Archive for February, 2012

“The network is protected by a firewall; isn’t a firewall enough?”

While a firewall is a critical component of a secured network infrastructure, a traditional firewall decides whether to pass or drop traffic from packet headers: addresses, ports, protocol and, in a stateful firewall, whether the packet belongs to an established connection. It does not inspect payloads or reason about what a connection is doing over time. The benefit of an IPS/IDS is that it can reassemble and scrutinize the comprehensive behavior of a network attack spread out over dozens, even hundreds, of individual packets.

A real-world comparison would be the security guard at the entrance to a building. The guard checks each person's ID before allowing or denying access to the building. This guard would certainly be effective against the majority of villains; however, imagine a scenario where a team of attackers legitimately enter the building, all at different times, and then coordinate their attack once safely inside.

The guard at the front door would be completely ineffective against this type of attack. What's required to defend against such tactics is a second security guard who monitors the video feeds of multiple security cameras placed at key locations throughout the building. In the scenario above, these seemingly legitimate persons are now seen exhibiting suspicious behavior; for example, all of them taking the service elevator and rendezvousing just outside the datacenter in the basement.

The point is that while a firewall is a critical layer in a defensive architecture, it is simply not designed to detect more complex attacks.
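To make the "attack spread over many packets" point concrete, here is an added example (not code from the original post): a directory-traversal HTTP request is delivered in five out-of-order TCP segments, cut so that no single packet contains the attack string. A check that looks at each packet by itself, which is all a packet filter can do, sees nothing; reassembling the flow by sequence number, as an IDS/IPS engine does, finds it. The packets, addresses, hostnames and the traversal pattern are all constructed for the example.

```python
"""Per-packet inspection versus stream reassembly (added example)."""
from dataclasses import dataclass

ATTACK_PATTERN = b"../../etc/passwd"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def segment_request(src, dst, data, cuts, arrival_order):
    """Split one request into TCP segments at the given byte offsets and
    return them in the (constructed) order in which they arrive."""
    bounds = list(cuts) + [len(data)]
    segs = [Segment(src, dst, start, data[start:end])
            for start, end in zip(bounds, bounds[1:])]
    return [segs[i] for i in arrival_order]


# Constructed capture. The traversal string occupies bytes 23..38 of the
# request; cutting at offsets 27 and 34 guarantees it never sits inside one
# segment. A benign request from another client is mixed in so the check
# must also report nothing for a clean flow.
ATTACK_REQUEST = (b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")
ATTACK_FLOW = ("198.51.100.7", "10.0.0.20")
BENIGN_FLOW = ("192.0.2.33", "10.0.0.20")

CAPTURE = (
    segment_request(*ATTACK_FLOW, ATTACK_REQUEST,
                    cuts=[0, 12, 27, 34, 52], arrival_order=[2, 0, 4, 1, 3])
    + segment_request(*BENIGN_FLOW, BENIGN_REQUEST,
                      cuts=[0, 20], arrival_order=[1, 0])
)


def per_packet_match(segments, pattern=ATTACK_PATTERN):
    """Stateless check: inspect each packet's payload on its own, which is
    all a packet filter (or a signature engine without reassembly) can do."""
    return [s for s in segments if pattern in s.payload]


def reassemble(segments):
    """Rebuild each flow's byte stream by ordering its segments on seq.

    Only the simple case is handled: a contiguous run starting at the lowest
    sequence number seen. A gap stops reassembly for that flow (a real engine
    would wait for the retransmission). Overlapping segments, where sender
    and receiver may disagree on which copy wins, are not resolved here and
    are a well-known evasion surface for real engines.
    """
    flows = {}
    for s in segments:
        flows.setdefault((s.src, s.dst), []).append(s)
    streams = {}
    for flow, segs in flows.items():
        buf = bytearray()
        expected = min(s.seq for s in segs)
        for s in sorted(segs, key=lambda s: s.seq):
            if s.seq != expected:
                break                     # gap: stop, do not guess the bytes
            buf += s.payload
            expected += len(s.payload)
        streams[flow] = bytes(buf)
    return streams


def stream_match(segments, pattern=ATTACK_PATTERN):
    """Stateful check: match against each flow's reassembled stream."""
    return [flow for flow, data in reassemble(segments).items()
            if pattern in data]


if __name__ == "__main__":
    print("per-packet hits:", per_packet_match(CAPTURE))  # []
    print("stream hits:   ", stream_match(CAPTURE))       # [('198.51.100.7', '10.0.0.20')]
```

The same seven packets produce no hit under per-packet inspection and one hit for the attacking flow once reassembled. Note that the engine that reassembles is also the one that has to resolve gaps and overlaps exactly the way the victim host does; that is where much of the real complexity (and the classic evasion research) lives.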


IPS and IDS are short for Intrusion Prevention System and Intrusion Detection System, respectively. At a high level, what differentiates the two is how they're deployed in a network and, as a consequence, whether they can act on the traffic they inspect.

Intrusion Detection's primary function is to alert on suspicious activity. It does not sit in the path of inbound/outbound traffic like a firewall, but is placed off to the side: traffic that traverses the network's core is replicated out of a "span port" (mirror port) or a network tap and fed to the IDS. The main disadvantage of this model is that if suspicious activity is detected, it cannot be effectively prevented; by the time the IDS has matched a signature, the packets have already reached their destination. The best a deployment such as this can do is respond with TCP resets for malicious connections, which only works for TCP, and only if the reset reaches the endpoints before the remaining attack traffic does. This is not an efficient mechanism, and a busy IDS can quickly become overwhelmed. Furthermore, replicating all traffic to the "span port" places a significant burden on core switch resources, and an oversubscribed span port silently drops packets, so the IDS may never see part of the attack.

Intrusion Prevention, on the other hand, is equally capable of detecting and blocking network attacks. The primary difference is that an IPS sits inline, directly in the path of traffic entering and leaving the protected network. Because of this, malicious traffic can be dropped before it crosses the network's perimeter, and because it sits inline, there is no need to burden core switches with the task of replicating "span port" traffic. The trade-off is that an inline device adds latency and becomes a point of failure: if it crashes or is overloaded, it must either fail open (pass traffic uninspected) or fail closed (cut the path), and that choice should be made deliberately rather than discovered during an outage. An IPS can still function as an IDS by sending alerts only, without acting on any of the traffic it inspects.


Implementing an IPS is not a trivial task. Because of the complexity of the analysis, it's important to first establish a baselining period, with the IPS in alert-only mode, to properly differentiate attack traffic from legitimate traffic. This is essentially a period of monitoring and adjustment in which the number of "false positives" is minimized before any signature is allowed to block.

A false positive is the misidentification of a legitimate network session as attack traffic. It's easy to see how disruptive this could be on a production network: the IPS blocking communication that business-critical applications depend on.

That is the reason for this preliminary monitoring phase: alerts generated by the IPS must be carefully examined and the action of each signature (alert only, drop, or suppressed for a particular source) adjusted accordingly.


At a high level, you have to identify potential threats and correlate them with the vulnerabilities that actually exist in your environment.

A threat is essentially a network attack. Viruses, denial of service and SQL injection are all examples of threats.

A vulnerability is a point of weakness that allows a particular attack to succeed. Protocols such as TCP and HTTP have multiple vulnerabilities. Operating systems like Linux and Windows also have vulnerabilities. Some of these can be mitigated with security updates or specific configuration settings, but the reality is that not all of them can be fixed: some are inherent to the design of the technology, and a fix isn't always feasible.

The correlation of vulnerability to threat is a critical step in implementing an effective IPS solution. For example, is it necessarily a point of concern that your logs show a high number of attacks targeting HTTP and IIS? Well, that depends: if the target is a Linux server running Postfix, those attacks clearly aren't as relevant, and the signatures that fire on them are candidates for alert-only rather than blocking actions.
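The baselining review described above (examining a period of alert-only data and adjusting signature actions) and the threat-to-vulnerability correlation in this section are the same job seen from two sides. Here is an added example (not code from the original post) that folds both into one policy: each alert from the baseline period is checked against an asset inventory to see whether the signature targets something the attacked host actually runs, alerts from a known internal scanner are turned into per-signature suppressions instead of blocks, and a signature is only promoted to "drop" once it has fired against an exposed host. The hosts, signature ids, addresses and alerts are all constructed; the suppression lines are rendered in Suricata's threshold.config syntax as one concrete output format.

```python
"""Baseline triage against an asset inventory (added example)."""
from collections import namedtuple

# Constructed inventory of protected hosts: OS and the products listening.
INVENTORY = {
    "10.0.0.10": {"os": "linux", "products": {"postfix"}},
    "10.0.0.20": {"os": "windows", "products": {"iis"}},
    "10.0.0.30": {"os": "linux", "products": {"apache", "openssh"}},
}

# Constructed signature metadata (hypothetical sids). An empty target set
# means the signature is generic and applies to any host.
SIGNATURES = {
    1000001: {"msg": "IIS unicode directory traversal", "targets": {"iis"}},
    1000002: {"msg": "SMTP VRFY user enumeration", "targets": {"postfix", "sendmail"}},
    1000003: {"msg": "TCP port sweep", "targets": set()},
}

# Sources that legitimately trip signatures; a hit from them is noise.
BASELINE_SOURCES = {"10.0.0.5": "internal vulnerability scanner"}

Alert = namedtuple("Alert", "sid src dst dport")

# Constructed alerts from one day of alert-only monitoring.
BASELINE_ALERTS = [
    Alert(1000001, "10.0.0.5", "10.0.0.20", 80),
    Alert(1000001, "10.0.0.5", "10.0.0.10", 80),
    Alert(1000001, "203.0.113.9", "10.0.0.10", 80),   # IIS exploit at a Postfix box
    Alert(1000001, "203.0.113.9", "10.0.0.20", 80),   # IIS exploit at an IIS box
    Alert(1000002, "203.0.113.44", "10.0.0.10", 25),
    Alert(1000003, "10.0.0.5", "10.0.0.30", 22),
]


def relevant(alert):
    """Does the signature target something the destination host runs?"""
    targets = SIGNATURES[alert.sid]["targets"]
    host = INVENTORY.get(alert.dst)
    if host is None or not targets:
        return True          # unknown host or generic signature: assume exposed
    return bool(targets & host["products"])


def triage(alert):
    """Per-alert decision used during the baseline review."""
    if alert.src in BASELINE_SOURCES:
        return "suppress"    # known noise source: silence this sid for it only
    if not relevant(alert):
        return "alert"       # keep visibility, but never block for it
    return "drop"


def build_policy(alerts):
    """Fold baseline alerts into a per-signature action and suppression list.

    Policy choice of this example: a signature is promoted to 'drop' only
    once it has fired against a host that is actually exposed; everything
    else stays alert-only until the next review.
    """
    policy = {sid: {"action": "alert", "suppress": set(),
                    "relevant": 0, "irrelevant": 0}
              for sid in SIGNATURES}
    for a in alerts:
        entry = policy[a.sid]
        decision = triage(a)
        if decision == "suppress":
            entry["suppress"].add(a.src)
        elif decision == "alert":
            entry["irrelevant"] += 1
        else:
            entry["relevant"] += 1
            entry["action"] = "drop"
    return policy


def suppress_lines(policy):
    """Render suppressions as Suricata threshold.config entries."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}"
            for sid, entry in sorted(policy.items())
            for ip in sorted(entry["suppress"])]


if __name__ == "__main__":
    policy = build_policy(BASELINE_ALERTS)
    for sid, entry in sorted(policy.items()):
        print(sid, SIGNATURES[sid]["msg"], "->", entry["action"],
              f"(relevant={entry['relevant']}, irrelevant={entry['irrelevant']})")
    print("\n".join(suppress_lines(policy)))
```

On this constructed day the IIS traversal signature ends up as "drop" because it also hit the one IIS host, the SMTP signature is "drop" because the Postfix host is exposed to it, and the port-sweep signature stays alert-only because its only hits came from the internal scanner. The inventory is the part that decays: an "irrelevant" verdict is only as good as the day the host list was last updated, which is one more reason the review below has to be repeated rather than done once.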


Again, because of the nature of network security, implementing an IPS is not a "plug & play" solution. Technology evolves and threats evolve; you don't simply lock the front door of your house and walk away, naively assuming all will be well. The same is true for networks. Once the IPS is properly set up, it must be monitored on a daily basis to ensure not only that it is effectively securing the customer's network, but that it is operating correctly and not preventing legitimate business applications from running.