Intrusion Prevention and Active Response 88
nazarijo writes "The security world has been taken by storm by intrusion prevention
system (IPS) products in the past couple of years. After all, a typical
intrusion detection system (IDS) only alerts you that something malicious
may have happened, and an IPS reacts to it and can prevent the attack.
Action in this scenario is obviously preferred to a passive bystander.
Still, the IPS solution space is confusing to many." Read on for the rest of Nazario's review of a book designed to erase that confusion.
Intrusion Prevention and Active Response: Deploying Network and Host IPS | |
author | Michael Rash, Angela D. Orebaugh, Graham Clark, Becky Pinkard, and Jake Babbin |
pages | 424 |
publisher | Syngress |
rating | 7 |
reviewer | Jose Nazario |
ISBN | 193226647X |
summary | An overview of host- and network-based IPS solutions |
The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.
It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.
In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.
The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules, I think they go a long way towards illustrating the premise of an IPS system. As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example.
For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described.
By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.
The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.
The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.
Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.
There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.
You can purchase Intrusion Prevention and Active Response: Deploying Network and Host IPS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I'm sorry... (Score:5, Insightful)
program? identity token? software? shelf? algorithm? application? office suite? server hardware? server software? virus scanner? product? network? method? word processor? network protocol? scheduling software? email client? vendor? invention? operating system? windows manager? website? web application? authoring software? network client? web browser? API? ABI? encoding standard? bug tracking software? revision control system? wiki? contact manager?
(Yep, stolen shamelessly from an earlier journal entry.)
Re:I'm sorry... (Score:1)
you're quite the spammer (Score:2, Funny)
Re:you're quite the spammer (Score:2)
Please call me at (800)IBM-RAPE if you're interested.
Let me get back to you on that... (Score:1)
Re:Let me get back to you on that... (Score:2)
Re:I'm sorry... (Score:2)
That's one of the funniest sites I've seen in recent memory. I think I'm gonna change my title to "Vision Guidance Leader", and stiff Huh? Corp on the royalties.
Re:I'm sorry... (Score:1)
Re:I'm sorry... (Score:2)
A solution is 'bullshit that we want to sell you'.
Re:I'm sorry... (Score:5, Insightful)
"Solution" means "whatever is capable of solving the problem". So in the context of "Still, the IPS solution space is confusing to many.", it means "choosing between all the different methods of detecting and responding to intrusions is confusing to many".
Yeah, I know that "solution" is an over-used buzzword. But that doesn't mean all uses of it are nonsensical. Solution is a vague term because it's a vague concept. In some contexts, it could be a library, in others it could be a platform.
Re:I'm sorry... (Score:1)
Re:I'm sorry... (Score:2)
No, solution is a word spoken only by the salesman (and perhaps the most brainwashed of his customers) and it means "the thing I have to sell right now."
I like to give vendors the buzzword challenge: they pick a buzzword from a hat and if they speak it during their pitch, out the door they go. Favorites: solution, technology, and enterprise.
Re:I'm sorry... (Score:1)
write-up says it all (Score:5, Insightful)
NBAD will (Score:2)
Re:NBAD will (Score:2)
National Bank of Abu Dhabi?
National Bass Association of the Deaf?
Oh, wait... Network Behavior Anomaly Detection -- for those who didn't know.
Re:NBAD will (Score:2)
NBAD=worthless for large networks. large networks are too big and too dynamic for any software to decide what is "normal"
Re:write-up says it all (Score:2)
IPSs will block traffic which may be bad. All of these systems have false positives. All of them will eventually block something really important that shouldn't be blocked. And all will eventually lead you to be fired because of that reason. And none of them will detect an intelligent, targeted attack.
Bzzzzzt! Wrong! Thanks for playing. There are indeed IPS systems that will detect intelligent, targeted attacks. They work by knowing what talks to what on your network and finding anomalous behavior. Sur
Re:write-up says it all (Score:1)
While everything you say is true, I submit that it is not a full view of the picture. I've been studying IPS for over a year now for a government study that has recently been given the go ahead for a large scale pilot program.
Modern IPS do more than Snort does, which is more or less signature detection (please, I'm aware of the protocol anomaly stuff Snort does, but let's be honest with ourselves and say that it is limited in scope). IPS today have the concept of a "Vulnerability Filter" or "Virtual Pat
Be careful with your wording... (Score:2)
This is not necessarily true, and I'm not just talking about honeynets/honeypots, either.
