Intrusion Prevention System
Group 6
Mu-Hsin Wei, Renaud Moussounda

What is IPS

IPS (Intrusion Prevention System)
Control access to a network
Similar to firewall, but different…

What’s the difference?

Traditional firewall – examines header
IPS – examines payload as well
DPI (Deep Packet Inspection)

DPI enables IPS to…

Gather more information
Detect certain attack signatures
Control network traffic intelligently
- ftp root access (user root)
- HTTP content

Tradeoff

Payload
- no fixed fields
- large in size
Requires high computing resources
- CPU
- memory
Hardware implementation

IDS vs IPS

Intrusion Detection System (IDS):
- DPI
- detects
- Snort
IPS:
- DPI
- takes action
- snort_inline + iptables

Proof of concept

Implement an IPS using:
- snort_inline, and
- iptables
Test IPS using:
- Lab4 firewall configuration
- Lab6 imapd buffer overflow

Lab 4 setup

Black – attacker
Protected – victim
Firewall – IPS

How to capture the attack?

Attack using buffer overflow string
Long sequence of NOP
snort_inline checks for …90 90 90 90...

Flow

Protected runs vulnerable service
BlackHat attacks
snort_inline captures the attack and tells iptables to block the traffic
Protected remains safe
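The payload check from the "How to capture the attack?" slide (a long run of 0x90 bytes) and the inline decision from the "Flow" slide (the sensor inspects, the firewall blocks), as an added example for this transcript; it is not code from the presentation, from snort_inline or from iptables. The threshold and the sample payloads are constructed for illustration.

```python
"""NOP-sled check modelled on the snort_inline + iptables flow on the slides.

Added example, not code from the slides or from Snort.  It scans a TCP
payload for a run of 0x90 bytes (x86 NOP) and returns the verdict an inline
IPS would hand to the packet filter: "drop" or "pass".
"""

NOP = 0x90
# Minimum number of consecutive 0x90 bytes that counts as a sled.  Chosen for
# this example; a real rule's threshold is a tuning decision (too low gives
# false positives on binary traffic, too high misses short sleds).
SLED_THRESHOLD = 32


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of consecutive NOP bytes in the payload."""
    best = run = 0
    for b in payload:
        if b == NOP:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def inline_verdict(payload: bytes, threshold: int = SLED_THRESHOLD) -> str:
    """Decision an inline IPS would make for one packet: 'drop' or 'pass'."""
    return "drop" if longest_nop_run(payload) >= threshold else "pass"


# Constructed sample traffic for the IMAP service used in the lab scenario.
BENIGN_IMAP_LOGIN = b"a001 LOGIN alice secret\r\n"

# Constructed stand-in for an overflow string: a long NOP run followed by
# filler bytes.  The sled alone is what the check keys on.
SLED_PAYLOAD = b"a002 AUTHENTICATE " + bytes([NOP]) * 200 + b"\x41" * 64 + b"\r\n"

# Scattered NOPs that never form a long run should pass (no false positive).
SCATTERED_NOPS = (bytes([NOP]) * 8 + b"\x00") * 10


def demo() -> None:
    for name, pkt in [("benign login", BENIGN_IMAP_LOGIN),
                      ("sled payload", SLED_PAYLOAD),
                      ("scattered NOPs", SCATTERED_NOPS)]:
        print(f"{name:15s} longest 0x90 run={longest_nop_run(pkt):3d} -> {inline_verdict(pkt)}")


if __name__ == "__main__":
    demo()
```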

IPS + Lab4 + Lab6

BlackHat, Protected, and IPS

Implication

One for all
Less dependent on individual server
Vulnerable service made secure
Enhanced security

What will you do in the lab?

Set up machines & install software
Perform first attack without IPS
Perform second attack with IPS enabled
Appreciate IPS/DPI

Questions?