security, and capability of this kind should be available to some extent on every NIPS.

The figure that follows provides a sample analysis using the NeVO system. Once this information is gathered, the NIPS can use it to classify attacks against internal systems based on their operating system and vulnerabilities, for example discounting an alert for a Windows-only exploit aimed at a host fingerprinted as Linux.
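Passive fingerprinting and the two uses this transcript makes of it, as an added Python example: the "Passive Analysis" point of discounting an attack that cannot affect the target's platform, and the "Environmental Anomaly Analysis" point of raising a change-control alert when a host's fingerprint changes. This is not p0f, RNA or NeVO code; the signature table is a small approximation of real signatures, and the SYN observations and alerts are constructed for the example.

```python
"""Passive OS fingerprinting from SYN attributes (the idea behind p0f, RNA and
NeVO), put to two uses: discounting an attack that cannot affect the target's
platform, and raising a change-control alert when a host's fingerprint changes.

Added example, not any of those tools' code.  The signature table is a tiny
approximation of real p0f signatures, and the SYN observations and alerts
are constructed for this example.
"""

# (initial TTL, window size, DF bit, TCP option order) -> (label, family).
# Assumption: approximate values for illustration, not an authoritative table.
SIGNATURES = [
    ((64,  5840,  True, ("mss", "sack", "ts", "nop", "ws")), ("Linux 2.4/2.6", "linux")),
    ((128, 65535, True, ("mss", "nop", "nop", "sack")),        ("Windows 2000/XP", "windows")),
    ((64,  65535, True, ("mss", "nop", "ws", "nop", "nop", "ts", "sack", "eol")),
     ("FreeBSD 4.x", "bsd")),
]


def guess_initial_ttl(ttl):
    """Stacks start at 32, 64, 128 or 255; the observed TTL is at or below that."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def fingerprint(syn):
    """Return (label, family, hop distance) for one observed SYN."""
    initial = guess_initial_ttl(syn["ttl"])
    key = (initial, syn["window"], syn["df"], tuple(syn["options"]))
    for sig, (label, family) in SIGNATURES:
        if sig == key:
            return label, family, initial - syn["ttl"]
    return "unknown", "unknown", initial - syn["ttl"]


class HostInventory:
    """Tracks what each internal host looks like on the wire."""

    def __init__(self):
        self.hosts = {}          # ip -> (label, family, distance, last seen)
        self.change_alerts = []  # (time, ip, old label, new label)

    def observe(self, ip, syn, now):
        label, family, dist = fingerprint(syn)
        prev = self.hosts.get(ip)
        if prev and prev[0] != label and label != "unknown":
            # The host answers with a different stack: rebuilt, replaced, or spoofed.
            self.change_alerts.append((now, ip, prev[0], label))
        self.hosts[ip] = (label, family, dist, now)
        return label

    def prioritize(self, alert):
        """Downgrade an IDS alert whose exploit cannot affect the target's platform."""
        host = self.hosts.get(alert["target"])
        if host is None or host[1] == "unknown":
            return "high"                    # no basis to discount it
        return "high" if host[1] in alert["affects"] else "low"


def run_sample():
    """Constructed observations: a Linux host, a Windows host, then the
    Linux host reappearing with a Windows fingerprint; then two alerts."""
    inv = HostInventory()
    linux_syn = {"ttl": 63, "window": 5840, "df": True,
                 "options": ["mss", "sack", "ts", "nop", "ws"]}
    win_syn = {"ttl": 126, "window": 65535, "df": True,
               "options": ["mss", "nop", "nop", "sack"]}
    inv.observe("10.0.0.5", linux_syn, 100.0)
    inv.observe("10.0.0.6", win_syn, 101.0)
    iis_attack = {"target": "10.0.0.5", "affects": {"windows"}, "msg": "IIS cmd.exe request"}
    p1 = inv.prioritize(iis_attack)                            # Linux target: "low"
    p2 = inv.prioritize(dict(iis_attack, target="10.0.0.6"))   # Windows target: "high"
    inv.observe("10.0.0.5", win_syn, 900.0)                    # host rebuilt as Windows
    p3 = inv.prioritize(iis_attack)                            # now "high"
    return (p1, p2, p3), inv


if __name__ == "__main__":
    (p1, p2, p3), inv = run_sample()
    print(p1, p2, p3, inv.change_alerts)
```

Note that an unknown fingerprint never lowers a priority: the discount is only safe when the inventory positively identifies the target, and a host that changes platform also changes which alerts against it matter, which is why the inventory must be re-learned rather than configured once.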


Increased Security Intelligence in the Switch Products

Switch-based, "bump in the wire" NIPS is a fast-growing market segment, and there is no possible way to predict what all the players will do. Players include TippingPoint, Enterasys, and Radware. All our efforts to get Cisco to share its plans have failed; however, between the existing Cisco Security Agent, the Network Admission Control program, and educational efforts to help network administrators get more security out of their existing IOS products, it seems certain Cisco will be a player.

A subset of these products includes the true NIPS devices, which are

categorized as wire-speed switches, have IPS capability, and, in general, are

based on parallel ASICs. These products include TippingPoint's UnityOne

IPS and TopLayer Attack Mitigator.


TippingPoint's UnityOne IPS

At the time of writing, TippingPoint's UnityOne IPS product was the overwhelming market leader for switch-type NIPS.

It offers an inline NIDS that provides multigigabit performance, low latency,

and multiple mechanisms to detect known and unknown attacks on the

network. In addition to providing IPS features, UnityOne provides the ability

to traffic-shape or rate-limit traffic for QoS measures.

It also provides policy enforcement by blocking applications that are

prohibited by your organization's acceptable-use policy (such as peer-to-

peer apps, web mail, or instant messaging).


When the UnityOne device identifies malicious activity or activities that violate

policy rules, the engine uses one of four available response mechanisms:

1. Monitor: The UnityOne device monitors the activity, generating a log for later analysis.

2. Report: The UnityOne device simply reports the event without detailed logging data.

3. Limit: The UnityOne device restricts the throughput or rate of the malicious activity.

4. Block: The UnityOne device simply drops the traffic before it is delivered to the destination.


TopLayer Attack Mitigator

In the days before true gigabit IDS, TopLayer gained fame as the solution

for high-bandwidth monitoring via load balancing.

Like TippingPoint's product, this is a very fast box with high availability, hot-

swappable components, parallel ASICs, and a price tag to match the

performance.

Attack Mitigator's roots are more from suppressing distributed denial of

service resource exhaustion and protocol anomaly attacks than a true IPS,

but it certainly has the chassis to build on and, like FireWall-1, is very good

at well-known, well-understood attacks.

TopLayer calls its inspection technology TopInspect.


Switch NIPS Deployment Recommendations

Deploying a NIPS solution is a major project. Start off in reporting-only mode, study the false positives and negatives for your chosen solution carefully, invest the time in creating a sustainable process for configuration management, make sure Operations is a full partner in the NIPS deployment process, and remember that your NIDS is still a valuable source of information.

Begin Budgeting Now

You will probably be strongly considering the next generation of switches with

security intelligence sometime in the next two years. This is going to be

expensive, so speak to your manager and see what can be done to plan for

this expense in a technology refresh cycle.


Review Products in Report-Only Mode

Before you start using a NIPS device to start blocking attacks on your network, run the

device in report-only mode. Use this information to identify what events the NIPS would

have dropped on your network, and what the impact would have been to the network.

Work with Vendors Identifying Test Procedures for False Positives and False

Negatives

Ask your vendor to detail its testing procedure for new rules and anomaly analysis

techniques. Ensure the vendor uses a combination of "live" and "attack" scenarios at

rates that are appropriate for your network environment before shipping you updates.

Ask your vendor what techniques it uses to eliminate false-positive traffic, and how it

exercises auditing to ensure it isn't missing attacks.


Be Wary of Absence of Auto-Update Mechanisms

A major reason to consider the purchase of an expensive switch NIPS is worm management, which makes being able to keep the device up to date with the latest signatures critical.

Be Wary of Auto-Update Mechanisms

Auto-update mechanisms ease the implementation and deployment of NIPS

products but can impose a new set of challenges on your organization. Ask your

vendor to support a mixed-reporting mechanism, where new rules are placed in

report-only mode for a specified amount of time. This way, the organization can take

advantage of existing functionality in the NIPS while the analyst has the ability to

identify false-positive alerts or performance burdens that affect throughput and

latency on the network.


Document a Change-Management Mechanism

Identify who should be responsible for managing updates to NIPS software,

and how often the software should be updated. Include information about how

the organization should react to updates based on new Internet threats, such

as a new worm or other exploitative threat. Having this policy in place before a

new threat emerges will define how well your organization will be able to

leverage NIPS technology.


Expect the NIPS to Be Blamed for All Problems

A new product like a NIPS is potentially disruptive to network operations.

At some point, someone in the organization is bound to experience a problem

and cast blame on the NIPS device. The best way to mitigate this problem is to

clearly document the use and functionality of the NIPS device and utilize the

logging features that come with the NIPS to identify traffic that is dropped,

shaped, or altered in any way.


Use a Combination of NIPS and NIDS Where Appropriate

NIDS investments don't go out the window after a NIPS device is deployed.

We can still leverage the technology of NIDS devices to aid in assessing

threats, baselining attack statistics, and troubleshooting network problems with

the addition of a NIPS device. After deploying a NIPS tool, many organizations

focus their NIDS tools to monitor internal networks, to aid in identifying attacks

that make it past the NIPS device, and to identify insider threats. We don't

expect NIDS technology to go away anytime soon; instead, we expect the

technology to continue to mature and add value to organizations that take full

advantage of the functionality available.