Intrusion Prevention and Active Response

nazarijo writes "The security world has been taken by storm by intrusion prevention system (IPS) products in the past couple of years. After all, a typical intrusion detection system (IDS) only alerts you that something malicious may have happened, and an IPS reacts to it and can prevent the attack. Action in this scenario is obviously preferred to a passive bystander. Still, the IPS solution space is confusing to many." Read on for the rest of Nazario's review of a book designed to erase that confusion. Intrusion Prevention and Active Response: Deploying Network and Host IPS author Michael Rash, Angela D. Orebaugh, Graham Clark, Becky Pinkard, and Jake Babbin pages 424 publisher Syngress rating 7 reviewer Jose Nazario ISBN 193226647X summary An overview of host- and network-based IPS solutions

The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.

It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.

In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.

The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules, I think they go a long way towards illustrating the premise of an IPS system. As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example.

For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described.

By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.

The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.

The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.

Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.

There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.

You can purchase Intrusion Prevention and Active Response: Deploying Network and Host IPS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

I'm sorry...

[Saint+Aardvark]

...but when you (or the authors) say "solution", do you mean:

program? identity token? software? shelf? algorithm? application? office suite? server hardware? server software? virus scanner? product? network? method? word processor? network protocol? scheduling software? email client? vendor? invention? operating system? windows manager? website? web application? authoring software? network client? web browser? API? ABI? encoding standard? bug tracking software? revision control system? wiki? contact manager?

(Yep, stolen shamelessly from an earlier journal entry.)

Re:I'm sorry...

[Bogtha]

"Solution" means "whatever is capable of solving the problem". So in the context of "Still, the IPS solution space is confusing to many.", it means "choosing between all the different methods of detecting and responding to intrusions is confusing to many".

Yeah, I know that "solution" is an over-used buzzword. But that doesn't mean all uses of it are nonsensical. Solution is a vague term because it's a vague concept. In some contexts, it could be a library, in others it could be a platform.

write-up says it all

[Lord+Ender]

Like the submittor said, IDSs will inform you when something that may be bad has happened. IPSs will block traffic which may be bad. All of these systems have false positives. All of them will eventually block something really important that shouldn't be blocked. And all will eventually lead you to be fired because of that reason. And none of them will detect an intelligent, targeted attack.

My Intrusion Prevention System

[Spy+Handler]

infect the systems at work with my pwn trojans so other peeps' trojans get crowded out... like how your good intestinal bacteria keep out bad bacteria.

Re:My Intrusion Prevention System

Yeah, that sounds like a good idea. Right now I'm protecting my computer by pouring yogurt into the ethernGHGFJFOEWJK#@ NO CARRIER

Action is almost always preferred...

[squarooticus]

...when there truly has been an intrusion, but the underlying system may be complex enough that the intrusion detection software can't be entirely sure something unauthorized is happening, and the consequences of preventing access might outweigh the risk of automatic action.

The real problem with the IDS/IPS space is false positives, because they are a non-starter for many businesses, including mine.

IPS

[j_kenpo]

Prevention eventually fails

Quit looking for the security silver bullet.

Put your network on autopilot?

[Watchman_ds]

In a former life (large financial company), we looked closely at IPS as a possibility. The big concern was that IPS was based on IDS and it still had way too many false positives and false negatives.

So hooking that stuff up to the "Emergency Shutoff" switch for even rarely used network services was a little scary. We had some events where we put in router rules by hand (block this traffic or that traffic), and they still broke applications we never dreamed of.

In the end, we decided to funnel all of those types of actions through our 24x7 command center. The delay caused by human response time was worth the tradeoff for not killing our own network.

Re:Put your network on autopilot?

[foolish]

That's the thing about the modern IPSes though.

You don't plug and pray. You install and interate as you learn the product. You don't turn the tool to IPS everything mode from the get go.

You start out in IDS mode, monitoring for everything. Then you decide which of the types of alerts it is capturing properly, say worms in this instance.

