Intrusion Detection and Prevention Systems

Introduction:
Consumer demands for new and innovative products and services continue to expand and many organizations are creatively looking to meet or exceed those demands. Rapid technological advancements have facilitated business growth and have been utilized for consumer satisfaction. Unfortunately, vulnerabilities in digital systems, recklessness and deficient policies and practices have contributed to a large number of successful breaches. In almost every instance, victims have incurred financial losses and massive inconvenience.

    Here are the commonly used techniques for perpetrating malicious acts on digital assets:

  •   Exploits: Taking advantage of hidden features or bugs such as buffer overflows, directory traversal and DNS cache poisoning to gain unauthorized access.
  •   Advanced persistent threats (APT): Specific people or networks are targeted with attack techniques that are designed to be successful against the intended victim. Stealth is an important aspect of this type of attack, which is sustained until a breach is achieved. The sophistication of the attack can range from low cost and simple to expensive and highly complex. Advanced malware, bots and distributed denial of service (DDoS) are commonly used mechanisms in APT-based attacks.
  •   Reconnaissance: This describes the actions typically employed before the malicious payload is delivered and activated. Host sweeps, TCP/UDP port scans, e-mail recons, brute force password guessing and indexing of public web servers are among the popular reconnaissance methods in use.
  •   SQL injections: A popular technique that leverages user input via web content for the purpose of effecting damage to databases. Malicious code is unknowingly placed in an SQL statement and executed.
  •   Policy violations: All activity, whether malicious or not, that does not conform to known standards should be treated with the highest level of skepticism. Network protocol violations should be categorized as violations of policy.

Shifts in business models have resulted in greater consumption of cloud services with the current landscape reflecting a mixture of on-premise and cloud systems. Whether a business has migrated completely to the cloud, remained exclusively on-premise or adopted the hybrid paradigm, digital data will be at risk unless deliberate steps have been taken to invoke adequate security. It is sufficient to appreciate that the threat scene is aggressive and miscreants have amassed lots of resources giving them significant advantage in the security space. An approach that is highly recommended for inclusion into the digital security arsenal is intrusion detection and prevention (IDPS).

The necessity of IDPS

Many types of security device exist in the marketplace and while each serves an important purpose, there are many reasons why it is critical to include IDPS to protect the digital assets of an organization.

    Here are some of the reasons why numerous organizations continue to depend on IDPS to enhance security:

  •   Improved attack repulsion.
  •   Sustained high performance especially in 10 Gbps + network environments.
  •   Layer 2 functionality leading to easy deployment and higher security quality than a transparent NGFW, especially for internal network segmentation.
  •   High performance penalty in almost all scenarios where IDPS is a part of an NGFW.
  •   The best-of-breed next generation IDPS features are substantially absent from firewalls.
  •   Advanced inspection required without routing and NAT is already established. Examples include public cloud and software defined networks.
  •   The inspection of traffic that has passed through firewalls, secure web gateways and secure email gateways.

Data Centers and the IDPS

In addition to the list presented here, organizations often deploy IDPS to secure the data center. The reason is that data center traffic is notably different from traffic that traverses the network perimeter. For any data center security device, colossal performance is key.

    Factors peculiar to data centers include:

  •   High traffic volume.
  •   High data rates.
  •   High number of concurrent connections.
  •   Stateless user datagram protocol (UDP) traffic.
  •   Venerable transmission control protocol (TCP) connections.

A rich profile mix is characteristic of data center activity due in large part to interactions between users and assorted servers (file, database, application, directory, etc.), network and backup application traffic. As connections are constantly being built and terminated, any security device such as a firewall will introduce unwanted latency. Therefore, an IDPS that is securing a data center must be of sufficient quality to deliver high performance without sacrificing the level of security inspection and blocking.

Next Generation IDPS Ecosystem

A next generation IDPS is an ecosystem of integrated security systems designed to resist dynamic, advanced and evolving attacks from diverse sources.

Through our strategic partnership with McAfee, TRUSTWORTHY Systems Inc. can assist you with the provisioning of an IDPS most suitable for your security needs. The following McAfee components integrate with the core McAfee IDPS:

McAfee Global Threat Intelligence (GTI).

This is an intelligence gathering network that correlates digital hazard information from all threat areas. GTI consists of IP Reputation and File Reputation cloud-based services.

    IP reputation provides:

  •   Web reputation for protection against web-based threats.
  •   Web categorization for policy-based action on user activity.
  •   Message reputation for protection against message-based threats such as spam.
  •   Network connection reputation, which combines IP address, network port and communications protocol information for protection against network threats.

File reputation provides real-time protection against file level threats. GTI queries threat data from the McAfee Network Security Platform (NSP) and combines that data with data from other threat vectors to identify relationships. This includes identifying malware used in network intrusions, web protocols embedded in malware, websites hosting malware, callback activity, bot activity and other malicious agents. GTI constantly updates NSP with the latest reputation or categorization intelligence to augment its IDPS capabilities.

McAfee Threat Defense

Hundreds of thousands of new malware variants proliferate daily within the digital space and this challenges security tools and personnel enormously. One of the countermeasures introduced by McAfee is Advanced Threat Defense (ATD). This is an on-premise appliance that analyses files for malicious content that might otherwise go undetected.

When the McAfee NSP encounters a somewhat suspicious file attempting to enter the network, it sends a copy of the file to ATD for analysis. A positive result from ATD signals the NSP to immediately block the file. For files delivered to ATD after they have been found within the network, a positive result can trigger NSP to quarantine the computers or other devices on which the malware was found.

McAfee Network Threat Behavior Analyzer.

The McAfee Network Threat Behavior Analysis (NTBA) appliance is a solution for monitoring network traffic in real time through analysis of flow information traversing the network. Graphical real-time views of network traffic, consisting of a moving profile of applications, endpoint, zones and interface traffic, are provided. Specifically, NTBA can detect and report on port scans, endpoint sweep attacks, endpoint name changes and network traffic volume. When integrated with the McAfee NSP, the NTBA can process layer 7 traffic, identify devices and users that generate the most IDS events and permit forensic analysis for IPS events.
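The flow-based detection of port scans and endpoint sweeps described above can be sketched as follows. This is an added example, not McAfee's NTBA logic or code from this page; the record layout, function names, 60-second window and thresholds of 10 are assumptions, and the flow records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# Addresses come from documentation ranges; none of this is real traffic.
SAMPLE_FLOWS = (
    [(100 + i, "192.0.2.10", "198.51.100.5", 20 + i) for i in range(12)]         # many ports, one host
    + [(200 + i, "192.0.2.20", f"198.51.100.{i + 1}", 445) for i in range(15)]   # one port, many hosts
    + [(300 + 40 * i, "192.0.2.30", "198.51.100.9", 8000 + i) for i in range(12)]  # same, but slow
    + [(400 + i, "192.0.2.40", "198.51.100.7", 443) for i in range(50)]          # busy, normal client
)

def max_distinct_in_window(events, window):
    """events: time-sorted list of (ts, value). Return the largest number of
    distinct values seen in any sliding window of `window` seconds."""
    best, left, counts = 0, 0, defaultdict(int)
    for ts, value in events:
        counts[value] += 1
        while events[left][0] <= ts - window:   # expire flows older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best

def detect(flows, window=60, port_threshold=10, host_threshold=10):
    """Return sorted alerts as (kind, src, target, distinct_count)."""
    by_pair = defaultdict(list)   # (src, dst)      -> [(ts, dst_port)]
    by_port = defaultdict(list)   # (src, dst_port) -> [(ts, dst)]
    for ts, src, dst, dport in sorted(flows):
        by_pair[(src, dst)].append((ts, dport))
        by_port[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dst), events in by_pair.items():
        n = max_distinct_in_window(events, window)
        if n >= port_threshold:                 # one source probing many ports on one host
            alerts.append(("port_scan", src, dst, n))
    for (src, dport), events in by_port.items():
        n = max_distinct_in_window(events, window)
        if n >= host_threshold:                 # one source probing one port on many hosts
            alerts.append(("endpoint_sweep", src, f"port {dport}", n))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The constructed source 192.0.2.30 spaces its connections 40 seconds apart and stays under the 60-second threshold, so tuning usually pairs a short window with a longer one.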

A summary of NTBA capabilities follows:

  •   Network-wide visibility indicating how systems are used, who uses them, how they connect and depend on each other, as well as the ports and protocols they connect over.
  •   Protection from threats such as insider attacks, unauthorized servers or services and zero-day attacks.
  •   Regulatory compliance reporting for Administrators is realizable since the occurrence of network events can be determined unambiguously.
  •   Identification of internal misuse and potentially harmful practices.

The Core IDPS Product

The McAfee NSP consists of one or more McAfee network security sensors (sensor) and the McAfee network security manager (manager), which may be an appliance or software.

  •   1 Network Security Manager (Manager)
  •   2 Network Security Sensor (IPS Sensor)
  •   3 McAfee Update Server
  •   4 Web clients accessing the Manager server
  •   5 Manager Disaster Recovery (MDR) server
  •   6 Alert notification: email, pager, script generation

The sensor is a high-performance, scalable and flexible content processing appliance built for accurate detection and prevention of intrusions, misuse, malware, DoS and DDoS attacks. The sensor is specifically designed to handle traffic at wire-speed and to efficiently inspect and detect intrusions with a high degree of accuracy. If an attack is detected, a sensor responds according to its configured policy. A sensor can perform many types of attack responses, including generating alerts and packet logs, resetting TCP connections, scrubbing malicious packets and blocking malicious packets before the target is compromised.

The manager is used to configure and manage the sensor(s). The administrator connects to the manager from a client system through a browser and can access alerts, status, configuration, reports and fault management functions. All the major features in NSP are policy based, with policies for firewall, IPS, recon, QoS and others accessible through the manager.

Through partnership with McAfee, the team at TRUSTWORTHY Systems Inc. is ready to assist organizations with the design, provisioning and support for a robust next-generation IDPS solution.

Let TRUSTWORTHY Systems Inc. be the catalyst for risky behavior, change and development of a better digital experience within your organization.
