Frequently Asked Questions About Intrusion Prevention Systems

What is network intrusion prevention?

Why do I need an intrusion prevention system (IPS) if I currently have a firewall and an intrusion detection system (IDS)?

What is the return on investment for an intrusion prevention system?

What are the essential characteristics of an IPS?

Many IPS vendors rely heavily on signatures to identify and block exploits; why is this not the best method?

Why should an IPS be stateful?

What protection mechanisms does Corero's IPS solution use to block remote exploits?

How does Corero's IPS meet demanding performance requirements so it does not become a network bottleneck?

What is network intrusion prevention?

A network intrusion prevention system (IPS) is an in-line security appliance that inspects network traffic, identifying malicious, harmful, and/or unwanted network activity and blocking it. The inspection performed by an IPS is done in real time to ensure that good network traffic is able to pass through the IPS without noticeable delay.

As a networking component, unlike most firewalls that also act as routers, an IPS is a transparent device on the network that does not have a visible IP address, and requires no network reconfiguration to deploy. While a firewall's basic task is to regulate the type of network "conversations" that are allowed between computer systems of differing trust levels, the job of an IPS is to inspect protocol and application content on the network to ensure that it does not contain harmful, malicious and/or unwanted content. Both firewalls and network IPS are frequently deployed at network perimeters. While both may be used internally in the network, the use of IPS to protect internal data centers and to perform internal network segmentation is far more common than the use of firewalls.

Another characteristic of IPS products is their suitability for both perimeter and core deployments. Perimeter deployments typically place the IPS behind the firewall, allowing the firewall to apply its access controls first, and then the IPS further inspects traffic that the firewall allows through. NOTE: Corero's IPS has advanced DDoS protection capabilities, which make it well-suited to be deployed in front of the firewall to prevent the firewall from becoming a single point of failure in the event of a botnet attack.]

Why do I need an intrusion prevention system (IPS) if I currently have a firewall and an intrusion detection system (IDS)?

Many organizations still rely on firewalls for network access control and IDS for monitoring and identifying malicious network traffic. With the proliferation of hacking tools that are easy to obtain and use, and the enormous profits that can be gained from stealing personal data and confidential corporate information, these organizations remain at high risk of a successful breach.

The firewall is generally an organization's first line of defense. A firewall's basic task is to regulate the type of network "conversations" allowed between computer systems of differing trust levels. Typically, they block unauthorized access while permitting authorized types of communications. They are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. Modern firewalls can filter traffic based on many packet attributes like source IP address, IP source, source port, destination IP address or TCP/UDP ports. Since they are not designed to inspect application content, an attack from an allowed IP address will simply pass straight through the firewall. This is particularly a problem when it comes to handling services that must be open to the general Internet (web service, DNS, etc.). Also, consider an employee, third party contractor, or visitor who logs on to the corporate network inside the perimeter with an infected laptop computer. In this case, any firewall security is circumvented altogether.

A network IDS is software and/or hardware that is deployed as a network monitoring tool and is designed to detect unwanted attempts at accessing, manipulating and/or disabling of computer systems, mainly through a network, such as the Internet. IDS products were not designed to operate in line, since they would become unacceptable choke points on the network. Although IDS might be effective at detecting suspicious activity, it does not provide any protection against attacks since it does not block the malicious packets or terminate the connection. Most IDS products have a very large database of known attack signatures, which can provide valuable forensic information after an attack has occurred.

Unlike IDS, most IPS products are deployed in line to block malicious traffic. However, using an IPS that relies primarily or solely on signature-based detection is inadequate because of attacker evasion techniques, zero-day (previously unknown) exploits, and the sheer number of unique malware and their variants. It would not be practical to have all possible rules or signatures enabled for automatic blocking as that could cause an unacceptably high level of false positives (blocking of legitimate network traffic). Moreover, enabling all signatures and rules will results in performance degradation, and the IPS becomes a network bottleneck. Since all networks are not alike, an IPS may require tuning during the deployment process.

An IPS that does not rely too heavily on signatures, with flexible protection policies, will not degrade performance and provides an excellent balance of automatic blocking (without false positives) of harmful, malicious, and/or unwanted network activity.

What is the return on investment for an intrusion prevention system?

