IPSs instantly grant or deny access

Intrusion-prevention systems can provide a scalable front line of defense for vulnerable unpatched or misconfigured servers

A surge of new security vulnerabilities has caused an increase in sophisticated attacks, generated internally and externally, that bypass traditional firewalls. Intrusion-prevention systems placed at the perimeter or on internal network segments can stop these attacks, providing a scalable front line of defense for vulnerable unpatched or misconfigured servers.

Intrusion-detection systems monitor network traffic and send alerts about suspicious activity, but they aren't designed to block attacks. IPSs thoroughly examine every packet that passes through and make an instant decision on whether to forward or block it.

An IPS is loaded with filters that halt attacks against all types of system vulnerabilities. When a new vulnerability is discovered, a filter is created and added to the IPS. Any malicious attempt to exploit these vulnerabilities is blocked immediately.

IPSs are capable of total flow inspection to detect all types of attacks that exploit Layer 2 (media access control) to Layer 7 (application) vulnerabilities. Traditional firewalls are limited to Layer 3 or Layer 4 inspection and cannot detect attacks at the application level that are contained within the packet payload.

The IPS packet-processing engine is based on a set of highly specialized, custom application-specific integrated circuits (ASICs). Total inspection of every bit in a packet is required. Deep packet inspection doesn't examine every single byte in a payload, so it could miss attacks.

Flow data inspection requires that the payload of each packet in a flow be reassembled. Then, the IPS device applies filters to the full context of the flow every time a new packet for that flow arrives.

Packets are classified and fully inspected against all relevant filters before being allowed to exit. The classification is based on packet header information such as source and destination IP addresses and ports, and application fields.

Each filter consists of a set of rules defining conditions that must be met to ascertain that a packet or flow is malicious. These rules can be extensive to ensure accuracy. When classifying traffic, the engine must assemble a flow payload and parse it into meaningful fields for contextual analysis. For example, a buffer overflow attack could require the engine to identify the reference to a buffered parameter at the application layer and then evaluate its characteristics to detect the attack.

To prevent an attack from reaching its target, the instant a flow is determined to be malicious the latest packet is dropped along with any subsequent packets belonging to the offending flow.
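The flow-inspection behaviour described above (classify on header fields, reassemble the flow payload, re-run the filters against the full flow context on every new packet, and drop the current and all later packets once the flow is judged malicious) is illustrated by the following added example. It is a constructed Python model written for this page, not TippingPoint code; the packet format, the `EXPLOIT-MARKER` signature and the addresses are all made up for the demonstration. A packet-only checker is included alongside to show why reassembly matters when an attack string is split across segments.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed packet model: 5-tuple fields plus a TCP-like relative sequence
# number that gives the payload's offset within the flow.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    payload: bytes

FlowKey = Tuple[str, str, int, int]
Filter = Callable[[bytes], bool]          # reassembled payload -> True if malicious

@dataclass
class FlowState:
    segments: Dict[int, bytes] = field(default_factory=dict)   # seq -> payload
    blocked: bool = False

    def reassembled(self) -> bytes:
        # Concatenate segments in sequence order (toy model: no overlap/gap handling).
        return b"".join(self.segments[s] for s in sorted(self.segments))

class FlowInspector:
    """Classifies packets into flows, reassembles each flow's payload and applies
    every filter to the full flow context each time a new packet arrives."""

    def __init__(self, filters: List[Filter]):
        self.filters = filters
        self.flows: Dict[FlowKey, FlowState] = {}

    @staticmethod
    def classify(pkt: Packet) -> FlowKey:
        # Classification on header fields: addresses and ports.
        return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)

    def inspect(self, pkt: Packet) -> str:
        flow = self.flows.setdefault(self.classify(pkt), FlowState())
        if flow.blocked:
            return "drop"                 # later packets of an offending flow never pass
        flow.segments[pkt.seq] = pkt.payload
        context = flow.reassembled()
        if any(f(context) for f in self.filters):
            flow.blocked = True           # this packet and all subsequent ones are dropped
            return "drop"
        return "forward"

def pattern_filter(pattern: bytes) -> Filter:
    """Simplest filter kind: a byte-pattern signature match on the flow context."""
    return lambda payload: pattern in payload

def build_demo_packets() -> List[Packet]:
    """Constructed traffic: a made-up attack marker split across two packets of one
    flow, a third packet of that flow, and an unrelated benign flow."""
    attacker = ("198.51.100.7", "192.0.2.10", 40000, 80)
    return [
        Packet(*attacker, seq=0, payload=b"GET /cgi-bin/EXPL"),
        Packet(*attacker, seq=17, payload=b"OIT-MARKER HTTP/1.0\r\n"),
        Packet(*attacker, seq=38, payload=b"Host: victim\r\n\r\n"),
        Packet("203.0.113.4", "192.0.2.10", 40001, 80, seq=0,
               payload=b"GET /index.html HTTP/1.0\r\n\r\n"),
    ]

DEMO_FILTERS = [pattern_filter(b"EXPLOIT-MARKER")]

def flow_verdicts() -> List[str]:
    """Flow-context inspection: the marker is seen once the second segment arrives."""
    ips = FlowInspector(DEMO_FILTERS)
    return [ips.inspect(p) for p in build_demo_packets()]

def packet_only_verdicts() -> List[str]:
    """Per-packet inspection without reassembly: the split marker is never matched."""
    return ["drop" if any(f(p.payload) for f in DEMO_FILTERS) else "forward"
            for p in build_demo_packets()]

if __name__ == "__main__":
    print("flow context :", flow_verdicts())
    print("packet only  :", packet_only_verdicts())
```

Running the block shows the flow engine forwarding the first segment, dropping the second once the reassembled context matches, and dropping the third without inspection, while the benign flow is unaffected; the per-packet checker forwards everything.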

To detect traffic intended to exploit system vulnerabilities, a variety of filters is required. Some attacks such as known exploits can be detected with specific signatures or pattern-matching filters. Others, such as buffer overflows, require more-sophisticated filters that can be expressed with rules that utilize protocol- and application-level decoders. Finally, multi-flow attacks such as network sweeps and packet flooding require filters that gather statistics and expose anomalies over an aggregation of flows.
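The three filter families named above (signature or pattern match, decoder-based rules that examine an application-layer field's characteristics, and statistical filters aggregated across many flows) are shown side by side in this added example. It is constructed for this page rather than taken from any product: the flow record, the `EXPLOIT-MARKER` signature, the HTTP-style header decoder, the 256-byte field limit and the sweep threshold are all assumptions chosen for the demonstration. Filters operate on already-reassembled flow records, so the reassembly logic is not repeated here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed flow record as handed to filters: header fields plus reassembled payload.
@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

FlowFilter = Callable[[FlowRecord], bool]

# 1. Signature filter: a known exploit pattern matched against the payload.
def signature_filter(pattern: bytes) -> FlowFilter:
    return lambda rec: pattern in rec.payload

# 2. Decoder-based filter: parse an HTTP-style request and flag a header field
#    whose length exceeds what the application should ever receive (the kind of
#    characteristic check used for buffer-overflow attempts).
def oversized_header_filter(header: bytes, max_len: int) -> FlowFilter:
    def check(rec: FlowRecord) -> bool:
        lines = rec.payload.split(b"\r\n")[1:]          # skip the request line
        for line in lines:
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == header.lower():
                if len(value.strip()) > max_len:
                    return True
        return False
    return check

# 3. Multi-flow statistical filter: keeps state across flows and fires when one
#    source has touched at least `threshold` distinct destination ports (a sweep).
class SweepFilter:
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.ports_per_src: Dict[str, Set[int]] = defaultdict(set)

    def __call__(self, rec: FlowRecord) -> bool:
        ports = self.ports_per_src[rec.src_ip]
        ports.add(rec.dst_port)
        return len(ports) >= self.threshold

def evaluate(flows: List[FlowRecord],
             filters: List[Tuple[str, FlowFilter]]) -> List[List[str]]:
    """Return, for each flow in order, the names of the filters that fired."""
    return [[name for name, f in filters if f(rec)] for rec in flows]

def build_demo_flows() -> List[FlowRecord]:
    """Constructed flows: benign request, signature hit, oversized header, port sweep."""
    benign = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
    exploit = b"GET /cgi-bin/EXPLOIT-MARKER HTTP/1.0\r\nHost: example.test\r\n\r\n"
    overflow = b"GET / HTTP/1.0\r\nHost: " + b"A" * 300 + b"\r\n\r\n"
    flows = [
        FlowRecord("10.0.0.5", "192.0.2.10", 80, benign),
        FlowRecord("10.0.0.6", "192.0.2.10", 80, exploit),
        FlowRecord("10.0.0.7", "192.0.2.10", 80, overflow),
    ]
    # One source probing eight different ports with empty payloads.
    flows += [FlowRecord("10.0.0.9", "192.0.2.10", port, b"") for port in range(1, 9)]
    return flows

def demo_results() -> List[List[str]]:
    filters = [
        ("signature", signature_filter(b"EXPLOIT-MARKER")),
        ("oversized-header", oversized_header_filter(b"Host", 256)),
        ("sweep", SweepFilter(threshold=5)),
    ]
    return evaluate(build_demo_flows(), filters)

if __name__ == "__main__":
    for rec, fired in zip(build_demo_flows(), demo_results()):
        print(f"{rec.src_ip} -> :{rec.dst_port:<3} {fired or 'clean'}")
```

The first two filters are stateless and decide on a single flow's content; the sweep filter only becomes meaningful over an aggregation of flows, which is why it fires on the fifth probe from the same source and every one after it, never on the first four.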

The filter engine combines pipelined and massively parallel-processing hardware to perform thousands of filter checks on each packet simultaneously. Parallel filter processing ensures that the packet continues to move through the system quickly regardless of the number of filters applied. This hardware acceleration is critical because traditional software solutions must check filters serially and consequently sacrifice performance.

The IPS is a transparent device and becomes part of the link it splices. To avoid becoming the weak link, the IPS is equipped with intrinsic redundancy and failover mechanisms to ensure the network will continue to operate in the event of a failure.

In addition to serving as a front line of defense, an IPS is also a network cleansing tool that eliminates malformed packets and controls non-mission-critical applications to protect bandwidth. For example, IPSs have been effective in stemming the illegal transfer of copyrighted files through peer-to-peer file-sharing applications.

Intrusion prevention: How it works

Willebeek-LeMair is CTO for TippingPoint Technologies. He can be contacted at marc@tippingpoint.com.


Copyright © 2003 IDG Communications, Inc.
