In today’s rapidly growing world of information sharing and private data collection, protecting your business’s information is becoming more and more complicated.
The question is no longer if an attempt to compromise our systems will occur, but when and how. There is no doubt that actions must be taken to protect our data and intellectual property from being breached by an intrusion, but what is the best way to do this? And what does this all really mean for your business?
What is an Intrusion?
A network intrusion is simply unauthorized activity on a computer network. To detect report and mitigate intrusion, you need to understand exactly how it happens. There are different modes of operation including:
· Asymmetric routing: an attacker uses more than one path to reach their targeted device. This increases the chances of significant malicious packets evading various intrusion sensors.
· Buffer overflow attacks: Overwriting specific parts of a computer’s memory and replacing the normal data in them with commands to be executed later. The attacker’s ultimate goal might be setting up a channel to get remote access or as a denial of service attempt.
· Trojans: Programs do not replicate like viruses or worms but instead instigate DoS attacks, erase data or open channels to let through outsiders.
Traffic flooding, worms, and protocol-specific attacks are some more ways in which your network may be compromised. In the wake of such possibilities, the only hope lies in intrusion protection because once some threats have passed through, it is impractical to try countering them.
What is an Intrusion Protection System (IPS)?
Intrusion protection is an approach to network security that is used to identify potential threats and promptly respond to them accordingly. An IPS monitors network traffic and has the ability to take rapid action according to a set of rules set by the administrator.
IPS is often confused with intrusion detection systems (IDS) but they are quite different. The technology used to detect threats is similar and fit in a common base but their role in the network is different. IPS and IDS work in different ways, have different functions and solve different problems. The closest comparison to an IPS is a firewall, but instead of port-based “pass rules” it utilizes application and packet based “deny rules” to completely block a suspicious act. When a packet shows up, the IPS goes through the list of rules looking for reasons to drop it. At the end of the rule list, though, is an implicit “pass rule: allow this packet through,” to let through any packets that passed all the checks.
Our business partners at AlienVault do a great job of explaining this:
Many IT security experts believe that an intrusion prevention system is an extension/improvement of the intrusion detection system. Instead of simply detecting and reporting threats, an IPS will also block or prevent the execution of malicious activity. The intrusion protection system sits behind the firewall, providing a complementary layer of analysis that carefully watches for malicious content. The actions taken by an IPS are generally:
· Dropping malicious packets
· Resetting connections
· Sending reports of malicious activity to the administrators
· Blocking all traffic from an IP that malicious content has been detected.
Types of IPSs
· Host IPS
A host IPS scans outbound and inbound traffic at a particular host where it is installed as software. The system runs as a normal process scanning executables, file access, and connections, to prevent malicious activities. The module of an IPS on a certain host is called the agent.
· Wireless IPS
A wireless IPS scans wireless traffic to prevent intrusion over resources that use wireless internet connection. It monitors for suspicious activity on the radio spectrum for suspicious access points and immediately alerts the system administrator.
· Network IPS
The network IPS works in multiple points on the network level to scan traffic at the application layer. There is some that can detect threats at internet and transport layers. If any suspect activity is witnessed, the IPS contacts the central server for log in info or commands prompting preventative action.
How Does an IPS detect threats?
It is important that the system works efficiently to prevent any degradation of a network’s performance. An IPS must work extremely fast to counter attacks in a near real-time way. Responses should also be accurate to remove mistaken identity and ensure elimination of threats. There are many threat detection mechanisms but some are more dominant than others.
· Statistical anomaly-based detection: Samples of network traffic are randomly selected, then compared with a pre-calculated base performance level. If it detects activity outside the base, an IPS will take relevant action. IPS was once sold as a separate device but today it is normally integrated into UTM (Unified Threat Management) solutions for SMEs.
· Signature-based mechanism: The system looks for patterns commonly used in attacks. This includes byte sequences in traffic and familiar instruction sequences by malware. The detected patterns are known as signatures, hence the name “signature-based” mechanisms. Continual monitoring over time allows for the creation of a baseline and any deviations from the standards indicates attacks. This method is particularly effective in the detection of DoS attacks but it could also find malware infection embedded in the system.
· Profile based IPS: Another method used by IPS is profile-based. In this case, the system collects pattern data to and from a computer and compares it to real-time data. Anything out of the ordinary is immediately blocked.
Why is Intrusion Protection Necessary for Businesses?
Small to medium enterprises are particularly vulnerable to intrusion because most do not factor in the need for protection against looming threats in their daily operations. Intrusion protection systems are not just for big organizations but also the smaller ones. It detects and stops threats where others have failed.
Intrusion protection systems can be customized to the organization with specific needs. By reducing the traffic reaching other controls, an IPS lowers workload and protects such controls from direct attacks. Protection of other controls means that the IPS is deployable in front of another enterprise control to protect it from direct attacks. It also prevents attackers from bypassing that control by making their activity at the network or app layer. Deploying IPS sensors before other security controls reduces traffic, thereby making an overload impossible. The system can be designed to handle a specific type of attack that an organization might be worried about. It can identify phishing attacks specific to the organization.