Then you flip the bit for IPS mode for those signatures or anolomies ONLY. And the traffic of that specific type gets blocked, not everything to or from the hosts. Specific traffic only.

If you get reports of something getting blocked, you 'detune' it to IDS mode until you can figure out why it is triggering. Luckily you can get packet capture for most of the enterprise IPSes, so it is usually fairly easy to peg why something false-positived. Some even have an emergency 'flip to IDS mode only'.

You iterate this process until you have a comfort level for the IPS and IDS balancing act. Sigs or types of traffic you're worried false positive too much? Keep them in IDS mode or feedback to the provider that you're getting too much noise! Pretty sure that something on Kazaa ports using Kazaa commands is probably Kazaa or a Kazaa worm? Use IPS to block that specific traffic.

None of the enterprise network people I've talked to would enable to 'Big Red Button' automation script, though. Definitely have the SoC or NoC check the alert and then have them make routing changes. Otherwise, just let the IPS drop/reset the 'bad' traffic.

The 'unknown application breakage' is definitely a problem, especially the closer to the data core you get. I would slowly enable things one at a time, and take a slow and steady approach. The last thing you want to do is break some 100M USD application because you set a sig to block!

As other posters have commented, this does relatively little against a well prepared intruder, but it will hopefully clear off the bottom 90% of your incidents so that you can watch or react to things in a more focused manner. Also, some of the IPSes do check for common single intruder commands , like rm -rf /, su to root, etc.

"Active" Response?

[Hasai]

When I was serving in the military, the term "active response" to an intrusion meant a half-dozen pissed-off MPs with automatic weapons.
 
....I'm not all-that sure the military doesn't have the right idea, either....

Re:What do people think of Cisco's IPS/Firewall/So

[Y2]

I fight with 50+ Cisco IDS devices every day. Run far, far away.

You fool! You weren't supposed to turn them on! You're supposed to just buy a few so you can check off the box on your plan. Looking at the output is highly counterproductive.

"Active response" is dangerous

[Alex+Belits]

The problem with all those things is that they are only good for making HORRIBLY INSECURE BUT RELIABLE system into KINDA INSECURE AND NOT RELIABLE AT ALL.

Think of it. Why should a system change its behavior when an attack is detected? Because the normal behavior is not secure enough? But then why should it change back when attack ends? Because the "secure" behavior can possibly include blocking something that should be available. There is no other possibility -- if there was, system would just run in a "secure" mode all the time, and there would be no need to sell a complex product to turn it on and off.

But then whoever can trigger "secure" mode for any particular set of addresses (what usually can be done blindly), can do it deliberately and cause a massive DoS. But what if "IPS" is smart enough to detect a "blind" attack? Then it's better! The only way to distinguish between "blind" attack from a spoofed address and a real attack is by keeping track of all connections and packet history. Create a horribly confusing sequence of packets, and you have anti-IPS equivalent of SYN flood. And then when "IPS" box is out of its RAM, start a real attack. Because you know that IPS was built for a reason -- someone have left his system insecure.

Sourcefire and RNA

[PGillingwater]

I've worked with IDS for more than 8 years, and Snort for at least 6 years. Currently, I recommend Sourcefire to my customers. Why? Well, Snort with commercial support is great, but it's not enough. Sourcefire however developed RNA, which does passive network protocol analysis, and builds a knowledge base of vulnerbilities and hosts -- and allows IDS rules to be tuned according to relevance. (Note that RNA doesn't help when it comes to IPS.)

Having said that, I am generally against deploying any fully-automated IPS responses, due to the possibilities of false positives and potential for new attack vectors (i.e., a crafty attacker using the defenses against you.)

Until expert systems are as smart as experienced IDS analysts, the best defense is a dedicated team of people who deploy early-warning systems, and who watch the network carefully, 24x7, aided by tools like RNA. If you're really serious about security, however, you will develop two teams: Read Team and Blue Team. Let one handle defense, the other run attacks, and let the games begin... and don't forget to cycle people between the teams!