Page 178 - DCAP516_COMPUTER_SECURITY

Computer Security




polymorphic genetics that constantly change the code, producing a different signature every time the program is recreated.

14.2 Intrusion Prevention System

An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.

Network-based IPS, for example, operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, the IPS can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of Intrusion Detection System (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato, who was a technical writer and consultant for NetworkICE.

Intrusion Prevention Systems (IPSs) evolved in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. Early IPSs were IDSs that could issue prevention commands to firewalls and push access control changes to routers. This technique fell short operationally because it created a race condition between the IDS and the exploit as it passed through the control mechanism.



Did you know? Inline IPS can be seen as an improvement upon firewall technologies (Snort inline is integrated into one): an IPS can make access control decisions based on application content, rather than on IP addresses or ports as traditional firewalls had done. However, in order to improve performance and the accuracy of classification mapping, most IPS use the destination port in their signature format. As IPS systems were originally a literal extension of intrusion detection systems, they continue to be related.
Intrusion prevention systems may also serve secondarily at the host level to deny potentially malicious activity. There are advantages and disadvantages to host-based IPS compared with network-based IPS. In many cases, the technologies are thought to be complementary.

An Intrusion Prevention System must also be a very good Intrusion Detection System to keep its rate of false positives low. Some IPS systems can also prevent yet-to-be-discovered attacks, such as those caused by a buffer overflow.

The role of an IPS in a network is often confused with access control and application-layer firewalls. There are some notable differences in these technologies. While all share similarities, how they approach network or system security is fundamentally different.

An IPS is typically designed to operate completely invisibly on a network. IPS products do not typically claim an IP address on the protected network but may respond directly to any traffic in a variety of ways. (Common IPS responses include dropping packets, resetting connections, generating alerts, and even quarantining intruders.) While some IPS products have the ability to implement firewall rules, this is often a mere convenience and not a core function of the product. Moreover, IPS technology offers deeper insight into network operations, providing information on overly active hosts, bad logons, inappropriate content and many other network and application-layer functions.

Application firewalls are a very different type of technology. An application firewall uses proxies to perform firewall access control for network and application-layer traffic. Some application-layer firewalls have the ability to do some IPS-like functions, such as enforcing RFC





172 LOVELY PROFESSIONAL UNIVERSITY