-- PAGE 4 --

Intrusion Prevention Systems – A Review (cont.)

As the diagram (Figure 2, previous page) shows, the use of multiple filters makes an IPS significantly more effective at inspecting, identifying and blocking attacks in a timely manner. The IPS creates a new filter once a new attack method has been located and identified, and it is in this capacity for fluid evolution that the strength of the IPS resides.

The IPS packet inspection engine is normally a bespoke integrated circuit designed for deep data inspection. Attacks attempting to exploit vulnerabilities and breach security anywhere from OSI model layer 2 (MAC) through to layer 7 (Application) are filtered by the IPS engine, whereas the capability of a traditional firewall extends only to layer 3 (Network) or layer 4 (Transport). The packet-filter technology of the traditional firewall does not inspect each byte of the data segment, meaning that a firewall cannot identify all attacks. In contrast, the IPS is capable of performing such inspections: every data packet is classified and sent to the relevant filter according to the header information of the packet in question, such as source address, destination address, port and data fields. Each filter is responsible for analyzing its corresponding packets; those containing harmful signatures are dropped, those found to be harmless are passed through, and uncertain packets are sent on for further inspection. For each type of attack behavior, an IPS needs a corresponding filter with pre-defined filtering rules. These rules are defined broadly for the sake of accuracy, so that as wide a range of activity as possible is encapsulated within a definition. When classifying a data flow, the filter engine also refers to packet segment information, analyzing the context of particular fields in order to improve the accuracy of the filtering process.
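The classify-then-filter pipeline described above, as an added example that is not part of the original article or any vendor's product: packets are classified on header fields (protocol and destination port), handed to the filter responsible for that traffic class, and each filter returns one of the three verdicts the article names (drop a harmful signature, pass harmless traffic, or send an uncertain packet on for further inspection). The packet class, filter table, signatures and sample traffic are all constructed for the illustration.

```python
# Added example (not from the article): a toy model of the multi-filter IPS
# pipeline. Packets are classified on header fields, handed to the filter for
# that class, and each filter returns DROP (known harmful signature), PASS
# (harmless) or INSPECT (uncertain, sent on for deeper analysis).
# All packets, rules and addresses below are constructed.
import re
from dataclasses import dataclass, field

DROP, PASS, INSPECT = "DROP", "PASS", "INSPECT"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Filter:
    """One filter with pre-defined rules for one class of traffic."""
    name: str
    harmful: list = field(default_factory=list)     # match -> DROP
    suspicious: list = field(default_factory=list)  # match -> INSPECT

    def inspect(self, pkt: Packet) -> str:
        # Harmful signatures take priority over merely suspicious ones.
        for sig in self.harmful:
            if sig.search(pkt.payload):
                return DROP
        for sig in self.suspicious:
            if sig.search(pkt.payload):
                return INSPECT
        return PASS


# Constructed filter table keyed on header fields (protocol, destination port);
# this lookup is the "classification" step of the pipeline.
FILTERS = {
    ("tcp", 80): Filter(
        "http",
        harmful=[re.compile(rb"(?i)union\s+select"),   # SQL injection signature
                 re.compile(rb"\.\./\.\./")],           # path traversal signature
        suspicious=[re.compile(rb"%[0-9a-fA-F]{2}%[0-9a-fA-F]{2}")],  # heavy URL encoding
    ),
    ("udp", 53): Filter(
        "dns",
        suspicious=[re.compile(rb"[A-Za-z0-9+/=]{40,}")],  # very long label: possible tunnelling
    ),
}
GENERIC = Filter("generic")  # traffic with no dedicated filter: no rules, so PASS


def classify(pkt: Packet) -> Filter:
    """Pick the filter for a packet from its header fields alone."""
    return FILTERS.get((pkt.proto, pkt.dport), GENERIC)


def process(pkt: Packet) -> tuple:
    """Return (filter name, verdict) for one packet."""
    f = classify(pkt)
    return f.name, f.inspect(pkt)


# Constructed sample traffic covering all three verdicts.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.6", "192.0.2.10", "tcp", 80,
           b"GET /item?id=1 UNION SELECT name FROM users HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /%2e%2e%2fconfig.bak HTTP/1.1"),
    Packet("10.0.0.8", "192.0.2.53", "udp", 53, b"aGVsbG8" * 7 + b".example.com"),
    Packet("10.0.0.9", "192.0.2.22", "tcp", 22, b"SSH-2.0-OpenSSH"),
]


def run_filter_sample() -> list:
    """Run the constructed traffic through the pipeline."""
    return [process(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (name, verdict) in zip(SAMPLE_PACKETS, run_filter_sample()):
        print(f"{pkt.src:>9} -> {pkt.dst}:{pkt.dport:<3} [{name:7}] {verdict}")
```

The point to take from the model is the separation of concerns the article describes: classification looks only at header fields and never at payload, each filter knows only its own traffic class, and an unmatched packet is neither silently passed nor dropped but routed to the INSPECT path. A real engine runs these filters in parallel in hardware; the sequential loop here is only for readability.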
The IPS engine is a pipelined, massively parallel ASIC that can execute thousands of packet filter inspections per second. Parallel ASICs preserve the performance of the network, and this hardware-based acceleration is of paramount importance to the efficacy of the IPS.

IPS Implementation Methods

An IPS is normally implemented as a host-based IPS (HIPS), a network-based IPS (NIPS), or a mixture of the two.

Host Based IPS (HIPS)

The Host Based IPS (HIPS) prevents attacks on operating systems and applications through a series of agents and a set of management and reporting interfaces. It works by enforcing a group of fundamental software conventions that remain constant, known as the Application Binary Interface (ABI). Because these conventions are universal among compiled applications, it is almost impossible to hijack an application without modifying the ABI. The HIPS is a multi-layer prevention system, using packet filtering, state inspection and real-time intrusion prevention methods to protect the host at a reasonable performance cost. The agents' working mechanism prevents malicious code that enters the host from being executed, without the need to check against threat signatures. On the basis of this mechanism the HIPS is very accurate, and the host upon which it is deployed can be external to the core network.

Xuhua Ji, September 2007 (You are free to reproduce any of the information in this article or part thereof, so long as the byline remains intact and a link is provided back to this page)
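The signature-less enforcement of the HIPS section above, as an added example that is not part of the original article or any HIPS product: the agent holds a fixed behaviour profile per application and blocks any operation the profile does not allow, so code that was never seen before is still stopped. The profile is an assumed simplification standing in for the constant conventions the article describes; the application names, paths and addresses are constructed.

```python
# Added example (not from the article): a toy host-based IPS agent. It keeps a
# fixed behaviour profile per application and blocks any operation outside the
# profile, so unknown malicious code is stopped without a threat signature.
# The profile is an assumed stand-in for the constant conventions the article
# describes; applications, paths and addresses are constructed.
import re
from dataclasses import dataclass

ALLOW, BLOCK = "ALLOW", "BLOCK"


@dataclass(frozen=True)
class Event:
    app: str      # application the agent observed
    op: str       # "open", "exec" or "connect"
    target: str   # path or host:port


# Constructed profiles: (operation, regex over the target). Anything not
# listed is denied, which is what makes the check independent of signatures.
PROFILES = {
    "webserver": [
        ("open", re.compile(r"^/var/www/")),
        ("open", re.compile(r"^/etc/ssl/certs/")),
        ("connect", re.compile(r":(80|443)$")),
        ("exec", re.compile(r"^/usr/bin/php-cgi$")),
    ],
}


def decide(event: Event, profiles=PROFILES) -> tuple:
    """Return (verdict, reason). Default-deny: no profile or no rule -> BLOCK."""
    profile = profiles.get(event.app)
    if profile is None:
        return BLOCK, "no profile for application"
    for op, pattern in profile:
        if op == event.op and pattern.search(event.target):
            return ALLOW, f"profile rule {op} {pattern.pattern}"
    return BLOCK, f"{event.op} {event.target} is outside profile"


# Constructed events: two normal web-server actions, two that a hijacked
# process might attempt, and one from an application with no profile at all.
SAMPLE_EVENTS = [
    Event("webserver", "open", "/var/www/html/index.php"),
    Event("webserver", "connect", "192.0.2.10:443"),
    Event("webserver", "exec", "/tmp/update.bin"),
    Event("webserver", "connect", "203.0.113.7:4444"),
    Event("unknownsvc", "open", "/var/www/html/index.php"),
]


def run_hips_sample() -> list:
    """Verdict for each constructed event, in order."""
    return [decide(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, run_hips_sample()):
        print(f"{verdict:5} {e.app:10} {e.op:7} {e.target}  ({decide(e)[1]})")
```

The accuracy the article attributes to this approach follows from the default-deny structure: a false negative requires the profile itself to be wrong, not a signature database to be out of date. The cost is that the profile must be complete for legitimate behaviour, which is why such agents are usually run in a learning or report-only mode before enforcement is switched on.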