Most of the Corero's IPS customers tell us that the payback from their IPS investment is rapid. Customers cite several reasons for this, including:

  • Dangerous cyber attacks are stopped in real time, eliminating the probable loss of data and almost certain remediation costs.
  • The security team has adequate time to properly test operating system patches.
  • Mission-critical server downtime is reduced, maximizing revenue and maintaining high user/customer satisfaction.
  • Unwanted network traffic is eliminated and available bandwidth and perceived network performance is increased.
  • Operating expenses incurred by maintaining and running older, ineffective security solutions are reduced.
  • Regulatory compliance standards are met, reducing expensive remediation costs for audit findings.

In addition to ROI, Corero customers say a key factor in their buying decision was the fact that the TCO was approximately 50% of other leading IPS solutions over a three-year period.

What are the essential characteristics of an IPS?

For an IPS to provide effective nonstop protection against network and application-level attacks, a complete solution must:

  • Accurately block known and unknown (including zero-day) attacks.
  • Through its security research team, provide fast protection for newly discovered vulnerabilities and exploits.
  • Not rely on signatures as the primary form of defense.
  • Always allow good traffic to flow even when under attack.
  • Provide real-time security event reporting and alerting.
  • Have a centralized management solution that has configurable reporting capabilities.
  • Report relevant data for incident response and forensic analysis.
  • Since it operates in line, it must be a resilient hardware solution that will not be a single point of network failure.
  • Not add any discernable latency under extreme load or attack.
  • Provide protection in complex network topologies such as asymmetrical networks.

Many IPS vendors rely heavily on signatures to identify and block exploits. Why is this not the best method?

Signatures, or pattern matching, is one of a number of methods that are used in an IPS to detect exploits of vulnerabilities. However, if signatures are used as the primary protection mechanism, you will face limitations in what will be successfully blocked. Signatures are notorious for generating false positives, which means that legitimate traffic will be blocked. In addition, attackers have found ways around pattern-matching methods by making relatively small changes to the attack code that renders the detection useless, and, therefore, not successfully blocked by the IPS. Another trick is an attack that employs a packet reorder engine and is fully stateful, so the attack will never be recognized and will simply pass through to the ultimate target. It is therefore important to have multiple protection mechanisms all working simultaneously.

Corero's IPS inspects 100% of the packets and integrates many protection mechanisms, including its Deep Packet Inspection and Stateful Analysis Engines to understand an application's behavior and usage across the entire session. The reordered packets that comprise a transmission are inspected to establish whether it is legitimate or malicious. If deemed malicious, the entire packet stream is discarded before reaching its intended target.

Why should an IPS be stateful?

Every operating system implementation has security leaks that are known to hackers throughout the world. In the 1990's, stateful inspection became the industry standard for network security solutions to address malicious attacker behavior. An IPS should also incorporate "always on" stateful inspection to allow continuous monitoring of packets. In addition to examining header information, stateful inspection allows the entire packet content (up through the application layer) to be examined to determine more context about the packet beyond its source and destination information. In addition, stateful inspection monitors the state of a connection and compiles historic information in a state or session table. As a result, dynamic filtering decisions can be expanded beyond administrator-defined rules that simply block known IP addresses or TCP ports (as in static packet filtering) to take into account the context of a packet that has been established by packets that previously passed through the IPS.

It is well known that many "IDS-based" IPS solutions are capable of some stateful inspection while operating in an offline IDS mode. IDS-based intrusion prevention systems were spawned from the IDS vendors that had their roots firmly planted in their ability to alert, report and correlate attacks. The concept of taking these off-line devices and putting them in line and allowing them to block attacks based primarily on signature- or pattern-matching techniques was quite logical. In fact, most of these vendors utilize a form of stateful inspection to complete simple pattern-matching (also known as signature matching) on packets to establish whether the packet contains a known exploit. As a result, these IPS vendors will claim that their products have stateful inspection capabilities.

However, as soon as these "IDS-based" IPS products are deployed in line to perform proactive blocking rather than simple offline detection, many of these devices lose their stateful inspection capabilities and simply inspect packets coming in, without maintaining full context across the session. Typically, if these devices try to maintain an "always on" state, the performance declines and latency increases dramatically.

