Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


February 21, 2006

NIPS and HIPS

We’re not talking about plastic surgery
A Web Exclusive from Windows IT Pro
Shon Harris
Feature
InstantDoc #49230
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join | See More Security Articles Here | Reprints
Or sign up for our VIP Monthly Pass!

Besides letting you set a threshold for the appropriate level of traffic allowed into a particular system, Top Layer Networks' Attack Mitigator IPS 5500 provides an interesting functionality called connection proxying that other NIPS products don't appear to have. Connection proxying lets you limit the number of incomplete TCP connections. An incomplete TCP connection usually indicates malicious activity, such as a SYN flood attack. Once the threshold for the number of allowed incomplete TCP connections is reached, Attack Mitigator works as a proxy between the sender and receiver. The connection packets will still come to Attack Mitigator, but it allows the traffic to continue to the destined computer only if the TCP connect completes (SYN, SYN/ACK, ACK packet sequence).

Depending on how you configure dedicated NIPS appliances, once the threshold for the appropriate level of traffic has been exceeded, they can throttle the traffic, drop packets entirely, reroute traffic, or send an alert to an administrator. Thus, you have an effective countermeasure for Denial of Service (DoS) attacks. The trick is to know how to properly calibrate a rate-based IPS so that the right level of protection is being provided and still not drop or reroute legitimate traffic. For example, what would be the acceptable number of packets that should be going to your DNS server, Web servers, and mail servers? An administrator would have to learn the correct thresholds through on-the-job training and continually tweak the IPS appliance until just the right amount of traffic is allowed to the different destinations.

Customers who implement rate-based NIPS appliances often complain that it's hard to determine the correct thresholds for host-to-host traffic and even port-to-port traffic. A few vendors provide the methodologies and tools necessary to monitor traffic so that you can set the correct thresholds, but this is rare. More often, vendors provide overly complex steps or send an engineer to create the baselines, which later might have to be recalibrated as the environment changes or traffic loads change.

Content based. Content-based NIPS appliances look for anomalous behavior and protocol anomalies to detect malicious payloads. Traditional IDSs work the same way, so content-based NIPS appliances don't represent a tremendous leap in ingenuity.

Content-based NIPS appliances look for anomalous behavior, such as FTP traffic going toward port 53, binary code within a user password, or an excessive number of bytes coming from a Web browser. In addition, they use signatures to look for protocol anomalies to identify packets that aren't compliant to specific protocol Request for Comments (RFCs). This has caused many false positives because many vendors don't choose to follow the protocol RFCs completely. Content-based IPS appliances also look for specific malicious protocol anomalies. For example, here are some potentially malicious modifications to the network and transport headers of a packet:

  • incorrect length of header or field
  • corrupt checksums
  • incorrect TCP segmentation overlaps
  • inconsistent use of flags within header fields

Some content-based IPS appliances dig deeper into the packet to look for potentially malicious activity within the application-layer headers. Application-layer protocol anomalies that can be detected include

  • illegal protocol command usage
  • unusually long or short field lengths, which might indicate a buffer overflow
  • using a protocol for unusual purposes
  • mapping a protocol to an unusual port number
  • incorrect field values and combinations

Many content-based NIPS appliances are shipped with the same type of signature database you would find in IDSs. Because one of the biggest problems with IDSs is false positives, some IPS vendors have only about a fourth of their signature rules enabled out of the box. You can enable the other signatures as you see fit. As with rate-based NIPS appliances, content-based NIPS appliances can be configured to drop packets, reset connections, and even create a short-lived blacklist of IP addresses that are sending malicious traffic.

Some IPS products attempt to combine content-and rate-based features. However, it's difficult for one product to do both well at the same time because of the amount of resources required for these different types of packet inspections.

   Previous  1  [2]  3  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Windows Chief Leaving Microsoft

Kevin Johnson, the man most directly responsible for current and future versions of Windows, as well as Windows Live and Microsoft's online services, is leaving the company for a position at Juniper Networks. Johnson has been co-president or president ...

How can I limit Exchange mailbox size?

...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...
Security Whitepapers Anti-Virus Is Dead: The Advent of the Graylist Approach to Computer Protection

Getting the Job Done: Comparing Approaches for Desktop Software Lockdown

Instant Messaging, VoIP, P2P, and games in the workplace: How to take back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.


ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Shortcut Guide to SQL Server Infrastructure Optimization
With right tools and techniques, you can have a top-performing SQL Server infrastructure without having to cram your data centers so that they're overflowing. Download this eBook to learn how.

WinConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

Become a fan of Windows IT Pro on Facebook!
Join us on Facebook and be a fan of Windows IT Pro!

Continuous Data Protection and Recovery for Exchange
Read this white paper to learn about Continuous Data Protection (CDP), Exchange 2007's local continuous replication and cluster continuous replication features.

Rev Up Your IT Know-How with Our Recharged Magazine!
The improved Windows IT Pro provides trusted IT content with an enhanced new look and functionality! Get comprehensive coverage of industry topics, expert advice, and real-world solutions—PLUS access to over 10,000 articles online. Order today!

Tips to Managing Messaging
Discover three fundamental mail and messaging management services - security, availability and control services - and how you can implement them in a Microsoft-centric mail and messaging environment.

Get It All with Windows IT Pro VIP
Stock your IT toolbox with every solution ever printed in Windows IT Pro and SQL Server Magazine plus bonus Web-exclusive content on hot topics. Subscribe to receive the VIP CD and a subscription to your choice of Windows IT Pro or SQL Server Magazine!



Solving PST Management Problems
In this white paper, read about the top PST issues and how to administer local/network PST files.

Bandwidth Monitoring Tool from SolarWinds
Identify largest bandwidth users in seconds. Get the free download now.

Transform Your Data Center at Brocade Conference 2008
Storage networking industry’s premier event at the MGM Grand, Las Vegas, September 22 - 24, 2008

Are You Litigation Ready?
Collecting and processing electronic data for e-discovery can be time-consuming and expose a business to significant legal risks. Get prepared with this free white paper

Order Your Fundamentals CD Today!
Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.

KVM over IP Solutions
Learn about a KVM over IP solution that is specifically designed to meet the needs of the distributed IT environment.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound
IT Library Technical Resources Directory Connected Home Windows Excavator SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing