Page 181 - DCAP516_COMPUTER_SECURITY
Unit 14: Intrusion Detection System and Secure E-mail
cases, it creates an overall weakness in the detection capabilities. Since many vulnerabilities
have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines
can be evaded. For example, some pattern recognition engines require hundreds of different
signatures (patterns) to protect against a single vulnerability. This is because they must have a
different pattern for each exploit variant. Protocol analysis-based products can often block
exploits with a single signature that monitors for the specific vulnerability in the network
communications.
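The contrast between a pattern-matching engine and a protocol-analysis engine can be shown with a toy protocol. The following is an added example, not code from the textbook or from any product: the protocol ("CMD <name>", with a constructed 16-byte limit on the name field), the signature list and every message are constructed for illustration only. The signature engine needs a new pattern for each variant it has seen, while the protocol-aware check parses the field and enforces the limit once, so it also catches a variant that has no signature yet.

```python
import re

NAME_LIMIT = 16  # constructed spec: the <name> field may not exceed 16 bytes

# Pattern-recognition engine: one literal pattern per known variant.
# These patterns are constructed for the toy protocol, not real signatures.
SIGNATURES = {
    "variant-A": re.compile(rb"^CMD A{17,}"),
    "variant-B": re.compile(rb"^CMD B{17,}"),
}


def signature_match(msg: bytes):
    """Return the name of the first signature that matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(msg):
            return name
    return None


def protocol_violation(msg: bytes):
    """Parse the message as the (constructed) spec defines it and report
    the rule it violates, or None when the message is well-formed."""
    if not msg.startswith(b"CMD "):
        return None  # not this protocol; nothing to check here
    name = msg[4:].split(b"\n", 1)[0]
    if len(name) > NAME_LIMIT:
        return f"name field is {len(name)} bytes, limit is {NAME_LIMIT}"
    return None


# Constructed traffic: one legitimate message, two variants the signature
# engine knows about, and one variant it has never seen.
MESSAGES = {
    "legitimate": b"CMD status\n",
    "variant-A": b"CMD " + b"A" * 40 + b"\n",
    "variant-B": b"CMD " + b"B" * 40 + b"\n",
    "variant-C (new)": b"CMD " + b"C" * 40 + b"\n",
}


def compare(messages=MESSAGES):
    """For each message, report (signature engine alerted, protocol engine alerted)."""
    return {
        label: (signature_match(m) is not None, protocol_violation(m) is not None)
        for label, m in messages.items()
    }


if __name__ == "__main__":
    for label, (sig, proto) in compare().items():
        print(f"{label:16} signature={sig!s:5} protocol-analysis={proto}")
```

Run as a script, the output shows the signature engine alerting only on the two variants it has patterns for, while the protocol check alerts on all three over-length messages and passes the legitimate one; adding a third pattern would fix variant C only until the next variant appears.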
14.3.4 Rate-based
Rate-based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed
Denial of Service attacks. They work by monitoring and learning normal network behaviors.
Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify
abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second,
packets per connection, packets to specific ports, etc. Attacks are detected when thresholds are
exceeded. The thresholds are dynamically adjusted based on time of day, day of the week, etc.,
drawing on stored traffic statistics.
Unusual but legitimate network traffic patterns may create false alarms. The system’s effectiveness
is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.
Once an attack is detected, various prevention techniques may be used such as rate-limiting
specific attack-related traffic types, source or connection tracking and source-address, port or
protocol filtering (black-listing) or validation (white-listing).
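A simplified rate-based detector in the style this section describes, added here as an example rather than taken from the textbook or any RBIPS product: it learns per-hour baselines from stored statistics, derives a dynamic threshold per traffic type and time of day (mean plus k standard deviations, a constructed choice of rule), compares live interval counts against it, and proposes a rate-limit on the offending source. All counts, hours, source addresses and the sensitivity constant are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

K = 3.0  # constructed sensitivity: standard deviations above the learned mean


def learn_baseline(history):
    """history: iterable of (hour_of_day, traffic_type, count_per_interval).
    Returns {(hour, traffic_type): (mean, stdev)} built from stored statistics."""
    buckets = defaultdict(list)
    for hour, ttype, count in history:
        buckets[(hour, ttype)].append(count)
    return {key: (mean(v), pstdev(v)) for key, v in buckets.items()}


def threshold(baseline, hour, ttype, k=K):
    """Dynamic threshold for this traffic type at this hour.
    The stdev floor of 1.0 stops a perfectly flat history from producing
    a zero-width band that would alarm on any change at all."""
    mu, sigma = baseline[(hour, ttype)]
    return mu + k * max(sigma, 1.0)


def evaluate(baseline, live, k=K):
    """live: iterable of (hour, traffic_type, source, count).
    Returns one alert per interval whose count exceeds its threshold,
    with a suggested rate-limiting action for that source and type."""
    alerts = []
    for hour, ttype, source, count in live:
        limit = threshold(baseline, hour, ttype, k)
        if count > limit:
            alerts.append({
                "hour": hour, "type": ttype, "source": source,
                "observed": count, "threshold": round(limit, 1),
                "action": f"rate-limit {ttype} from {source} to {int(limit)}/interval",
            })
    return alerts


# Constructed stored statistics: TCP SYN and UDP packets per interval,
# sampled at 03:00 (quiet) and 14:00 (busy) over five past days.
HISTORY = [
    *[(3, "syn", c) for c in (20, 22, 19, 21, 18)],
    *[(14, "syn", c) for c in (200, 210, 190, 205, 195)],
    *[(3, "udp", c) for c in (50, 55, 45, 50, 50)],
]

# Constructed live intervals: the same SYN count is abnormal at 03:00 but
# ordinary at 14:00; the UDP burst stays inside the learned band.
LIVE = [
    (3, "syn", "10.0.0.5", 150),
    (14, "syn", "10.0.0.9", 150),
    (3, "udp", "10.0.0.7", 58),
]

BASELINE = learn_baseline(HISTORY)


def run_demo():
    return evaluate(BASELINE, LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The two SYN intervals carry identical counts; only the time-of-day baseline separates the night-time anomaly from normal afternoon load, which is the point of adjusting thresholds by hour and day. The UDP interval is above its historical mean but under the threshold, so it does not alarm; tightening `K` would turn such legitimate bursts into false alarms, which is the granularity trade-off the text mentions.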
Task: Compare different types of intrusion prevention system software.
Implementation Challenges
There are a number of challenges to the implementation of an IPS device that do not have to be
faced when deploying passive-mode IDS products. These challenges all stem from the fact that
the IPS device is designed to work in-line, presenting a potential choke point and single point of
failure.
If a passive IDS fails, the worst that can happen is that some attempted attacks may go undetected.
If an in-line device fails, however, it can seriously impact the performance of the network.
Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case
you have a self-inflicted Denial of Service condition on your hands. On the bright side, there will
be no attacks getting through! But that is of little consolation if none of your customers can reach
your e-commerce site.
Even if the IPS device does not fail altogether, it still has the potential to act as a bottleneck,
increasing latency and reducing throughput as it struggles to keep up with up to a Gigabit or
more of network traffic.
Devices using off-the-shelf hardware will certainly struggle to keep up with a heavily loaded
Gigabit network, especially if there is a substantial signature set loaded, and this could be a
major concern for both the network administrator – who could see his carefully crafted network
response times go through the roof when a poorly designed IPS device is placed in-line – as well
as the security administrator, who will have to fight tooth and nail to have the network
administrator allow him to place this unknown quantity amongst his high performance routers
and switches.
LOVELY PROFESSIONAL UNIVERSITY 175