An IPS comes in especially handy in dealing with foreign attacks that signature-based methodologies wouldn’t handle. Intrusion detection systems typically have a good understanding of applications, which significantly increases the chances of identifying attacks launched from a particular app. Extensive knowledge of applications makes it possible for an IPS to employ unique detection capabilities for applications.
Administrators also enjoy the fact that IPSs provide a single point for security by detecting threats across several apps. From one point, they can pinpoint a variety of undesirable activities in the network including attacks and misuse.
All organizations do indeed need intrusion protection lest they suffer the brunt of targeted attacks. An IPS may receive reputation data, which would enable it to obstruct URLs, IPS and other entities according to the behavior they projected most recently. Today’s network intrusion prevention systems can analyze files moving through the network to identify abnormal activity. This is helpful in the prevention of familiar and unfamiliar attacks. Modern intrusion protection technologies come in three forms namely: Dedicated hardware and software, IPS enabled on other security controls and, cloud-based IPS services but the most popular among organizations is IPS provided through hardware and virtual appliances.
Thing to Consider With IPS
Like all things, intrusion protection systems have some important things to consider when setting them up.
· IPSs are likely to deny legitimate packages thereby denying much-needed services to valid users. It is also likely that there could be false negatives whereby a system allows malicious software to pass through. Network administrators can avert this issue by thoroughly training the IPS to become familiar with programs that do not present any dangers.
· You need IPSs deployed in multiple areas on the network for the best results, and the environment may need optimized for the best performance.
Things to remember when buying an IPS
There is no doubt that an intrusion prevention system is a powerful tool that has made significant strides across information systems. There are already several variations and more are expected as more companies come up with their own solutions. Through the five years of its existence, IPS has become an integral part of organizations that want to strengthen protection of their data. When choosing an IPS you should bear in mind the following:
·IPS that utilize both signature and protocol methods of attack detection are gaining popularity. This is a hybrid method where protocol headers can be scanned for RFC violations and also scan data packets for known attack signatures.
· The signature-based method is more popular among organizations. They choose this over the profile-based method which is known to cause many false alarms resulting in excessive monitoring and disruptions. There is a gap between detection and release of a patch from the vendor, which could be enough to expose the entire network to attack.
· The downside of a signature-based approach is that it is easily fooled by a slight variation. The stateful protocol method is far better as it thoroughly checks to ensure that all standards are met. This enables it to detect all RFC violations whether they are old or new.
Features to consider before deploying an IPS
If you are considering an IPS for your business, you need to know what to look for in various products. First, you should think of all the reasons for integrating IPS into your work environment. Your short-term objective should be making the network more secure. From there you can start sampling intrusion prevention systems from various lenders. Before committing to a certain system, you are supposed to consider the following:
· Location
Where to put the IPS in the network is important if you want to ensure seamless integration with your network. At this point, you must also make sure that your choice is compatible with already deployed network services. If not, you should make sure that the organization is capable of making necessary changes to accommodate the IPS. Switching things might be expensive, which is why most SMEs should turn to IPS that doesn’t demand special network configurations.
· Environment awareness
An IPS should be smart enough to accept data from services that are already deployed in the network. Some products in the market have the ability to query common information resources like Active Directory, which lend policy information to real-time risk evaluation. As opposed to simply looking at network flow for any oddities in the path it travels, an IPS with more understanding of vectors is more accurate. A smart system would reduce false positives and negatives by looking deeper into the network.
· Signatures
Most of an IPSs functionality is still signature-based, so you need to be sure that they are of high quality and take a short while to be released. Depending on the ultimate choice, you might be able to customize signatures for the benefit of your customers. Such signatures are able to detect problems that your business might be specifically worried about. Experts agree that this is often the difference between an IPS effectively handling the threat. If you are considering a product that allows for customization, make sure that your business has all resources needed to analyze traffic, create the signature, and effectively maintain it.
Before making a commitment to any IPS, it is important to test it in your environment because vendors tend to leave out any weaknesses during advertising. Judge different products according to your company’s needs but bear in mind that there might not be a product that meets them all. Try to find a system that seamlessly integrates into the network without hindrances to normal operations. Customer activity should never be compromised as you try to improve network security. If you are tight on funds to deploy an IPS all across the system, it is possible to target specific areas in the network that you feel are most vulnerable to attacks. In this age of unpredictable types of programs, organizations of all sizes must adopt sophisticated intrusion prevention systems. A secure environment might be all that you need to start enjoying greater profit margins.
We are just easing into the New Year but there has already been a stream of foreign attacks in areas that were considered invulnerable in the past. You cannot rest thinking that you have foolproof devices because attackers are getting wiser. In addition to ordinary methods of threat identification, you need a smart Intrusion Protection System that would detect the slightest hitch.