In some cases, an "IDS-based" IPS device may turn on stateful inspection as soon as it detects an attack so that the device can more closely monitor packet flows and relevant context on future transmissions. This is typically a short-term burst of increased protection that, after a while, reverts to the stateless mode. The advantage this provides to those IPS vendors is that they are able to quote much higher performance numbers in their data sheets based on passing legitimate traffic through the device without performing stateful inspection. As previously stated, the moment these devices go into stateful mode, their performance drops off dramatically, and there is a high risk that legitimate packets will be dropped. Then, the IPS device becomes a performance bottleneck on the network.

Having an IPS that is sometimes stateful and sometimes not creates a real challenge to network security managers. For instance, hybrid attacks that split the malicious code across multiple packets are more likely to be missed by this type of IPS. Another problem is with asymmetrical network topologies, where packets can come in and go out on different network segments. If the IPS is not maintaining state for all transactions, it is again highly likely that attacks will not be identified and will be able to continue on their way to deliver their payload to their destination.

Corero's IPS overcomes the issue of performance bottlenecks when stateful inspection is enabled at all times through its Core Platform, in which highly flexible multicore network processors and seamlessly integrated software reduces latency concerns while passing good traffic under load or attack.

What protection mechanisms does Corero's IPS solution use to block remote exploits?

Corero's IPS has a multitude of threat detection engines with specialized hardware to maximize performance and minimize latency.

Most vulnerabilities are remotely exploitable, and exploit tools and frameworks are widely available. And the profits are astronomical.

Millions of new unique malware samples and variants appear every year, including Trojans, worms, viruses, downloaders, dialers, key loggers, rootkits and spyware. Most of this malware is quite harmless against patched systems, and a significant proportion of them are so old it is unlikely that an enterprise would even run systems and applications that could be compromised. There certainly is a benefit to an IPS having a good library of rules and signatures that cover the more important malware, but the focus should be on the capabilities surrounding updates for newly discovered exploits and vulnerabilities.

Corero's IPS uses a unique combination of detection and blocking mechanisms to provide comprehensive protection against both known and zero-day threats:

Protocol Anomaly Detection. Corero's IPS applies stateful protocol inspection, enabling it to make more intelligent decisions than those that rely primarily on signatures.

All protocols should adhere to standards such as Request for Comments (RFCs). An IPS must be able to determine whether the packets violate those standards, which may be indicative of malware being present. In addition to determining whether the packets violate the standards, it must also be able to determine whether the data within the protocol adheres to expected usage. For example, if corporate policy allows peer-to-peer (P2P) applications, but prohibit file sharing or other attachments, the IPS must be able to identify any attachments associated with the protocol and strip out the attachments to be discarded.

Data File Inspection. A significant proportion of attacks seen today results from malware contained in data that are used by applications, even though the transport protocol may adhere to the appropriate RFCs. For example, many attackers take advantage of vulnerabilities in Microsoft Office applications to launch their attack once the application runs the data with the embedded malware. Therefore, an IPS must have the ability to inspect the data files.

This presents an interesting architectural conundrum. Theoretically, you could create a signature for the exploit or vulnerability, but you would need to be able to apply that signature to the applicable data file regardless of the transport protocol. For instance, it is quite common to send the malformed data packets across P2P, email, HTTP and any number of other protocols. If there is no easy way to separately identify the data file format and therefore apply the relevant signature table, you would be forced to create a custom signature for every transport protocol. Not only would this become a time-consuming exercise, it may also lead to a greater incidence of false positives.

Corero's IPS, however, uses a state-of-the-art, multitiered "Protection Processor Architecture" that couples industry-proven protocol validation modules (PVM) with a new set of data validation modules (DVM) that inspect file content regardless of the protocol over which the files are being transported. This approach requires fewer rules or signatures than alternative solutions, which dramatically reduces the incidence of false positives compared to other IPS technologies.

Acceptable Application Usage. It is important that an IPS can restrict what an application is able to process thereby preventing unauthorized operations. The ability to combine access control and approved usage checks on application layer traffic is important. For example, a web server is able to process far more commands than a typical user would use in practice. By only permitting traffic to the web server that utilizes the allowed commands, you would eliminate complete classes of potential attacks. When applied by the IPS, this type of protection can be effective at blocking zero-day exploits.

