Order Now

Intrusion Prevention Systems

In the current essay we will review the Intrusion prevention systems. It should be noted that Intrusion Prevention System prevents the activation of potentially malicious programs. These systems have a very low number of false positives and can be used in conjunction with the IDS to prevent the spread of viruses or worms.

The IPS can also serve as a secondary level service host, preventing potentially malicious activities. There are advantages and disadvantages between the host-based IPS and network-based IPS. In some cases, the technologies may be complementary. But we can not forget that much of the network IPS technology has evolved and today could very well perform the duties of host, according to Intrusion Prevention Systems (2011).

Already are almost forgotten the days when a combination of “intrusion detection system + firewall” was considered a perfect remedy, which allows you to completely secure the network. IPS (Intrusion Prevention System) firmly entrenched in modern architecture.

Performance issues that are fundamental limitation of applicability of a network intrusion prevention system in one way or another network is gradually being solved. Large manufacturers have long overcome the barrier of 1 Gb / s and are approaching 10 Gbit /: IBM is preparing to launch a system Proventia GX6116, McAfee is finalizing a device IntruShield 10 GbE. And that’s just two examples. Desire to improve performance of network systems for the prevention looks absolutely justified and reasonable.
The principal purpose of intrusion prevention systems is built into the very name of the class of systems – the main challenge is to ensure the safety of protected sites from the impact, which recognized the invasion or violation of security. However, the concept of “invasion”, “security breach” or “attack” may look slightly blurred and, to some extent, must be determined by the security policy of your organization. Thus, we can say that one of the factors influencing the trends of intrusion prevention systems, is the gradual evolution of the concepts of “threat” or “incursion” into a modern enterprise network. The more flexible system allows you to describe specific “threat” or “invasion”, the more it will demand in the market.

Classification of the IPS. What is an IPS “in the classic sense” of this term? As a rule, when considering the IPS “as the phenomenon”, applies classification inherited from intrusion detection systems – products division to “network” and “Host.”

Network IPS is a device that sits in the way of network traffic. The main objective of the network IPS – is the protection of hosts on the network from possible attacks by analyzing the traffic and block traffic that is associated with the attack. Host IPS is located on a particular host, and provides protection from the damaging effects by analyzing network traffic and application behavior activated by system calls, etc, according to Intrusion Prevention Systems Getting Better (2011).

In this era, when the discovery of the fact the attack was considered sufficient to find a characteristic pattern of traffic, or “signature” is gone. It is believed that a successful attack detection contemporary IPS must have the following features and functions:

Firstly, to analyze the interaction session based protocol used to transfer data (especially useful for application layer protocols model OSI). Secondly, to carry out the restoration of fragmented IP-packets to their analysis, do not send fragments IP-datagram without verification. Third, keep track of attempts to create overlapping fragments of IP-datagram, attempts to overwrite the contents of TCP-segments and prevent them. Fourth, to have knowledge about the topology of the protected network and possibly support mechanisms for the normalization of IP / TCP-traffic to prevent attacks on the IPS / IDS classes “insertion” or “evasion”. Fifth, to provide verification of compliance logic formats of the protocol relevant RFC. Sixth, we perform a statistical analysis of data. Seventh, the support mechanisms of the signature search. And also have the opportunity to study and learning.

In addition, since IPS can make decisions about blocking traffic, it is necessary to ensure reliable and secure remote management of IPS. IPS configuration tools must be easy to end users. Most of the IPS support the ability to specify “custom” rules of the IDS to be able to adjust the IPS for a specific environment / requirements of the customer.

The intrusion prevention system components are developed to improve computer security. They have been developed to prevent an unauthorized program to get running. The technology “Intrusion prevention ” is often regarded as an extension of the technology intrusion detection (IDS), although more akin to a list of access control of a firewall.

Intrusion prevention system was invented by Secure One. It was later acquired by NetScreen Technologies, which was in turn acquired by Juniper Networks in 2004. The intrusion prevention system, as mentioned above, is based on a list of access control similar to that used by a firewall, except that a firewall works on IP addresses and ports while the technology works on programs and users.

Intrusion Prevention System prevents the activation of potentially malicious programs. These systems have a very low number of false positives and can be used in conjunction with the IDS to prevent the spread of viruses or worms.