Re:Be careful with your wording... (Score:1)
one day i found someone trying to get into one of our jetdirect print servers.. i am not sure why or even if they knew it was a printserver - to be honest it looked like some script kiddy just trying things to breake a telnet server..
i watched for a little bit, then went to close the port off and then realized.. what is the worst he can do . print something.. paper is cheep toner is cheep . mabey i will mail it to him if he manages to print something..
nothin
Re:Be careful with your wording... (Score:2)
FYI, you're wrong about the worst case... it's been demonstrated that one can get an HP printer to send a copy of everything printed to a remote printer or other IP... Do you really want your TPS reports stolen?
My Intrusion Prevention System (Score:5, Funny)
Re:My Intrusion Prevention System (Score:1)
Re:My Intrusion Prevention System (Score:3, Funny)
Re:My Intrusion Prevention System (Score:1)
I doubt that dropping an ethernet connection you'll receive a "NO CARRIER" message, but let's give a tr..................... Session timed out
Action is almost always preferred... (Score:5, Insightful)
The real problem with the IDS/IPS space is false positives, because they are a non-starter for many businesses, including mine.
What do people think of Cisco's IPS/Firewall/Solut (Score:1)
I do read some bad things about them, but nothign that explains why (other than price) And most the good stuff is usually marketing.
Re:What do people think of Cisco's IPS/Firewall/So (Score:1)
Blessings (Score:2)
Re:What do people think of Cisco's IPS/Firewall/So (Score:1, Insightful)
These devices are as dumb as they come with poor support, poor management control, buggy software. We steer customers away from active traffic blocking as it more often than not will block legimate traffic. To the customer it appears they have intermittent traffic failures as different support groups will be unaware of the blocking capabilities and chase their tails for hours.
Proper profiling and signature tuning can only take it so far befo
Re:What do people think of Cisco's IPS/Firewall/So (Score:5, Funny)
You fool! You weren't supposed to turn them on! You're supposed to just buy a few so you can check off the box on your plan. Looking at the output is highly counterproductive.
Re:What do people think of Cisco's IPS/Firewall/So (Score:1)
My Girlfriend has a great IDS (Score:1, Funny)
Re:My Girlfriend has a great IDS (Score:2)
IPS (Score:4, Insightful)
Quit looking for the security silver bullet.
Re:IPS (Score:2)
This stuff can't cope (Score:1, Interesting)
Next-gen intrusion will be scripted/automated to such a level that everything the hacker wanted to do will be done after 1 second.
This stuff can't cope with that kind of attack. Only a secure system can.
Put your network on autopilot? (Score:5, Interesting)
So hooking that stuff up to the "Emergency Shutoff" switch for even rarely used network services was a little scary. We had some events where we put in router rules by hand (block this traffic or that traffic), and they still broke applications we never dreamed of.
In the end, we decided to funnel all of those types of actions through our 24x7 command center. The delay caused by human response time was worth the tradeoff for not killing our own network.
Re:Put your network on autopilot? (Score:4, Insightful)
You don't plug and pray. You install and interate as you learn the product. You don't turn the tool to IPS everything mode from the get go.
You start out in IDS mode, monitoring for everything. Then you decide which of the types of alerts it is capturing properly, say worms in this instance.
Then you flip the bit for IPS mode for those signatures or anolomies ONLY. And the traffic of that specific type gets blocked, not everything to or from the hosts. Specific traffic only.
If you get reports of something getting blocked, you 'detune' it to IDS mode until you can figure out why it is triggering. Luckily you can get packet capture for most of the enterprise IPSes, so it is usually fairly easy to peg why something false-positived. Some even have an emergency 'flip to IDS mode only'.
You iterate this process until you have a comfort level for the IPS and IDS balancing act. Sigs or types of traffic you're worried false positive too much? Keep them in IDS mode or feedback to the provider that you're getting too much noise! Pretty sure that something on Kazaa ports using Kazaa commands is probably Kazaa or a Kazaa worm? Use IPS to block that specific traffic.
None of the enterprise network people I've talked to would enable to 'Big Red Button' automation script, though. Definitely have the SoC or NoC check the alert and then have them make routing changes. Otherwise, just let the IPS drop/reset the 'bad' traffic.
The 'unknown application breakage' is definitely a problem, especially the closer to the data core you get. I would slowly enable things one at a time, and take a slow and steady approach. The last thing you want to do is break some 100M USD application because you set a sig to block!
