Slashdot Mirror


Intrusion Prevention and Active Response

nazarijo writes "The security world has been taken by storm by intrusion prevention system (IPS) products in the past couple of years. After all, a typical intrusion detection system (IDS) only alerts you that something malicious may have happened, and an IPS reacts to it and can prevent the attack. Action in this scenario is obviously preferred to a passive bystander. Still, the IPS solution space is confusing to many." Read on for the rest of Nazario's review of a book designed to erase that confusion.

Title: Intrusion Prevention and Active Response: Deploying Network and Host IPS
Author: Michael Rash, Angela D. Orebaugh, Graham Clark, Becky Pinkard, and Jake Babbin
Pages: 424
Publisher: Syngress
Rating: 7
Reviewer: Jose Nazario
ISBN: 193226647X
Summary: An overview of host- and network-based IPS solutions

The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.

It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to write a comprehensive overview of the tools currently available for both the network and the host, as well as the ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.

In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try to bite off more than it can chew, or goes off on a tangent for too long (such as the many pages of nmap options), but on the whole the book does a fair job of delivering on its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.

The book is heavy on actual system output and configuration examples. I like the explicit packet captures and Snort rules; they go a long way towards illustrating the premise of an IPS. As is somewhat common with Syngress Press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong point), but if you can work past that you're rewarded with a useful example.

For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described.

By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.

The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.

The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.

Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.

There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.

You can purchase Intrusion Prevention and Active Response: Deploying Network and Host IPS from bn.com.

9 of 88 comments

  1. I'm sorry... by Saint Aardvark (Score: 4, Insightful)
    ...but when you (or the authors) say "solution", do you mean:

    program? identity token? software? shelf? algorithm? application? office suite? server hardware? server software? virus scanner? product? network? method? word processor? network protocol? scheduling software? email client? vendor? invention? operating system? windows manager? website? web application? authoring software? network client? web browser? API? ABI? encoding standard? bug tracking software? revision control system? wiki? contact manager?

    (Yep, stolen shamelessly from an earlier journal entry.)

    1. Re:I'm sorry... by Bogtha (Score: 5, Insightful)

      "Solution" means "whatever is capable of solving the problem". So in the context of "Still, the IPS solution space is confusing to many.", it means "choosing between all the different methods of detecting and responding to intrusions is confusing to many".

      Yeah, I know that "solution" is an over-used buzzword. But that doesn't mean all uses of it are nonsensical. Solution is a vague term because it's a vague concept. In some contexts, it could be a library, in others it could be a platform.

      --
      Bogtha Bogtha Bogtha
  2. write-up says it all by Lord Ender (Score: 4, Insightful)

    Like the submitter said, IDSs will inform you when something that may be bad has happened. IPSs will block traffic which may be bad. All of these systems have false positives. All of them will eventually block something really important that shouldn't be blocked. And all will eventually lead you to be fired because of that reason. And none of them will detect an intelligent, targeted attack.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Action is almost always preferred... by squarooticus (Score: 4, Insightful)

    ...when there truly has been an intrusion, but the underlying system may be complex enough that the intrusion detection software can't be entirely sure something unauthorized is happening, and the consequences of preventing access might outweigh the risk of automatic action.

    The real problem with the IDS/IPS space is false positives, because they are a non-starter for many businesses, including mine.

  4. IPS by j_kenpo (Score: 3, Insightful)

    Prevention eventually fails

    Quit looking for the security silver bullet.

  5. Re:Put your network on autopilot? by foolish (Score: 3, Insightful)

    That's the thing about the modern IPSes though.

    You don't plug and pray. You install and iterate as you learn the product. You don't turn the tool to IPS everything mode from the get go.

    You start out in IDS mode, monitoring for everything. Then you decide which of the types of alerts it is capturing properly, say worms in this instance.

    Then you flip the bit for IPS mode for those signatures or anomalies ONLY. And the traffic of that specific type gets blocked, not everything to or from the hosts. Specific traffic only.

    If you get reports of something getting blocked, you 'detune' it to IDS mode until you can figure out why it is triggering. Luckily you can get packet capture for most of the enterprise IPSes, so it is usually fairly easy to peg why something false-positived. Some even have an emergency 'flip to IDS mode only'.

    You iterate this process until you have a comfort level for the IPS and IDS balancing act. Sigs or types of traffic you're worried will false positive too much? Keep them in IDS mode or feed back to the provider that you're getting too much noise! Pretty sure that something on Kazaa ports using Kazaa commands is probably Kazaa or a Kazaa worm? Use IPS to block that specific traffic.

    None of the enterprise network people I've talked to would enable the 'Big Red Button' automation script, though. Definitely have the SoC or NoC check the alert and then have them make routing changes. Otherwise, just let the IPS drop/reset the 'bad' traffic.

    The 'unknown application breakage' is definitely a problem, especially the closer to the data core you get. I would slowly enable things one at a time, and take a slow and steady approach. The last thing you want to do is break some 100M USD application because you set a sig to block!

    As other posters have commented, this does relatively little against a well prepared intruder, but it will hopefully clear off the bottom 90% of your incidents so that you can watch or react to things in a more focused manner. Also, some of the IPSes do check for common single intruder commands, like rm -rf /, su to root, etc.
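    The staged rollout foolish describes above, and the reviewer's point that only a limited, well-understood subset of IDS functionality should be made reactive, can be modelled as a per-signature alert/drop table. The following is an added Python illustration, not code from the reviewed book, from Snort, or from any commenter: every signature starts in IDS (alert) mode, is promoted to IPS (drop) mode one at a time, is detuned back to alert on a false-positive report, and an emergency switch returns everything to alert-only. The signature ids, the matcher predicates, the simplified flow record and the sample traffic are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ALERT = "alert"  # IDS mode: log the match, forward the traffic
DROP = "drop"    # IPS mode: log the match, block the traffic


@dataclass
class Flow:
    """Simplified flow record (constructed for the demo, not a real packet format)."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    name: str
    match: Callable[[Flow], bool]  # hypothetical matcher over the simplified flow
    mode: str = ALERT              # every signature starts in IDS mode


class PolicyEngine:
    """Per-signature alert/drop table; the 'IPS' is just the subset of signatures in DROP mode."""

    def __init__(self, sigs: List[Signature]) -> None:
        self.sigs: Dict[int, Signature] = {s.sid: s for s in sigs}
        self.log: List[Tuple[int, str, str, str]] = []

    def promote(self, sid: int) -> None:
        """Flip one signature to IPS mode; every other signature is untouched."""
        self.sigs[sid].mode = DROP

    def detune(self, sid: int) -> None:
        """Back to IDS mode after a false-positive report, while the cause is investigated."""
        self.sigs[sid].mode = ALERT

    def emergency_ids_only(self) -> None:
        """The 'flip to IDS mode only' switch: every signature back to alert."""
        for s in self.sigs.values():
            s.mode = ALERT

    def process(self, flow: Flow) -> str:
        """Return 'drop' if any DROP-mode signature matches, else 'pass'.
        Matches are logged either way, so IDS-mode signatures still produce evidence."""
        verdict = "pass"
        for s in self.sigs.values():
            if s.match(flow):
                self.log.append((s.sid, s.mode, flow.src, flow.dst))
                if s.mode == DROP:
                    verdict = "drop"
        return verdict


def make_sigs() -> List[Signature]:
    """Constructed signatures; sids and matchers are made up for the demo."""
    return [
        Signature(1000001, "worm probe: tcp/445 with marker bytes",
                  lambda f: f.dport == 445 and b"WORM-MARKER" in f.payload),
        Signature(1000002, "p2p client: tcp/1214 handshake",
                  lambda f: f.dport == 1214 and f.payload.startswith(b"P2P-HELLO")),
        # Deliberately broad: any web request carrying 'cmd=' is flagged. This is the
        # kind of signature that looks harmless in IDS mode and breaks an application
        # the moment it is switched to IPS mode.
        Signature(1000003, "web: 'cmd=' in request",
                  lambda f: f.dport == 80 and b"cmd=" in f.payload),
    ]


# Constructed sample traffic.
WORM = Flow("10.0.0.5", "10.0.0.9", 445, b"\x00WORM-MARKER\x00")
P2P = Flow("10.0.0.7", "203.0.113.4", 1214, b"P2P-HELLO v1")
LEGIT_WEB = Flow("10.0.0.8", "10.0.0.20", 80, b"GET /report?cmd=export HTTP/1.1\r\n")


def run_rollout() -> Dict[str, Dict[str, str]]:
    """Walk the staged deployment and record the verdict for each flow at each stage."""
    eng = PolicyEngine(make_sigs())
    flows = {"worm": WORM, "p2p": P2P, "web": LEGIT_WEB}
    stages: Dict[str, Dict[str, str]] = {}

    def snapshot(label: str) -> None:
        stages[label] = {k: eng.process(f) for k, f in flows.items()}

    snapshot("1-ids-only")         # monitoring only: everything passes, everything is logged
    eng.promote(1000001)           # the worm signature is well understood: block it, and only it
    snapshot("2-worm-blocked")
    eng.promote(1000003)           # the broad web signature is promoted too eagerly
    snapshot("3-web-app-broken")   # the legitimate report export is now dropped
    eng.detune(1000003)            # breakage reports come in: that signature goes back to IDS mode
    snapshot("4-web-detuned")
    eng.emergency_ids_only()       # the big switch: nothing is blocked any more
    snapshot("5-emergency")
    return stages


if __name__ == "__main__":
    for stage, verdicts in run_rollout().items():
        print(stage, verdicts)
```

    Stage 3 is the failure mode the comment warns about: a signature that produced only alerts in IDS mode silently blocks a legitimate application once it is in drop mode, and the engine's log is what lets you see which signature fired before detuning it.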

  6. Re:What do people think of Cisco's IPS/Firewall/So by Anonymous Coward (Score: 1, Insightful)

    I fight with 50+ Cisco IDS devices every day. Run far, far away.

    These devices are as dumb as they come, with poor support, poor management control, and buggy software. We steer customers away from active traffic blocking as it more often than not will block legitimate traffic. To the customer it appears they have intermittent traffic failures, as different support groups will be unaware of the blocking capabilities and chase their tails for hours.

    Proper profiling and signature tuning can only take it so far before you have to rely on the signatures provided by the vendor.

    Run away. :-)

  7. IPS/IDS and firewall are the dumbest ideas.... by Dark Coder (Score: 2, Insightful)

    Marcus Ranum said it best: Six dumbest Ideas in Computing Security.

    Having worked on the 10Gbps IPS, I can tell you that this is becoming a rapidly dumb idea (along with firewall). My experience in signature writing was telling me that this is becoming an exercise in futility.

    If you can ascertain that your network-based applications are secured (via code review), none of these ancillary cash-burning network security add-on infrastructures would matter. A fool is soon parted with his money.

    Spending some time reviewing the application code may be more cost effective.

    Web server? Go tinyHTTP. Less code, fewer (or no) exploits.

    Simplify, simplify, simplify (K.I.S.S.)

    Sheesh.

  8. Sourcefire and RNA by PGillingwater (Score: 3, Insightful)
    I've worked with IDS for more than 8 years, and Snort for at least 6 years. Currently, I recommend Sourcefire to my customers. Why? Well, Snort with commercial support is great, but it's not enough. Sourcefire however developed RNA, which does passive network protocol analysis, and builds a knowledge base of vulnerabilities and hosts -- and allows IDS rules to be tuned according to relevance. (Note that RNA doesn't help when it comes to IPS.)

    Having said that, I am generally against deploying any fully-automated IPS responses, due to the possibilities of false positives and potential for new attack vectors (i.e., a crafty attacker using the defenses against you.)

    Until expert systems are as smart as experienced IDS analysts, the best defense is a dedicated team of people who deploy early-warning systems, and who watch the network carefully, 24x7, aided by tools like RNA. If you're really serious about security, however, you will develop two teams: Red Team and Blue Team. Let one handle defense, the other run attacks, and let the games begin... and don't forget to cycle people between the teams!

    --
    Paul Gillingwater
    MBA, CISSP, CISM