An overview of IPS – Intrusion Prevention System and types of Network Threats

This article gives a general introduction to IPS – Intrusion Prevention System for Network Security and also gives a list of network threats that can be identified and mitigated by such Intrusion Prevention Systems.

What is an Intrusion Prevention System (IPS)?

An Intrusion Prevention System is a network device or software that goes deeper than a firewall to identify and block network threats, assessing each packet against the application-layer protocol in use, the context of the communication and the state of the session it belongs to.

A network based Intrusion Prevention System sits in-line on the network, monitoring incoming packets against a set of prescribed rules (which the security administrator can tune), and any traffic identified as bad is dropped in real time. It is useful for detecting and preventing DoS/DDoS and brute force attacks, for vulnerability and protocol anomaly detection, and for preventing unknown zero-day attacks. IPS technologies are mostly session based: traffic is examined in the context of the session flow it belongs to.

What are the ways in which Intrusion Prevention Systems work?

Signature based threat detection: Intrusion detection/prevention systems contain a large repository of signatures that help identify attacks by matching attempted traffic against known vulnerability patterns.

Anomaly threat detection: Anomaly detection techniques protect against first-strike or unknown threats. This is done by comparing the network traffic to a baseline to identify abnormal and potentially harmful behaviour. They look for statistical abnormalities in the traffic, as well as protocol ambiguities and atypical application activity.

Passive Network Monitoring: An IPS can also be set to passively monitor network traffic at certain points, identify abnormal behaviour or deviations from certain security threshold parameters, and report them to the security administrator by generating reports or alerts (such as email alerts) about the device communications.
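As an added illustration (not code from the original article), the three modes above in a small Python model: a hypothetical signature repository matched against packet payloads, a statistical packet-rate baseline for anomaly detection, and an inline/passive switch that decides between dropping and alerting. The signatures, thresholds and packets are constructed for the example.

```python
import re
import statistics
from dataclasses import dataclass, field

@dataclass
class Packet:
    """Constructed packet record (not captured traffic): source IP, destination port, payload."""
    src: str
    dport: int
    payload: bytes

# Hypothetical signature repository: name -> pattern over the payload. Real products ship
# thousands of vendor-maintained signatures; these two are illustrative only.
SIGNATURES = {
    "shell-metachar-in-cgi-query": re.compile(rb"GET /cgi-bin/[^ ]*[|;`]"),
    "traversal-in-url": re.compile(rb"\.\./\.\./"),
}

def signature_check(pkt: Packet) -> list:
    """Signature-based detection: return the names of every signature the payload matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]

@dataclass
class AnomalyBaseline:
    """Anomaly-based detection: learn a per-interval packet count baseline, then flag outliers."""
    history: list = field(default_factory=list)
    k: float = 3.0  # standard deviations above the mean that count as anomalous

    def learn(self, count: int) -> None:
        """Record one interval's packet count as part of the normal baseline."""
        self.history.append(count)

    def is_anomalous(self, count: int) -> bool:
        """True when the count exceeds mean + k * stddev of the learned baseline."""
        if len(self.history) < 2:
            return False  # not enough baseline to judge yet
        mean = statistics.mean(self.history)
        sd = statistics.pstdev(self.history) or 1.0  # avoid a zero-width band
        return count > mean + self.k * sd

def process(pkt: Packet, inline: bool) -> str:
    """Inline IPS drops a matching packet; passive monitoring only raises an alert."""
    if not signature_check(pkt):
        return "pass"
    return "drop" if inline else "alert"
```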

What are the important IPS performance metrics?

IPS performance metrics are measured in terms of:

¤ Dynamic alerting capability
¤ Lower false positives
¤ Threat blocking capability
¤ High availability, redundancy and processing speed
¤ Ability to correctly identify attacks and drop packets accurately

Some IPS solutions offer the flexibility to implement different protection options (rules) for different segments of the network, which is especially useful for large networks. Some are capable of isolating the attack traffic to a network segment and limiting its bandwidth to reduce the effect of network threats. An IPS helps identify and mitigate the following types of network threats.

Types of Network threats:

¤ ICMP Storms: High volumes of ICMP echo requests may indicate maliciously intended transmissions, such as scanning for live IP addresses.

¤ Ping of Death: A ping command is sent across a network to determine if another computer is active. This ping command can be misconfigured by a user to send an unusually large packet to the target computer, which might cause it to crash or go down temporarily.

¤ SSL Evasion: An attacker tries to bypass the security device by launching attacks through encrypted SSL tunnels, since such tunnels are not inspected by the security devices.

¤ IP Fragmentation: Programs like Fragroute intercept, modify and rewrite egress traffic destined for a specific host, thereby perpetuating an attack.

¤ SMTP mass mailing attacks: SMTP DoS attacks using malformed email addresses place unnecessary load on the mail server.

¤ DoS/DDoS attacks: Attackers launch an attack on an enterprise network server by flooding it with a high number of connection requests that appear genuine to the server. If the number of such connection requests exceeds the rate the server can handle, genuine users are prevented from accessing the server. This is called a Denial of Service (DoS) attack. In a Distributed Denial of Service attack, attackers place malicious code on a large number of individual computers and use them to launch DoS attacks simultaneously from various locations.

¤ SYN Flood attacks: The attacker sends a large number of ‘please start a communication with me’ (SYN) packets to a server but never sends the follow-up packets, thus wasting the memory resources that the server allocated for these requests.

¤ HTTP obfuscation: A number of attacks on web servers are carried out by obfuscating URL characters (using hexadecimal encoding, for example), which gives the attackers unwarranted access.

¤ Port Scanning: This is an attempt by attackers to find out which ports are open on a specific host, or on multiple hosts on the network, by scanning different ports. Once this information is obtained, attacks against known vulnerabilities in those services are attempted.

¤ ARP Spoofing: The Address Resolution Protocol (ARP) is used to find a MAC address on a local network when the IP address is already known. A sending host broadcasts an ARP request on the network asking for the MAC address of the host with a particular IP address, and that MAC address is sent back. By spoofing fake ARP requests from outside the network, the network traffic is redirected to some other location, along with information that might be useful to the attackers.

¤ CGI Attacks: Remote attackers can submit a malicious web request containing shell metacharacters (such as ‘|’) to execute arbitrary commands on a host running a vulnerable CGI script. If these commands are executed, an attacker can gain local or interactive access to the host.

¤ Buffer Overflow attacks: A buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold. The additional data can overflow into adjacent buffers and can contain code that performs specific actions, such as damaging the user’s files.

¤ OS Fingerprinting attacks: OS fingerprinting is the process of learning which operating system is running on a device. With that information, an attacker can perform reconnaissance on the network prior to launching an attack, and the vulnerabilities of particular operating systems are exploited using it.

¤ SMB Probes: The Server Message Block (SMB) protocol is an application-layer network protocol mainly used to provide shared access to files, printers, serial ports and so on. SMB probe attacks involving file or print sharing in MS Windows environments focus on scenarios where users run the SMB protocol across different subnets over the internet.
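An added example, not part of the original article, of how a session-based IPS could track the handshake state behind SYN flood and port scan detection from the list above, plus the URL normalization that lets the signature engine see through HTTP obfuscation (percent-encoded and double-encoded characters). The thresholds, addresses and flows are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import unquote

class SessionTracker:
    """Per-source TCP handshake tracking, as a session-based IPS does: count half-open
    sessions (SYN sent, final ACK never seen) and the distinct destination ports touched."""

    def __init__(self, syn_limit=50, port_limit=20):
        self.half_open = defaultdict(set)  # src -> {(sport, dst, dport)} awaiting the final ACK
        self.ports = defaultdict(set)      # src -> {dport} probed by this source
        self.syn_limit, self.port_limit = syn_limit, port_limit

    def observe(self, src, sport, dst, dport, flags):
        """Feed one client-side segment; flags is "S" (SYN) or "A" (final handshake ACK)."""
        key = (sport, dst, dport)
        if flags == "S":                    # client opens a handshake
            self.half_open[src].add(key)
            self.ports[src].add(dport)
        elif flags == "A":                  # client completes it; no longer half-open
            self.half_open[src].discard(key)

    def syn_flood_suspects(self):
        return sorted(s for s, k in self.half_open.items() if len(k) >= self.syn_limit)

    def port_scan_suspects(self):
        return sorted(s for s, p in self.ports.items() if len(p) >= self.port_limit)

def normalize_url(path):
    """Repeatedly percent-decode (catching double encoding such as %252e) and lower-case the
    path, so signatures are matched against the form the web server will actually interpret."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()

def run_sample():
    """Constructed flows (not captured traffic): a flooder, a scanner and one normal client."""
    t = SessionTracker()
    for sport in range(1000, 1060):                     # 60 SYNs, no ACKs, one service
        t.observe("198.51.100.7", sport, "10.0.0.1", 80, "S")
    for dport in range(1, 26):                          # 25 ports probed from one source
        t.observe("203.0.113.9", 4444, "10.0.0.1", dport, "S")
    t.observe("10.0.0.20", 5555, "10.0.0.1", 443, "S")  # normal client completes handshake
    t.observe("10.0.0.20", 5555, "10.0.0.1", 443, "A")
    return t.syn_flood_suspects(), t.port_scan_suspects()
```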

Click here to read about an open source intrusion detection system called Snort

excITingIP.com
