Page 183 - DCAP516_COMPUTER_SECURITY
Unit 14: Intrusion Detection System and Secure E-mail
Self Assessment
Fill in the blanks:
1. …………….. are primarily intended to prevent Denial of Service and Distributed Denial of
Service attacks.
2. A ………………………. could detect this anomalous behavior and instruct the IPS engine
to drop the offending packets.
3. A …………….. is one where the intrusion-prevention application is resident on that specific
IP address, usually on a single computer.
4. ……………………….. are sometimes called "Next Generation Firewalls".
5. ……………………….. is a legitimate user who accesses data, programs, or resources for
which such access is not authorized.
6. The …………………………….. intruder can be either an outsider or an insider.
14.4 Requirements for Effective Prevention
Having pointed out the potential pitfalls facing anyone deploying these devices, what features
should we look for that will help us avoid such problems?
1. In-line Operation: Only by operating in-line can an IPS device perform true protection,
discarding all suspect packets immediately and blocking the remainder of that flow.
2. Reliability and Availability: Should an in-line device fail, it has the potential to close a
vital network path and thus, once again, cause a DoS condition. An extremely low failure
rate is thus very important in order to maximize up-time, and if the worst should happen,
the device should provide the option to fail open or support fail-over to another sensor
operating in a fail-over group. In addition, to reduce downtime for signature and protocol
coverage updates, an IPS must support the ability to receive these updates without requiring
a device re-boot. When operating inline, sensors rebooting across the enterprise effectively
translate into network downtime for the duration of the reboot.
3. Resilience: As mentioned above, the very minimum that an IPS device should offer in the
way of High Availability is to fail open in the case of system failure or power loss (some
environments may prefer this default condition to be “fail closed” as with a typical firewall,
however – the most flexible products will allow this to be user-configurable). Active-
Active stateful fail-over with cooperating in-line sensors in a fail-over group will ensure
that the IPS device does not become a single point of failure in a critical network deployment.
4. Low Latency: When a device is placed in-line, it is essential that its impact on overall
network performance is minimal. Packets should be processed quickly enough that the
overall latency of the device is as close as possible to that of a layer 2/3 device such as a
switch, and no more than that of a typical layer 4 device such as a firewall or load-balancer.
5. High Performance: Packet processing rates must be at the rated speed of the device under
real-life traffic conditions, and the device must meet the stated performance with all
signatures enabled. Headroom should be built into the performance capabilities to enable
the device to handle any increase in the size of signature packs that may occur over the next
three years. Ideally, the detection engine should be designed in such a way that the number
of "signatures" (or "checks") loaded does not affect the overall performance of the device.
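The sketch below is an added example, not code from the textbook or from any IPS vendor. It models in a few dozen lines the behaviour that requirements 1, 3 and 5 above describe: an in-line sensor returns a verdict before a packet is forwarded and discards the remainder of a flagged flow; the fail-open / fail-closed default is a configuration knob rather than a fixed property; and the detection engine is a single-pass multi-pattern matcher (an Aho-Corasick automaton) so that the per-packet cost does not grow with the number of signatures loaded. The signature names and patterns, the flow keys, the packet payloads and the BrokenEngine class are all constructed for illustration and are not real detection content.

```python
"""Toy in-line IPS (added example, not from the textbook).

Models three requirements from 14.4: in-line drop of the flagged packet and of
the remainder of its flow, a user-configurable fail-open / fail-closed policy
when the detection engine breaks, and a single-pass multi-pattern matcher whose
per-packet cost does not depend on the number of signatures loaded.
"""
from collections import deque
import time

# Constructed sample signature set (name -> byte pattern); not real vendor content.
SIGNATURES = {
    "dir-traversal": b"../../",
    "cmd-injection": b"; rm -rf",
    "php-webshell": b"eval(base64_decode(",
}


class Automaton:
    """Aho-Corasick automaton: each payload byte is examined once, however
    many patterns are loaded (the Low Latency / High Performance point)."""

    def __init__(self, signatures):
        self.goto = [{}]      # state -> {byte: next state}
        self.out = [set()]    # state -> signature names matched at this state
        self.fail = [0]       # state -> fallback state on mismatch
        for name, pattern in signatures.items():
            state = 0
            for b in pattern:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].add(name)
        # Breadth-first construction of failure links (depth-1 states fall back to root).
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit shorter suffix matches

    def scan(self, data):
        """Return the set of signature names found anywhere in data (one pass)."""
        state, hits = 0, set()
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits |= self.out[state]
        return hits


class BrokenEngine:
    """Hypothetical stand-in for a detection engine that has crashed."""

    def scan(self, data):
        raise RuntimeError("detection engine unavailable")


class InlineIPS:
    """In-line sensor: the verdict is produced before the packet is forwarded."""

    def __init__(self, signatures, fail_open=True, engine=None):
        self.engine = engine or Automaton(signatures)
        self.fail_open = fail_open          # Resilience: user-configurable default
        self.blocked_flows = set()
        self.events = []

    def process(self, flow, payload):
        """flow is a constructed 5-tuple key; returns 'drop' or 'forward'."""
        if flow in self.blocked_flows:
            return "drop"                   # remainder of a flagged flow is discarded
        try:
            hits = self.engine.scan(payload)
        except Exception as exc:
            # Engine failure: fail-open forwards unchecked traffic (availability),
            # fail-closed drops it (firewall-style); neither happens silently.
            self.events.append(f"{flow}: engine error ({exc})")
            return "forward" if self.fail_open else "drop"
        if hits:
            self.blocked_flows.add(flow)
            self.events.append(f"{flow}: blocked on {sorted(hits)}")
            return "drop"
        return "forward"


def scan_time(n_signatures, payload):
    """Seconds to scan payload with n constructed signatures loaded; shows that
    the single-pass cost stays flat as the signature pack grows."""
    sigs = {f"sig-{i}": f"pattern-{i:05d}-xyz".encode() for i in range(n_signatures)}
    engine = Automaton(sigs)
    t0 = time.perf_counter()
    engine.scan(payload)
    return time.perf_counter() - t0


if __name__ == "__main__":
    flow = "10.0.0.5:41000->10.0.0.9:80"     # constructed flow key
    ips = InlineIPS(SIGNATURES)
    print(ips.process(flow, b"GET /index.html HTTP/1.1\r\n"))          # forward
    print(ips.process(flow, b"GET /../../etc/passwd HTTP/1.1\r\n"))    # drop
    print(ips.process(flow, b"GET /index.html HTTP/1.1\r\n"))          # drop (flow blocked)
    print(ips.events)
    body = b"A" * 200_000
    print(f"10 sigs: {scan_time(10, body):.3f}s, 2000 sigs: {scan_time(2000, body):.3f}s")
```

Running the module prints the three verdicts for one flow (forward, drop, drop), the event log, and two scan timings that stay close together even though the second automaton holds 200 times as many patterns. A naive engine that tests each signature against the payload in turn would scale with the size of the signature pack, which is exactly the headroom problem requirement 5 warns about; swapping `Automaton` for `BrokenEngine` exercises the fail-open and fail-closed paths from requirement 3.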
LOVELY PROFESSIONAL UNIVERSITY 177