Microsoft Corporation is a multinational computer technology in the United States of America, which develops and manufactures licenses and supports a wide range of software products for computing devices. It employs about 89,000 people in 105 countries and its revenues were about 51.12 billion U.S. dollars in 2007. It was founded on April 4, 1975 by Bill Gates and Paul Allen whose aim is to develop and sell BASIC interpreters. Today it is one of the technology companies that invest more in research and development in the world. It was elected by the Great Place to Work Institute (GPTW) as the ninth best company to work in Brazil. Its name derives from the words Microcomputer (in Portuguese, Microcomputer) and Software. Prevention System intruder has evolved in the late nineties to resolve ambiguities in passive network monitoring by placing the on-line detection. In the beginning it was just an IDS IPS that allowed some interaction with the firewall to control access. Soon it was necessary to develop something more robust, since only control the firewall that has left at least one malicious packet traffic, the solution was to implement smart ways to lock in the IPS. Seen as an extension of the firewall, the IPS provides access decisions based on the content of the application, not just the IP address or ports as traditional firewalls work. However, nothing prevents to optimize performance using many IPS rules based on ports and IP address.

The IPS can also serve as a secondary level service host, preventing potentially malicious activities. There are advantages and disadvantages between the host-based IPS and network-based IPS. In some cases, the technologies may be complementary. But we can not forget that much of the network IPS technology has evolved and today could very well perform the duties of host. The quality of an intrusion prevention system is to be an excellent detector of malicious traffic with an average false positive and false negative low.

The most renowned technology research in the world in its latest edition (2012) restricted further the fight for market leadership of IPS. In the leaders’ quadrant there are only solutions Sourcefire, TippingPoint, McAfee and Juniper appear. This research examines two main points: the solution’s ability to predict market trends and the worldwide installed base. The first point focuses on precisely the unique features innovations and ability to always be ahead of the market. The second point analysis aims to understand the size of the installed base and how that can be supported. The market-leading solutions have excellent rates on these two questions evaluators.

Intrusion detection systems operate by analyzing network traffic using two methods: Heuristic analysis consists of defragmentation, combining packets of data streams, the analysis of packet headers and protocol analysis application. It allows to choose packages that could lead to destabilizing the target application, where the presence of the Implementation of errors. There are different brand names – such as protocol analysis (eg, IBM ISS) and preprocessing (Snort). Most IDS systems, heuristic analysis is carried out simultaneously with the normalization of the data before subjecting them to analysis Signature, according to Next-Generation Intrusion Prevention System (NGIPS) (2011).

Signature analysis – which consists of searching for strings in packets of data specific to the known network attacks. A key element is the signature database, built with the emergence of new attacks and frequently updated.

Typical elements of the IDS / IPS are: probe (called sensor) – a unit that analyzes network traffic and detect attacks; database – collects information about the attacks from a group of sensors; log analyzer – enabling visualization and analysis of logs from the group of sensors.

Depending on the location of the sensor and analyzed the scope of events the following types of IDS: hosts – HIDS (called Host-based IDS) – act as an application in a single, shielded operating system by analyzing events from syslog, and local interfaces. Network – NIDS (Network IDS) – examines network traffic for all systems on the network segment to which they are connected. NIDS is able to recognize attacks against systems that do not have HIDS installed. At the same time, however, has limited capacity to analyze traffic sent in the SSL channels or events taking place locally in the system (for example the lack of memory, the attacks from the local console), according to Intrusion Prevention Systems: the Next Step in the Evolution of IDS (2010).

Network IPS systems can operate in the following network topologies: passive probe – is a probe connected to a port to monitor the switch examines a copy of all packets in a network segment. The probe in this topology has a limited ability to respond to attacks. Two techniques are used to block attacks in passive topology – sending fake TCP RST packets to both sides of communication and disconnection, and dynamic reconfiguration of the firewall, to which the probe can work. In the first case may be blocking TCP traffic only, in the second reaction may be too late.

