Better Safe Than Sorry: Understanding Intrusion Prevention Systems

Protecting the networks from malicious content hidden in everyday data traffic is one of the most critical tasks that network security engineers have to handle.

Any miss of such threats could lead to a potentially compromised network or internal hosts becoming infected with different types of malware — an increasingly challenging problem for companies.

According to a study by security consultancy Flashpoint, 22 billion personal and business records were exposed in hacks on U.S. companies in 2022.

Although you can use different systems for securing networks, not all provide the same level of protection. Some rely on policies-based protection, while others use static rules. 

However, the best way to protect against malicious content is by analyzing traffic up to the application layer.   

In this article, we will provide the following:

• An introduction to intrusion prevention systems.
• An outline of their functionalities and the benefits they provide.
• An overview of the types of intrusion prevention systems.
• An overview of deployment options.
• An exploration of the methods of traffic inspection.  

View some of our popular articles:

• A Must-Have Guide - Risk-Free: Protect Against VLAN and STP Attacks 
• What Is a GRE Tunnel and How Do You Configure One? 
• Back to the Basics: Cisco ASA Firewall Configuration Guide

Introducing Intrusion Prevention Systems

Because intrusions come in many forms and shapes in networks, different security technologies have been developed over time. 

Firewalls are the most commonly used appliances and provide satisfactory protection. However, they provide protection mainly policy-based (at least for classic firewalls) without support for next-generation features. 

Another technology that you can use is intrusion detection systems (IDS). Even though IDS systems can filter traffic up to the application layer, they cannot act when there are signs of suspicious or malicious behavior because they work on a copy of the traffic instead of the original data. Therefore, they can only produce an alert when suspicious traffic is seen.

The solution comes from an intrusion prevention system (IPS). This technology is built upon IDS technology and can analyze traffic in many different ways, such as:

• Verifying that the rules of common network protocols such as IP, TCP, and UDP are followed in the network sessions. 
• Taking an insight into Layer 2 to Layer 3 mappings, such as those used by ARP and DHCP.
• Analyzing the payload to identify various malicious threats such as viruses, trojan horses, worms, or any other malware.

In contrast to IDS, IPS systems can take protective action when they discover the presence of malware. When an IPS receives traffic, it performs a deep analysis of network traffic and forwards it throughout the outbound interface only when considered clean.

Because of this approach, an IPS usually compliments a firewall in the networks, so it can block any suspicious behavior that would have usually passed undetected through a traditional firewall.

As you can see in the image above, the IPS is deployed behind the Cisco ASA firewall in the network because you don’t want first to inspect traffic for malicious content just to be dropped later by a policy defined on the firewall.

Therefore, a firewall first performs policy-based filtering, and only when traffic is permitted does an IPS search for signs of suspicious or malicious behavior. 

Remember that most of the next-generation firewalls (NGFW) today, such as Cisco Firepower NGFW supports IPS services, so instead of using an IPS system and firewall separately, you can have the same features in a single unit.

_________________

Options That You Can Choose From

PivIT offers a unique and wide selection of hardware and financing options. We also offer OEM options that give you the flexibility you need to develop your network.

_________________

Types of IPS

You can deploy two types of IPS: network-based IPS and host-based IPS. What we discussed in this article was based on a network-based IPS, which is the most commonly used in networks today. 

It takes responsibility for all traffic that enters or exits the network and takes appropriate action when necessary. It can be a separate appliance or integrated into other security devices, such as a firewall. 

Host-based IPSs are applied to all or just a group of hosts in the network that require protection. You must install lightweight connectors on these hosts to communicate with the Cisco cloud for IPS processing on the received traffic. Host-based IPS is best suited for small networks such as branch offices and for detecting activity that does not generate network traffic.

Keep in mind that there are some disadvantages with this type as well. This approach requires connectors (agents) to be installed on all machines that need to be monitored for suspicious and malicious traffic, and in large networks, it can be a real challenge.

On top of that, enough processing resources should be available so the IPS service can work without any limitations, and the host won’t experience any setbacks.  

IPS Deployment Options

An IPS can actively inspect traffic flowing within the network and take appropriate action when needed or passively by scanning and generating a notification message when an event occurs. Remember that deploying IPS in passive mode is just like running an IDS.

As you can see in the image above, the switch sends a copy of the traffic through the SPAN port to the IPS, while the original data is forwarded to the internal network.

Upon detection of suspicious activity, the IPS generates an event message, and additional security measures must be taken. This approach is appropriate for making network analysis and learning the network behavior. Another variant is ERSPAN passive mode.

Another option is to deploy the IPS in inline mode. This way, the IPS stands in the traffic path, and all traffic must be inspected. In this mode, the IPS works on the original traffic.

The traffic is allowed to pass only if it is clean. Any signs of suspicious or malicious activity will trigger a corresponding action based on which the traffic will get processed. 

The last deployment option is inline tap. The IPS is deployed inline with tap mode, but the network traffic is processed in passive mode. The IPS makes a copy of each packet to analyze the packets and generate event notification messages when suspicious activity happens.

In this mode, you can see which packets would have dropped if the IPS had been in an inline deployment without using the tap feature. And the best part is when you are ready to deploy the IPS in inline mode after confirming that it operates properly, all you need to do is only to disable the tap mode to begin dropping suspicious traffic without having to reconfigure the cabling between the IPS and the other network devices.

Exploring the Methods of Traffic Inspection

Regardless of the deployment mode, several methods of traffic inspection are used in various IPS systems based on which any suspicious activity gets denied:

• Signature-based (rule-based) inspection: With this method, the IPS inspects the headers and payloads of the packets flowing through the network and compares them against a database of known attack/malware signatures. Because everything depends on the rules in the database, it is crucial that the database in the IPS is regularly updated so the newest signatures are always available.
   
• Anomaly-based inspection: This method relies on establishing a normal behavior in a given network. The process is based on learning patterns of regular network activity, which generates a baseline profile for the given network over time. Any activity detected outside the established normal network behavior results in an anomaly, and appropriate action is taken.
  
  
• Policy-based inspection: With this method, the traffic is inspected against a configured traffic policy on the IPS system, and the corresponding action is applied upon a match. 

Keep in mind that besides the base inspection methods described above, modern next-generation IPS systems also use more sophisticated technologies such as reputation, context awareness, and cloud-based services, among many others.

Better Safe Than Sorry

Although there are various security systems that you can deploy in your network to protect against external threats, the IPS systems provide the best protection by applying deep packet inspection, and searching for suspicious and malicious activities in both incoming and outgoing traffic. 

Once discovered, all malware is denied, and only clean traffic is permitted to pass. Now, it is up to you to select the most suitable deployment option and tune it according to your network requirements.

_________________

If you need a helping hand to configure your network, consider PivIT's EXTEND SmartHands offering to gain access to engineers around the globe to locally access your infrastructure without ever leaving your desk. But don't take our word for it, here's what one of our clients had to say:

"Great response time by the PivIT team, they came through in a pinch and we really appreciate it." - Jarrod S. (Director of Infrastructure)

_________________