Intrusion Prevention and Active Response
nazarijo writes "The security world has been taken by storm by intrusion prevention
system (IPS) products in the past couple of years. After all, a typical
intrusion detection system (IDS) only alerts you that something malicious
may have happened, and an IPS reacts to it and can prevent the attack.
Action in this scenario is obviously preferred to a passive bystander.
Still, the IPS solution space is confusing to many." Read on for the rest of Nazario's review of a book designed to erase that confusion.
Intrusion Prevention and Active Response: Deploying Network and Host IPS
author: Michael Rash, Angela D. Orebaugh, Graham Clark, Becky Pinkard, and Jake Babbin
pages: 424
publisher: Syngress
rating: 7
reviewer: Jose Nazario
ISBN: 193226647X
summary: An overview of host- and network-based IPS solutions
The June 2003 report from Gartner declaring IDS dead set off a lot of security industry activity. Everyone was busy either defending the IDS product space, repositioning their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers suddenly had to evaluate the IPS products on the market and make purchase and deployment decisions as well. However, this marketspace has been poorly understood for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.
It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to write a comprehensive overview of the tools currently available for both the network and the host, as well as the ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.
In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to bite off more than it can chew, or goes off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering on its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.
The book is heavy on actual system output and configuration examples. I like the explicit packet captures and Snort rules; I think they go a long way towards illustrating the premise of an IPS. As is somewhat common with Syngress books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong point), but if you can work past that you're rewarded with a useful example.
For host-based IPS solutions, the book covers a number of approaches that aren't always thought of as IPS techniques. Various stack protection mechanisms are described, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS and grsecurity (with its PaX and RBAC components).
By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools as well: inline modification of network data, reactive blocking, and application integrity checking. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.
The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.
The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.
Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.
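The layered model described in chapter 8 (the network sensor dropping or rewriting offending bytes, alerting on everything else) and the authors' advice to make only a limited, high-confidence subset of rules reactive can be sketched in a few dozen lines. The following is an added example written for this review page; it is not code from the book or from Snort. It models Snort_inline-style rule actions (alert, drop, and a same-length replace, which is the constraint Snort_inline's replace keyword imposes so TCP sequence numbers stay consistent) and adds the guard every active-response deployment needs: a source address is shunned only when the TCP session is established (a blindly spoofed packet cannot satisfy that) and only when it is not on a never-block list of infrastructure hosts. The rule set, addresses, and payloads are constructed for the example; sids in the 1000000+ range and the `established` flag are assumptions, not anything the book specifies.

```python
"""Toy inline IPS in the Snort_inline style (added example, not the book's code):
rules carry an action (alert, drop, replace), and active response (blocking a
source address) is applied only under conditions a spoofed packet cannot meet."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    src: str                   # source IP address (text)
    proto: str                 # "tcp" or "udp"
    dport: int                 # destination port
    payload: bytes
    established: bool = False  # True once the TCP handshake completed (assumed field)


@dataclass
class Rule:
    sid: int
    action: str                # "alert", "drop" or "replace"
    proto: str
    dport: int
    content: bytes             # byte string that must appear in the payload
    msg: str
    replacement: bytes = b""   # replace action only; must equal len(content)


class InlineIPS:
    def __init__(self, rules: List[Rule], never_block: List[str]):
        for r in rules:
            if r.action not in ("alert", "drop", "replace"):
                raise ValueError(f"sid {r.sid}: unknown action {r.action!r}")
            if r.action == "replace" and len(r.replacement) != len(r.content):
                # In-place rewriting must not change the segment length, or the
                # other end's TCP sequence numbers no longer line up.
                raise ValueError(f"sid {r.sid}: replacement length differs from content")
        self.rules = rules
        self.never_block = set(never_block)  # gateway, DNS, ... never shunned
        self.blocked = set()                 # active-response block list
        self.alerts: List[Tuple[int, str, str]] = []

    def process(self, pkt: Packet) -> Tuple[str, bytes]:
        """Return (verdict, payload); verdict is 'pass', 'drop' or 'replace'."""
        if pkt.src in self.blocked:
            return "drop", b""
        payload = pkt.payload
        verdict = "pass"
        for r in self.rules:
            if r.proto != pkt.proto or r.dport != pkt.dport or r.content not in payload:
                continue
            self.alerts.append((r.sid, pkt.src, r.msg))  # every match is logged
            if r.action == "drop":
                self._shun(pkt)
                return "drop", b""
            if r.action == "replace":
                payload = payload.replace(r.content, r.replacement)
                verdict = "replace"
        return verdict, payload

    def _shun(self, pkt: Packet) -> None:
        """Block the source only if its address is trustworthy: the TCP session
        is established (so it was not blindly spoofed) and the host is not on
        the never-block list. Otherwise an attacker could make us block others."""
        if pkt.established and pkt.src not in self.never_block:
            self.blocked.add(pkt.src)


# Constructed rule set: one log-only rule, one reactive rule, one rewrite rule.
RULES = [
    Rule(1000001, "alert", "tcp", 80, b"/cgi-bin/", "CGI probe (log only)"),
    Rule(1000002, "drop", "tcp", 80, b"/bin/sh", "shell command in HTTP request"),
    Rule(1000003, "replace", "tcp", 80, b"/etc/passwd", "passwd request neutered",
         replacement=b"/etc/XXXXXX"),
]


def run_scenario() -> dict:
    """Constructed traffic run through the toy IPS; returns every verdict."""
    ips = InlineIPS(RULES, never_block=["192.0.2.1"])
    out = {}
    out["probe"] = ips.process(Packet("10.0.0.5", "tcp", 80, b"GET /cgi-bin/test HTTP/1.0\r\n", True))
    out["exploit"] = ips.process(Packet("10.0.0.5", "tcp", 80, b"GET /cgi-bin/x?c=/bin/sh HTTP/1.0\r\n", True))
    out["after_block"] = ips.process(Packet("10.0.0.5", "tcp", 80, b"GET / HTTP/1.0\r\n", True))
    # Spoofed source, no established session: packet dropped, host not shunned.
    out["spoofed"] = ips.process(Packet("198.51.100.7", "tcp", 80, b"/bin/sh", False))
    out["spoofed_victim_later"] = ips.process(Packet("198.51.100.7", "tcp", 80, b"GET / HTTP/1.0\r\n", True))
    # Gateway on the never-block list: packet dropped, host not shunned.
    out["gateway"] = ips.process(Packet("192.0.2.1", "tcp", 80, b"/bin/sh", True))
    out["gateway_later"] = ips.process(Packet("192.0.2.1", "tcp", 80, b"GET / HTTP/1.0\r\n", True))
    out["rewrite"] = ips.process(Packet("203.0.113.9", "tcp", 80, b"GET /etc/passwd HTTP/1.0\r\n", True))
    out["blocked"] = sorted(ips.blocked)
    out["alert_sids"] = [sid for sid, _, _ in ips.alerts]
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:22s} {result}")
```

Two things the run shows that the chapter summary does not: the log-only CGI rule fires on the exploit request as well, so the alert stream is what you tune before promoting a rule to drop; and the spoofed packet is still dropped (the content match stands on its own) while the address it claims is never shunned, which is the difference between an IPS and a self-inflicted denial of service.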
There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.
You can purchase Intrusion Prevention and Active Response: Deploying Network and Host IPS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Like the submittor said, IDSs will inform you when something that may be bad has happened. IPSs will block traffic which may be bad. All of these systems have false positives. All of them will eventually block something really important that shouldn't be blocked. And all will eventually lead you to be fired because of that reason. And none of them will detect an intelligent, targeted attack.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I wish IPS would block your posts.
Action in this scenario is obviously preferred
This is not necessarily true, and I'm not just talking about honeynets/honeypots, either.
akad0nric0
This sentence no verb.
infect the systems at work with my pwn trojans so other peeps' trojans get crowded out... like how your good intestinal bacteria keep out bad bacteria.
...when there truly has been an intrusion, but the underlying system may be complex enough that the intrusion detection software can't be entirely sure something unauthorized is happening, and the consequences of preventing access might outweigh the risk of automatic action.
The real problem with the IDS/IPS space is false positives, because they are a non-starter for many businesses, including mine.
Sort of on topic in a way, but what do people think of Cisco's IPS/Firewall/Solutions?
I do read some bad things about them, but nothing that explains why (other than price). And most of the good stuff is usually marketing.
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
which always somehow spits out the message "baby not now I'm sleeping"....
Prevention eventually fails
Quit looking for the security silver bullet.
Those page-the-admin-in-his-sleep systems assume an intrusion is spread over minutes and can be dealt with like a cop intervening during a burglary.
Next-gen intrusion will be scripted/automated to such a level that everything the hacker wanted to do will be done after 1 second.
This stuff can't cope with that kind of attack. Only a secure system can.
In a former life (large financial company), we looked closely at IPS as a possibility. The big concern was that IPS was based on IDS and it still had way too many false positives and false negatives.
So hooking that stuff up to the "Emergency Shutoff" switch for even rarely used network services was a little scary. We had some events where we put in router rules by hand (block this traffic or that traffic), and they still broke applications we never dreamed of.
In the end, we decided to funnel all of those types of actions through our 24x7 command center. The delay caused by human response time was worth the tradeoff for not killing our own network.
Sigs are for lusers. Hey! wait a second...
Here is the best IPS in the world..
http://www.ranum.com/security/computer_security/papers/a1-firewall/
- thewalled
I defy you to define IPS as anything other than a firewall, without using any buzzwords in the definition!
Vista:XPSP2::ME:98SE
I don't have a spare PC to use as a linux firewall, so assuming windows what is the best firewall with IPS? Sygate has been bought out and Kerio's stopped developing their firewall. What firewall w/ IPS is left for windows thats decent?
a Cisco PIX box is great - it (the cheap one) has two ether ports (some have more) on it. packets go in both sides and it just collects them - have no idea what it does with them.. figured maybe they are trying to get enough to create their own black hole but not sure.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
I got another guy on the line about some whitewalls...
Save yourself SEVENTEEN ($17) BUCKS by buying the book here: Intrusion Prevention and Active Response. And if you use the "secret" A9.com discount, you can save an extra 1.57%!
IDS/IPS and other signature based systems are yesterday's news. NBAD is where it is at when it comes to detecting targetted attacks.
I've deployed both TippingPoint (now 3COM) and Lucid IPS and am quite happy with both.
No false positives to date. Med.>Large company.
Working hard to put food on your family.
The Church of Cisco, most holy retainers of the sacred IOS, are pleased that you like they almost-so-holy PIX product. In the name of the IOS, the Ethernet Hub and the Resellers. Amen.
The world's burning. Moped Jesus spotted on I50. Details at 11.
When I read the heading, I thought it was a review of the system that we installed last year from ForeScout called Active Response. This may sound like a product plug, but it is the only thing I have seen that ACTUALLY works.
I work for a very large media company with offices all over the place. I used to know about worms before they would show up in the news because there was always some office in Asia that would get it at night and it would spread over our network before morning. Because it was my job to disinfect everyone's computer, my life revolved around these things.
I can tell you that we haven't seen anything since we installed it.
I know it works because I got hit by the zotob worm on that first Monday when I was at home (I blame my wife) and was kicked off the network as soon as I plugged in. My Symantec (up to date!) didn't catch it.
From what I can tell, it uses all the unused addresses on the network as a honeynet. I would write a review myself if I knew more about it, but I can say that it works.
seriously, if you're allowing that kind of traffic in from the internet to your printers chances are you're allowing other stuff as well.
If I were you I'd bone up on security basics.
When I was serving in the military, the term "active response" to an intrusion meant a half-dozen pissed-off MPs with automatic weapons.
....I'm not all-that sure the military doesn't have the right idea, either....
Regards;
I fight with 50+ Cisco IDS devices every day. Run far, far away.
:-)
These devices are as dumb as they come with poor support, poor management control, buggy software. We steer customers away from active traffic blocking as it more often than not will block legitimate traffic. To the customer it appears they have intermittent traffic failures as different support groups will be unaware of the blocking capabilities and chase their tails for hours.
Proper profiling and signature tuning can only take it so far before you have to rely on the signatures provided by the vendor.
Run away.
The best detection and prevention I have found to date is simply watching tcpdump and taking action manually.
If you find watching lines of packet information less than thrilling, you could try out something like the Cube of Potential Doom.
http://sourceforge.net/projects/net3d/
Although, I'm surprised to see this project go stagnant.
A so-called "Intrusion Prevention System" is at heart and in practice, just a firewall.
Amusingly, it's a firewall with a default open policy. Sure, it inspects the contents of packets instead of making its decisions based on address and port information alone, which is a good thing in itself. But then an IPS by default allows everything else.
If you want the hell of signature-based anti-virus (signature lag all the way up to signature lack) as your primary network protection, by all means, ditch your real firewalls and shut down your IDSes in favor of the new buzz. Your attackers will thank you.
I got your's right here, buddy!
Intrusion Detection: Tinkling glass.
Active Response: Shotgun.
Yup..I'd say my house is pretty damn near secure as I can make it, thanks.
If you're lucky, your application is good enough it doesn't need IPS. Used to have some BSD boxes just sitting on the internet, no firewall, running postfix and running BIND 8 with no recursion.
Day after day these boxes were subjected to all kinds of indignities, and BSD would just laugh in their general direction. Their only vulnerability was to properly executed DDoS attacks, which, as previous posters have pointed out, most IDS/IPS products are hard to configure against without running the risk of, say, preventing the CEO from getting his precious email while he's vacationing in Abu Dhabi.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
You fool! You weren't supposed to turn them on! You're supposed to just buy a few so you can check off the box on your plan. Looking at the output is highly counterproductive.
"But all your emitter and collector are belong to me!"
Marcus Ranum said it best: Six dumbest Ideas in Computing Security.
Having worked on the 10Gbps IPS, I can tell you that this is becoming a rapidly dumb idea (along with firewall). My experience in signature writing was telling me that this is becoming an exercise in futility.
If you can ascertain that your network-based application are secured (via code-review), none of these ancillary cash-burning network security add-on infrastructures would matter. A fool is soon parted with his money.
Spending some time reviewing the application code may be more cost effective.
Web Server? Go tinyHTTP. Less code, fewer (or no) exploits.
Simplify, simplify, simplify (K.I.S.S.)
Sheesh.
I recently called Rita Obey, the go between, as it were, for the individuals trying to set up the station and those 'in charge'. Apparently, those persons willing to set up a station requested multiple offices inside the dome and other supplies to broadcast their station (there must be a physical place to broadcast from ). These were not granted because, in her words, 'we dont have the resources to do this'. Its a good idea. I hope people figure out a way to make it work.
Until our children are no longer molded into castrated sheep democracy remains a fake and a danger. -A. S. Neill
Help save the critically endangered Blue Iguana
They usually only track about 10% of traffic. They are also extremely difficult to manage. Snort, Snort based, or Dragon IDSs are the only decent ones on the market. ~gp
The problem with all those things is that they are only good for making HORRIBLY INSECURE BUT RELIABLE system into KINDA INSECURE AND NOT RELIABLE AT ALL.
Think of it. Why should a system change its behavior when an attack is detected? Because the normal behavior is not secure enough? But then why should it change back when attack ends? Because the "secure" behavior can possibly include blocking something that should be available. There is no other possibility -- if there was, system would just run in a "secure" mode all the time, and there would be no need to sell a complex product to turn it on and off.
But then whoever can trigger "secure" mode for any particular set of addresses (which usually can be done blindly) can do it deliberately and cause a massive DoS. But what if the "IPS" is smart enough to detect a "blind" attack? Then it's better! The only way to distinguish a "blind" attack from a spoofed address from a real attack is by keeping track of all connections and packet history. Create a horribly confusing sequence of packets, and you have the anti-IPS equivalent of a SYN flood. And then when the "IPS" box is out of its RAM, start a real attack. Because you know that the IPS was built for a reason -- someone has left his system insecure.
Contrary to the popular belief, there indeed is no God.
Having said that, I am generally against deploying any fully-automated IPS responses, due to the possibilities of false positives and potential for new attack vectors (i.e., a crafty attacker using the defenses against you.)
Until expert systems are as smart as experienced IDS analysts, the best defense is a dedicated team of people who deploy early-warning systems, and who watch the network carefully, 24x7, aided by tools like RNA. If you're really serious about security, however, you will develop two teams: Red Team and Blue Team. Let one handle defense, the other run attacks, and let the games begin... and don't forget to cycle people between the teams!
Paul Gillingwater
MBA, CISSP, CISM