In a study last August, Gartner argued that today's intrusion detection systems (IDS) have struggled to meet customers' needs. An IDS does not provide an additional level of security; instead it adds complexity to enterprise security operations. The evolution of the intrusion detection system toward the intrusion prevention system (IPS) has become inevitable. In fact, IDS and IPS can be regarded as two mutually exclusive, separate technologies: IPS focuses on access control, while IDS is network monitoring; IPS enforces policy, while IDS can only audit and track; IDS is not about ensuring network security, but about reporting how secure the network actually is.
IPS is not merely the evolution of IDS: it has a degree of intelligent processing capability and intercepts attacks in real time. A traditional IDS can only passively monitor traffic, which it does by tapping packets from a switch port, whereas an IPS monitors inline, proactively intercepting and forwarding packets. In an inline configuration, an IPS can discard packets or abort connections according to its policy settings, while the response mechanisms of a traditional IDS are limited to, for example, resetting TCP connections or requesting changes to firewall rules.
How IPS works
There are two key differences between real intrusion prevention and traditional intrusion detection: automatic blocking and inline operation, and both are indispensable. A prevention tool (software or hardware) must be configured with policies that respond to attacks automatically, not merely alert the network administrator when malicious traffic enters. To respond automatically, the system must run inline.
When an attacker attempts to establish a session with the target server, all data passes through the IPS sensor, which sits in the active data path. The sensor detects malicious code in the data stream, checks the policy, and blocks the packet or stream before it is forwarded to the server. Because the operation is inline, the handling is guaranteed to be appropriate and predictable.
By contrast, the usual IDS response mechanisms, such as a TCP reset, work very differently. A traditional IDS also detects malicious code in the traffic, but because it is passive it cannot act on the data flow itself. A TCP reset packet must be injected into the flow to tear down the session at the target server, and that may be too late: the entire attack payload can reach the server before the TCP reset does. Changing firewall rules has the same problem: the passively operating IDS detects malicious code and sends a request to the firewall to block the session, but the request may arrive too late to prevent the attack.
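The race described above, as an added example that is not part of the article: a small timing model in which an inline sensor drops a matching packet before forwarding it, while a passive sensor sees a mirrored copy and injects a TCP reset that may reach the server after the payload. The session, the ATTACK marker and the latencies are all constructed values.

```python
# Added example, not from the article: a small timing model of the two
# response modes described above. The inline IPS inspects every packet
# before forwarding it; the passive IDS only sees a mirrored copy and
# injects a TCP reset afterwards, which can arrive after the payload.
# All packets and latencies (milliseconds) are constructed values.
from dataclasses import dataclass

@dataclass
class Packet:
    t_ms: float          # time the packet enters the monitored path
    payload: bytes

MARKER = b"ATTACK"       # constructed stand-in for a real attack signature

def inline_ips(packets, inspect_ms):
    """Inline mode: a matching packet is dropped and never forwarded.
    Returns the (arrival_time, payload) pairs the server actually receives."""
    delivered = []
    for p in packets:
        if MARKER in p.payload:
            continue                          # blocked before forwarding
        delivered.append((p.t_ms + inspect_ms, p.payload))
    return delivered

def passive_ids(packets, detect_ms, reset_ms):
    """Passive mode: every packet reaches the server on its own schedule.
    The sensor needs detect_ms to recognise the first matching packet and
    the reset needs reset_ms to reach the server; later segments are cut
    off only if the reset gets there first. Returns (delivered, reset_time)."""
    reset_at = None
    for p in packets:
        if MARKER in p.payload:
            reset_at = p.t_ms + detect_ms + reset_ms
            break
    delivered = [(p.t_ms, p.payload) for p in packets
                 if reset_at is None or p.t_ms < reset_at]
    return delivered, reset_at

def attack_landed(delivered):
    """True if any attack segment reached the server."""
    return any(MARKER in payload for _, payload in delivered)

# Constructed session: handshake, a benign request, then a two-segment attack.
SESSION = [
    Packet(0.0, b"SYN"),
    Packet(5.0, b"GET /index.html"),
    Packet(10.0, b"ATTACK-part1"),
    Packet(12.0, b"ATTACK-part2"),
]
```

With a 2 ms detection delay and a 3 ms reset path the reset lands at 15 ms, after both attack segments; only a much faster path cuts off the second segment, and the inline sensor never forwards either.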
IPS detection mechanism
In fact, the truly valuable part of both IDS and IPS is the detection engine. The biggest hidden danger of IPS is that it may produce false positives: such "active" false positives block legitimate network events, cause data loss, and ultimately harm business operations and customer trust.
The response process of IDS and IPS to attacks
To avoid this, some IDS and IPS vendors have combined multiple detection methods in their products to maximize correct judgement of known and unknown attacks. For example, Symantec's ManHunt IDS initially relied on protocol anomaly analysis and was later upgraded to let network administrators write Snort rules (a rule-based open-source language, developed by Sourcefire, for writing detection signatures) to enhance its anomaly detection capability. Cisco has also recently upgraded its IDS software, adding protocol and traffic anomaly analysis to its signature detection. NetScreen's hardware appliances include eight detection methods, among them stateful signatures, protocol and traffic anomalies, and backdoor detection.
It is worth mentioning that Snort is a rule-based open-source system, so malicious attack signatures are easy to express. The Snort signature system gives the IDS operating environment a great deal of flexibility: users can write IDS rule sets based on their own network operations rather than relying on generic detection methods. Some commercial IDS signature systems also have binary code detection capabilities.
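To show what "writing rules for one's own network" means in practice, the following is an added example that is not from the article and is not Snort's own code: a matcher for a small subset of Snort rule syntax, used to test a constructed site-specific rule against constructed packets before it is deployed. The addresses, payloads and rule are all assumptions.

```python
# Added example, not from the article and not Snort's own code: a matcher
# for a small subset of Snort rule syntax, so a rule written for one's own
# network can be tested against constructed packets before deployment.
# Subset: 'action proto src sport -> dst dport (options)' with 'any', a
# host or CIDR, numeric ports, and msg/content/sid. Real Snort also has
# port ranges, negation, |hex| content, flow state and PCRE.
import ipaddress
import re

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = dict(o.strip().partition(":")[::2] for o in body.split(";") if o.strip())
    opts = {k: v.strip().strip('"') for k, v in opts.items()}
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": opts.get("msg", ""),
            "content": opts.get("content", "").encode(), "sid": opts.get("sid")}

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    return (pkt["proto"] == rule["proto"]
            and _addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])
            and rule["content"] in pkt["payload"])

def run_ruleset(rules, packets):
    """Return (sid, msg, src) for every rule hit, in packet order."""
    return [(r["sid"], r["msg"], pkt["src"])
            for pkt in packets for r in rules if match(r, pkt)]

# Constructed site-specific rule: flag any request for /admin on the web tier.
RULES = [parse_rule('alert tcp any any -> 192.0.2.0/24 80 '
                    '(msg:"admin path on web tier"; content:"/admin"; sid:1000001; rev:1;)')]
PACKETS = [  # constructed traffic
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /admin/login HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "198.51.100.8", "sport": 40002, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]
```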
Reducing active false positives
Combining multiple classes of detection method increases the types and number of attacks that IDS and IPS can detect, but it still cannot avoid false positives. Active false positives are the first problem an IPS must solve, because blocking legitimate traffic has many negative effects.
The effective way to deal with active false positives is traffic correlation analysis, that is, making the IPS aware of its network environment so that false alarms are reduced. The key is to gather the scattered firewall logs, IDS data, application logs and system vulnerability assessments, and from them reasonably infer what will happen and respond appropriately.
A comprehensive and meticulous assessment of the network's operating environment is essential for detecting serious attacks and locating potential vulnerabilities. IDS vendors have already adopted this technique, which helps network managers collect traffic-related information and so improve IDS efficiency. Cisco claims that its Cisco Threat Response (CTR) technology eliminates up to 95% of false alarms.
CTR was developed by Cisco's Psionic Software. CTR is installed on a dedicated server between the IDS sensor and the IDS management console; when the sensor raises an alarm, CTR scans the target host to determine whether the attack that triggered the alarm can actually harm the system. CTR can perform quick, simple analysis, such as searching for open ports, accurately identifying the operating system, or locating active connections. Going further, it can examine registry settings, event logs and patch status to determine whether the target host is vulnerable. If CTR finds a host that is vulnerable to the attack, or already under attack, it raises the event's alert level and sends a highest-priority processing request to the console.
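The correlation step just described, as an added example that is not Cisco's CTR code: an alert is compared with a profile of the target host (OS, open ports, installed patches) and its priority is raised only when the target is actually exposed. The hosts, alerts, signature ids and patch ids are constructed.

```python
# Added example, not Cisco's CTR code: the correlation step described above
# reduced to its logic. A host profile (what CTR learns by scanning the target)
# records the OS, open ports and patches actually present, and an alert is
# escalated only when the target is really exposed. All values are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HostProfile:
    os: str
    open_ports: set
    patches: set = field(default_factory=set)

@dataclass
class Alert:
    sid: int
    target_ip: str
    target_port: int
    affected_os: str                 # OS family the exploit works against
    fixing_patch: Optional[str]      # patch that closes the hole, if known

PRIORITY = {"ignore": 0, "info": 1, "high": 2, "critical": 3}

def correlate(alert, profile):
    """Return (priority, reason) for one alert against the target's profile."""
    if profile is None:
        return "high", "no profile for target; exposure cannot be ruled out"
    if alert.target_port not in profile.open_ports:
        return "ignore", "port %d is closed on the target" % alert.target_port
    if alert.affected_os.lower() != profile.os.lower():
        return "info", "target runs %s, exploit needs %s" % (profile.os, alert.affected_os)
    if alert.fixing_patch and alert.fixing_patch in profile.patches:
        return "info", "target already has %s installed" % alert.fixing_patch
    return "critical", "target is exposed to this attack"

def triage(alerts, inventory):
    """Rank alerts so the console sees genuinely exposed hosts first."""
    scored = [(a, *correlate(a, inventory.get(a.target_ip))) for a in alerts]
    return sorted(scored, key=lambda row: PRIORITY[row[1]], reverse=True)

INVENTORY = {  # constructed host inventory
    "192.0.2.10": HostProfile("Windows", {80, 443}, {"PATCH-EXAMPLE-1"}),
    "192.0.2.20": HostProfile("Linux", {22, 80}),
}
ALERTS = [     # constructed sensor alerts
    Alert(2001, "192.0.2.10", 80, "Windows", "PATCH-EXAMPLE-1"),  # already patched
    Alert(2001, "192.0.2.20", 80, "Windows", "PATCH-EXAMPLE-1"),  # wrong OS
    Alert(2002, "192.0.2.20", 22, "Linux", None),                 # genuinely exposed
    Alert(2003, "192.0.2.10", 21, "Windows", None),               # port not open
]
```

Of the four constructed alerts only the one against an unpatched, matching host is ranked critical; an unknown host is kept at high rather than dropped, since lack of a profile does not prove the target is safe.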
More attention to system protection
Today many IDS vendors are more concerned with system protection than with detection capability alone. ISS believes that system protection should include both prevention and detection techniques. ISS's RealSecure IDS has network-based and host-based implementations and is capable of intercepting attacks inline. ISS's RealSecure Guard is a software IPS: it detects attacks through protocol anomaly analysis and can intercept them in real time before they reach the target host.
NetScreen, which focuses on firewalls, is also developing in this field. The IPS developed by NetScreen's OneSecure company is implemented on dedicated ASICs. The NetScreen-IDP 100 has a Fast Ethernet interface with a maximum throughput of 200 Mbps; the NetScreen-IDP 500 has a Gigabit interface and a peak throughput of 500 Mbps.
IDS/IPS selection and application
Whether to use IDS or IPS depends on the actual application environment. IPS is better suited to preventing large-scale, targeted attacks, but may fail against attacks on individual targets, and an automated prevention system cannot stop a specialized, determined attacker. In financial application systems, users worry not only about malicious intrusion but even more about the disastrous consequences of false positives. For example, the best protection for a user worried about losing credit-card account records from a database is to encrypt the stored data. This kind of network system is therefore better suited to an IDS.
Prospective customers need to weigh the risks and benefits of deploying an IPS: blocking attacks versus blocking by mistake. At present IPS lacks the intelligence to identify all attacks on database applications, though it is generally capable of detecting buffer overflows. In addition, IPS is closely tied to firewall configuration. This kind of inline tool is not necessary if no firewall is installed, and it can be used when you are familiar with the protocols on the network segment and they lend themselves to statistical analysis.
Some organizations that require a high level of network security, such as credit institutions, need a hybrid IDS/IPS solution, such as IntruShield from IntruVert, which has both IDS and IPS capabilities: it automatically monitors traffic and intercepts attacks inline.
Development prospects
The IDS market will continue to grow; product features will not be limited to detection, and the development of IDS toward protective functions is the trend. A customer survey showed that blocking attacks is the top-priority functional requirement for IDS. Infonetics predicts that the IDS market will explode in the next few years and generate $1.6 billion in revenue by 2006.
IPS products have emerged, and their prospects depend on improvements in attack-blocking capability. Traditional IDS, with its wide installed base, will not disappear. Some customers do not need traffic blocking and only want to monitor traffic; some need intelligent processing added to their prevention systems; and some are used to handling events manually.
Gartner sees IPS as the next-generation IDS and believes it is likely to become the next-generation firewall.