How does the Intrusion Prevention System work?
An intrusion prevention system is typically behind a firewall; every packet moves past it and is inspected by the system. When it spots an anomaly, the IT administrator or SOC staff is notified, while the IPS deactivates any threat.
This system is always working non-stop, and in real-time to protect a network against any form of attack, and it doesn't require the input of a SOC personnel or network manager because it has been programmed to prevent invasion with or without help.
In an inline configuration, we have;
Internet ‒ firewall ‒ IPS ‒ Core Switch
The IPS sits inline between the firewall and the core switch and actively monitors traffic. As traffic passes between the core switch and firewall the IPS examines all traffic for potential threats, if there is, it instantly blocks traffic in the IPS.
Being an inline system, one of its limitations is that it can fail occasionally. The failure could be a hardware issue, a software bug, or a power issue. When the network fails, the system can be configured or engineered to operate in different failure modes.
Fail-Open Mode: When there’s a system failure, data will continue to flow through the connection, meaning there won’t be any security processes occurring during this time and the network will continue to run.
Fail-Closed Mode: When the system fails or crashes data doesn’t flow, and the security processes would not operate, and the network connection would halt all communication.
Having a system that is fail open or fail closed is important when the device is inline and performing active monitoring. The default configuration of IPS is often active monitoring; however, some organizations prefer passive monitoring.
Let's explore what these terms mean;
Active Monitoring: In active monitoring, the IPS is connected inline. In an active monitoring system, when the IPS detects a threat or an outage occurs, it can lead to network downtime. Another concern is that the IPS might block legitimate traffic due to its aggressive approach to identifying potential threats, even when they are not malicious.
The advantage of active monitoring is that when traffic passes through the network and the IPS, threats can be identified and blocked immediately, preventing them from reaching the core switch.
Key Points
The system is connected inline.
Data can be blocked in real-time.
Intrusion Prevention is active.
Passive Monitoring: In passive monitoring, devices communicate through a switch, which takes a copy of the traffic and sends it to the IPS for analysis. Since the IPS is not inline with the normal network communication between the devices and the switch, it cannot cause network downtime. However, because it is not inline, its ability to block traffic is limited.
Passive monitoring requires a method for receiving a copy of network traffic, such as SPAN (Switched Port Analyzer) or a physical network TAP to break into a physical connection without disrupting it. When a traffic is sent to the switch, it is duplicated; one copy is sent to the destination, and the other is sent to IPS for evaluation.
This way, identifying and alerting on malicious traffic does not interfere with the traffic flow.
Key Points:
A copy of the network is examined using a tap pr port monitor
Data cannot be blocked in real-time
Intrusion detection is commonly passive
Types of Intrusion Prevention System
Types of Intrusion Prevention Systems include;
Network Intrusion Prevention System (NIPS): NIPS is a security solution designed to prevent unauthorized attacks, and malicious activities on a network, it also extends its feature by taking automated actions to stop or mitigate threats in real-time. Example - Cisco Firepower
Key Functions:
Traffic monitoring
Threat prevention
Automated responses
Host Intrusion Prevention System (HIPS): HIPS monitors inbound and outbound traffic from devices. It is installed on individual endpoints such as servers or laptops and protects specific devices by monitoring log files, system behaviour, and other activities. Example - OSSEC
Key Functions:
Detect and Prevent attacks against individual host
Blocks unauthorized changes to system files
Provides security for a specific device
Network Behavioural Analysis (NBA): NBA detects abnormal traffic patterns without relying on predefined attack signatures. It collaborates with NIPS to provide a more efficient security solution. Example - Cisco Stealthwatch
Key Functions:
Identifies behaviour like unauthorized access attempts
Detects Zero-day attacks and other unknown threats
WIPS uses machine learning and AI to enhance threat detection.
Wireless Intrusion Prevention System (WIPS): WIPS monitors Wi-Fi networks and secures them by detecting and preventing unauthorized access points and other malicious activities. Example - Aruba WIPS
Key Functions:
Scans Wi-Fi access points
Detects man-in-the-middle attacks and rogue clients.
Automatically removes unauthorized devices
These solutions can handle different types of attacks including;
Buffer Overflow: An attacker exploits vulnerabilities in a buffer (temporary storage area in memory) by writing more data than it can hold. This excess data overflows into adjacent memory causing corruption or crashing the execution of an application.
DDOS Attack: The attacker floods a network with traffic from distributed computers to overwhelm the system causing it to become unavailable for users.
Ping of Death: The attacker uses a ping command to send malformed packets to crash a system
Port Scanning: The attack is directed at a port, to find an opening that can be exploited.
SYN Flood: A large volume of SYN(Synchronised) packet is sent as a connection request to overwhelm a firewall or server.
Secure Socket Layer Evasion: The attacker uses secure socket layer (SSL) and transport layer security (TLS) encryption to hide malicious traffic, allowing it to bypass network security undetected.
Common IPS tools include;
Snort
Snort is an open-source network intrusion detection and prevention system. It uses a series of rules that help define malicious network activities. Those rules are used to find packets that match against these activities and generate alerts for users.
Suricata
Suricata is an open-source intrusion detection and intrusion prevention system that keeps the network safe from sophisticated threats. It can inspect multi-gigabit traffic and its engine is built around a multi-threaded, modern, clean, and scalable code base. It will automatically detect protocols such as HTTP on any port and apply detection and logging logic to help find malware.
Cisco IPS
Cisco IPS can detect, flag, and analyze suspicious files and unidentified threats. It enhances security and visibility by sharing data from your network, which helps optimize and improve security measures and threat response.
OSSEC
OSSEC is a free, open-source host-based intrusion detection system that can be used for intrusion prevention. It is designed to protect networks and endpoints. Its features include real-time log analysis, windows registry monitoring, policy monitoring, file integrity monitoring, and more.
Palo Alto Networks
Palo Alto Networks uses AI to prevent threats including Zero-day attacks and evasive malware. It offers multiple layers of protection during each phase of an attack, leveraging deep and machine-learning models to detect, block, and stop threats in real-time.