Intrusion Prevention Systems


1 Intrusion Prevention Systems
Ahmed Saeed, Team Leader (Cisco Division), CTTC (PVT) Limited

2 What is IPS?
Intrusion Prevention System: a system located on the network that monitors traffic for issues like security threats and policy violations, then takes corrective action against the offending traffic. Performs deep packet inspection.

3 What can an IPS do?
IPS can detect and block:
OS, web and database attacks
Spyware / malware
Instant messaging and peer-to-peer (P2P) traffic (policy violations)
Worm propagation
Critical outbound data loss (data leakage)

4 Difference between IDS and IPS
Intrusion Detection System (IDS)
Passive (out of band)
Hardware or software based
Uses attack signatures
Connected to SPAN / mirror ports
Generates alerts (e-mail, pager)
After-the-fact response
Intrusion Prevention System (IPS)
Inline and active
Inline with fail-over (bypass) features, since an inline box that dies takes the link with it
Real-time response: the packet is dropped before it reaches the target

5 IPS Types
IPS can be grouped into 3 categories:
Signature based
Anomaly based (NBAD, network behaviour anomaly detection)
Hybrid

6 Signature Based
Uses pattern matching to detect malicious or otherwise restricted packets on the network. Signatures are written from current exploits (worms, viruses). Detects malware, spyware and other malicious programs. Also used for bad-traffic detection and traffic normalization.

7 Signature Based Products
Sourcefire / Snort, StillSecure, NFR, Cisco IOS IPS

8 Signature: Pros & Cons
Pros
Very flexible
Well suited to detecting single-packet attacks like SQL Slammer
Cons
Relatively little zero-day protection
Generally requires that the attack is known before a signature can be written, so a variant that changes the matched bytes slips past the existing rule
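The single-packet case from this slide, as an added example written for this page (not code from the presentation or any vendor product). It models an inline content rule the way Snort expresses one and runs it over constructed packets; the rule is a simplified rendition of the public Snort Slammer signature (UDP/1434, payload starting with 0x04, the SQL Server Resolution Service instance-name request that the worm overflows, followed by a fixed byte sequence from the worm body), the sid 1000001 is a local-rule id chosen here, and the last packet shows the zero-day weakness: one body byte changed and the rule no longer fires.

```python
"""Signature-based matching in the style of an inline IPS content rule.

Added example written for this page, not code from the presentation or any
vendor. The rule is a simplified rendition of the public Snort signature for
the SQL Slammer worm; sid 1000001 is a local-rule id chosen here and every
packet below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dst_port: int
    # (pattern, depth): depth restricts the search to the first N payload
    # bytes, like Snort's `content:"..."; depth:N;`; None searches all of it.
    contents: List[Tuple[bytes, Optional[int]]]
    action: str = "drop"

    def matches(self, pkt: Packet) -> bool:
        """All header qualifiers and every content option must match (AND)."""
        if pkt.proto != self.proto or pkt.dst_port != self.dst_port:
            return False
        for pattern, depth in self.contents:
            window = pkt.payload if depth is None else pkt.payload[:depth]
            if pattern not in window:
                return False
        return True


WORM_BYTES = b"\x81\xf1\x03\x01\x04\x9b\x81\xf1"

SLAMMER_RULE = Rule(
    sid=1000001,
    msg="MS-SQL Worm propagation attempt (simplified)",
    proto="udp",
    dst_port=1434,
    contents=[
        (b"\x04", 1),        # SSRS instance-name request, the overflowed field
        (WORM_BYTES, None),  # fixed bytes from the worm body
        (b"sock", None),     # API names the worm resolves at run time
        (b"send", None),
    ],
)


def inline_inspect(packets: List[Packet], rules: List[Rule]) -> List[Tuple[str, Optional[int]]]:
    """One verdict per packet: ("pass", None) or (action, sid) of the first
    matching rule. An inline sensor must decide before forwarding, so the
    verdict comes from this packet alone, with no stream history."""
    verdicts: List[Tuple[str, Optional[int]]] = []
    for pkt in packets:
        verdict: Tuple[str, Optional[int]] = ("pass", None)
        for rule in rules:
            if rule.matches(pkt):
                verdict = (rule.action, rule.sid)
                break
        verdicts.append(verdict)
    return verdicts


# Constructed traffic. Packet 1 is shaped like Slammer: a single datagram,
# no handshake, nothing to correlate against, which is exactly what a
# per-packet signature catches and a behavioural baseline does not.
SAMPLE_PACKETS = [
    Packet("udp", 1434, b"\x02"),                            # SQL Browser query
    Packet("udp", 1434, b"\x04" + b"\x01" * 97 + WORM_BYTES + b"socksend"),
    Packet("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("udp", 53, b"\x04" + WORM_BYTES + b"socksend"),   # right bytes, wrong port
    # Same exploit with one body byte changed: no signature, no detection.
    Packet("udp", 1434, b"\x04" + b"\x01" * 97 + WORM_BYTES[:-1] + b"\xf2socksend"),
]

if __name__ == "__main__":
    for pkt, (action, sid) in zip(SAMPLE_PACKETS, inline_inspect(SAMPLE_PACKETS, [SLAMMER_RULE])):
        print(f"{pkt.proto}/{pkt.dst_port:<5} {action:<4} {sid or ''}")
```

Only the second packet is dropped; the same bytes on another port, and the same attack with a single byte altered, both pass, which is the "attack must be known first" limitation in concrete form.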

9 Anomaly Based
Anomaly based IPS look for deviations or changes from previously measured behaviour, like:
Substantial increase in outbound SMTP traffic
New open ports or services
Changes in TCP/IP parameters

10 Anomaly Based Products
Mazu Networks, Arbor Networks, Q1 Labs, Top Layer

11 Anomaly: Pros & Cons
Pros
Better protection against zero-day threats, since nothing about the attack needs to be known in advance
Better detection of "low and slow" attacks that never trip a per-packet threshold
Cons
Cannot protect against single-packet attacks like SQL Slammer: a lone datagram is one flow record, with no history to deviate from
Works from traffic statistics, so it cannot analyze packet content at layers 5 to 7 of the OSI model
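The behaviours from the last two slides, as an added example written for this page (not code from the presentation or any vendor product). It learns a baseline from constructed flow summaries and flags the three deviations named on slide 9 (an outbound SMTP surge, a service answering on a port it never used before, and a connection-parameter change that only shows up over a long window, the "low and slow" port sweep). Every host, count and flow is invented; the z-score threshold of 3 is a choice made here.

```python
"""Anomaly-based (behavioural) detection over constructed flow summaries.

Added example written for this page, not code from the presentation or any
vendor. All hosts, counts and flows are invented for illustration.
"""
import statistics
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]   # (src, dst, dst_port, proto)

# Hourly outbound SMTP (tcp/25) connection counts for one workstation,
# collected while the network was believed clean: the learned baseline.
BASELINE_SMTP: List[int] = [3, 5, 4, 6, 5, 4, 3, 7, 5, 4, 6, 5, 4, 5]

# Flows seen during baselining and flows seen in the current window.
BASELINE_FLOWS: List[Flow] = [
    ("10.0.0.50", "10.0.0.5", 22, "tcp"),
    ("10.0.0.51", "10.0.0.5", 80, "tcp"),
    ("10.0.0.50", "10.0.0.6", 445, "tcp"),
]
OBSERVED_FLOWS: List[Flow] = [
    ("10.0.0.51", "10.0.0.5", 80, "tcp"),
    ("198.51.100.7", "10.0.0.5", 4444, "tcp"),   # never served before
    ("10.0.0.50", "10.0.0.6", 445, "tcp"),
]
# One probe per hour for a day from a single external source.
SLOW_SCAN_FLOWS: List[Flow] = [
    ("203.0.113.9", "10.0.0.5", port, "tcp") for port in range(1, 25)
]


def zscore(baseline: List[int], value: float) -> float:
    """Standard score of value against the baseline. The deviation is
    floored at 1 so a perfectly flat baseline cannot divide by zero."""
    mean = statistics.fmean(baseline)
    stdev = max(statistics.pstdev(baseline), 1.0)
    return (value - mean) / stdev


def smtp_surge(baseline: List[int], observed: int, threshold: float = 3.0) -> bool:
    """True when this hour's outbound SMTP count sits more than `threshold`
    standard deviations above normal: a mass-mailing worm or spam bot."""
    return zscore(baseline, observed) > threshold


def known_services(flows: List[Flow]) -> Set[Tuple[str, int, str]]:
    """(host, port, proto) triples that accepted connections."""
    return {(dst, port, proto) for _, dst, port, proto in flows}


def new_services(baseline_flows: List[Flow], observed_flows: List[Flow]) -> List[Tuple[str, int, str]]:
    """Services answering now that never answered during baselining, e.g.
    a bind shell or an unplanned daemon on an internal host."""
    return sorted(known_services(observed_flows) - known_services(baseline_flows))


def slow_scanners(flows: List[Flow], min_ports: int = 20) -> List[str]:
    """Sources that touched at least `min_ports` distinct destination ports
    across the whole window. Each probe is unremarkable on its own, which is
    why a per-packet signature engine misses it and a long-window count does
    not. The converse limit also holds: a single Slammer datagram is one flow
    record here, with no payload, and nothing in this model would flag it."""
    ports_by_src: Dict[str, Set[int]] = {}
    for src, _, port, _ in flows:
        ports_by_src.setdefault(src, set()).add(port)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    print("SMTP surge (40/h):", smtp_surge(BASELINE_SMTP, 40))
    print("SMTP surge (6/h): ", smtp_surge(BASELINE_SMTP, 6))
    print("new services:", new_services(BASELINE_FLOWS, OBSERVED_FLOWS))
    print("slow scanners:", slow_scanners(SLOW_SCAN_FLOWS))
```

Note what the model is blind to: the flow tuples carry no payload, so the same checks run against the Slammer datagram from the signature slide see one UDP record to port 1434 and nothing else. Bolting a signature engine onto this baseline is what the hybrid slide describes.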

12 Hybrid IPS
A hybrid IPS combines signature based and anomaly based detection in a single device, so each engine covers the other's blind spot.

13 Hybrid Products
Juniper, Cisco, IBM-ISS, TippingPoint, McAfee

14 Hybrid: Pros & Cons
Pros
Superior protection for both known and zero-day threats
Each engine plays off the weakness of the other
Cons
Generally more expensive than either anomaly or signature based products
Can be slower, depending on architecture

15 Architecture: Software vs. Hardware
Software based: generally runs Linux or a BSD variant. E.g. Snort / Sourcefire, NitroSecurity, StillSecure
Hardware based: uses ASIC / FPGA technology. E.g. TippingPoint, Top Layer, McAfee

16 Software: Pros & Cons
Pros
More flexible
Generally easier to add major functionality
Cheaper
Generally has more functionality
Cons
Usually slower than hardware
Latency is usually higher than hardware

17 Hardware: Pros & Cons
Pros
Speed, speed, speed
Lower latency than software
Fewer moving parts to fail
Cons
Expensive
Not easily upgradeable: major upgrades usually mean new ASIC chips

18 What about UTM?
Unified Threat Management: all-in-one devices that can do firewall, antivirus, IPS, VPN, etc.
This is being discussed because vendors very often push UTM devices when customers are looking for IPS solutions.

19 UTM Products
Fortinet, Radware, SonicWall, ISS-Proventia, Cisco (ASA appliance), Juniper (SSG and ISG firewalls)

20 UTM: Pros & Cons
Pros
Cost effective for remote branch offices where other capabilities like firewall are also needed
Cons
Usually a limited subset of IPS functionality and signatures as compared to stand-alone IPS products

21 Thinking about an IPS? Why?
What problem are you trying to solve?
What other problems may be solved?
What problems may arise?
If networking is a different group than security, do you have their buy-in?

22 Tips when selecting an IPS
Prepare an RFP; you can get a sample one from the Internet.
Do an on-site POC of your top choices. It is vital to see how the device behaves in your network, with your traffic, not the vendor's lab traffic.
Make sure you test their support, especially if you are going to buy 24x7.
Look for product certifications: ICSA, NSS Group, Neohapsis.

23 What to consider when buying
Speed / latency: will the device perform under load? Is the latency acceptable? Very important if you have VoIP!
Accuracy: how many attacks did it miss? How many legitimate sessions did it block as false positives?
Signature updates: absolutely critical. How often the signatures are updated is a key indicator of how serious the vendor is about IPS.
High availability: will it do active-passive, active-active?
"Fail open": will the device pass traffic in the event of a device failure? Fail-open keeps the link up but leaves it uninspected for the duration; fail-closed does the opposite, so decide which failure the business can tolerate before the outage happens.

24 IPS Testing and Certifications
Testing and certifications are done by ICSA Labs, NSS Group and Neohapsis.
ICSA's IPS program is the newest; NSS is arguably the most respected, for now.
The IPS should have at least one certification.

25 Questions?

26 Thank You
