NETWORK SECURITY

Preventing hacker attacks with network behavior analysis IPS


David Jacobs
10.13.2009


Threat Monitor


Two approaches to detecting and blocking network attacks are signature-based inspection and anomaly-based network behavior analysis (NBA). To learn how these intrusion prevention system (IPS) techniques work, what each of them misses, and why sensors are needed beyond the Internet gateways, continue reading this tip by technical writer David Jacobs.

News of successful network attacks has become so commonplace that it is almost no longer news. Hackers have broken into commercial sites to steal credit card information and into defense industry sites in search of top-secret military plans. Recent denial-of-service (DoS) attacks have made sites unavailable to legitimate users. Firewalls and intrusion prevention systems across enterprise networks routinely log hundreds of attack attempts a day.

To prevent successful attacks, two key detection approaches have evolved: signature-based detection and anomaly-based network behavior analysis (NBA).

Signature-based intrusion protection and detection

Signature-based systems are extremely effective against attack types that have been seen before. They can be installed quickly and become effective immediately. These systems examine each incoming packet and compare its contents against a database of signatures: byte patterns, regular expressions or protocol-field values that characterize known attack mechanisms. False positives, legitimate activity that appears to be an attack, are comparatively rare, because an alert requires a match on a specific known pattern. Generated reports are easy to understand because each incident names the type of attack that was detected.

While signature-based systems are effective against known attack types, they cannot detect zero-day attacks: an attack for which no signature has yet been written matches nothing in the database. The same blind spot applies to variants of a known attack that its signature does not cover, such as a differently encoded form of the same request. Hackers understand that any new attack type will be quickly detected and that countermeasures will be adopted by intrusion prevention vendors. They therefore launch attacks on a large number of sites as soon as a new attack method is developed.

Because of this, signature-based systems must be continually updated. Vendors collect and monitor attack reports from across the world. They also collect data from products installed at customer sites. When one customer experiences an attack, vendor staff analyze it, develop a defense and distribute the update to all other customers' sites. While vendors can often detect new attack methods and devise a defense quickly, the first sites to be attacked have already been compromised by the time the update arrives.
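As an added illustration of how per-packet signature matching works and where it stops (this is example code written for this tip, not a vendor's engine or code from the original article), the following Python script compares a few constructed packets against a small hypothetical signature list. Real products normalize URL encoding and decode protocols before matching; this deliberately minimal matcher does not, so the second traversal request is invisible until a signature for it is distributed, which is the update cycle described above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One known attack mechanism: a name for the report and a pattern to look for."""
    name: str
    pattern: re.Pattern


# Constructed, hypothetical signature list (not a vendor feed). Each pattern
# describes an attack that has already been seen and analysed.
SIGNATURES = [
    Signature("http-dir-traversal", re.compile(rb"\.\./\.\./")),
    Signature("sql-union-select", re.compile(rb"(?i)union\s+select")),
    Signature("x86-nop-sled", re.compile(rb"\x90{16,}")),
]

# Constructed sample traffic: one packet per request.
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/view?f=../../../../etc/passwd HTTP/1.1\r\n\r\n",
    # Same attack, URL-encoded. No signature covers this form yet.
    b"GET /cgi-bin/view?f=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1\r\n\r\n",
    b"POST /login HTTP/1.1\r\n\r\nuser=a' UNION SELECT password FROM users--",
]


def match_signatures(payload: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of all signatures whose pattern occurs in one payload."""
    return [s.name for s in signatures if s.pattern.search(payload)]


def inspect(packets, signatures=SIGNATURES) -> dict[int, list[str]]:
    """Per-packet inspection. Maps packet index -> matched signature names,
    omitting packets that matched nothing (so the report stays easy to read)."""
    alerts = {}
    for i, payload in enumerate(packets):
        hits = match_signatures(payload, signatures)
        if hits:
            alerts[i] = hits
    return alerts


def updated_signatures() -> list[Signature]:
    """Simulates a vendor update: once the encoded variant has been reported by
    a compromised site and analysed, a signature for it is pushed to everyone."""
    return SIGNATURES + [
        Signature("http-dir-traversal-urlenc", re.compile(rb"(?i)%2e%2e%2f")),
    ]


if __name__ == "__main__":
    print("before update:", inspect(PACKETS))
    print("after update: ", inspect(PACKETS, updated_signatures()))
```

Packet 2 carries exactly the same attack as packet 1 and is reported only after the update; a site hit with it before the update ships gets no alert at all.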

Anomaly-based intrusion detection systems

Anomaly-based detection systems detect network activity that does not fit the pattern of expected behavior. Depending on the product, the system is either configured with a description of normal activity or learns one by observing traffic during a baselining period. For example, an application may legitimately access a single database record at a time. If the intrusion prevention system detects a query that returns a large number of records, the cause is likely to be an attack such as bulk extraction of the database. Similarly, if a user with permission to access a restricted set of records begins to attempt access to other types of information, the user's workstation has likely been compromised.

Unlike signature-based systems, anomaly-based systems can detect zero-day attacks, because the attack traffic need not match any known signature; it only has to fall outside the patterns the system has learned as legitimate. All that is necessary is that something out of the ordinary is occurring. The converse is the main weakness: an attack that stays within normal bounds, for example one that pulls records slowly at the rate the application usually reads them, is not caught. The other downside is that anomaly-based systems must be carefully configured to recognize expected patterns of activity. Configurations must be updated when new applications are added or existing applications are modified, and false positives occur whenever legitimate activity departs from its established pattern, so alerts need triage by someone who knows what changed.
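To make the baseline-and-deviation idea concrete, here is an added Python example (written for this tip, not code from any product) that learns per-user, per-table bounds on rows returned from a constructed window of normal database activity and then scores live events. The user and table names are hypothetical. It shows the three outcomes described above: a bulk read that no signature would have named is flagged on volume alone; a user reaching a table she never touched is flagged; and a legitimate new reporting job trips a false positive until the baseline is re-trained to include it.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window of normal activity: (user, table, rows_returned)
# per query. Hypothetical users and tables.
NORMAL = [
    ("app_svc", "orders", 1), ("app_svc", "orders", 1), ("app_svc", "orders", 2),
    ("app_svc", "orders", 1), ("app_svc", "customers", 1), ("app_svc", "customers", 1),
    ("clerk_jane", "orders", 1), ("clerk_jane", "orders", 3), ("clerk_jane", "orders", 1),
]

# Constructed live traffic to score.
LIVE = [
    ("app_svc", "orders", 1),       # ordinary request
    ("app_svc", "orders", 5000),    # bulk extraction: no signature exists, volume gives it away
    ("clerk_jane", "payroll", 1),   # a clerk's workstation reaching a table she never uses
    ("app_svc", "orders", 40),      # a new, legitimate nightly report
]


def build_baseline(events, k=3.0, slack=1):
    """Per (user, table): an upper bound on rows_returned of mean + k*stddev + slack.
    The slack keeps the bound above a constant-valued history (stddev 0), and the
    keys record which tables each user has ever legitimately touched."""
    rows = defaultdict(list)
    for user, table, n in events:
        rows[(user, table)].append(n)
    return {key: mean(v) + k * pstdev(v) + slack for key, v in rows.items()}


def detect(events, baseline):
    """Return [(event, reason)] for events outside the baseline.
    reason is "new-table" (user never accessed this table during training)
    or "volume" (more rows than the learned bound)."""
    alerts = []
    for ev in events:
        user, table, n = ev
        bound = baseline.get((user, table))
        if bound is None:
            alerts.append((ev, "new-table"))
        elif n > bound:
            alerts.append((ev, "volume"))
    return alerts


def retrained_baseline(report_runs=3):
    """Re-baseline after the application change: fold a few observed runs of the
    new report into the training window so the job stops alerting."""
    return build_baseline(NORMAL + [("app_svc", "orders", 40)] * report_runs)


if __name__ == "__main__":
    for ev, why in detect(LIVE, build_baseline(NORMAL)):
        print("initial baseline:", ev, why)
    for ev, why in detect(LIVE, retrained_baseline()):
        print("retrained       :", ev, why)
```

Note that re-training widens the bound for that user and table, so the 40-row report stops alerting while the 5,000-row dump still does; a better design would give the report job its own account so its baseline does not loosen the application's.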

Configuring IPS to defend against complex attacks

Attacks whose elements are spread across multiple commands, for example across several HTTP messages in a Web-based attack, are difficult for both signature-based and anomaly-based systems. A signature-based sensor that inspects packets individually sees no single packet matching the attack profile when the signature spans a series of packets or commands. An anomaly-based system may miss an attack that simultaneously targets several hosts: the sequence sent to each host looks legitimate on its own but causes applications on those hosts to interact in a way that produces a breach.

Compounding the difficulty, not all of the packets may enter the network at the same point or gateway. Enterprise networks often maintain more than one gateway to the Internet, each with its own intrusion prevention system, but a sensor at one gateway sees only its own share of the traffic, and guarding all the gateways is still not sufficient.

Viruses and other malware can also enter a network through places other than gateways. Employees take laptops home and use them on minimally protected home networks. When an infected laptop is reconnected to the internal network, the malware enters without ever passing through an Internet gateway. Wireless networks are another vulnerable point and cannot be overlooked when implementing an intrusion prevention system: an outsider breaking in via the wireless LAN (WLAN) has also bypassed the network gateways.

Intrusion prevention systems must therefore also be installed at key points inside the network, for example at the switch that connects the gateways to the application servers, or between the application servers and the database servers, to detect these attacks. The sensors must share what they see with each other and with a central analysis point, and combine it with reports from other sources such as router and host logs, so that the sequence of packets can be correlated across entry points and the attack recognized as a whole.
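The two gaps described in this section, a signature split across packets and an attack whose pieces arrive at different sensors, can both be seen in the following added Python example (written for this tip; the sensor names, addresses and events are constructed, not taken from any product or real network). The first half inspects three TCP segments of one constructed HTTP request individually and then after reassembly in sequence order; the second half correlates constructed alert records from a gateway IPS, an internal switch IPS and a host log by source address within a time window, and lists sources that appeared only at internal sensors, which is what an infected laptop or a WLAN intruder looks like.

```python
import re
from collections import defaultdict

# --- Part 1: a signature that spans packet boundaries ---------------------

TRAVERSAL = re.compile(rb"\.\./\.\./etc/passwd")

# Constructed TCP segments (seq, payload) of one HTTP request. The attack
# string is split so that no single segment contains it.
SEGMENTS = [
    (1, b"GET /cgi-bin/view?f=../."),
    (2, b"./etc/pass"),
    (3, b"wd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def per_packet_hits(segments, sig=TRAVERSAL):
    """Stateless inspection: sequence numbers of segments matching on their own."""
    return [seq for seq, data in segments if sig.search(data)]


def reassembled_hit(segments, sig=TRAVERSAL):
    """Stateful inspection: reorder by sequence number, join, then match."""
    stream = b"".join(data for _, data in sorted(segments))
    return sig.search(stream) is not None


# --- Part 2: correlating sensors at different points in the network -------

GATEWAY_PREFIX = "gw-"   # sensors named gw-* sit at Internet gateways (assumed convention)

# Constructed alert records: (t_seconds, sensor, src, dst, detail).
EVENTS = [
    (100, "gw-ips-1",       "203.0.113.7",  "10.0.1.10", "http-dir-traversal"),
    (104, "dc-switch-ips",  "203.0.113.7",  "10.0.1.11", "unexpected db access"),
    (109, "host:10.0.1.12", "203.0.113.7",  "10.0.1.12", "ssh login"),
    (300, "gw-ips-2",       "198.51.100.9", "10.0.1.10", "http-dir-traversal"),
    (5000, "dc-switch-ips", "10.0.7.23",    "10.0.1.11", "unexpected db access"),
]


def correlate(events, window=60, min_hosts=2):
    """Group records by source address. Report a source that reaches at least
    min_hosts distinct targets within `window` seconds, whichever sensors saw
    the individual pieces. Each piece on its own may look harmless."""
    by_src = defaultdict(list)
    for t, sensor, src, dst, detail in events:
        by_src[src].append((t, sensor, dst, detail))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        for t0, *_ in recs:
            span = [r for r in recs if t0 <= r[0] <= t0 + window]
            hosts = {r[2] for r in span}
            if len(hosts) >= min_hosts:
                alerts[src] = {"hosts": sorted(hosts),
                               "sensors": sorted({r[1] for r in span})}
                break
    return alerts


def internal_only_sources(events):
    """Sources seen by internal sensors but never by a gateway sensor: traffic
    that entered the network without crossing an Internet gateway."""
    at_gateway, inside = set(), set()
    for _, sensor, src, _, _ in events:
        (at_gateway if sensor.startswith(GATEWAY_PREFIX) else inside).add(src)
    return sorted(inside - at_gateway)


if __name__ == "__main__":
    print("per-packet hits:", per_packet_hits(SEGMENTS))
    print("reassembled hit:", reassembled_hit(SEGMENTS))
    print("correlated:", correlate(EVENTS))
    print("entered without a gateway:", internal_only_sources(EVENTS))
```

The gateway sensor, the switch sensor and the host log each hold one record for 203.0.113.7 that would not justify an alert alone; only after the records are brought together does the three-host sequence stand out, and 10.0.7.23 shows up only because a sensor sits on the data-center switch.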

While signature-based systems can be quickly installed and immediately become operational, designing, configuring and installing an anomaly-based system is more complex. The next article in this series explores the steps involved in configuring and installing an anomaly-based system.

About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.


All Rights Reserved, Copyright 2000 - 2009, TechTarget | Read our Privacy Policy