Comprehensive network security
3. INTRUSION PREVENTION SYSTEMS (IPSs)
3.2. Intrusion Protection Systems’ Types and Characteristics
There are different types of intrusion protection systems, with different characteristics and features, as was seen with intrusion detection systems. Just like IDSs, IPSs can be classified as signature-based, anomaly-based and policy-based. Signature-based intrusion protection systems use an approach based on known vulnerability and attack signatures: the method is to match the observed activity against those signatures and, when a match is found, raise an alarm and take action if necessary. One drawback of this method is that it can only stop previously identified attacks and will not recognise new ones. This type of IPS does not take into consideration any unknown vulnerabilities and will take no action on the network if a new attack occurs.
This IPS type uses a dictionary of uniquely identifiable patterns, or signatures, in the code of each exploit. As an exploit is discovered, its signatures are recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two sub-types:
· Exploit-facing signatures – identify individual exploits by triggering on the unique patterns of a particular exploit attempt. The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream.
· Vulnerability-facing signatures – broader signatures that target the underlying vulnerability in the system being attacked. These signatures allow networks to be protected from variants of an exploit that may not have been directly observed in the wild, but they also raise the risk of false positives.
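The contrast between the two sub-types is easiest to see with a small matching engine. The block below is an added example, not code from the original text: it holds a constructed signature dictionary with one exploit-facing entry (an exact encoded path-traversal string as it might have been observed) and one vulnerability-facing entry (a pattern for the underlying weakness in any common encoding), and runs constructed HTTP request lines through it. The signature names, the request lines and the DROP/FORWARD actions are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One entry in the (constructed) signature dictionary."""
    name: str
    kind: str            # "exploit-facing" or "vulnerability-facing"
    pattern: re.Pattern


# Constructed dictionary. The exploit-facing entry matches one exact encoded
# traversal string as it was once observed; the vulnerability-facing entry
# matches any run of two or more "dot-dot-separator" sequences in the usual
# encodings, i.e. the weakness itself rather than a single exploit variant.
SIGNATURES = [
    Signature("traversal-variant-A", "exploit-facing",
              re.compile(re.escape("..%2f..%2fetc%2fpasswd"), re.IGNORECASE)),
    Signature("path-traversal", "vulnerability-facing",
              re.compile(r"(?:\.\.(?:/|\\|%2f|%5c)){2,}", re.IGNORECASE)),
]


def inspect(request_line: str) -> tuple[str, list[str]]:
    """Return the IPS action and the names of the signatures that fired."""
    hits = [sig.name for sig in SIGNATURES if sig.pattern.search(request_line)]
    return ("DROP" if hits else "FORWARD"), hits


def run(requests: list[str]) -> dict[str, str]:
    """Apply inspect() to every request and map request -> action."""
    return {req: inspect(req)[0] for req in requests}


# Constructed sample of request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /docs/index.html HTTP/1.1",                            # benign
    "GET /download?file=..%2f..%2fetc%2fpasswd HTTP/1.1",       # known exploit
    "GET /download?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1",  # unseen variant
    "GET /docs/../../README.md HTTP/1.1",                       # legitimate relative path
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, hits = inspect(req)
        print(f"{action:8} {hits} <- {req}")
```

Running it shows the trade-off the text describes: the unseen variant is only caught by the vulnerability-facing signature, while the legitimate relative path is also dropped by that same broader signature, which is the false-positive cost of matching the weakness rather than the exploit.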
In contrast, the anomaly-based IPS implementation focuses on monitoring abnormal behaviour by comparing random samples of network traffic and activity against a baseline standard. It does not centre the analysis on signatures; instead it focuses on the behaviour of the entire network, identifying abnormal patterns and abnormal traffic sequences in order to raise alarms and apply the corresponding actions. Compared to the signature-based type, this type is more robust in that it does not focus only on well-known vulnerabilities but also on possible new ones. Although more robust, it may also produce a higher false positive rate if not properly configured and adjusted to the security policy. Some newer and more advanced intrusion protection systems use artificial intelligence and machine learning technologies to support anomaly-based monitoring, though it is then necessary to train the model on datasets of behaviour considered normal, which in the specific case of critical systems is not always an easy task.
Anomaly-based IPSs take random samples of network traffic and compare them to a pre-calculated baseline performance level. When the sampled network traffic activity is outside the chosen parameters or thresholds of baseline performance, the IPS takes action to handle the situation.
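The baseline-and-threshold mechanism described in the two paragraphs above, as an added example that is not part of the original text: a baseline (mean and standard deviation of new connections per 10-second window) is pre-calculated from constructed "normal" training windows, and sampled windows are blocked when they exceed the mean by more than k standard deviations. The counts, the window size, the k values and the ALLOW/BLOCK actions are all assumptions made for the illustration; the example also shows how lowering k tightens the threshold and raises the false positive rate, which is the configuration trade-off the text mentions.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Pre-calculated 'normal' level of one traffic metric."""
    mean: float
    stdev: float


def build_baseline(training_windows: list[int]) -> Baseline:
    """Compute the baseline from counts observed during normal operation."""
    return Baseline(statistics.fmean(training_windows),
                    statistics.pstdev(training_windows))


def threshold(baseline: Baseline, k: float) -> float:
    """Upper bound of 'normal': mean plus k standard deviations.

    A perfectly flat training set has stdev 0, which would make the bound
    equal to the mean and flag every increase; a floor of 1.0 avoids that.
    """
    return baseline.mean + k * max(baseline.stdev, 1.0)


def classify(samples: list[int], baseline: Baseline, k: float) -> list[str]:
    """Return ALLOW/BLOCK for each sampled window (one action per sample)."""
    bound = threshold(baseline, k)
    return ["BLOCK" if count > bound else "ALLOW" for count in samples]


def sample_windows(stream: list[int], n: int, seed: int = 0) -> list[int]:
    """Pick n windows at random from a stream, mirroring how an anomaly-based
    IPS samples traffic rather than inspecting every packet."""
    return random.Random(seed).sample(stream, n)


# Constructed training data: new connections per 10-second window to one
# service during a quiet period (not real measurements).
TRAINING_WINDOWS = [40, 45, 38, 50, 42, 47, 44, 41, 46, 43]

# Constructed later observations: the third window is a sudden burst.
OBSERVED_WINDOWS = [44, 52, 180, 47]

if __name__ == "__main__":
    base = build_baseline(TRAINING_WINDOWS)
    print(f"baseline mean={base.mean:.1f} stdev={base.stdev:.2f}")
    for k in (3.0, 2.0):
        actions = classify(OBSERVED_WINDOWS, base, k)
        print(f"k={k}: bound={threshold(base, k):.1f} -> {actions}")
```

With k = 3 only the burst of 180 connections is blocked; with k = 2 the threshold drops below 52, so a window of ordinary traffic is blocked as well, which is exactly the false positive the text warns about when thresholds are not adjusted to the environment.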
The third type, the policy-based intrusion protection system, is the least common of the three. It enforces security policies defined by the enterprise, blocking the activities that violate those policies. This type of IPS requires full configuration of the security policies and, consequently, careful planning and design as well as frequent updates and administration.
Some scholars, just as with IDSs, also classify IPSs into four further types according to their nature: network intrusion prevention system (NIPS); host intrusion prevention system (HIPS); network behaviour analysis (NBA); and wireless intrusion prevention system (WIPS).
The first two types are once again similar to their intrusion detection counterparts, being installed at network or host level. NIPS are installed at the network level, only at strategic points, to monitor the entire network or sub-networks; they monitor network traffic proactively and scan it for threats. HIPS are installed at the endpoint level, such as a computer or server, and focus on analysing the inbound and outbound traffic of that specific machine. Here it is necessary to take into consideration that the higher the number of HIPS in the network, the more IPS traffic is created and, consequently, the higher the load on the network. HIPS work best in combination with a NIPS, serving as a last line of defence against threats that have made it past the NIPS.
Network behaviour analysis, or NBA, works by analysing network traffic to detect unusual traffic flows, such as a DDoS (Distributed Denial of Service) attack.
The last IPS type, WIPS, is designed specifically for wireless networks, scanning them for unauthorised access and removing unauthorised devices from the network.