Inline – is a probe positioned between two network segments, devoid of IP addresses and operating in transparent bridge mode, analyze and directly involved in the transmission of all packets in the network. In this mode, the probe is able to block 100% of packets identified as dangerous (false RST TCP packets are still sent to avoid retransmission). Operation in this mode, the software requires the probe significantly higher demands for performance and stability.

With the extensive use of computers and networks continue to spread, from the danger of internal and external networks and crime are increasing. As a fact, 20 years ago, computer virus spread primarily via floppy disk. Later, the user opens the e-mail with virus attachments, can trigger the attachment carried by the virus. Previously, slow the spread of the virus, anti-virus software developers have enough time to calmly study the virus, development of anti-virus, kill virus software. Today, not only the increasing number of viruses, quality improvement, and quickly spread through the network, in just a few hours can be spread throughout the world. Some viruses will also change the form in the dissemination process, so that anti-virus software failure.

Popular programs and malicious code attacks such as DoS (Denial of Service), are distributed denial of service attacks, violence guess solution (Brut-Force-Attack), port scan (Portscan), sniffing, viruses, worms, spam e-mail, Trojans and so on. There are also gaps and shortcomings in software loophole, do bad things, people keep track of.

Internet address of the firewall can (IP-Addresses) or service ports (Ports) filtering packets. However, it is the port for the use of legal web sites and engaged in sabotage activities are powerless. Each attack code has only the characteristics of its own (signature), the virus through their different characteristics between the difference between each other, but also with the normal application code phase difference. In addition to virus software through the storage of all known virus signatures to identify the virus.

It should be notes that intrusion response system then came into being (IRS: Intrusion Response Systems) as a complement of intrusion detection systems can be found of the invasion, to respond quickly and automatically to stop the measures. The intrusion prevention system is a further development of the two, drawing on the strengths of both.

Intrusion prevention systems like intrusion detection systems, are specialized in-depth network data inside knowledge of the attack code to find it characteristics, filter harmful data stream, discarding unwanted data packets, and make records, for later analysis. In addition, more importantly, most of the intrusion prevention system, while taking into account the application or the network transport layer of the unusual situation, helps in identification invasion and attack. Application intrusion prevention system is aimed at timely identification procedures or harmful attacks and variants of the code and its clones, to take precautionary measures in advance to stop the invasion before they occur. Or at least substantially reduce their harm. Intrusion prevention system in general as a firewall and antivirus software to add to put into use. When necessary, it can be investigated for criminal liability for an attacker to provide legally valid evidence (forensic).

In the face of dynamic code (ActiveX, JavaApplet, a variety of command language script languages, etc.), the first they put sand table, the observed trends in their behavior, if there are suspicious circumstances, stop transmission, prohibiting execution. Some intrusion prevention system combines protocol anomaly, and characteristics of transmission anomaly detection, or firewall access through the gateway within the network to implement effectively prevent harmful code.

Intrusion prevention systems were put to use to further its purposes can be divided into host intrusion prevention system (HIPS: Hostbased Intrusion Prevension System) and network intrusion prevention system (NIPS: Network Intrusion Prevension System) of two types.

Network intrusion prevention system as part of networks or network hardware between the independent and cut off traffic, is with the deep inspection of parcels in the past, and determines the release. Network intrusion prevention systems with virus signatures and protocol anomaly prevent spread of harmful code. There are some network intrusion prevention system is also capable of tracking and marking of suspicious code, answer, and then use these to see who answered the request for connection information so that there can be better confirmed that the invasion occurred.

Under the malicious code there is usually hidden in the middle of the normal program code, the operational characteristics of opportunistic, stand-alone intrusion prevention systems monitor the normal procedures, such as Internet Explorer, Outlook, etc. At this time, it does not need to resort to a known virus signatures and pre-set safety rules. In general, stand-alone intrusion prevention system can make the most abused and lead to behavior can not be successful. We know that the invasion is the first destination of harmful code, and then do bad things. However, even if it is lucky enough to break through firewalls and other defenses to reach the destination, but thanks to intrusion prevention systems, malicious code can eventually play the role it wants to, can not achieve its intended purpose.

Although they are already in the business sense fully mature product, but it still has not first-class level player. Most important difference between them is that some conservative, only that it is important that the event before taking action; some are too sensitive, like celebrity bodyguards, as each piece of trivia is not the normal little things (events) are viewed as signs of the attack (false positive), to the security event management staff leave a lot of records.

