The need for active protection.
Because they sit at different points in the network and use different detection technologies, host IPS (HIPS) and network IPS (NIPS) each offer specific benefits, including the ability to detect attacks the other cannot see, and, when combined, provide complementary layers of protection.
HIPS reside on individual systems such as servers, workstations or notebooks. These system-specific programs, or "agents," may protect only the operating system, or the operating system and the applications running on the host (such as Web servers). The agents inspect traffic flowing into or out of that particular system, requests for services (e.g., applications) and the behavior of the applications and operating system for signs of an attack. Attack-detection techniques vary, but the most comprehensive products use three complementary technologies to detect attacks and reduce false positives:
* Behavioral rules detect unusual or unauthorized activity in the system and issue commands to the application or operating system to stop the behavior initiated by the attack.
* Signatures detect known attacks by comparing incoming traffic against a database of known attack patterns, and block the attack before it can do damage. Signatures also provide exact descriptions of events, enabling security staff to fully understand the threat.
* A firewall blocks unauthorized requests to applications and services on the host, and unauthorized connections out of it, controlling access based on ports, protocols and IP addresses.
HIPS protect mobile systems when they are outside the protected network (roaming notebooks are a primary vector for introducing worms into a protected network), and protect systems against local attacks, for example by personnel with physical access who execute programs introduced via a CD or USB memory stick.
These agents also block encrypted attacks targeting the protected system, because they inspect incoming traffic after the host has decrypted it. Because they operate independently of the network architecture, HIPS can protect systems on obsolete or unusual network architectures, such as Token Ring and FDDI, or on segments not covered by a NIPS.
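The three HIPS layers listed above, as an added example in Python that is not code from the article or from McAfee: a toy host agent that applies a firewall policy, a set of request signatures and two behavioral rules to constructed requests and process events. Every address, port, signature pattern, rule name and event below is hypothetical. The point it makes beyond the text is that a request carrying no known signature is still stopped when the web-server process then does something a web server never legitimately does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Layer 1: host firewall policy (constructed). First matching rule wins;
# anything not matched is denied.
FIREWALL = [
    ("allow", "tcp", 80, ip_network("0.0.0.0/0")),   # public web service
    ("allow", "tcp", 22, ip_network("10.0.0.0/8")),  # SSH only from the LAN
]

# Layer 2: content signatures (constructed, hypothetical patterns).
SIGNATURES = {
    b"/../": "path-traversal",
    b"' OR '1'='1": "sql-injection",
}


@dataclass
class Request:
    src: str        # client IP address
    proto: str      # "tcp" or "udp"
    port: int       # destination port on this host
    payload: bytes  # first bytes of the request


@dataclass
class HostEvent:
    kind: str       # "exec" or "write"
    parent: str     # process that performed the action
    target: str     # program executed or file written


# Layer 3: behavioral rules on what the protected application does (constructed).
def web_server_spawns_shell(ev):
    return ev.kind == "exec" and ev.parent == "httpd" and ev.target in ("/bin/sh", "/bin/bash")


def web_server_writes_etc(ev):
    return ev.kind == "write" and ev.parent == "httpd" and ev.target.startswith("/etc/")


BEHAVIOR_RULES = [
    ("web-server-spawned-shell", web_server_spawns_shell),
    ("web-server-modified-etc", web_server_writes_etc),
]


def firewall_verdict(req):
    """Port/protocol/address check; returns 'allow' or 'deny'."""
    for action, proto, port, net in FIREWALL:
        if req.proto == proto and req.port == port and ip_address(req.src) in net:
            return action
    return "deny"


def signature_hits(req):
    return [name for sig, name in SIGNATURES.items() if sig in req.payload]


def inspect_request(req):
    """Firewall first, then signatures; returns (verdict, reason)."""
    if firewall_verdict(req) == "deny":
        return ("block", "firewall")
    hits = signature_hits(req)
    if hits:
        return ("block", "signature:" + hits[0])
    return ("allow", "")


def inspect_event(ev):
    """Behavioral layer: catches an exploit that carried no known signature
    by what the compromised process tries to do afterwards."""
    hits = [name for name, rule in BEHAVIOR_RULES if rule(ev)]
    return ("block", "behavior:" + hits[0]) if hits else ("allow", "")


if __name__ == "__main__":
    internet, lan = "198.51.100.7", "10.1.2.3"
    print(inspect_request(Request(internet, "tcp", 22, b"SSH-2.0")))   # firewall blocks
    print(inspect_request(Request(lan, "tcp", 22, b"SSH-2.0")))        # LAN SSH allowed
    print(inspect_request(Request(internet, "tcp", 80, b"GET /../../etc/passwd HTTP/1.0")))
    # No signature matches this request, so it is allowed in ...
    print(inspect_request(Request(internet, "tcp", 80, b"GET /cgi-bin/form?x=AAAA HTTP/1.0")))
    # ... but the shell the web server then tries to spawn is stopped.
    print(inspect_event(HostEvent("exec", "httpd", "/bin/sh")))
```

The order matters: the firewall is the cheapest check and needs no payload, signatures need the request bytes, and behavioral rules need visibility into the process after the request has been accepted, which is why only a host agent can provide that last layer.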
NIPS are devices deployed in-line with the protected network segment: all traffic between the protected segment and the rest of the network must pass through the device, which inspects it for hostile content and either passes or blocks it. Attack-detection mechanisms vary between systems, but the most comprehensive systems integrate several techniques to detect attacks and minimize false positives:
* Protocol normalization removes any evasion techniques an attacker might have employed to avoid detection (such as packet fragmentation or session splicing).
* Signature detection identifies known attacks and, where a signature describes the vulnerability rather than one specific exploit, previously unseen attacks that target that vulnerability within an operating system or application.
* Stateful inspection tracks the connection state of packets flowing through the device, and considers only packets that are part of a valid connection and could therefore actually compromise a system, rather than alerting on stray or spoofed packets that no application will ever process.
* Statistical anomaly detection can identify harmful traffic that suddenly exceeds expected or baseline values (signaling a denial-of-service attack).
* Decryption of encrypted traffic (which requires the device to have access to the necessary keys) enables the inspection of traffic that often hides an attack.
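Protocol normalization, stateful inspection and statistical anomaly detection from the list above, as an added example in Python that is not code from the article or from McAfee: a toy in-line NIPS that tracks TCP handshakes, reassembles the client-to-server stream before matching a signature, drops data that belongs to no tracked connection, and flags a source whose SYN count exceeds a baseline. The addresses, sequence numbers, signature pattern and baseline are all constructed. It goes slightly beyond the text by also running a naive per-packet matcher over the same trace, to show why session splicing defeats matching without normalization.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, hypothetical signature: one byte pattern to block when it
# appears in the reassembled client-to-server stream.
SIGNATURES = {b"GET /../../etc/passwd": "path-traversal-attempt"}

# Constructed baseline for the anomaly check: SYNs tolerated per source.
SYN_BASELINE = 5


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "S" (SYN), "SA" (SYN/ACK), "A" (ACK) or "PA" (data)
    seq: int = 0
    payload: bytes = b""


@dataclass
class Flow:
    client: str         # side that sent the SYN
    next_seq: int       # next client sequence number we expect
    stream: bytes = b"" # normalized (reassembled) client->server bytes
    established: bool = False


def naive_match(packets):
    """Per-packet matching with no reassembly: what session splicing defeats."""
    return [name for p in packets for sig, name in SIGNATURES.items() if sig in p.payload]


class NIPS:
    def __init__(self):
        self.flows = {}                 # (addr, addr) -> Flow
        self.syns = defaultdict(int)    # source -> SYNs seen
        self.alerts = []

    @staticmethod
    def key(p):
        return tuple(sorted((p.src, p.dst)))

    def inspect(self, p):
        """Return 'pass' or 'drop' for one packet; packets arrive in order."""
        k = self.key(p)
        if p.flags == "S":
            # Statistical anomaly: SYN count from one source above baseline.
            self.syns[p.src] += 1
            if self.syns[p.src] > SYN_BASELINE:
                self.alerts.append(("syn-flood", p.src))
                return "drop"
            self.flows[k] = Flow(client=p.src, next_seq=p.seq + 1)
            return "pass"
        flow = self.flows.get(k)
        if flow is None:
            # Stateful inspection: no handshake seen, so this is not part of a
            # valid connection and is never matched against signatures.
            self.alerts.append(("out-of-state", p.src))
            return "drop"
        if p.flags == "A" and not flow.established:
            flow.established = True
        if p.flags == "PA" and p.src == flow.client:
            if p.seq != flow.next_seq:
                # Gap or overlap: a real device queues or times out; dropping
                # keeps un-normalized data from reaching the server.
                self.alerts.append(("out-of-order", p.src))
                return "drop"
            # Protocol normalization: match on the reassembled stream, so a
            # pattern split across segments is still seen whole.
            flow.next_seq += len(p.payload)
            flow.stream += p.payload
            for sig, name in SIGNATURES.items():
                if sig in flow.stream:
                    self.alerts.append((name, p.src))
                    del self.flows[k]   # tear the connection down
                    return "drop"
        return "pass"


def run(packets):
    """Feed a trace through a fresh device; returns (verdicts, alerts)."""
    ips = NIPS()
    return [ips.inspect(p) for p in packets], ips.alerts


def spliced_attack():
    """Constructed trace: handshake, then the signature split over two segments."""
    c, s = "10.0.0.5", "10.0.0.80"
    return [
        Packet(c, s, "S", seq=1000),
        Packet(s, c, "SA", seq=5000),
        Packet(c, s, "A", seq=1001),
        Packet(c, s, "PA", seq=1001, payload=b"GET /../"),
        Packet(c, s, "PA", seq=1009, payload=b"../etc/passwd HTTP/1.0\r\n"),
    ]


def syn_flood(n=SYN_BASELINE + 1):
    """Constructed trace: n SYNs from one source, no handshake ever completed."""
    return [Packet("10.0.0.9", "10.0.0.80", "S", seq=i) for i in range(n)]


if __name__ == "__main__":
    print("naive:", naive_match(spliced_attack()))   # empty: the split evades it
    print("nips :", run(spliced_attack()))            # last segment dropped
    print("flood:", run(syn_flood()))                 # sixth SYN dropped
```

The reassembly here is deliberately strict (anything out of order is dropped) to keep the example short; a production device has to buffer and time out segments, and the timeout and overlap-resolution policy it picks is exactly what fragmentation and splicing evasions probe for.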
NIPS gives IT administrators a broader view of the threat environment, including scans, probes and attacks against assets that cannot run a host agent. It protects network devices such as routers, firewalls and VPN concentrators, and protects the network itself against attacks such as denial-of-service, bandwidth-exhaustion and SYN-flood attacks. Because it operates independently of the end system's platform, NIPS protects legacy and custom operating systems and applications as well.
For more information from McAfee: www.rsleads.com/409cn-256
This article was provided by Patrick Bedwell, who specializes in intrusion prevention product marketing at McAfee, Santa Clara, Calif.
Title annotation: Network Security; intrusion-prevention systems
Date: Sep 1, 2004