Which of the following is used to protect a network from malicious attacks and unwanted intrusion?

Preventing System Intrusions

Michael West, in Network and System Security (Second Edition), 2014

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion prevention systems (IPSs) focus primarily on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IPSs have become a necessary addition to the security infrastructure of nearly every organization. IPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IPS stopping the attack itself, changing the security environment (reconfiguring a firewall), or changing the attack’s content. This chapter describes the characteristics of IPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000022

Information Security Essentials for IT Managers

Albert Caballero, in Managing Information Security (Second Edition), 2014

Intrusion Prevention

Intrusion prevention is a system that actively blocks attacks inline on the network, before they even reach the target host. There are many ways to prevent attacks or unwanted traffic from entering your network, the most common of which is the firewall. Although firewalls are mentioned frequently and most people know what a firewall is, several other types of controls can be put in place alongside a firewall to substantially strengthen the protection of the network. Here are the most common prevention technologies:

Firewalls. The purpose of a firewall is to enforce an organization’s security policy at the border between two networks. Most firewalls are deployed at the edge between the internal network and the Internet (if there is such a thing) and are configured to block (prevent) any traffic, in or out, that the corporate security policy does not allow. The level of protection a firewall provides depends on the type of firewall deployed, such as these:

Packet filtering. The most basic type of firewall performs what is called stateful packet filtering, which means it remembers which side initiated a connection, and rules (called access control lists, or ACLs) can be written not only on IP addresses and ports but also on the state of the connection (that is, whether the traffic is entering or leaving the network).

Proxies. The main difference between proxies and stateful packet-filtering firewalls is that proxies have the ability to terminate and reestablish connections between two end hosts, acting as a proxy for all communications and adding a layer of security and functionality to the regular firewalls.

Application layer firewalls. Application firewalls have become increasingly popular; they are designed to protect particular types of applications (Web or database servers) and can be configured to block in a way that is far more intuitive and granular, using not only network information but also application-specific variables, so administrators can be much more precise about what they block. In addition, application firewalls can typically be loaded with server-side SSL certificates, allowing the appliance to decrypt encrypted traffic, a huge benefit over a typical proxy or stateful firewall.

Intrusion prevention systems. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents using a set of conditions based on signatures or anomalies.
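The stateful packet filtering described above can be shown concretely with a toy filter that remembers which side initiated each connection and applies direction-aware rules. This is an added illustration, not code from the chapter or from any firewall product; the internal network (10.0.0.0/24), the permitted outbound ports (80 and 443), and the sample packets are constructed for the example.

```python
"""Toy stateful packet filter (added illustration, not code from the cited chapter).

Constructed assumptions: the internal network is 10.0.0.0/24, policy lets
inside hosts initiate TCP connections to ports 80 and 443 outside, and all
other traffic is denied unless it belongs to a session the filter has tracked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")     # trusted side of the firewall (constructed)
ALLOWED_OUTBOUND_PORTS = {80, 443}       # policy: inside may reach web ports (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


class StatefulFilter:
    """Remembers who initiated each connection and evaluates rules that depend
    on direction and connection state, as the text describes for stateful filtering."""

    def __init__(self) -> None:
        # state table keyed by the 4-tuple as seen from the initiator's side
        self.sessions: set[tuple[str, int, str, int]] = set()

    @staticmethod
    def _inbound(pkt: Packet) -> bool:
        return ip_address(pkt.src) not in INTERNAL and ip_address(pkt.dst) in INTERNAL

    def decide(self, pkt: Packet) -> str:
        key_fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Traffic belonging to a tracked session passes in either direction,
        # which is how the reply half of an inside-initiated connection gets in.
        if key_fwd in self.sessions or key_rev in self.sessions:
            return "ALLOW (established)"

        if self._inbound(pkt):
            # No state and arriving from outside: an unsolicited connection
            # attempt never creates a session and is blocked.
            return "DROP (unsolicited inbound)"

        # Outbound: only a new connection (SYN without ACK) to a permitted
        # port creates state; anything else is outside policy.
        if pkt.syn and not pkt.ack and pkt.dport in ALLOWED_OUTBOUND_PORTS:
            self.sessions.add(key_fwd)
            return "ALLOW (new outbound session)"
        return "DROP (policy)"


def run_demo() -> list[str]:
    """Feed a constructed packet sequence through the filter and return the decisions."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),            # inside opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),  # server's SYN-ACK reply
        Packet("198.51.100.7", 5555, "10.0.0.5", 22, syn=True),              # outsider probes SSH
        Packet("10.0.0.5", 40001, "203.0.113.10", 23, syn=True),             # inside tries telnet
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The second packet is allowed only because the first one created state; the same SYN-ACK arriving without a prior outbound SYN would be treated as unsolicited inbound and dropped, which is exactly the distinction a stateless filter on IPs and ports alone cannot make.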


URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000015

Nokia Security Solutions Overview

Andrew Hay, ... Warren Verbanec, in Nokia Firewall, VPN, and IPSO Configuration Guide, 2009

IP290 IPS

The Nokia IP290 Intrusion Prevention with Sourcefire, also referred to as Nokia IP290 IPS, is optimized for Sourcefire 3D Sensor applications. Running Nokia IPSO-LX, a specialized Linux-based operating system, the Nokia IP290 IPS comes preinstalled with Sourcefire Intrusion Prevention System (IPS) and Real-time Network Awareness (RNA). Both products can run simultaneously on the IP290 IPS platform.

Nokia IP290 IPS appliances are ideally suited for growing companies and satellite offices that want high-performance intrusion detection and protection. The small size of Nokia IP290 IPS appliances makes them attractive for installations that need to conserve space. Two Nokia IP290 IPS appliances can be rack-mounted in a 1U space if they are installed in a rack-mountable shell, which can be ordered. Figure 1.7 shows two Nokia IP290 platforms in the rack-mountable shell.


Figure 1.7. Nokia IP290 Platforms in a Rack-Mountable Shell


URL: https://www.sciencedirect.com/science/article/pii/B9781597492867000012

Defensive Tactics and Procedures

Steve Winterfeld, in The Basics of Cyber Warfare, 2013

Intrusion Detection and Prevention

Intrusion detection and intrusion prevention on a nationwide scale, or even across the DoD, as we discussed in the previous section, is a difficult prospect. At present, the networks that comprise the Internet are, for the most part, not segmented along national boundaries. Additionally, we have a wide variety of media that can be used to carry network communications, including copper and fiber optic cables, satellite communications, purpose-built wireless networks, packet radio, and any number of other means. This lack of network segmentation along physical borders and the wide variety of communications methods make IDS/IPS a technically challenging prospect to implement.

Two main strategies exist for accomplishing intrusion detection and/or prevention on this scale: we can either structure networks to provide a limited number of connections outside of the area that we wish to protect and monitor, or we can implement massively distributed IDS/IPS; either method has its inherent issues. Restructuring our networks to provide only a few choke points is certainly the cleanest route to take, and may be workable when building new networks, but would likely be prohibitively expensive for existing networks. It will also be affected by the move to the cloud and mobile devices; the days of isolated networks are coming to a close even for classified networks, as we see them looking at how to move to these new infrastructures. Likewise, massively distributed IDS/IPS, although it has the benefit of not requiring us to alter our networks, is likely to miss some of the traffic entering and exiting those networks. In either case, at present, conducting such operations is likely to prove difficult in a variety of ways.


URL: https://www.sciencedirect.com/science/article/pii/B9780124047372000070

Computer Network Defense

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

Intrusion Detection and Prevention

Intrusion detection and intrusion prevention on a nationwide scale, as we discussed in the previous section, is a difficult prospect. At present, the networks that comprise the Internet are not segmented along national boundaries, for the most part. Additionally, we have a wide variety of media that can be used to carry network communications, including: copper and fiber optic cables, satellite communications, purpose-built wireless networks, packet radio, and any number of other means. This lack of network segmentation along physical borders and wide variety of communications methods makes IDS/IPS a technically challenging prospect to implement.

Two main strategies exist for accomplishing intrusion detection and/or prevention on this scale; we can either structure networks to provide a limited number of connections outside of the area that we wish to protect and monitor, or we implement massively distributed IDS/IPS; either method has its inherent issues. Restructuring our networks to provide only a few choke points is most certainly the cleanest route to take, and may be workable when building new networks, but would likely be prohibitively expensive for existing networks. Likewise, massively distributed IDS/IPS, although having the benefit of not requiring us to alter our networks, is likely to miss some of the traffic entering and exiting said networks. In either case, at present, conducting such operations is likely to prove difficult in a variety of ways.

An example where this has been deployed as part of national defense is the Department of Homeland Security's Network Security Deployment National Cybersecurity Protection System (operationally known as EINSTEIN). EINSTEIN was deployed in accordance with Comprehensive National Cybersecurity Initiative directive 5—Connect current cyber ops centers to enhance situational awareness. There are multiple blocks, but the first was built around IDS [9].


URL: https://www.sciencedirect.com/science/article/pii/B9780124166721000118

Intrusion Response Systems: A Survey

Bingrui Foo, ... Eugene H. Spafford, in Information Assurance, 2008

Details

Snort Inline is the intrusion prevention component of Snort, a popular network intrusion detection and prevention system capable of real-time IP network traffic analysis. Snort was originally developed by Martin Roesch and is currently owned and developed by Sourcefire, a company founded by Roesch. Snort Inline started as a separate project that used Snort for its packet logging and traffic analysis capabilities, but has since been included in the Snort distribution, providing the intrusion response capabilities that the popular IDS had hitherto lacked.

The Netfilter/IPtables software implements the response mechanism, while Snort Inline provides the policies on which IPtables bases its decision to allow or deny packets. Once IPtables hands an incoming packet to Snort, Snort performs rule matching against the packet. Three new rule types were added to Snort for Snort Inline to define the actions IPtables may take after receiving an incoming packet. All three rule types drop the packet if it matches a predefined rule; the second type also logs the packet, and the third type additionally sends a control message back to the sender. These rules are applied before any alert or log rule. The current version of Snort also allows a system to replace sections of a packet payload when using Snort Inline. The only limitation is that the selected payload must be replaced by a string of the same length. For example, an adversary attempting to propagate malicious code through the PUT command could have it replaced by the TRACE command, thus halting further propagation of the code.

In order for Snort Inline to interface with IPtables, two C libraries are needed: libipq and libnet. Libipq [23] is a library for IPtables packet queuing that allows Snort Inline to exchange messages with IPtables. Libnet is the popular networking interface to construct, handle, and inject packets into a network.


URL: https://www.sciencedirect.com/science/article/pii/B978012373566950015X

Active Response

In Snort Intrusion Detection and Prevention Toolkit, 2007

NFS mountd Overflow Attack

For our last example, we revisit the NFS mountd overflow attack. First, we modify Snort SID 316 to replace the content of the mountd attack with the hex value 0x65, which happens to be the ASCII code for the letter e.

Again, we launch our attack from evilhost against the NFS server, but this time, we take a packet trace from the server itself, as shown in Code Listing 11.27. As we expect, the critical portion of the attack that instructs the remote system to point back into the exploit payload has been translated into a harmless series of e characters completely unrelated to the original attack by snort_inline (see Code Listing 11.28).

Code Listing 11.27. Modified NFS mountd Overflow Snort Rule (SID 316) [listing image not reproduced]

Code Listing 11.28. NFS mountd Overflow Attack [listing image not reproduced]
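The inline rule semantics described in the Snort Inline survey excerpt above (three drop-type rules, of which one also logs and one also sends a control message back) and the same-length payload replacement used in the SID 316 modification can be shown together in one small rule engine. This is an added example written for this page, not Snort's own code; the rule names sdrop, drop and reject are Snort keywords, but the engine, the Verdict structure, the rule contents and the sample payloads are constructed for illustration. The replacement pattern attached to SID 316 here is constructed and is not the real rule's content.

```python
"""Toy inline rule engine in the spirit of Snort Inline (added example, not Snort's code).

Following the text: "sdrop", "drop" and "reject" all drop a matching packet;
"drop" also logs it; "reject" logs it and sends a control message back
(modelled here as a TCP reset string). A "replace" rule keeps the packet but
overwrites the matched content with a same-length string, mirroring the SID 316
modification that rewrites the mountd exploit bytes with 0x65 ('e').
Rule contents and payloads are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    action: str                       # "sdrop", "drop", "reject" or "replace"
    content: bytes                    # pattern searched for in the payload
    replace: Optional[bytes] = None   # only meaningful for "replace" rules


@dataclass
class Verdict:
    sid: Optional[int]                # matching rule, or None if no rule fired
    forwarded: bool                   # did the packet continue to its destination?
    logged: bool                      # was the packet written to the log?
    control_message: Optional[str]    # e.g. a reset sent back to the sender
    payload: bytes                    # payload as forwarded (possibly rewritten)


class InlineEngine:
    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)
        self.log: list[tuple[int, bytes]] = []
        for r in self.rules:
            if r.action == "replace":
                # The limitation the text describes: the replacement must be exactly
                # as long as the content it overwrites, so the packet can be forwarded
                # without changing its length or shifting the TCP sequence space.
                if r.replace is None or len(r.replace) != len(r.content):
                    raise ValueError(f"SID {r.sid}: replacement must equal content length")
            elif r.action not in {"sdrop", "drop", "reject"}:
                raise ValueError(f"SID {r.sid}: unknown action {r.action!r}")

    def inspect(self, payload: bytes) -> Verdict:
        """Apply rules in order; the first matching rule decides the packet's fate."""
        for r in self.rules:
            if r.content not in payload:
                continue
            if r.action == "sdrop":                     # drop silently, nothing logged
                return Verdict(r.sid, False, False, None, payload)
            self.log.append((r.sid, payload))           # drop, reject and replace all log
            if r.action == "drop":
                return Verdict(r.sid, False, True, None, payload)
            if r.action == "reject":                    # drop and notify the sender
                return Verdict(r.sid, False, True, "TCP RST to sender", payload)
            # replace: neutralise the matched bytes and let the packet continue
            return Verdict(r.sid, True, True, None, payload.replace(r.content, r.replace))
        return Verdict(None, True, False, None, payload)


# Constructed rule set: the SID number 316 is the one named in the text, but this
# content pattern is an illustrative stand-in, not the real rule's content.
RULES = [
    Rule(1001, "sdrop", b"SILENT"),
    Rule(1002, "drop", b"LOGME"),
    Rule(1003, "reject", b"RESETME"),
    Rule(316, "replace", b"\x90\x90\x90\x90", b"eeee"),
]


def run_demo() -> list[Verdict]:
    """Run constructed payloads through the engine and return the verdicts."""
    eng = InlineEngine(RULES)
    payloads = [b"GET /SILENT", b"x LOGME", b"RESETME", b"mountd \x90\x90\x90\x90 tail", b"benign"]
    return [eng.inspect(p) for p in payloads]


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The constructor rejects a replace rule whose replacement length differs from its content, so a misconfigured rewrite fails at load time rather than producing a malformed packet on the wire; the fourth verdict in the demo shows the matched bytes replaced by a run of 'e' characters while the rest of the payload is untouched.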

Damage & Defense…

Intrusion Prevention: An Opinion

Before we end the chapter, it is worth spending a few paragraphs on the dichotomy between firewalls and IDSes. NIPS are the subject of much debate and strong emotions. This sidebar presents the opinions of this book's editors.

The core purpose of a firewall is to allow or block network traffic based on how that traffic matches a policy the firewall has been given. This means it needs to be able to decide whether traffic is allowed through, very quickly and predictably. As vendors have learned, customers want firewalls that don't block traffic for any reason except policy (for example, not because the firewall is too slow or overloaded, or because it misunderstood a protocol). Additionally, it should not block traffic that the policy creator intended to allow. In short, a firewall must make a decision quickly and then pass or drop packets as quickly as possible. In contrast, the core purpose of a NIDS is to find attacks/intrusions/events of interest in your network traffic. This means that the IDS must not miss packets because there is too much traffic. The IDS must not misunderstand a protocol or assume that the protocol in use is the one normally used on that port. Finally, the IDS must not decide whether traffic is malicious without seeing all of it (for example, allowing traffic to pass after seeing that there is nothing malicious in the TCP connection setup, as a firewall might). In short, an IDS must not miss any traffic and must constantly recheck its conclusions (for example, look for a match against a single packet and then look for matches against the entire stream).

Unfortunately, these two core functions are essentially in opposition to each other. As such, NIPS are difficult to implement properly. Firewall vendors who are advertising their products as NIPS think that all decisions can be made based on simple decisions and that network traffic is never ambiguous (because at Layer 4 and below, it generally is not or at least isn't as ambiguous as it is at higher layers). They forget that applications are horribly eccentric and that evading detection is easy when you can play in the application-layer protocols. IDS vendors who are advertising their products as NIPS think that making decisions after the entire connection is completed is an effective way to prevent the attack, and that false-positive rates that customers accept from an IDS will also be acceptable for an IPS. In our opinion, such viewpoints from IDS vendors are simply misguided.

An example of a good place for deployment of a NIPS is in front of critical servers that have application-layer vulnerabilities that can't be patched for some reason and are easily and clearly definable. Whatever you do, understand that IPS cannot be a “silver bullet” that removes the requirement that you patch and harden systems, apply policy-based firewalls, and monitor the network with an IDS.


URL: https://www.sciencedirect.com/science/article/pii/B9781597490993500161

How can intrusion attacks be prevented?

Preventing network intrusion. Any business with an internet connection is potentially susceptible to network intruders. The best way to stop them is to block services you do not need, either at your network's entry point (by a network firewall) or at your computer (by a personal firewall).

What are two types of intrusion prevention system?

Intrusion prevention systems have various ways of detecting malicious activity, but the two predominant methods are signature-based detection and statistical anomaly-based detection.

What does IPS protect against?

IPS security solutions can stop any attack based on malicious traffic sent over a network, provided it has a known attack signature or can be detected as anomalous compared to normal traffic. IPS is commonly used to detect and stop all the attacks below.

What is an example of an intrusion prevention system?

Trellix Network Security (McAfee + FireEye). Protection against bots, Distributed Denial of Service (DDoS), ransomware, and many other attacks. Blocks harmful sites and downloads. Protects cloud and on-prem devices. FireEye's IPS was deployed as part of the network security and forensics solution.