HIPS (Host-based Intrusion Prevention System) – is a proactive protection technology, based on analysis of behavior. By virtue of the fact that HIPS is a means of proactive protection program of this class does not contain a virus signature database and does not exercise their detection. HIPS- are the products of exercise activity analysis software and all system modules and blocks potentially dangerous actions in the user’s system. Analysis of the activity is carried out by using the interceptor system functions or install so-called mini-filters. It should be noted that the effectiveness of HIPS can reach up to 100%, however, most programs of this class require the user to high-level skills for competent management of antivirus products.

Types of HIPS. Classic HIPS-products provide the user with information about the activity of a particular application, however, the decision of permission / prohibition of an operation should take the user, thus HIPS-classical products allow users to fine-tune these or other rules of control, but the establishment of rules requires highly skilled users.

Expert HIPS. Unlike classical HIPS-products, expert HIPS can decide independently on blocking this or that activity, based on rules and algorithms used by the developer of the product. To use expert HIPS-products users it is not necessarily to possess certain qualifications, but the expert HIPS-products in some cases, may block a legitimate activity of the custom software.

Policy-Based Detection:

In this type of detection, the IPS requires very specifically declared to security policies. For example, to determine which hosts can have communication with specific networks. IPS recognizes the out of profile traffic.

Based Detection Problem:

This type of detection tends to generate many false positives, since it is extremely difficult to determine and measure a condition ‘normal’. In this type of detection we have two options:

  1. Statistical detection of abnormalities: The IPS analyzes network traffic for a certain period of time and creates a baseline for comparison. When the traffic varies greatly with respect to the baseline of behavior, generates an alarm.
  2. No abnormalities Detection Statistics: This type of detection is the administrator that sets the standard ‘normal’ traffic. However, because this approach does not make a real and dynamic analysis of network usage, it is likely to generate many false positives.

Detecting Honey Pot (honey jar). Here we use a ‘distractor’. Honey Pot is assigned as a device that can look as attractive to attackers. The attackers are using their resources to try to gain access to the system and left intact the real systems. By this, you can monitor the methods used by the attacker or even identify, and thus implement consistent security policies in real use our systems.

The following characteristics are often highlighted as attributes of a Network-based IPS: the IPS is used in-line (in transmission) and may change in case of alarm interrupt the data stream or the IPS has modules that actively influence the rules of firewall systems. Thus indirectly the data stream can be interrupted or changed.

It differs according to how they work different types of IPS: The HIPS (Host-based IPS) running on the computer in which an intrusion is to be prevented. The NIPS (Network-based IPS), however, monitors network traffic to protect the connected computer from intruders, according to Intrusion Prevention Systems (2011).

Responsibility. Network IPS has the ability and, moreover, must block the transmission of traffic, constitutes an attack. However, network IPS should avoid blocking legitimate traffic. Accordingly, one of the critical indicators of IPS is the number of false positives.

The completeness of the traffic control. IPS capabilities to control traffic are limited to those protocols, analysis tools are built into the software system. However, the constantly emerging new popular among users of services and mechanisms for networking, have their own vulnerabilities.

Flexibility: ability to modify the list of threats. Even in the most perfect and effectively IPS can not be foreseen in advance all the possible vulnerability of a well-developed basic protocols. Moreover, some opportunities for interaction, which were not foreseen in the laboratory, which developed IPS, may be encountered in practice and not an attempt to devastating effect, according to Robert C. Newman (19 February 2009).

Completeness of vision / structure IPS: Level 1 – the network. When you work in a real network, situations often arise when the traffic is routed through multiple network IPS devices in parallel, does not meet the criteria for invasion, and in considering it as a whole, obviously, is an invasion. If the network IPS has the opportunity to interact, or if the infrastructure network IPS has a separate “center of decision making”, the invasion would be successfully detected, and the network will remain secure. If the exchange of information or centralized collection does not occur, and each network IPS device operates autonomously, the invasion will pass unnoticed. Thus, the question “Does the structure of the network IPS mechanism for centralized decision-making when multiple IPS” is important.

