Next up in our line of network security fundamentals, we’re going to break down Intrusion Prevention fundamentals. If you missed my first piece about some network security fundamentals, you can read it here.

Intrusion Prevention Fundamentals

intrusion prevention techniques are often talked about as one of the features of Next Generation Firewalls, commonly known as NGFW. Intrusion prevention comes in various flavors of different sensors and we’ll break down a few of them.

IDS (Intrusion Detection System) monitors traffic on a network, analyzes traffic for signatures (more on that in a bit) matching known attacks, and alerts you when something suspicious happens. However, it does not block traffic when something suspicious is detected, just alerts.

IPS (Intrusion Prevention System) also monitors traffic but when a signature is matched, it has the ability to block the suspicious traffic. IPS also works on real data packets and is considered “inline” when it comes to traffic flow.

There are two deployment methods when working with IDS/IPS. The first option is Promiscuous/Passive mode where the device is set up on a SPAN or RSPAN port. The other option is what is considered “inline” where it’s often used as the layer 3 device (such as Cisco Firepower). The one drawback to that is throughput or bottleneck issues, the IDS/IPS has to be beefy enough to handle all that traffic as it’s analyzing data in real-time.

There are two other types of deployment methods, those are network-based sensors (often referred to as NIPS) and host-based sensors (often referred to as HIPS). NIPS evaluates traffic BEFORE it enters a network and HIPS evaluates traffic before it enters an actual host or endpoint. Examples of NIPS are Cisco’s Firepower 9300 series or it can be attached as a module for Cisco’s ASA or IOS platforms. In today’s world, HIPS is often deployed from the cloud and has the cloud reached through the connectors installed on the endpoint. HIPS often beats out NIPS due to a few advantages. HIPS has full visibility into encrypted traffic (HTTPS, SSL, etc), it also can detect attacks that don’t generate any network traffic but it can be hard to deploy and monitor, so there is a drawback.

Attack Detection Strategies

So how does the IDS/IPS detect threats and protect your environment?

There are a few pieces that these IDS/IPS sensors use to protect the environment. The first one is something we mentioned earlier, and that is Signatures. Signatures are a set of rules/conditions describing an attack. They’re forever “evolving” and must be updated frequently, often auto-downloading from a central location (ex Cisco Talos). The signatures must already know about an attack in order for it to be effective/block traffic. Since the threat landscape changes so frequently, signatures are updated quite often.

Anomaly Detection is another piece that’s used and in its simplest terms, Anomaly Detection learns what “normal” network traffic is and then sets a baseline profile. Then going forward, it constantly compares current traffic against the baseline profile.

Policy-based is another type of strategy that IDS/IPS uses, basically that comes down to a policy being written to allow certain types of traffic and if real-time traffic is outside of that policy, an alarm is triggered to investigate.

Lastly, Reputation-based is looking at traffic based on - shockingly, it’s reputation! What does that exactly mean? Well, traffic is evaluated based on the reputation of IP addresses, URLs, and domain names.

Sensor Actions

So now that we know about all the sensors and how they evaluate traffic, what actions can they do?

Once a sensor recognizes an attack, it has several actions it can take. The first one up is Alarm/Alert, which is pretty straightforward, it generates a log. The next action is Drop, which kills the malicious packets. Block action means it kills the session from the attacker or between the attacker and the victim. Reset action disconnects a TCP session and lastly, Shun asks other devices to block malicious traffic.

Allowed and Block Lists

An allow list and a block list are very helpful in today’s environments. Although self-explanatory, an allow list is a list that consists of IPs, domains, and URLs that you specifically allow into your environment. As a side note, these lists are evaluated before any ACLs/policies, signatures, reputation, etc. For example, if you have a public-facing server (FTP, etc) you would create an allowed list of IPs or domains that would be allowed to communicate with said server, everyone else is blocked by default. As a note, in recent years Cisco has incorporated Cisco Umbrella for DNS filtering. For example, it acts as an allowed list for FQDNs/URLs that are allowed outbound. When a host does a DNS lookup for a particular URL, Umbrella then looks at the URL and allows/denies based on policies the company has set up in Umbrella.

Block lists are exactly that. Lists that contain malicious/suspicious IPs. Most companies have their own block lists that accrue over time but you can also get pre-defined lists from your firewall vendor centralized SOC/intelligence (ex, Cisco Talos).

Sensor Decision Classification

How do all these sensors classify the decisions that they make? The most straightforward answer is based on their correctness. A “true” statement means that the behavior was correct, and “false” means it was not. As a note, if “false” is selected, a tweak to the signature/policy is required. “Positive” means a signature fired, and “negative” means it did not. Confused? Let me sum it up a bit in the various scenarios.

True Positive means that offending traffic caused a signature to fire

True Negative means that normal traffic did NOT trigger a signature

False Positive means that a signature fired for normal traffic (wrong)

False Negative means that the attack went undetected (also wrong)

Summary

There was a lot to chew on in this blog focusing on Intrusion Prevention Fundamentals. We broke down what types of Intrusion Prevention there are (IPS/IDS), we also spoke about the different types of sensors that they use to look at traffic. We then looked at attack detection strategies, the various types of actions the sensors can take, allowed and blocked lists, and how the sensors classify their detections.

Stay tuned for the next blog where we talk about content security! As always, keep studying!