Intrusion Prevention – SY0-601 CompTIA Security+ : 3.3

Intrusion prevention is a useful way to block known vulnerabilities. In this video, you’ll learn about passive monitoring, out-of-band responses, inline monitoring, and in-line responses.


A network-based intrusion detection system, or more commonly a network-based intrusion prevention system, is designed to look at traffic going through your network, identify any known attacks that may be inside of that traffic, and block or mitigate those attacks in some way.

These attacks commonly focus on individual operating systems or application servers, and they target known vulnerabilities such as buffer overflows, database injections, cross-site scripting, and others. An intrusion detection system is designed simply to alarm or alert if a problem occurs; an IDS does not commonly have a way to block that communication in real time.

Because of that, we don’t commonly see a single IDS device on our network. It’s usually an intrusion prevention system that may not be configured to block in real time, and sometimes we refer to that as an IDS. An intrusion prevention system has the ability to block traffic in real time as it’s going through the IPS. This prevention capability is very valuable, especially when you want to be sure that none of that malicious traffic is getting into your network.

One way to connect an IDS or IPS to your network is through passive monitoring. You might have an IPS off to the side that receives information from a switch that is redirecting traffic from other devices on the network. This can be done with a port mirror, which in the Cisco world is called a Switched Port Analyzer, or SPAN, or with a physical network tap that redirects that traffic.

This means that information flows from one device to another, and a copy of that traffic is sent to the IPS during that process. The IPS then examines that copy of the traffic flow to see if there are any known attacks inside of it. If there are, usually an alert or message is displayed so that the system administrator can decide what to do next.

Since this IPS is not in line with the actual traffic flows, there’s no way for the IPS to block that traffic in real time. An IPS in one of these passive modes sees only a copy of the traffic and cannot block the original flow.

However, there are some response methods that allow the IPS to limit the traffic that might be sent or received by a device once that malicious traffic is identified. We do that through an out-of-band response. Traffic is going between systems, and a copy of that traffic is sent to the IPS. If the IPS identifies malicious traffic within those flows, it can send a TCP reset to those devices, effectively disabling that particular traffic flow.

This doesn’t stop the original packet from getting through, but it prevents any subsequent information being sent over that same flow. This reset functionality is part of the TCP protocol; if the traffic flow was UDP-based, the IPS would not have a reset feature available to disconnect that particular flow.

A much more common implementation is to have the IPS in line on the network, evaluating all traffic that is sent through it. Traffic is sent into the network and received by the IPS. The IPS examines the traffic to make sure that nothing inside it might be malicious, and if everything looks OK, it sends it on its way. Because the IPS is in-band, it’s able to block traffic in real time and prevent any malicious traffic from getting inside the network.

So the same traffic flow would occur, and as that traffic hits the IPS, the IPS would recognize that there’s some type of attack inside that packet. It would then drop that packet and prevent any additional traffic on that flow from going through the network. Nothing would come out the other side of the IPS to cause problems on the inside of your network.
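The difference between the three deployment modes above is easiest to see by running the same packets through each one. The following is an added toy model (not code from the video or any IPS product): the packets, the flow addresses and the byte-pattern signature are all constructed, and "sending a reset" is modelled as tearing down the flow rather than as real packet injection.

```python
"""Toy model of the three IPS deployment modes described above: passive
(SPAN/tap copy, alert only), out-of-band (copy plus TCP reset) and inline
(IPS sits in the path and drops). Constructed example, not a product."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    payload: bytes


# Constructed placeholder signature; real IPS signatures are far more specific.
SIGNATURE = b"CONSTRUCTED-EXPLOIT-MARKER"


def is_malicious(pkt: Packet) -> bool:
    """Signature match on the payload (the detection step, identical in every mode)."""
    return SIGNATURE in pkt.payload


@dataclass
class Outcome:
    delivered: List[Packet] = field(default_factory=list)   # what reached the far side
    alerts: List[str] = field(default_factory=list)
    resets_sent: List[str] = field(default_factory=list)
    blocked_flows: Set[Tuple[str, str, str]] = field(default_factory=set)


def flow_key(pkt: Packet) -> Tuple[str, str, str]:
    return (pkt.src, pkt.dst, pkt.proto)


def passive_mode(packets: List[Packet]) -> Outcome:
    """IPS receives a copy via SPAN/tap: it can only alert; everything is delivered."""
    out = Outcome()
    for p in packets:
        if is_malicious(p):
            out.alerts.append(f"ALERT {p.proto} {p.src}->{p.dst}")
        out.delivered.append(p)
    return out


def out_of_band_mode(packets: List[Packet]) -> Outcome:
    """Copy of traffic plus an out-of-band response: on a hit the IPS sends a TCP
    reset to both ends. The triggering packet has already been delivered, later
    packets on that TCP flow are torn down, and UDP flows cannot be reset."""
    out = Outcome()
    for p in packets:
        key = flow_key(p)
        if key in out.blocked_flows:
            continue                  # endpoints closed the connection after the RST
        out.delivered.append(p)       # the original packet was never in the IPS's path
        if is_malicious(p):
            out.alerts.append(f"ALERT {p.proto} {p.src}->{p.dst}")
            if p.proto == "TCP":
                out.resets_sent.append(f"RST {p.src}<->{p.dst}")
                out.blocked_flows.add(key)
    return out


def inline_mode(packets: List[Packet]) -> Outcome:
    """IPS is in-band: the offending packet and the rest of its flow are dropped
    before anything reaches the inside of the network, regardless of protocol."""
    out = Outcome()
    for p in packets:
        key = flow_key(p)
        if key in out.blocked_flows:
            continue
        if is_malicious(p):
            out.alerts.append(f"ALERT {p.proto} {p.src}->{p.dst}")
            out.blocked_flows.add(key)
            continue                  # dropped, never forwarded
        out.delivered.append(p)
    return out


def sample_traffic() -> List[Packet]:
    """Constructed flows: one TCP and one UDP, each benign / malicious / benign."""
    packets: List[Packet] = []
    for proto in ("TCP", "UDP"):
        packets += [
            Packet("10.0.0.5", "10.0.0.9", proto, b"GET /index.html"),
            Packet("10.0.0.5", "10.0.0.9", proto, b"POST /x " + SIGNATURE),
            Packet("10.0.0.5", "10.0.0.9", proto, b"GET /next.html"),
        ]
    return packets


if __name__ == "__main__":
    for mode in (passive_mode, out_of_band_mode, inline_mode):
        o = mode(sample_traffic())
        print(f"{mode.__name__:>16}: delivered={len(o.delivered)} "
              f"alerts={len(o.alerts)} resets={len(o.resets_sent)}")
```

Running it shows the point of the section: passive mode delivers all six packets and only alerts; out-of-band mode still delivers the two malicious packets and loses only the remainder of the TCP flow (the UDP flow is untouched because there is no reset to send); inline mode is the only one where the malicious packets never reach the inside.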

There are many different ways for an IPS to understand what might be malicious on your network. One of the most common is by looking at a signature; the example shown in the video is a signature for the Conficker worm. If any traffic comes through your network that matches that signature exactly, the IPS will identify it as malicious and drop that traffic from the network.

Many IPS systems can also learn what normal traffic looks like, and if anything changes from that normal traffic flow, they can block that particular traffic. We refer to this as anomaly-based detection. But it requires that the IPS sit on the network for a certain amount of time to understand what is normal on your network and what is abnormal.

If the IPS normally sees that your network has relatively low utilization and not many file transfers, and suddenly there is a large amount of traffic performing file transfers, it may recognize that as an anomaly and block that traffic. Although the IPS may not have a specific signature it can fire on, it does recognize certain types of behavior.

For example, an IPS may understand what a normal database request looks like, but it might also understand what SQL injection looks like. Even if there is not a specific signature for that SQL injection, it can identify the unusual behavior and block it in the IPS.
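The contrast between signature-based and anomaly-based detection in the last few paragraphs can be shown side by side on a small set of traffic records. This is an added example, not the video's material or any vendor's detection engine: the signature strings are constructed placeholders (not the Conficker signature or any real rule), the per-minute file-transfer volumes are constructed, and the baseline-plus-three-standard-deviations threshold is one simple choice of anomaly rule among many.

```python
"""Signature-based versus anomaly-based detection on constructed flow records.
Added illustration of the two methods described above; not a real IPS."""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MinuteStats:
    minute: int
    file_transfer_bytes: int   # bytes moved by file-transfer flows in that minute
    payload_sample: bytes      # a sampled payload from the same minute


# Constructed placeholder signatures (not the Conficker signature from the video
# nor any vendor rule); a real signature is a precise byte/protocol pattern.
SIGNATURES: Dict[str, bytes] = {
    "CONSTRUCTED-SIG-0001": b"EXAMPLE-WORM-MARKER",
    "CONSTRUCTED-SIG-0002": b"EXAMPLE-EXPLOIT-MARKER",
}


def signature_match(payload: bytes) -> Optional[str]:
    """Exact pattern match: fires only on traffic a signature author anticipated."""
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


class AnomalyDetector:
    """Learns a baseline of file-transfer volume per minute, then flags minutes
    far above it. No signature is needed, but nothing is flagged until the
    learning period is over (the 'sit on the network for a while' cost)."""

    def __init__(self, learning_minutes: int = 10, sigmas: float = 3.0) -> None:
        self.learning_minutes = learning_minutes
        self.sigmas = sigmas
        self.history: List[int] = []
        self.mean: Optional[float] = None
        self.stdev: Optional[float] = None

    def observe(self, value: int) -> str:
        """Returns 'learning', 'normal' or 'anomaly' for this minute's volume."""
        if len(self.history) < self.learning_minutes:
            self.history.append(value)
            if len(self.history) == self.learning_minutes:
                self.mean = statistics.fmean(self.history)
                # floor the spread so a perfectly flat baseline still has a threshold
                self.stdev = max(statistics.pstdev(self.history), 1.0)
            return "learning"
        if value > self.mean + self.sigmas * self.stdev:
            return "anomaly"
        return "normal"


def inspect(record: MinuteStats, detector: AnomalyDetector) -> List[str]:
    """Run both methods on one minute of traffic; each entry says what fired."""
    verdicts: List[str] = []
    sig = signature_match(record.payload_sample)
    if sig:
        verdicts.append(f"signature:{sig}")
    if detector.observe(record.file_transfer_bytes) == "anomaly":
        verdicts.append("anomaly:file-transfer-volume")
    return verdicts


def baseline_minutes() -> List[int]:
    """Constructed quiet-network baseline (bytes/minute): mean 55200, pstdev 5400."""
    return [52000, 61000, 48000, 57000, 63000, 50000, 55000, 59000, 47000, 60000]


def run_demo() -> List[List[str]]:
    """Ten learning minutes, then a clean minute, a volume spike, and a signature hit."""
    det = AnomalyDetector()
    records = [MinuteStats(i, b, b"GET /report.pdf")
               for i, b in enumerate(baseline_minutes())]
    records += [
        MinuteStats(10, 65_000, b"GET /q?id=7"),                        # quiet, clean
        MinuteStats(11, 5_000_000, b"GET /backup.tar"),                 # spike, no signature
        MinuteStats(12, 58_000, b"POST /upload EXAMPLE-WORM-MARKER"),   # signature, normal volume
    ]
    return [inspect(r, det) for r in records]


if __name__ == "__main__":
    for minute, verdicts in enumerate(run_demo()):
        print(minute, verdicts or ["clean"])
```

Minute 11 is caught only by the anomaly rule (no signature exists for "unusually large file transfers"), while minute 12 is caught only by the signature (its volume is perfectly ordinary); an IPS that relies on one method alone misses one of the two, which is why most products combine them.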

More advanced IPS systems might use big data along with artificial intelligence and machine learning to understand broadly the way your network operates, and to identify malicious software based on that large amount of data and intelligence.