Page 71 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Unit 5: Physical Security




          This extensive protection scheme may be warranted for a laptop computer that frequently operates
          in untrusted environments (e.g., on cafe or airport Wi-Fi networks), but the heavy defenses may
          take their toll on battery life and noticeably impair the general responsiveness of the computer,
          as the HIPS protective component and the traditional AV product check each file on the PC against
          a huge blacklist to see whether it is malware.
          Alternatively, if HIPS is combined with an AV product that uses whitelisting technology, then
          far fewer system resources are used, because many applications on the PC are trusted (whitelisted).
          HIPS as an application then becomes a real alternative to traditional anti-virus products.

          Network-based IPS (NIPS)

          A network-based IPS is one where the IPS application/hardware, and any actions taken to prevent
          an intrusion on a specific network host (or hosts), run from a host with a different IP address on
          the network (this could be a front-end firewall appliance).
          Network intrusion prevention systems are purpose-built hardware/software platforms that are
          designed to analyze, detect, and report on security-related events. NIPS are designed to inspect
          traffic and, based on their configuration or security policy, can drop malicious traffic.

          Content-based IPS (CBIPS)

          A content-based IPS (CBIPS) inspects the content of network packets for unique sequences, called
          signatures, to detect and hopefully prevent known types of attack such as worm infections and
          hacks.

          Protocol Analysis

          A key development in IDS/IPS technologies was the use of protocol analyzers. Protocol analyzers
          can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols
          are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for
          anomalous behavior or exploits.

          Example: The existence of a large binary file in the User-Agent field of an HTTP request
          would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous
          behavior and instruct the IPS engine to drop the offending packets.
          Not all IPS/IDS engines are full protocol analyzers. Some products rely on simple pattern
          recognition techniques to look for known attack patterns. While this can be sufficient in many
          cases, it creates an overall weakness in detection capability: since many vulnerabilities
          have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines
          can be evaded by a variant for which no pattern exists.


                 Example: Some pattern recognition engines require hundreds of different signatures (or
          patterns) to protect against a single vulnerability. This is because they must have a different
          pattern for each exploit variant.
          Protocol analysis-based products can often block exploits with a single signature that monitors
          for the specific vulnerability in the network communications.
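          The contrast between the two engine types, as an added example that is not part of the textbook: a small protocol-aware check decodes the HTTP headers and judges the User-Agent field on its own properties, while a pattern engine can only match the constructed "known bad" strings it has signatures for. The length threshold, the signature strings and the sample requests are all assumptions made for the illustration.

```python
# Added example: protocol analysis vs. pattern matching on an HTTP User-Agent.
# Signatures, threshold and requests below are constructed for illustration.
import string

# Bytes an HTTP header value is normally built from (printable ASCII, space, tab).
PRINTABLE = set(string.printable.encode()) - set(b"\r\n\x0b\x0c")
MAX_UA_LEN = 512                                  # assumed policy threshold
SIGNATURES = [b"BADAGENT-V1", b"BADAGENT-V2"]     # constructed per-variant patterns


def parse_http_request(raw):
    """Protocol-analyzer step: decode the request line and the header fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def signature_match(raw):
    """Pattern-recognition engine: one signature is needed per exploit variant."""
    return any(sig in raw for sig in SIGNATURES)


def protocol_anomaly(raw):
    """Protocol-analysis engine: flags a User-Agent that does not look like one.
    Returns a reason string, or None when the field is unremarkable."""
    ua = parse_http_request(raw)["headers"].get(b"user-agent", b"")
    if len(ua) > MAX_UA_LEN:
        return "user-agent too long"
    if any(b not in PRINTABLE for b in ua):
        return "non-printable bytes in user-agent"
    return None


def build_request(user_agent):
    """Constructed sample request carrying the given User-Agent value."""
    return (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


NORMAL = build_request(b"Mozilla/5.0 (X11; Linux x86_64)")
KNOWN_V1 = build_request(b"BADAGENT-V1 " + bytes(range(1, 9)))   # has a signature
UNSEEN_V3 = build_request(b"BADAGENT-V3 " + bytes(range(1, 9)))  # no signature yet

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("v1", KNOWN_V1), ("v3", UNSEEN_V3)]:
        print(name, "signature:", signature_match(req), "protocol:", protocol_anomaly(req))
```

The unseen variant slips past the signature list but is still caught by the protocol check, which is the single vulnerability-oriented rule the text describes.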








                                           LOVELY PROFESSIONAL UNIVERSITY                                   65