Intrusion Prevention Systems
can help protect a network and its resources
or data from attack, theft,
destruction or even espionage
Intrusion Prevention is
a solution that protects applications, infrastructure and performance.
Host applications and operating systems are protected against
worms, trojans and viruses. Infrastructure elements, like routers,
firewalls, and DNS servers, are protected against DoS (denial
of service) attacks and other compromises. Mission-critical application
performance is protected by eliminating or throttling rogue applications
such as peer-to-peer file sharing and instant messaging.
Intrusion Prevention provides continuous benefits in any network
- Automatically Block Attacks: By blocking attacks and
allowing IT staff to test security patches before deployment,
system uptime is ensured.
- Eliminate Emergency Patching: IPS filters can act
as Virtual Software Patches, alleviating the need for ad-hoc
and emergency patching.
- Protect Unpatched Systems: Most environments cannot
control all end user desktops. Some environments such as service
providers or universities have very little control. An IPS can
provide network segmentation to stop the spread of malicious
traffic from infected users, while notifying the administrator
where attacks are originating.
- Reclaim Bandwidth: Blocking malicious traffic and
rate shaping rogue applications can increase bandwidth availability
by 40-70 percent.
- Accelerate Network Performance: By continually cleansing
the network of malicious and unwanted traffic network performance
is accelerated for mission critical applications.
Essential characteristics of an IPS:
- In-line Operation: only by operating in-line can an
IPS device perform true protection and block attacks or rate
- High Availability: As an in-line device, resilience
to adverse network conditions is paramount. Features such as
dual power supplies, Active-Active stateful network redundancy,
and L2-switch fallback are critical.
- Performance: The only way to guarantee high performance
and low latency under all conditions is with purpose-built hardware.
Architectures should include custom ASICs and high-speed backplanes.
The hardware should ensure that packets flow through the IPS
with a bounded latency measured in microseconds, independent
of the number of filters that are applied.
- Out-of-the-Box Accuracy: Attack recognition accuracy
is accomplished by combining the three broad categories of filtering
methods - Vulnerability-Based, Traffic Anomaly-Based and Signature.
Accuracy is imperative since false positives can lead to a Denial
of Service condition. Out-of-the-box, the user MUST be able to
trust that the IPS is blocking only malicious traffic without
- Usability: An IPS must deliver best-of-breed management
capabilities that are simple to use yet powerful. A combination
of centralized and local management is required to ensure 100%
accessibility. Centralized management should provide global vision
and control for enterprise-wide deployments. Management features
should include "big picture" analysis with trending
reports, network discovery, configuration and monitoring.
An IDS (Intrusion Detection System) is a network security
system designed to identify intrusive or malicious behavior via
monitoring of network activity. The IDS identifies suspicious
patterns that may indicate an attempt to attack, break in to,
or otherwise compromise a system. An IDS can be network-based
or host-based, passive or reactive, and can rely on either misuse
detection or anomaly detection.
IDS vs Firewalls. Firewalls specify
policies about what traffic may or may not enter a particular
computer network. An IDS monitors patterns of traffic and signals
an alert once it deems that an attack has taken place.
DARKNETS CAN SERVE AS AN EARLY WARNING
SYSTEM FOR NETWORK THREATS
In nature, vigilance and intelligence are essential for the
survival of any species. The ability to communicate information
quickly and uniformly, particularly threats, is often the difference
between evolution and extinction. Survival also depends on the
ability to respond appropriately to a detected threat. The faster
you can identify the location and intent of a possible threat,
the faster you can choose a response. Intrusion detection systems
(IDSs) act as a form of network "radar," but they generally
only benefit specific networks. As the importance and use of
the Internet increases, rapid identification of threats at a
global level becomes even more vital. Better advance warning
benefits the entire Internet, and this is where darknets and
network telescopes come into play. These terms describe both
a concept and actual tool used for sounding early warning of
Internet threats. By detecting port scanning activity early,
it's possible to gain valuable information about a threat before
it becomes widespread.
A darknet is basically a "dark" network, an area
of routed IP address space that has few or no valid services
or hosts. By default, you can consider any traffic entering a
darknet from any source as hostile (except, of course, traffic
you specifically know about). The larger the IP address space,
the better the darknet can monitor potential sources of malicious
Internet traffic. If you configure a darknet with public Internet
address space, you can use it to monitor malicious activity on
the Internet itself. However, due to the limitations of public
Internet address space, only organizations such as the Cooperative
Association for Internet Data Analysis (CAIDA) and universities
involved in Internet research generally set up darknets on public
Internet space. But you still have options on a private IP network.
You can use a darknet to track internal network activity indicative
of an internal host compromise or worm. Darknets aren't difficult
to set up; just take a large chunk of IP space you aren't using
for valid networks, and route it to a specific IP address. While
darknets are different from traditional IDSs, they use the same
type of detection. But with a darknet, you know immediately that
any traffic entering is hostile because there are no advertised
services in a darknet. This solves two problems associated with
- First, you don't need to classify the source of data. By
design, a darknet only monitors traffic and serves no other purpose,
so you know any data entering the darknet is hostile.
- Second, you don't need to inspect the data to know that it's
hostile. No one would be probing an empty network space unless
he or she was looking for something.
It's enough to identify the source and destination IP addresses
and protocol ports. Then, if you want to identify the specific
worm or exploit associated with the hostile traffic, you can
use an IDS such as Snort to fingerprint data packets rather quickly.
Whether darknets are valuable in the corporate environment depends
on your definition of security. Darknets don't stop hostile traffic
at the perimeter like a firewall, nor do they block viruses or
filter content. But a darknet specifically monitors traffic that
shouldn't occur at all, and it provides yet another tool for
your security arsenal. Darknets can provide early notification
of wide-scale Internet threats and therefore play a role in Internet
security. For example, you could use a darknet on an internal
corporate network to quickly identify hosts infected with a network
worm before the worm spreads to the entire internal network--and
possibly before antivirus software can even detect it.
Now available: Download the NIST (National Institute of Standards and
Technology) Intrusion Detection
Systems special publication 800-31 (1124 KB PDF) from Network Chico.
Check out the Network Chico
for links to more information.
Additional security pages:
| Anti-virus | Browser
cookies | Email | Firewall
| IPS |
| Network | Passwords
| Registry | Server
| Spyware | Terms
| Wireless |
View current Windows security threats from: