© SANS Institute 2008, Author retains full rights.
Network IDS & IPS Deployment Strategies
3. Network Intrusion Prevention System (IPS)

The ability to monitor network traffic is a key component of protecting information systems. Even so, defending those systems from the many threats they face can be a daunting task. A firewall is commonly used to provide a layer of security for its local network, but firewalls by themselves have limitations: most can only block based on IP addresses or ports. In contrast, Network Intrusion Prevention Systems (IPS) are able to use signatures designed to detect and defend against specific types of attacks, such as denial of service attacks, among others. This is an advantage, for instance, at sites hosting Web servers.

To permit Web service traffic, a firewall passes Hypertext Transfer Protocol (port 80) to external systems, if not the entire world. This opens up risk because many attacks and exploits are inherent to Web server applications (e.g., Apache, Microsoft IIS). Even when the Web server is fully patched and well maintained, insecure Web applications all too often exist on a target Web server, and Web applications themselves introduce additional risks (e.g., Cross-Site Scripting).

Coupling a firewall with an IPS creates the potential to reduce these risks. An IPS is capable of monitoring the content deep inside the Web traffic. When the IPS discovers an event considered to be a true positive, the malicious connection is dropped and all subsequent matching packets are destined for the same outcome. In this ideal situation, the Web server never commits processing power to the malicious attack as it continues providing Web content to the legitimate clients it was
Nicholas Pappas, page 7
© 2021 SANS Institute, Author Retains Full Rights
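As an added example (not code from the paper), the following Python simulation puts a port-based firewall rule in front of a signature-based IPS, as the section above describes: the firewall admits any source to port 80, the IPS inspects the HTTP content and, on a true positive, drops the connection and every later packet of that same flow. The addresses, signatures and sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

WEB_SERVER = "203.0.113.10"  # constructed address (RFC 5737 range), not from the paper

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str  # application-layer content; only the IPS looks at this

def firewall_allows(pkt: Packet) -> bool:
    # Address/port filter only: the whole world may reach the Web server on port 80
    return pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80

# Hypothetical content signatures for illustration; a real IPS ruleset is far richer
SIGNATURES = {"xss-script-tag": "<script>", "directory-traversal": "../../"}

class Ips:
    def __init__(self) -> None:
        self.blocked_flows = set()  # (src, dst, dport) of connections already dropped
        self.alerts = []            # (signature name, flow) for each true positive

    def inspect(self, pkt: Packet) -> str:
        flow = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if flow in self.blocked_flows:  # later packets of a dropped connection
            return "IPS-DROP"
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload.lower():
                self.blocked_flows.add(flow)
                self.alerts.append((name, flow))
                return "IPS-DROP"
        return "PASS"

def process(ips: Ips, pkts: list) -> list:
    # The firewall decides first on address/port; the IPS then inspects content
    verdicts = []
    for pkt in pkts:
        verdicts.append(ips.inspect(pkt) if firewall_allows(pkt) else "FW-DROP")
    return verdicts

# Constructed sample traffic: a legitimate client, a port the firewall blocks, a client
# sending an XSS payload, then a benign-looking request on that same (now dropped) flow
SAMPLE = [
    Packet("198.51.100.5", WEB_SERVER, 80, "GET /index.html HTTP/1.1"),
    Packet("198.51.100.5", WEB_SERVER, 22, "SSH-2.0-client"),
    Packet("198.51.100.77", WEB_SERVER, 80, "GET /?q=<script>alert(1)</script> HTTP/1.1"),
    Packet("198.51.100.77", WEB_SERVER, 80, "GET /about.html HTTP/1.1"),
    Packet("198.51.100.5", WEB_SERVER, 80, "GET /contact.html HTTP/1.1"),
]
```

Running `process(Ips(), SAMPLE)` yields PASS, FW-DROP, IPS-DROP, IPS-DROP, PASS: the fourth packet is dropped purely because its flow was already flagged, which is the "subsequent matching packets" behaviour the section describes.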