As other posters have commented, this does relatively little against a well prepared intruder, but it will hopefully clear off the bottom 90% of your incidents so that you can watch or react to things in a more focused manner. Also, some of the IPSes do check for common single intruder commands , like rm -rf
Re:Put your network on autopilot? (Score:1)
"IPS" is just marketing (Score:2, Troll)
Best Windows Firewall W/ IPS (Score:1)
$.02 (Score:1)
No false positives to date. Med.>Large company.
Re:Product Plug (Score:3, Informative)
In terms of "active," the way this thing works is by responding to port scans with false information. If that false information is subse
"Active" Response? (Score:4, Funny)
MPs? (Score:2)
tcpdump and The Cube of Potential Doom (Score:1)
If you find watching lines of packet information less than thrilling, you could try out something like the Cube of Potential Doom.
http://sourceforge.net/projects/net3d/ [sourceforge.net]
Although, I'm surprised to see this project go stagnant.
IPS is deliberately confusing marketoon jargon (Score:1)
Amusingly, it's a firewall with a default open policy. Sure, it inspects the contents of packets instead of making its decisions based on address and port information alone, which is a good thing in itself. But then an IPS by default allows everything else.
If you want the hell of signature-based anti-virus (signature lag all the way up to signature lack) as your primary network protection, by all means, ditch your real
Re:IPS is deliberately confusing marketoon jargon (Score:1)
The very interesting part of the presentation was the lucky draw, with prize an Ipod shuffle.
Properly designed systems don't need IPS (Score:2)
Day after day these boxes were subjected to all kinds of indignitites, and BSD woud just laugh in their general direction. Their only vulnerability was to properly executed DDoS attacks, which, as previous posters have pointed out, most IDS/IPS products are hard to configure against without running the risk of, say,
IPS/IDS and firewall are the dumbest ideas.... (Score:3, Insightful)
Having worked on the 10Gbps IPS, I can tell you that this is becoming a rapidly dumb idea (along with firewall). My experience in signature writing was telling me that this is becoming an exercise in futility.
If you can ascertain that your network-based application are secured (via code-review), none of these ancillary cash-burning network security add-on infrastructures would matter. A fool is soon parted with his money.
Spending some time reviewing the application code may be more cost effective.
Web Server? Go tinyHTTP. Fewer codes, less (or no) exploits.
Simplify, simplify, simplify (K.I.S.S.)
Sheesh.
Re:IPS/IDS and firewall are the dumbest ideas.... (Score:2)
Mark my word.
Disclaimer: And Marcus has left NFR at least three years ago and then arrived to this brilliant realization (so did I). He is an excellent engineer and technological guru --
You... you're just an poorly informed anonymous coward (prol'y from 3COM or TPTI).
Re:IPS/IDS and firewall are the dumbest ideas.... (Score:1)
Perhaps I see something you don't???
Re:IPS/IDS and firewall are the dumbest ideas.... (Score:1)
Evidently, you've perused through hundreds of thousands of lines of Windows/Linux source code, because if you haven't, one might take your claim to be some kind of naive joke.
Re:IPS/IDS and firewall are the dumbest ideas.... (Score:2)
Anyway, no joke on my part.
"Active response" is dangerous (Score:4, Interesting)
Think of it. Why should a system change its behavior when an attack is detected? Because the normal behavior is not secure enough? But then why should it change back when attack ends? Because the "secure" behavior can possibly include blocking something that should be available. There is no other possibility -- if there was, system would just run in a "secure" mode all the time, and there would be no need to sell a complex product to turn it on and off.
But then whoever can trigger "secure" mode for any particular set of addresses (what usually can be done blindly), can do it deliberately and cause a massive DoS. But what if "IPS" is smart enough to detect a "blind" attack? Then it's better! The only way to distinguish between "blind" attack from a spoofed address and a real attack is by keeping track of all connections and packet history. Create a horribly confusing sequence of packets, and you have anti-IPS equivalent of SYN flood. And then when "IPS" box is out of its RAM, start a real attack. Because you know that IPS was built for a reason -- someone have left his system insecure.
Sourcefire and RNA (Score:4, Insightful)
Having said that, I am generally against deploying any fully-automated IPS responses, due to the possibilities of false positives and potential for new attack vectors (i.e., a crafty attacker using the defenses against you.)
Until expert systems are as smart as experienced IDS analysts, the best defense is a dedicated team of people who deploy early-warning systems, and who watch the network carefully, 24x7, aided by tools like RNA. If you're really serious about security, however, you will develop two teams: Read Team and Blue Team. Let one handle defense, the other run attacks, and let the games begin... and don't forget to cycle people between the teams!