As we gear up for a series by reader request on Network Intrusion Prevention Systems (IPS) here at blog.ipexpert.com, a great starting point is to examine the overall approaches to IPS devices that are used by network vendors today. We begin with the technological approaches that Cisco employs, and then we move outward from there in our list below.
- Signature-based – Cisco’s approach to Intrusion Prevention and Intrusion Detection Systems (IDS) is primarily signature-based. It is the main technology in the dedicated IPS appliances as well as in the IOS-based IPS features within Cisco routers. Since this is the main approach used by Cisco and this is a Cisco-biased blog, we will dedicate the most time to it.
Signatures are rules that describe a pattern of network traffic that is consistent with particular forms of security breaches and attacks. For example, Web servers might be attacked frequently by specially designed URLs that are sent against the server. A signature can be written that matches the particular attack in order to guard against it. Notice that in order to be effective, signatures examine both packet headers and packet payloads.
The signature-based approach to IPS has a relatively low false positive rate, even upon initial deployment prior to tuning. A false positive is an alarm on the IPS that is triggered when the actual traffic was benign. The false positive rate is low because you are relying upon the expertise of the engineers at Cisco who have designed the signature database. Another huge advantage of the signature-based approach is the overall ease with which you can implement the security mechanism in your network.
Challenges to this approach include the fact that your IPS is only as good as its most recent signature update. If you have not updated the signature database in over a year, you are vulnerable to the new attacks that have appeared in the last 12 months.
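To make the header-plus-payload matching and the false positive concept concrete, here is an added example (not Cisco’s signature engine, and not code from the original post) with constructed HTTP traffic, hypothetical signature numbers, and a loosely written signature alongside a tuned one:

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sig_id: int            # hypothetical signature number
    name: str
    proto: str             # header criterion: transport protocol
    dst_port: int          # header criterion: destination port
    payload_pattern: str   # regex applied to the packet payload

def match_signatures(packets, signatures):
    """Return [(sig_id, packet_index)] for every signature that fires on a packet."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for sig in signatures:
            # Header checks first: they are cheap and rule out most traffic.
            if pkt["proto"] != sig.proto or pkt["dst_port"] != sig.dst_port:
                continue
            # Payload check: the pattern that identifies the attack itself.
            if re.search(sig.payload_pattern, pkt["payload"], re.IGNORECASE):
                alerts.append((sig.sig_id, idx))
    return alerts

# Constructed sample traffic (not a real capture). Packet index 3 is a benign
# request for a password-reset help page that a sloppy signature will flag.
PACKETS = [
    {"proto": "tcp", "dst_port": 80, "payload": "GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "dst_port": 80, "payload": "GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "dst_port": 25, "payload": "RCPT TO:<etc/passwd@example.test>\r\n"},
    {"proto": "tcp", "dst_port": 80, "payload": "GET /help/passwd-reset.html HTTP/1.1\r\n"},
]

# Loosely written signature: fires on the word "passwd" anywhere in an HTTP request.
LOOSE = [Signature(1001, "WWW passwd access (loose)", "tcp", 80, r"passwd")]
# Tuned signature: requires a directory-traversal sequence leading to /etc/passwd.
TUNED = [Signature(1002, "WWW /etc/passwd traversal", "tcp", 80, r"(\.\./)+etc/passwd")]

def false_positive_demo():
    """Show how tuning the payload pattern removes the false positive on benign traffic."""
    loose_hits = match_signatures(PACKETS, LOOSE)   # [(1001, 1), (1001, 3)]
    tuned_hits = match_signatures(PACKETS, TUNED)   # [(1002, 1)]
    return loose_hits, tuned_hits

if __name__ == "__main__":
    loose, tuned = false_positive_demo()
    print("loose signature alerts:", loose)
    print("tuned signature alerts:", tuned)
```

Note that the port 25 packet never matches either signature: the header criteria are evaluated before the payload pattern is ever consulted.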
- Anomaly-based – what is an anomaly? It is something that is outside the “norm”. With this approach the IPS alerts us about network traffic that falls outside the “normal” behavior typical of our environment. As you might guess, the big challenge with this approach is defining what is normal. I have struggled with this in my own personality for years!
IPS devices typically implement anomaly-based detection in one of two ways. Statistical anomaly detection (or network behavior analysis) observes traffic over a period of time and builds a statistical profile of “normal”. Protocol verification observes the network traffic and ensures that it conforms to known standards-based behavior.
While this approach to IPS might seem very exciting because it could catch an attack that has not yet been defined in a signature, it does require considerable administrator intervention and monitoring to sort through the many false positives it can produce.
Cisco relies on this approach for things like worm prevention in their Network IPS devices.
- Policy-based – with a policy-based approach, a network administrator configures an approved traffic policy and the device can alert on or block traffic that falls outside that policy. For the most part, Cisco abandons this approach in its Network-based IPS devices, as it would place a tremendous burden on the admins of the organization to design the correct policies. We certainly have our hands full with these types of considerations on the perimeter firewalls of the organization already.
- Honey Pot – with this approach, the IPS device is a trap! It is crafted to impersonate as many vulnerable network devices as possible and attract attackers like a honey pot would a swarm of bees. This allows the administrator to gain valuable information about the attackers and to distract them from their ultimate targets. Cisco does not employ this approach in its IPS/IDS devices.
Now that we understand common approaches to Network Intrusion Prevention (and the particular technologies that Cisco is biased toward), we can examine Cisco Network IPS in greater detail in upcoming posts.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv