RangerIPS - Intrusion Prevention System (IPS)


Introduction


In a recent survey commissioned by VanDyke Software, some 66 percent of the companies who responded said that they perceive system penetration to be the largest threat to their enterprises.

The survey revealed that the top eight threats experienced by those surveyed were viruses (78 percent of respondents), system penetration (50 percent), DoS (40 percent), insider abuse (29 percent), spoofing (28 percent), data/network sabotage (20 percent), and unauthorized insider access (16 percent).

Although 86 percent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is apparent that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic - such as an attempt to telnet to a device when corporate security policy forbids telnet access completely - but it is also designed to allow some traffic through - Web traffic to an internal Web server, for example.

The problem is that many exploits attempt to take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised, it can often be used as a springboard to launch additional attacks on other internal servers. Once a "rootkit" or "back door" has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future.

Firewalls are also typically employed only at the network perimeter. However, many attacks, intentional or otherwise, are launched from within an organization. Virtual private networks, laptops, and wireless networks all provide access to the internal network that often bypasses the firewall. Intrusion detection systems may be effective at detecting suspicious activity, but they do not provide protection against attacks. Recent worms such as Slammer and Blaster have such fast propagation speeds that by the time an alert is generated, the damage is done and spreading fast.