Signature Matching. Signatures are a dangerous term in the world of IPS. In the early days, IPS vendors touted the number of signatures they had as an indication of how good their products were. With a little probing, it was quite easy to see that there was a considerable difference between the numbers of signatures that could be applied to real time in-line blocking of attacks vs. those that could only be used for detection purposes only - in some cases the block-to-detect ratio was 1:10!

Several techniques have been created over the years for applying signatures to network traffic to determine whether the packets contain malware.

The earliest and most simple version was referred to as simple pattern matching. If the malware was buried deep within the packet payload, this technique may require inspecting a tremendous amount of data until the malware was discovered, causing an unacceptable performance degradation of the IPS.

A more efficient form of pattern matching referred to as regular expression defines complex search patterns that increase the accuracy of malware detection. In order to minimize latency, a significant amount of hardware acceleration needs to be built in to the IPS device. It also makes sense that a signature that targets a vulnerability is more effective than one that targets a single exploit for the simple reason that there may be hundreds of variants of an exploit for a single vulnerability and having a signature for each variant has a greater potential. Corero's IPS employs both vulnerability and attack signatures to supplement its non-signature detection capabilities and afford the most comprehensive protection available.

Real-time Shunning. Corero's IPS has an effective protection capability called shunning that can quickly block traffic from IP addresses, temporarily or permanently, that are suspected of originating or being related to an attack. The advanced protection capabilities from shunning can be summarized as follows:

  • Attack Source Identification: The Security Event Viewer enables users to identify a set of attacker IP addresses associated with blocked and detected attacks.
  • Malicious IP Address Shunning: This capability isolates "events of interest" and automatically shuns all IP addresses associated with a particular attack event. Users can set time periods for how long each address should be shunned, as well as manually restore acceptance of addresses that are determined safe.
  • Attack Defense Dashboards: The user interface allows Corero security operations center personnel to switch between "quiet time" monitoring and "under siege" incident response.
  • Additional Router Protection: Administrators can export a list of IP addresses being shunned so that they can be imported into a router for blocking by the router.

How does Corero's IPS meet demanding performance requirements so it does not become a network bottleneck?

Performance is critical for an in-line IPS. The key performance aspects for an in-line IPS are latency, throughput, DDoS rejection rates, operation load and scalability. Corero's IPS delivers industry-leading performance across all of these key attributes.

  • Lowest latency of any IPS device ever tested. NSS Labs has tested over 25 IPS appliances and the results showed that the Corero's IPS has the lowest latency of them all - generally measuring below 50 microseconds. Corero's Core Platform, built on the powerful, flexible and scalable Tilera multicore processor and CoreOS software, optimized for demanding network traffic inspection and processing tasks, is at the foundation of Corero's IPS performance and security capabilities.
  • Scalable performance and capacity. Corero's IPS ProtectionClusterâ„¢ technology is a proprietary load-sharing technology built in to each IPS. For example, two IPS devices can be connected directly to each other, and up to eight IPS devices can be interconnected using standard switches. In addition to increased throughput, attack defense capability and session capacity, this configuration provides a transparent solution in standard and asymmetric redundant network configurations.
  • Industry-leading DDoS rejection rates. Today, botnet attacks can be launched simultaneously from botnet armies of tens of thousands of compromised machines, delivering seemingly harmless legitimate traffic at multi-gigabit-per-second rates. Today, attackers target eCommerce sites, email servers, DNS servers and VoIP providers to prevent legitimate transactions or data from reaching the desired target. Only the most advanced DDoS capabilities, designed in hardware, can stop these attacks while allowing legitimate traffic to continue to flow to the intended destination. Corero has been at the leading edge of stopping high-volume DDoS attacks for many years. Corero's IPS incorporates this technology in all of its IPS products and allows customers to combine traditional IPS protection features with full DDoS protection.
  • Performance when under load. This is the one performance metric missing from most vendors datasheets. As a result of the tight integration of the protection mechanisms with the hardware architecture, datasheet performance for Corero's IPS is what you can expect when deployed in live networks (with small packets), even while under attack.