To the general public, an article called "NIPS and HIPS" might sound like a discussion about intrusive plastic surgery. For security administrators, though, "NIPS and HIPS" should sound like a dream come true: preventive remedies for fending off a long laundry list of network attacks.
NIPS and HIPS are two types of Intrusion Prevention Systems (IPSs). Some security administrators believe IPS is just a marketing term that lets vendors promote Intrusion Detection Systems (IDSs) in a new way. Other people are less skeptical and see IPS as the next evolutionary step in network protection devices. These opinions are commonly based on the various definitions of IPS. Even the IPS vendors can't agree on a standardized definition or technology model. However, this technology is new. Only time will tell if the market will embrace it.
The most commonly agreed-on definition is that an IPS is an inline device that is a combination of an IDS and application-layer firewall. Most organizations don't use firewalls that work at the application layer of the network stack because of the performance hit that occurs with having to use so much processing power to dig through all of the components of each and every packet to try to identify something malicious. Today's firewalls mainly make their access decisions based on the network and transport layers of a packet, which misses many of the crucial portions that can be carrying malicious payloads.
As Figure 1 shows, firewalls use access criteria based mainly on IP addresses, port numbers, and a limited amount of information pertaining to the protocols the packets are using. IDSs evaluate the traffic but can't stop the traffic from entering the network. IPS evaluates traffic at a deeper level than most firewalls before it allows the traffic in through a port—the best of both worlds. However, current IPS products are constrained by a fundamental limitation: They can block only the traffic they see. Nowadays, more and more environments are switched—and if IPS is to monitor all the individual communication channels through the switching fabric, many IPS devices are needed, which is cost prohibitive. This means that an inline IPS can't cover the entire network until network infrastructure vendors are able to cost-effectively replace conventional switches with combination switch-IPS products. Some infrastructure companies are starting to build security intelligence into their network devices and protocols, which will provide a more holistic and integrated approach to security, but it'll take them a few years to get to that point. So, let's take a look at what you can do today with the various IPS products available.
Just as there are network IDS (NIDS) and host IDS (HIDS) solutions, there are network IPS (NIPS) and host IPS (HIPS) solutions. NIPS solutions evaluate traffic before it's allowed into a network or subnet. HIPS solutions evaluate packets before they're allowed to enter a computer.
Besides the NIPS and HIPS differentiation, IPSs can be differentiated by the type of product. IPS functionality can be
- packaged as a dedicated appliance. Dedicated IPS appliances are standalone products. They're usually inline NIPS devices, which means all traffic must pass through them to gain access to the network.
- integrated into other products. Some vendors have started integrating IPS functionality into their existing security products. For example, firewall vendors Check Point Software Technologies and Juniper Networks have integrated IPS functionality into their Fire-Wall-1 and NetScreen-5GT firewalls, respectively.
Because most organizations already have firewalls and are looking to supplement rather than replace them, let's concentrate on dedicated NIPS appliances and HIPS solutions.
Dedicated NIPS Appliances
Dedicated NIPS appliances have no MAC or IP address, so hackers can't attack them directly. The appliances use either rate-based functionality or content-based functionality.
Rate based. Rate-based IPS appliances use thresholds that detect when there are too many connections, errors, or packets coming into the network. The way in which NIPS appliance vendors address rate-based protection differs between products. However, all NIPS appliances let administrators define the computers, ports, and applications that need to be protected. Source and destination IP addresses and port numbers are used so that a certain baseline of traffic can be set for each computer and each service that the computer is providing. Administrators typically use wildcard values for the source IP addresses and port numbers because it's impossible to know about all the systems that are going to initiate contact.
Some NIPS appliances let administrators set the rate baselines by using quantitative bandwidth values. Other appliances use qualitative values, such as high, medium, or low. The Captus Networks' Captus IPS 4000 series can identify when a specific service is being overwhelmed and can start throttling the traffic. If the same amount of traffic continues, the product can disconnect access to the service from that client.