An ounce of prevention is worth a pound of cure. It’s a cliché, but the old adage holds true in the world of network security. With so much of our valuable business and personal information residing within computer networks and productivity so interconnected with uptime, it is more important than ever to ensure that our network security is as robust as possible. In this article, we’ll provide an overview of an important component of network security: the Intrusion Prevention System (IPS). We’ll start by defining what an IPS is, compare it to other network security technologies like IDS, review functionality, and close with software products that can help you get started with your next IPS/IDS deployment to block malicious activity. If you’re already familiar with the basics of intrusion prevention and detection, feel free to
What is an IPS?
An IPS is an IT security system that monitors for malicious activity on a network (e.g. a DoS or DDoS attack) and proactively attempts to mitigate the damage created by the activity or prevent it altogether.
Oftentimes, IPS solutions are dedicated hardware appliances that run IPS software. A popular example of these hardware IPS devices is Cisco’s Firepower NGIPS (Next Generation Intrusion Prevention System) product line. These robust cybersecurity devices are often found in enterprise networks. In home networks these dedicated IPS devices would generally be overkill and IPS is handled by a router or software running on a computer. In both use cases the purpose of the IPS is the same: identify and mitigate security risks on the network.
How is an IPS different from a firewall?
Given what we have covered to this point, you may be wondering “why do I need an IPS if I have a firewall?” If a firewall is properly configured, what benefit can an IPS provide? These are good questions, and the answer becomes clear once you understand that firewalls and IPS operate in different ways and solve different problems.
A traditional firewall implements rules that allow or block network traffic based on protocol, source/destination address, and/or source/destination port. Firewalls can help you implement access control lists and prevent the use of insecure protocols. For example, if you need to block all traffic on TCP port 23 (Telnet’s default port), a firewall rule is the way to go.
However, oftentimes attacks occur in ways that do not violate firewall rules.
For example, consider a brute force SSH attack on a server. If the server generally accepts connections via SSH, there will not be a firewall rule blocking the port. This is where an IPS comes in. An IPS works by analyzing the headers and payloads of packets, and if suspicious behavior is detected, it can drop the packets. In short, by analyzing the entirety of network packets, an IPS can detect potential malicious behavior that does not inherently violate firewall rules.
Host Based IPS and Network Based IPS
IPS can be deployed either at the host level or the network level. A host-based IPS monitors and protects the specific host (e.g. a single PC) it is installed on. A network-based IPS, on the other hand, focuses on protecting an entire network. Generally, a network-based IPS gives you better overall visibility and protection by mitigating issues before they reach the network endpoints that contain critical data. On the other hand, a host-based IPS makes sense when you consider the benefits of defense in depth, monitoring changes to local files, and detecting attacks that begin from within those endpoints (for example a program launched from a flash drive).
IPS vs IDS
The terms IPS and IDS (Intrusion Detection System) can sometimes be confused with one another. This makes sense given that many products support both and IPS is essentially an extension of IDS. In fact, IPSes are sometimes referred to as “reactive IDS” or “proactive IDS”. The fundamental difference between an IPS and an IDS is that an IPS proactively attempts to mitigate threats while an IDS simply detects them.
To help conceptualize the difference, let’s consider what an IPS and an IDS would do if malicious activity is detected. To detect the threat, both technologies scan packets looking for suspicious activity (more on how this works in the next section). Once the threat is detected, an IDS will write to a log file and/or send a notification, whereas an IPS would also drop the packets. The tradeoff here is that an IPS offers the benefit of actually preventing an attack, while an IDS never lets a false positive disrupt legitimate traffic or performance.
Signature based detection vs anomaly based detection
At a high level, IPS detects threats using one of two methodologies: signature-based detection or anomaly-based detection. Signature-based detection compares network traffic to a database of known threats, and takes action when the traffic matches the patterns (or “signature”) of a predefined threat.
On the other hand, anomaly-based detection first creates a baseline of network activity and then compares traffic to that baseline. If network traffic deviates significantly from the baseline, it can be interpreted as a threat. Because it relies on heuristics rather than known patterns, anomaly-based detection can help reduce the threat of zero-day attacks, for which signature-based methods would not yet have a signature to compare against. Given their complexity, anomaly-based detection systems can be more difficult and expensive to develop.
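To make the firewall vs. IPS, IDS vs. IPS, and signature vs. anomaly distinctions above concrete, here is an added toy example (not from the article or any product it names): a port-based firewall check sits in front of a signature rule and a simplified anomaly rule, and the engine runs over constructed packet records in either IDS mode (alert only) or IPS mode (alert and drop). The addresses, the “known-bad” banner string and the fixed baseline of five SSH packets per minute are all assumptions for illustration; a real anomaly detector learns its baseline from observed traffic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # arrival time in seconds (constructed sample data below)
    src: str
    dport: int
    payload: bytes


# Firewall layer: a port allow-list. SSH (22) must stay open, Telnet (23) is blocked.
ALLOWED_PORTS = {22, 443}
# Signature layer: byte patterns of known-bad traffic (hypothetical banner, not a real IoC).
SIGNATURES = {"known-bad ssh client": b"SSH-2.0-EvilScanner"}


class Engine:
    """mode='ids' only records alerts; mode='ips' records them and drops the packet."""
    def __init__(self, mode, window=60.0, baseline=5):
        self.mode, self.window, self.baseline = mode, window, baseline
        self.seen = defaultdict(list)   # src -> timestamps of recent SSH packets
        self.alerts = []

    def _anomalous(self, pkt):
        # Fixed baseline stands in for a learned one: more than `baseline`
        # SSH packets from one source inside `window` seconds is abnormal.
        hist = self.seen[pkt.src]
        hist.append(pkt.ts)
        hist[:] = [t for t in hist if pkt.ts - t < self.window]
        return len(hist) > self.baseline

    def process(self, pkt):
        if pkt.dport not in ALLOWED_PORTS:
            return "fw-block"   # a plain port rule already covers this case
        hit = next((f"signature:{n}" for n, p in SIGNATURES.items() if p in pkt.payload), None)
        if hit is None and pkt.dport == 22 and self._anomalous(pkt):
            hit = f"anomaly:{pkt.src} sent >{self.baseline} SSH packets in {self.window:.0f}s"
        if hit:
            self.alerts.append(hit)
            if self.mode == "ips":
                return "drop"
        return "pass"


def run_demo(mode):
    """Constructed traffic: one Telnet packet, an SSH burst, one known-bad banner."""
    eng = Engine(mode)
    pkts = [Packet(0.0, "203.0.113.9", 23, b"")]
    pkts += [Packet(float(i), "203.0.113.5", 22, b"SSH-2.0-OpenSSH_9.6") for i in range(8)]
    pkts.append(Packet(9.0, "198.51.100.7", 22, b"SSH-2.0-EvilScanner"))
    return [eng.process(p) for p in pkts], eng.alerts
```

In both modes the SSH burst passes the firewall (port 22 is allowed) and the first five packets look normal; the engine only diverges on what it does once a rule fires.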
The Importance of SIEM Software
Security information and event management software products, or SIEMs, help aggregate and analyze data related to network security. This includes data from endpoints running IDS or IPS software. SIEMs help make IPS and IDS more scalable and can better enable organizations to achieve compliance, improve reporting, and identify correlations that can indicate a broader threat. In short, SIEMs enable organizations to scale their IDS and IPS data into a more complete security solution.
Now that we have established an understanding of IPS, IDS, & SIEM;
SolarWinds Security Event Manager (SEM) is an enterprise log management solution with a focus on network security. SEM is a virtual appliance running a pre-hardened Linux operating system and can be deployed on VMware vSphere or Microsoft Hyper-V hypervisors. In addition to a variety of reporting and monitoring features, SEM includes features like a Snort log analyzer (more on Snort below) and threat intelligence feeds that help complement and scale your network security efforts. To try it, download a 30-day free trial.
SNORT is an extremely popular open source IPS with a large community of users. In addition to running as a network-based IDS/IPS in Network Intrusion Detection System Mode (you can specify whether you want to alert on or block detected threats, thereby dictating whether SNORT works as an IDS or an IPS), SNORT can run in Sniffer Mode to work as a packet sniffer and in Packet Logger Mode to log network traffic.
The IDS/IPS functionalities of SNORT are mostly signature based. SNORT comes with a set of base policies, but you can also write your own. While this may seem intimidating at first, the large community makes things a lot easier and helps contribute to a robust set of knowledge and rulesets available for SNORT.
As a bonus, if you are looking to get started working with a free IPS software that will have value even in enterprise applications, consider getting familiar with SNORT. Enterprise devices like Cisco’s 4000 Series Integrated Services Routers use SNORT for IPS and IDS.
Operating systems supported:
*Source code available
Security Onion is a Linux distribution that serves as a robust security solution, including IDS/IPS. Security Onion uses OSSEC for host-based IDS/IPS and SNORT & Suricata for network-based IDS/IPS. According to the Security Onion website, in addition to the aforementioned tools, this Linux distro ships with Elasticsearch, Logstash, Kibana, Bro, Sguil, Squert, NetworkMiner, and a number of other security tools. While it may seem like an intimidating solution to get started with, it includes an easy-to-use setup wizard that helps streamline configuration.
Operating systems supported:
- Security Onion itself is a Linux distribution. Download the ISO for free here.
Bro is a sophisticated network analysis framework that includes network-based IDS and IPS functionality. First developed by Vern Paxson, the project is now led jointly by Vern and a team consisting of members from the International Computer Science Institute in Berkeley, CA and the National Center for Supercomputing Applications in Urbana-Champaign, IL. Bro is popular in scientific, academic, supercomputing, and open source circles. Bro sponsors include Mozilla and the National Science Foundation.
Bro supports signature-based detection methods, but that is not its only means of detecting and mitigating threats. Bro takes a varied approach to detecting network threats that includes anomaly-based detection and behavioral analysis. Additional benefits of Bro include application layer analysis, passive monitoring, scalability to 100G networks, and its large development community.
Operating systems supported:
- Mac OS X
- FreeBSD
WinPatrol is significantly different from the other entries on our list as it is a Windows host-based solution. If you came to this article looking for an IDS software that can protect a Windows host against malicious activity, this entry may be worth a look. WinPatrol includes features that monitor changes in file type associations, creation of scheduled tasks, changes to your default search provider, changes to the registry, changes to hidden files, and more.
WinPatrol offers a free version with a limited feature set relative to their plus offering. You can download the free version of WinPatrol here.
Operating systems supported:
Osquery is a Facebook Open Source project that enables a very unique approach to intrusion detection. Osquery uses basic SQL commands to capture data on a device. While this may seem like a relatively trivial functionality at first, simply viewing the sample “Security” query that can be run from the osquery console helps reveal the potential here:
osquery> SELECT name, path, pid FROM processes WHERE on_disk = 0;
  name = Drop_Agent
  path = /Users/jim/bin/dropage
   pid = 561
The above sample from Osquery’s home page demonstrates how you could use the tool to find a process that is running without its original binary on disk. This functionality can be extended and customized to meet your specific requirements for intrusion detection monitoring, making Osquery a novel approach that could have significant security benefits.
To install osquery on Windows using Chocolatey, use the command “choco install osquery”.
Operating systems supported:
- Many other Linux operating systems
IPS and IDS are an important part of network security.
However, don’t expect these strategies to offer complete security solutions. Hackers have other methods to intrude into your network without having to break encryption or steal passwords. Social manipulation of employees is another growing entry point for data thieves and those intent on causing disruption. It is important to educate staff in controlling the information that they give out about themselves. You also need to introduce interactive identity authentication methods to prevent staff from being duped by an email or phone call from a hacker masquerading as an executive.
Other measures needed to protect your company’s assets include document access controls that prevent confidential information held in digital format from being printed, emailed out, or altered. Don’t overlook the shielding of wifi signals to prevent the wireless signal from being accessible from outside your premises and be careful to enforce encryption on all external communications. Implement device management policies if you integrate mobile devices into your network — both company-provided and employee-owned.
As attackers become more creative, we need to adopt more robust security tools and practices and IPS and IDS can play an important role in that, particularly in enterprises. There are a variety of solutions available, and what is best for you will vary significantly depending on the specific requirements of your use case. Do you have experience with any of the tools described above or is there a particular solution you think we left out? Let us know in the comment section below.