Page 222 - DCAP403_Operating System
Unit 11: System Security
to implement prevention commands to firewalls and access control changes to routers. This
technique fell short operationally because it created a race condition between the IDS and the exploit
as the exploit passed through the control mechanism.
Inline IPS can be seen as an improvement upon firewall technologies (Snort inline is integrated
into one): an IPS can make access control decisions based on application content, rather than on IP
address or ports as traditional firewalls had done.
However, in order to improve the performance and accuracy of classification, most IPS use the
destination port in their signature format. As IPS were originally a literal extension of
intrusion detection systems, the two remain closely related.
Intrusion prevention systems may also serve secondarily at the host level to deny potentially
malicious activity. There are advantages and disadvantages to host-based IPS compared with
network-based IPS. In many cases, the technologies are thought to be complementary.
An Intrusion Prevention system must also be a very good Intrusion Detection system to achieve a
low rate of false positives. Some IPS can also prevent attacks that have not yet been discovered, such
as those based on a buffer overflow.
The role of an IPS in a network is often confused with access control and application-layer
firewalls. There are some notable differences in these technologies. While all share similarities,
how they approach network or system security is fundamentally different.
An IPS is typically designed to operate completely invisibly on a network. IPS products do not
typically claim an IP address on the protected network but may respond directly to any traffic
in a variety of ways. (Common IPS responses include dropping packets, resetting connections,
generating alerts, and even quarantining intruders.) While some IPS products have the ability
to implement firewall rules, this is often a mere convenience and not a core function of the
product.
Moreover, IPS technology offers deeper insight into network operations, providing information on
overly active hosts, bad logons, inappropriate content and many other network- and application-
layer functions.
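The inline decision flow described above, as an added example that is not from the textbook and not Snort's code: a small Python engine whose rules are bucketed by destination port and matched on application content, with the drop, reset, alert and quarantine responses listed above. The same rules are then run in a passive, out-of-band mode to show the race condition mentioned at the top of the page, where the triggering packet has already reached the host before the block takes effect. Rule ids, patterns, addresses and payloads are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source address (constructed sample values below)
    dst_port: int   # destination port, used to select the candidate rules
    payload: bytes  # application content, what the rule actually matches


@dataclass
class Rule:
    sid: int        # hypothetical signature id, not a real vendor/Snort SID
    dst_port: int   # the port the signature is keyed on
    pattern: bytes  # regex applied to the payload
    action: str     # "drop", "reset", "alert" or "quarantine"
    msg: str


# Constructed rule set for the example; the patterns are illustrative only.
RULES = [
    Rule(1, 80, rb"\.\./\.\./", "drop", "path traversal sequence in HTTP request"),
    Rule(2, 80, rb"(?i)union\s+select", "reset", "SQL keywords in HTTP request"),
    Rule(3, 21, rb"(?i)^USER\s+anonymous", "alert", "anonymous FTP login"),
    Rule(4, 80, rb"A{200,}", "quarantine", "oversized repeated payload (overflow-style)"),
]


class InlineIPS:
    """Rules are bucketed by destination port, so a packet is compared only
    against the signatures written for the service it is addressed to."""

    def __init__(self, rules):
        self.by_port = {}
        for r in rules:
            self.by_port.setdefault(r.dst_port, []).append(r)
        self.quarantined = set()   # sources whose later packets are all dropped
        self.alerts = []           # (sid, src, msg) tuples

    def decide(self, pkt):
        """Return the verdict for one packet: 'forward', 'drop' or 'reset'."""
        if pkt.src in self.quarantined:
            return "drop"
        for rule in self.by_port.get(pkt.dst_port, []):
            if re.search(rule.pattern, pkt.payload):
                self.alerts.append((rule.sid, pkt.src, rule.msg))
                if rule.action == "alert":       # log only, traffic still passes
                    return "forward"
                if rule.action == "quarantine":  # drop now and for the rest of the session
                    self.quarantined.add(pkt.src)
                    return "drop"
                return rule.action               # "drop" or "reset"
        return "forward"


def run_inline(packets):
    """Inline placement: the verdict is taken before the packet is forwarded."""
    ips = InlineIPS(RULES)
    delivered = [p for p in packets if ips.decide(p) == "forward"]
    return delivered, ips.alerts


def run_passive(packets):
    """Out-of-band IDS that pushes a block to the firewall after the fact:
    the packet that triggers the rule has already reached the host, and the
    block only catches later packets from that source (the race condition)."""
    ids = InlineIPS(RULES)
    blocked, delivered = set(), []
    for p in packets:
        if p.src in blocked:
            continue
        delivered.append(p)                 # forwarded before the verdict exists
        if ids.decide(p) != "forward":
            blocked.add(p.src)              # takes effect only from the next packet
    return delivered, ids.alerts


# Constructed sample traffic (addresses and payloads are made up).
TRAFFIC = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /../../private.cfg HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", 80, b"GET /login HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", 21, b"USER anonymous\r\n"),
    Packet("10.0.0.7", 22, b"union select"),  # no rules keyed on port 22: not inspected
    Packet("10.0.0.11", 80, b"GET /" + b"A" * 300 + b" HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.11", 80, b"GET / HTTP/1.1\r\n\r\n"),  # dropped only by inline quarantine
]

if __name__ == "__main__":
    for name, fn in (("inline", run_inline), ("passive", run_passive)):
        delivered, alerts = fn(TRAFFIC)
        print(f"{name}: {len(delivered)} of {len(TRAFFIC)} packets reached the host, "
              f"{len(alerts)} alerts")
```

Both runs raise the same three alerts, but only the inline run stops the packet that triggered rule 1: in passive mode that packet is delivered and the block falls on the benign follow-up request instead, which is exactly the race the text describes. The port-22 packet with SQL keywords is never inspected because no rule is keyed on that port, which is the performance trade-off of port-indexed signatures.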
Application firewalls are a very different type of technology. An application firewall uses proxies
to perform firewall access control for network and application-layer traffic. Some application-
layer firewalls have the ability to do some IPS-like functions, such as enforcing RFC specifications
on network traffic. Also, some application layer firewalls have also integrated IPS-style signatures
into their products to provide real-time analysis and blocking of traffic.
Application firewalls do have IP addresses on their ports and are directly addressable. Moreover,
they use full proxy features to decode and reassemble packets. Not all IPS perform full
proxy-like processing. Also, application-layer firewalls tend to focus on firewall capabilities, with
IPS capabilities as an add-on. While there are numerous similarities between the two technologies,
they are not identical and are not interchangeable.
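The proxy behaviour described above, as an added example that is not part of the textbook and not code from any product it names: a Python front end that reassembles the client's TCP segments into the complete request and enforces the HTTP/1.1 request grammar of RFC 7230 (token methods and header names, CRLF line endings, a Host header) before anything would be forwarded to the server. A per-packet engine cannot do this parse, because the request line here is split across two segments. Segment contents and hostnames are constructed for the example.

```python
import re

# RFC 7230 "token" characters (used for methods and header field names)
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(rb"^HTTP/1\.[01]$")


def parse_request(head):
    """Parse one complete HTTP request header block (without the final blank
    line) and enforce the RFC grammar. Raises ValueError on any violation."""
    if b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("bare LF in header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if not TOKEN.match(method):
        raise ValueError("method is not a token")
    if not VERSION.match(version):
        raise ValueError("unsupported or malformed HTTP version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):   # rejects "Host : x" and lines without a colon
            raise ValueError("malformed header field: %r" % line)
        headers[name.lower()] = value.strip()
    if version == b"HTTP/1.1" and b"host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


class ProxyStream:
    """Client-side half of the proxy: it buffers TCP segments and only hands a
    request on once the whole header block has been reassembled."""

    def __init__(self, max_header_bytes=8192):
        self.buf = b""
        self.max = max_header_bytes

    def feed(self, segment):
        """Return the parsed request once complete, None while still waiting."""
        self.buf += segment
        end = self.buf.find(b"\r\n\r\n")
        if end == -1:
            if len(self.buf) > self.max:
                raise ValueError("header block exceeds limit")
            return None
        head, self.buf = self.buf[:end], self.buf[end + 4:]  # remainder is body/next request
        return parse_request(head)


def reassemble(segments):
    """Feed segments in order; return the request, or None if it never completed."""
    proxy = ProxyStream()
    for seg in segments:
        req = proxy.feed(seg)
        if req is not None:
            return req
    return None


def check(head):
    """Convenience wrapper: (True, request) when compliant, else (False, reason)."""
    try:
        return True, parse_request(head)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample: one request arriving in three TCP segments, with the
# request line itself split across the first two.
SEGMENTS = [
    b"GET /index.ht",
    b"ml HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo",
    b"\r\n\r\n",
]

if __name__ == "__main__":
    print(reassemble(SEGMENTS))
    for raw in (b"GET / HTTP/1.1\r\nHost : example.test",   # space before colon
                b"GET / HTTP/1.1\nHost: example.test",        # bare LF
                b"GET / HTTP/1.1"):                           # no Host header
        print(check(raw))
```

The header-size limit in `ProxyStream.feed` is the proxy's own protection: because it buffers before parsing, it must bound how much it will hold for a client that never completes the header block.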
Unified Threat Management (UTM) products, sometimes called “Next Generation Firewalls”, are
a different breed of product entirely. UTM products bring together multiple security capabilities
on a single platform.
A typical UTM platform will provide firewall, VPN, anti-virus, web filtering, intrusion prevention
and anti-spam capabilities. Some UTM appliances are derived from IPS products such as 3Com’s
X-series products.
Others are derived from a combination with firewall products, such as Juniper’s SSG or Cisco’s
Adaptive Security Appliances (ASA). And still others were built from the ground up as a
UTM appliance, such as Fortinet or Astaro. The main feature of a UTM is that it includes multiple
security features on one appliance; IPS is merely one of them.
LOVELY PROFESSIONAL UNIVERSITY 215