Completeness of vision / structure IPS: Level 2 – the existing infrastructure. If we assume that the network IPS has a mechanism of centralized decision-making, then, of course, information from the host IPS will not be redundant in the decision to invade. Ability to gather information not only on the network modules IPS, but also on host-modules IPS, allows you to define the relationship between traffic recorded network modules, and the state hosts recorded host-modules. Combining the data from network and host IPS module in the center of decision-making comes complete picture of the state of the network and the causal links between events in different parts of the network, thereby reducing the number of false positives.

Decision to invade – is a key moment in the IPS. All information is collected by the system, all the approaches to the collection of information, all the algorithms used in processing the information gathered, focused on one thing – to provide the greatest possible prudence and reasonableness of decisions. Among the issues associated with decision-making mechanisms, are the following:

First, the extent to which the original data, from which sources they are picked. Second, many approaches are used in making decisions and what they are. Third, how limited in resources (time, computing, storage, database), the host responsible for making the decision to invade. Fourth, it provides a possibility for operator intervention in the decision making process. And finally, if there are non-deterministic situations in which the system operator intervention is required.

When using multiple modules IPS in a large distributed network generated an enormous amount of recorded information being processed by hand is not possible. Accordingly, most producers tend IPS today to introduce additional means of converting the elementary events in the macro-events “that have meaning for the security administrator.

Expected development. Gradual replacement of intrusion detection systems to the market is not reflected in the total profits of manufacturers systems intrusion detection / prevention. So, according to Infonetics, producers’ profits detection systems / intrusion prevention for 2008 increased by 19%. This suggests a stable position systems IDS / IPS on the market and, consequently, the indispensability of these systems in a modern information infrastructure.

It can be said that intrusion prevention systems are firmly taken their place in the market of information security. They need virtually no doubt, their popularity is growing and spreading. However, the industry is based intrusion prevention systems is doomed to continuing development after the development of networking technologies, information technologies and approaches intruders to compromise security.

As the intrusion prevention systems will increase their ability to analyze the interaction of specific application protocols. At the same time, will increase flexibility, the term “invasion” that will provide great opportunities for setting up solutions for a specific environment.

Finally, the structure of the IPS will strive for a distributed system, with modules of different types (and, perhaps, is the development of different manufacturers) and a single center of decision-making, receiving information about events and reported to the management of information using standardized protocols for information exchange.

Intrusion Prevention System to hosts – is considered a relatively new technology of protection of terminals, which in no small measure builds on existing security systems. For example, antivirus HIPS inherited protection against viruses, the software anti-malware (anti-malware) borrowed a means of identifying malicious code, and from network intrusion prevention system – monitoring the network interface.

However, the HIPS – is more than a simple sum of the above components. The analysis have shown that at the moment, this segment of the market, seems to offer the most comprehensive solution for protecting desktop systems. No one is responsible for his words supplier of such solutions does not guarantee you a 100% reflection of zero-day attacks, but HIPS solutions are most similar to this index by the use of these technologies to protect the memory and execution environment that prevent the construction of malicious code in the data segment and its execution, as well as by tracking cases of unauthorized and generally unusual access to files.

Antivirus is essentially remains unchanged over the past 10-15 years. Of course, their suppliers are constantly updated in the database of signatures and scanning tools are improving, but nothing new they have not invented – antivirus software continues to perform virus scanning. Of course, some vendors have initiated a command such as transparent to the user – when writing the file to disk or forwarded by e-mail, but it’s still the same technology, and it is involved in another way.



Intrusion Prevention Systems: the Next Step in the Evolution of IDS (2010). Retrieved June 14, 2011 from
Intrusion Prevention Systems (2011). Retrieved June 14, 2011 from http://www.radware.com/Solutions/Enterprise/Security/IntrusionPrevention.aspx
Intrusion Prevention Systems Getting Better (2011). Retrieved June 14, 2011 from
Next-Generation Intrusion Prevention System (NGIPS) (2011). Retrieved June 14, 2011 from
Robert C. Newman (19 February 2009). Computer Security: Protecting Digital Resources. Jones & Bartlett Learning. pp. 273. http://books.google.com/books?id=RgSBGXKXuzsC&pg=PA273#v=onepage&q&f=false