
LECTURE 4: NETWORK-BASED IPS
Partially adapted from slides of Cisco CCNA Security and Fortinet Network Security Expert
Primary Kinds of IPS
Two primary kinds of IPS
◦ host-based
◦ network-based
Host-based IPS (HIPS)
◦ A combination of anti-virus software, anti-malware software, and firewall
installed on a single host to monitor and analyze suspicious activity
◦ monitor abnormal activity and prevent the host from executing commands
that do not match typical behavior, including
◦ unauthorized registry updates,
◦ changes to the system directory,
◦ executing installation programs,
◦ activities that cause buffer overflows.
◦ participating in a denial-of-service (DoS) attack
◦ being part of an illicit FTP session
◦ To be effective in a network, HIPS must be installed on every host and
support every operating system.
Disadvantage: operates only at a local level and does not have a
complete view of the network
Lecture 4 EIE4118 INTRUSION DETECTION AND PENETRATION TEST 2
Network-based IPS Sensors
A network-based IPS can be a dedicated or non-dedicated IPS device.
Host-based IDS/IPS must be integrated with a network-based IPS to ensure a robust
security architecture.
Deployed at designated network points in the following ways, sensors detect malicious/unauthorized activity in real time and can take action when required:
◦ Deployed on a router with IPS feature
◦ Deployed on a firewall device with IPS feature
◦ Deployed on a switch with IPS feature
◦ Deployed as a standalone device, such as a Cisco IPS 4300 Series Sensor

Network-based IPS Sensors (2)
The hardware of the IPS sensor includes three components:
◦ NIC - The network-based IPS must be able to connect to any network,
such as Ethernet, Fast Ethernet, and Gigabit Ethernet.
◦ Processor - Intrusion prevention requires CPU power to perform
intrusion detection analysis and pattern matching.
◦ Memory - Intrusion detection analysis is memory-intensive. Memory
directly affects the ability of a network-based IPS to efficiently and
accurately detect an attack.

The operating system of the device is stripped of unnecessary network services, and essential services are secured. This is known as hardening.
Additional sensors are required when the traffic in the protected network exceeds the rated capacity of the existing sensors.

Choose an IPS Solution
There are several factors that affect the IPS sensor selection and
deployment:
◦ Amount of network traffic
◦ Network topology
◦ Security budget
◦ Available security staff to manage IPS

Small implementations such as branch offices might only require a router with IPS feature. As traffic increases, the router can be configured to offload IPS functions to hardware add-ons.
Larger installations can be deployed using a firewall with IPS feature.
Enterprises and service providers might require a dedicated IPS appliance.

IPS Solution from Cisco
Router with IPS feature
◦ The Cisco IOS IPS is part of the Cisco IOS
software. The installation requires
downloading signature files and
adequate memory to load the signatures.
◦ Cisco 1900, 2900, and 3900 ISR G2
support Cisco IOS IPS.

Hardware add-ons for router
◦ Cisco IPS Advanced Integration Module (AIM) and Network Module Enhanced (NME)
◦ IPS AIM occupies an internal AIM slot on the router and has its own CPU and DRAM
◦ Monitors up to 45 Mb/s of traffic
◦ Full-featured intrusion protection
◦ Monitors traffic from all router interfaces, including IPsec traffic that has been decrypted at the router

IPS Solution from Cisco (2)
Firewall with IPS feature
◦ Cisco ASA 5500-X Series
◦ For small office and branch office
◦ ASA IPS throughput: 250–2000 Mbps (extra hardware not required)

Dedicated IPS appliance
◦ Cisco IPS 4300 and 4500 Series Sensors
◦ Inspection throughput: 5–20 Gbps
◦ Combines inline IPS services with improved accuracy in detecting, classifying, and stopping threats including worms, spyware, adware, and network viruses.

IPS Solution from Cisco (3)
Snort
◦ Snort is an open-source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) developed by Sourcefire, which Cisco acquired in 2013.
◦ Snort is cross-platform and runs on Linux, Windows, FreeBSD, Solaris, and Mac OS X.
◦ Snort is a command-line tool, but has two popular GUIs: SnortSnarf and IDScenter.
◦ For NIDS, Snort operates as a network sniffer and logs activity that matches predefined signatures for a wide range of traffic, including IP, TCP, UDP, and ICMP.
◦ For NIPS, Snort operates in inline mode as a transparent bridge between two network segments. To support this mode, the host must have two network interfaces, each on a different network segment of the same logical subnet.
◦ These interfaces are configured in promiscuous mode without an IP address. Snort listens for traffic on each interface. When a packet arrives on an interface, Snort inspects the packet against the configured rules, then either drops the packet or sends it out the other interface without modification.
◦ Snort can be integrated in a security information and event management (SIEM) system such as OSSIM.

IPS Solution from Fortinet
IPS is one of the key features of a Next-Generation Firewall (NGFW).
◦ Other features include deep packet scanning, network application identification and control, and access enforcement based on user identity verification.

IPS is integrated in all FortiGate firewalls
◦ Up to over 200 Gbps of inline protection
◦ 10,000+ signatures consisting of 18,000 rules
◦ 1,000+ rules are updated or added per week
◦ 300+ zero-day vulnerabilities discovered
◦ DoS and DDoS mitigation

Enabling IPS
IPS sensors are added as security profiles to firewall policies

Pros and Cons of Network-Based IPS
Advantages
◦ Easily see attacks across the entire network. This provides a clear indication of the extent to which the network is being attacked.
◦ It does not have to support every type of operating system used on the network.
Disadvantages
◦ Cannot examine encrypted data
◦ Difficult to reconstruct fragmented traffic for monitoring purposes
◦ Cannot decide whether an attack was successful
◦ A single IPS sensor cannot capture all traffic in a network (more sensors needed)

Modes of Deployment
Inline mode
◦ IPS is put directly into the traffic flow.
◦ Packet-forwarding rate is slowed down by the added latency.
◦ Allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service.
Passive mode
◦ Packets do not flow through the sensor.
◦ A switched port analyzer (SPAN) is used to mirror the traffic entering, going to, and coming from the host.
◦ The sensor analyzes a copy of the monitored traffic, not the actual forwarded packet. Because the original packet has already been forwarded, a passive sensor cannot drop it; it can only alert or react after the fact (for example, by sending a TCP reset).

Packet Analyzer
A packet analyzer (also known as a packet sniffer or traffic
sniffer) is typically software that captures packets entering and
exiting the network interface card (NIC).
A packet analyzer can be a valuable tool to help monitor and
troubleshoot a network
It is not always possible or desirable to have the packet analyzer on the device that is being monitored. Sometimes it is better to place it on a separate station, attached to a hub or to a switch port designated to capture the packets.

Packet Analyzer (Cont’d)
Traffic sniffing on a hub
◦ When a hub receives an Ethernet frame, the bits received on one port are sent out all other ports except the port that the frame came in on. The packet analyzer is simply connected to the hub and can receive all traffic on that hub.
Traffic sniffing on a switch
◦ A Layer 2 switch forwards traffic destined for a MAC address directly to the corresponding port. This prevents a packet analyzer on another port from receiving it.
◦ Port mirroring is a switch feature that makes a duplicate copy of an incoming Ethernet frame and sends it out to a port with a packet analyzer.

Centralized IPS Implementation
Intrusion monitoring, analysis, detection, and prevention are moved from the target system to a separate system.

Hierarchical IPS Implementation
A subnet IDS console collects reports from local sensors and then sends reports to the higher-level IDS console (e.g., an enterprise-level IDS console). This higher-level IDS console might send all reported information to another, still higher-level IDS console that manages the detection and response among a set of cooperating networks.
Distributed IPS Implementation
Data is collected and analyzed
independently at a number of
locations/subnets.
Benefits
◦ Distribution of the computation cost
◦ Reduction in the amount of information sent over the network
◦ Fault tolerance and scalability

Next Generation IPS
◦ Internal Threats
◦ Advanced Threat Protection
◦ Anti-malware
◦ Anti-Botnet
◦ IP Reputation
◦ Emulation and Sandboxing
◦ Global Correlation

Internal Threats
IPS blocks malicious network activity and has been used as part
of edge-based protection as a firewall enhancement. However,
it is more effective to tie it into network segregation, enabling
protection against both internal and external attacks against
critical servers.

Anti-Botnet
Responsible for detecting and reacting to Distributed Denial of Service (DDoS) or other coordinated network attacks.
Organizations may prevent, uncover, and block botnet activities using anti-bot traffic pattern detection and IP reputation services supplied in real time. This capability is important in detecting and reacting to DDoS or other coordinated network attacks.
IP Reputation
Similar to human reputation, IP reputation is an opinion about a device on the Internet. A network device with a bad reputation is most likely either malicious or infected.
IP reputation can identify IP addresses that are likely to send unwanted requests. You can use the IP reputation list to preemptively reject requests coming from IP addresses with a bad reputation. It can block traffic from the following sources:
◦ Bots (virus-infected personal computers), which are the single biggest source of spam on the Internet. IP reputation can block large-scale DDoS, DoS, anomalous SYN flood, or password-stealing attacks from known infected sources.
◦ Compromised web servers used by attackers to send spam or viruses.
◦ Known mass email spammers.
◦ Phishing proxies that host phishing, ad click fraud, or gaming fraud sites.
◦ Anonymous proxies that provide proxy and anonymization services, such as Tor.
IP Reputation (Cont’d)
IP addresses, networks, mail servers, URLs, and other network
entities can all have a reputation.
Reputations can be tarnished when there is a reason that
causes others to become distrustful or suspicious.
Many of today’s network protection technologies and filtering
systems depend on lists to determine if the information is good
(whitelist) or bad (blacklist).
◦ For example, antispam technologies rely on these lists of bad email
server IP addresses to prevent the continued deluge of emails coming
from an identified spamming server.

Botnet Traffic Filter
IPS sensors can use reputation filters to deny IP addresses that are blacklisted
before the sensor does further analysis on the traffic. Reputation filters offer the
first level of defense by denying traffic based on IP addresses in the blacklist.

Code Emulation and Sandboxing
Code Emulation
◦ Allows testing of unknown or potentially malicious code by emulating
the actual environment where the code is intended to be executed.

Sandboxing
◦ Isolating unknown or potentially malicious code to fully execute all of its functions before allowing the traffic into the network.
◦ Sandboxing can detect zero-day exploits that other security solutions cannot identify.

Global Correlation
In addition to maintaining signature packs, an IPS should receive regular threat updates from a centralized threat database that contains real-time, detailed information about known threats active on the Internet.
Participating IPS devices receive global correlation updates that include information on network devices with a reputation for malicious activity. This increases IPS effectiveness because traffic is denied or allowed based on the reputation of the source IP address.
Participating IPS devices also share telemetry data with the centralized threat database to improve visibility of alerts and sensor actions on a global scale.

Global Correlation (Cont’d)
When participating in global correlation, the IPS sensor is provided with IP addresses and their reputation. The sensor uses this information to determine which actions to perform when potentially harmful traffic is received from a host with a known reputation. It is possible to view reputation scores in events and see the reputation score of attackers.
Global correlation also collects nearly real-time data from sensors around the world. Communication between sensors and the global correlation server involves an HTTPS request and response over TCP/IP.

What Does an IPS Sensor Consist Of?
IPS signatures
IPS engine:
◦ Includes protocol decoders and IPS inspectors
◦ Decoders parse protocols
◦ IPS inspectors find parts of protocol that don’t conform based on
signatures, for example, too many HTTP headers, a buffer overflow
attempt.

[Figure: inspection flow. Decision point: meets protocol requirements and signatures?]

Signature Attributes
Malicious traffic displays distinct characteristics or “signatures”.
◦ A signature is a set of rules that an IPS uses to detect typical intrusion activity, such as DoS attacks. These signatures uniquely identify specific worms, viruses, and protocol anomalies. They are conceptually similar to the virus.dat file used by virus scanners.

IPS sensors are tuned to look for matching signatures.
◦ As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions.
◦ An IPS sensor examines the packet flow using many different signatures. A sensor takes action when it matches a signature with a packet flow.
◦ Typical actions include logging the event or sending an alarm to the IPS management software.

Signatures have three distinctive attributes:
◦ Type
◦ Trigger (alarm)
◦ Action

Signature Types
Signature types are generally categorized as atomic or composite.
Atomic Signature
◦ A signature that is matched on a single packet, activity, or event.
◦ It does not require maintaining state information. If all signatures are atomic, the entire inspection can be accomplished in an atomic operation without any knowledge of past or future activities.
◦ Detecting atomic signatures consumes minimal resources, such as memory, on the IPS device.
• For example, a LAND attack has an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) whose source and destination IP address are both the target host's address and whose source and destination port are the same open port on the target, as shown in the figure. Such an attack causes the machine to reply to itself continuously.

Signature Types (Cont’d)
Composite Signature
◦ A composite signature is also called a stateful signature. Such signature
identifies a sequence of operations distributed across multiple hosts
over an arbitrary period of time.
◦ The length of time that the signatures must maintain state is known as
the event horizon. An IPS cannot maintain state information indefinitely
without running out of resources. So it must be configured to determine
how long the IPS will look for a specific attack signature when an initial
signature component is detected.
◦ Configuring the length of the event horizon is a trade-off between
consuming system resources and being able to detect an attack that
occurs over an extended period of time.
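The two signature types above, as an added example written for this lecture (not vendor code): the atomic LAND check decides on one packet with no state, while the composite signature keeps per-flow state so that a pattern split across two packets is still found, and discards that state once the event horizon has passed. The packets are constructed inline with a minimal IPv4/TCP builder (checksums left at zero); the pattern, addresses, ports and horizon values are assumptions.

```python
"""Atomic and composite (stateful) signature matching over raw IPv4/TCP packets.
Added example for this lecture, not vendor code. Packets are constructed inline;
checksums are left zero because the parser does not verify them."""
import struct

SYN = 0x02          # TCP flag bit for connection initiation
PSH_ACK = 0x18      # flags on an ordinary data segment


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                 payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + TCP packet (20-byte headers, no options)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Decode the fields a signature needs: addresses, ports, flags, payload."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = frame[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": ".".join(str(b) for b in frame[12:16]),
        "dst": ".".join(str(b) for b in frame[16:20]),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x1FF,
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def land_attack(pkt: dict) -> bool:
    """Atomic signature: decided from this one packet, no state kept."""
    return bool(pkt["flags"] & SYN) and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


class CompositeSignature:
    """Stateful signature: a byte pattern that may be split across packets of
    one flow. Per-flow state is discarded once the event horizon has passed."""

    def __init__(self, pattern: bytes, event_horizon: float):
        self.pattern = pattern
        self.event_horizon = event_horizon
        self.state = {}   # flow -> (time of last packet, retained tail bytes)

    def inspect(self, pkt: dict, now: float) -> bool:
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        last, tail = self.state.get(flow, (now, b""))
        if now - last > self.event_horizon:
            tail = b""                       # state expired: forget the earlier fragment
        buf = tail + pkt["payload"]
        keep = len(self.pattern) - 1         # enough to catch a match straddling the next packet
        self.state[flow] = (now, buf[-keep:] if keep else b"")
        return self.pattern in buf


def run_demo() -> dict:
    land = parse_ipv4_tcp(build_packet("10.0.0.5", "10.0.0.5", 139, 139, SYN))
    normal = parse_ipv4_tcp(build_packet("10.0.0.9", "10.0.0.5", 40000, 139, SYN))
    frag1 = parse_ipv4_tcp(build_packet("10.0.0.9", "10.0.0.5", 40000, 80, PSH_ACK,
                                        b"GET /cgi-bin/x?f=/etc/pa"))
    frag2 = parse_ipv4_tcp(build_packet("10.0.0.9", "10.0.0.5", 40000, 80, PSH_ACK,
                                        b"sswd HTTP/1.0\r\n"))
    fast = CompositeSignature(b"/etc/passwd", event_horizon=30.0)
    slow = CompositeSignature(b"/etc/passwd", event_horizon=30.0)
    return {
        "land_atomic": land_attack(land),
        "normal_atomic": land_attack(normal),
        # second fragment arrives 5 s later: inside the horizon, pattern reassembled
        "split_within_horizon": [fast.inspect(frag1, 0.0), fast.inspect(frag2, 5.0)],
        # second fragment arrives 60 s later: state expired, the attack is missed
        "split_after_horizon": [slow.inspect(frag1, 0.0), slow.inspect(frag2, 60.0)],
    }


if __name__ == "__main__":
    print(run_demo())
```

The last case is the trade-off the slide describes: a 30-second horizon bounds the per-flow memory, but an attacker who spaces the fragments further apart than the horizon evades the composite signature.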

Signature File
As new threats are identified, new signatures must be created
and uploaded to an IPS. Usually all signatures are contained in
a signature file and uploaded to an IPS on a regular basis. It is
then used by the IPS to compare network traffic against data
patterns within it.
IPS devices must be configured to regularly update the
signature file.

Signatures Updated through FortiGuard
System > Config > FortiGuard
◦ Regular (small database)
◦ Common attacks with fast, certain identification
◦ No false positives, so the default action is block
◦ Extended (large database)
◦ Signatures that are performance-intensive, cannot be blocked, and/or may produce false positives
◦ Only available on mid- and high-end FortiGates with larger RAM
[Figure: list of FortiGate IPS signatures, showing the default action of each]
Signature Triggers
The signature trigger signals an intrusion or security policy violation.
◦ Analogy: In a burglar alarm system, the trigger could be a motion detector that
senses the movement of an individual entering a room.

A network-based IPS might trigger a signature action if it detects a packet with a payload containing a specific string and going to a specific port.
A host-based IPS might trigger a signature action when a specific function call is invoked.
Most IPS/IDS sensors use four types of signature triggers:
◦ Pattern-based trigger
◦ Anomaly-based trigger
◦ Policy-based trigger
◦ Honey pot-based trigger

IPS signatures use one or more of these basic triggers to trigger signature actions.
Pattern-Based Trigger
Pattern-based trigger searches for a specific and pre-defined pattern. The trigger might
be textual, binary, or a series of function calls.
It can be detected in a single packet (atomic) or in a sequence of packets (composite).
The pattern is usually matched to the signature only if the suspect packet is associated with a particular service or destined to or from particular ports. This helps decrease the amount of inspection. However, it makes attacks that do not use well-defined ports more difficult to detect. For example, Trojan horse traffic can use arbitrary ports and propagate indiscriminately.
At the initial stage of incorporating pattern-based triggers, there can be many false
positives. After the signatures are tuned and adjusted to the specific network
parameters, there will be fewer false positives.

Anomaly-Based Trigger
Anomaly-based trigger is also known as profile-based trigger. It first defines a profile of what
is considered normal for the network or host. This profile can be learned by monitoring
activity on the network or the host over a period of time. Then the signature triggers an
action if excessive activity occurs beyond the normal profile.
Its advantage is that new and unpublished attacks can be detected. Instead of having to
define a large number of signatures for various attack scenarios, the administrator simply
defines a profile for normal activity. Any activity that deviates from this profile is considered
abnormal and triggers a signature action.
Several disadvantages:
◦ An alert from an anomaly signature does not necessarily indicate an attack. It only indicates a deviation from
the defined normal activity, which is sometimes caused by valid user traffic. As the network evolves, the
definition of normal must be redefined.
◦ The administrator must guarantee that the network is free of attack traffic during the learning phase.
◦ When a signature triggers an alert, it might be difficult to correlate that alert to a specific attack. More
analysis is required to determine whether the traffic represents an actual attack and what the attack actually
accomplished.

Exploits and Anomalies
Exploit
◦ A known, confirmed attack
◦ Detected when a file or traffic matches a signature pattern:
◦ Pattern-based signatures (for both executable and web applications)
◦ Antivirus signatures
◦ Example: exploit of known application vulnerabilities
Anomaly
◦ Can be zero-day or denial of service (DoS) attacks
◦ Detected by behavioral analysis:
◦ Anomaly (rate)-based IPS signatures
◦ DoS policies
◦ Protocol constraint inspection
◦ Example: abnormally high rate of traffic (DoS/flood)

Rate-Based Trigger
A special type of anomaly-based trigger
Triggered when one of the thresholds is exceeded during a time period
◦ Track the traffic based on source and/or destination IP address

Suitable for Detection of DoS

DoS Policies (Fortigate)
Multiple DoS policies can be applied to any physical or logical interface.
Types
◦ Flood: detects a large volume of the same type of traffic
◦ Sweep/Scan: detects probing
◦ Source (SRC): detects a large volume of traffic from an individual IP
◦ Destination (DST): detects a large volume of traffic destined to an individual IP
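The rate-based trigger and the four DoS policy types above, as an added example (not FortiGate code): every anomaly is the same sliding-window counter keyed differently, with the scan and sweep types counting distinct values (ports, hosts) rather than packets. The window, thresholds and the SYN-flood-then-port-scan stream are constructed for illustration.

```python
"""Rate-based triggers modelled on the four DoS policy types above (flood,
sweep/scan, source, destination). Added example, not FortiGate code; the
thresholds, window and packet stream are constructed for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List, Optional, Tuple


class WindowTrigger:
    """Fires when the number of events (or distinct values) for a key seen
    inside the last `window` seconds exceeds `threshold`."""

    def __init__(self, threshold: int, window: float, distinct: bool = False):
        self.threshold, self.window, self.distinct = threshold, window, distinct
        self.events: Dict[Hashable, Deque[Tuple[float, Optional[Hashable]]]] = defaultdict(deque)

    def observe(self, key: Hashable, now: float, value: Optional[Hashable] = None) -> bool:
        q = self.events[key]
        q.append((now, value))
        while q and now - q[0][0] > self.window:    # slide the window forward
            q.popleft()
        count = len({v for _, v in q}) if self.distinct else len(q)
        return count > self.threshold


class DosPolicy:
    """One DoS policy carrying the four anomaly types from the slide."""

    def __init__(self, window: float = 1.0, flood: int = 50, scan: int = 10,
                 sweep: int = 10, source: int = 100, destination: int = 100):
        self.triggers = {
            "flood": WindowTrigger(flood, window),                 # same traffic type to one dst:port
            "scan": WindowTrigger(scan, window, distinct=True),    # distinct ports probed by one src
            "sweep": WindowTrigger(sweep, window, distinct=True),  # distinct hosts probed by one src
            "source": WindowTrigger(source, window),               # any traffic from one src
            "destination": WindowTrigger(destination, window),     # any traffic to one dst
        }

    def inspect(self, pkt: dict, now: float) -> List[str]:
        """Return the names of the anomalies this packet pushes over threshold."""
        t, fired = self.triggers, []
        if pkt["flags"] == "S" and t["flood"].observe((pkt["dst"], pkt["dport"], "syn"), now):
            fired.append("flood")
        if t["scan"].observe(pkt["src"], now, value=pkt["dport"]):
            fired.append("scan")
        if t["sweep"].observe(pkt["src"], now, value=pkt["dst"]):
            fired.append("sweep")
        if t["source"].observe(pkt["src"], now):
            fired.append("source")
        if t["destination"].observe(pkt["dst"], now):
            fired.append("destination")
        return fired


def syn(src: str, dst: str, dport: int) -> dict:
    """Constructed SYN packet descriptor (addresses are documentation ranges)."""
    return {"src": src, "dst": dst, "dport": dport, "flags": "S"}


def run_demo() -> Dict[str, int]:
    """Constructed stream: 60 SYNs to one port in 0.6 s, then one host probing
    15 ports. Returns how many packets tripped each anomaly."""
    policy = DosPolicy()
    stream = [(i * 0.01, syn("203.0.113.7", "198.51.100.10", 80)) for i in range(60)]
    stream += [(2.0 + i * 0.01, syn("203.0.113.8", "198.51.100.10", port))
               for i, port in enumerate(range(1, 16))]
    hits = {name: 0 for name in policy.triggers}
    for now, pkt in stream:
        for name in policy.inspect(pkt, now):
            hits[name] += 1
    return hits


if __name__ == "__main__":
    print(run_demo())   # flood fires from the 51st SYN on, scan from the 11th distinct port
```

The source and destination counters stay quiet here because both attacks are below their (higher) thresholds; that is the tuning question the slides raise, since a threshold low enough to catch a slow scan will also fire on a busy legitimate server.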

Policy-Based Trigger
Policy-based trigger is also known as behavior-based trigger. It is similar to a
pattern-based trigger, but instead of trying to define specific patterns, the
administrator defines behaviors that are suspicious based on historical
analysis.
The use of behaviors enables a single signature to cover an entire class of
activities.
◦ For example, a signature that triggers an action when an email client invokes cmd.exe is
applicable to any application whose behavior mimics the basic characteristics of an email
client. The administrator will not have to apply the signature to each email client
application individually. Therefore, if a user installs a new email application, the signature
still applies.

Honey Pot-based Trigger
Honey pot-based trigger uses a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns. They can then use this analysis to tune their sensor signatures to detect new types of malicious network traffic. Honey pot systems are mostly used for research by antivirus and other security vendors.
Where to put a honey pot?
◦ It should be placed in the DMZ, in front of the internal firewall.

Summary
Pattern-based
◦ Advantages: easy configuration; fewer false positives
◦ Disadvantages: cannot detect unknown attacks; signatures must be regularly updated and tuned
Anomaly-based
◦ Advantages: simple and reliable; can detect unknown attacks
◦ Disadvantages: output is too generic; difficult to profile normal activity in large networks
Policy-based
◦ Advantages: easy configuration; customizable policies
◦ Disadvantages: cannot detect unknown attacks; policy must be carefully created and tuned
Honey pot-based
◦ Advantages: distracts and confuses attackers; collects real information about attacks
◦ Disadvantages: needs a dedicated honey pot server; the server can be compromised and should not be trusted

Alarm Types
Alarms generated by triggers can be false positives or false negatives, which are undesired. They must be addressed when implementing an IPS sensor.
A false positive occurs when an intrusion system generates an alarm after processing normal user traffic that should not have triggered an alarm.
◦ Consequence: Analyzing false positives wastes the time a security analyst should spend examining actual intrusive activity on the network.
◦ Action: The administrator must tune the IPS so that this traffic produces true negatives instead.

A false negative is when an intrusion system fails to generate an alarm after processing attack traffic that the intrusion system is configured to detect.
◦ Consequence: Known attacks are not being detected.
◦ Action: The administrator must tune the IPS to generate true positive alarms.

A true positive alarm is when an intrusion system generates an alarm in response to known attack traffic.
A true negative is when normal network traffic does not generate an alarm.

Signature Actions
When a signature detects the activity for which it is configured,
the signature triggers one or more actions. Several categories
of actions can be invoked:
◦ Generate an alert.
◦ Log the activity.
◦ Drop or prevent the activity.
◦ Reset a TCP connection.
◦ Block future activity.
◦ Allow the activity.

The available actions depend on the signature type and the platform.

Generate an Alert
Monitoring the alerts generated by IPS systems is vital to
understanding the attacks being launched against the network.
However, if an attacker causes a flood of bogus alerts, examining
these alerts can overwhelm the security analysts. So there are two
types of alerts to enable an administrator to efficiently monitor
the operation of the network: atomic alerts and summary alerts.
Atomic Alerts
◦ Atomic alerts are generated every time a signature triggers. In some
situations, this behavior is useful and indicates all occurrences of a specific
attack. However, an attacker might flood the monitor console with alerts by
generating thousands of bogus alerts against the IPS device.

Summary Alerts
◦ Some IPS solutions enable the administrator to generate summary alerts. A
summary alert is a single alert that indicates multiple occurrences of the
same signature from the same source address or port.
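Atomic versus summary alerts, as an added example (not vendor code): the first few firings of a signature from one source reach the console individually; everything after that inside the summary interval is counted and reported once, so a bogus-alert flood of a thousand triggers turns into a handful of messages. The atomic limit, interval, signature names and alert stream are constructed.

```python
"""Atomic versus summary alerts: the first few firings of a signature from a
source are reported individually; further firings inside the summary interval
are counted and reported once. Added example, not vendor code; thresholds,
interval, signature names and the alert stream are constructed."""
from typing import Dict, List, Tuple

Alert = Tuple[str, str, str, int]   # (kind, signature, source, occurrences)


class AlertSummarizer:
    def __init__(self, atomic_limit: int = 3, interval: float = 60.0):
        self.atomic_limit = atomic_limit      # atomic alerts sent before summarizing
        self.interval = interval              # seconds covered by one summary alert
        # (signature, source) -> (interval start time, firings in this interval)
        self.state: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def on_trigger(self, sig: str, src: str, now: float) -> List[Alert]:
        """Called every time a signature fires; returns the alerts to send to the console."""
        key = (sig, src)
        start, count = self.state.get(key, (now, 0))
        out: List[Alert] = []
        if now - start >= self.interval:      # previous interval over: emit its summary, start anew
            out += self._summary(sig, src, count)
            start, count = now, 0
        count += 1
        if count <= self.atomic_limit:
            out.append(("atomic", sig, src, 1))
        self.state[key] = (start, count)
        return out

    def flush(self) -> List[Alert]:
        """Close all open intervals (e.g. from a timer) and return pending summaries."""
        out: List[Alert] = []
        for (sig, src), (_, count) in self.state.items():
            out += self._summary(sig, src, count)
        self.state.clear()
        return out

    def _summary(self, sig: str, src: str, count: int) -> List[Alert]:
        # A summary is only worth sending when the atomic alerts did not already cover everything.
        return [("summary", sig, src, count)] if count > self.atomic_limit else []


def run_demo() -> Dict[str, int]:
    """One attacker fires a signature 1000 times in 10 s (a bogus-alert flood)
    while a second host trips a different signature twice."""
    s = AlertSummarizer(atomic_limit=3, interval=60.0)
    sent: List[Alert] = []
    for i in range(1000):
        sent += s.on_trigger("Web.Dir.Traversal", "203.0.113.7", i * 0.01)
    sent += s.on_trigger("SMB.Null.Session", "198.51.100.3", 5.0)
    sent += s.on_trigger("SMB.Null.Session", "198.51.100.3", 7.0)
    sent += s.flush()
    return {
        "atomic": sum(1 for a in sent if a[0] == "atomic"),
        "summary": sum(1 for a in sent if a[0] == "summary"),
        "summarized_occurrences": sum(a[3] for a in sent if a[0] == "summary"),
        "console_messages": len(sent),     # 1002 triggers become 6 messages
    }


if __name__ == "__main__":
    print(run_demo())
```

The summary still carries the total count, so the analyst sees that the attacker produced a thousand firings without having to scroll past a thousand rows.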

Log Activities for Later Analysis
When an administrator does not have enough information to stop an activity, it is important to log the actions or packets that are seen so that they can be analyzed and then allowed or denied later.
This log information is usually stored on the IPS device in a specific file. An IPS can log the attacker packets, pair packets (both attacker and victim), or just the victim packets.
For example, an administrator can configure a signature to look for the string /etc/password and to log the action with the attacker's IP address when the signature triggers. The IPS device begins logging the traffic from the attacker's IP address for a specified period of time. Because the signature also generates an alert, the administrator first observes the alert on the management console. Then the log data can be retrieved from the IPS device, and the activity that the attacker performed on the network after triggering the initial alarm can be analyzed.

Deny the Activity
One of the most powerful actions an IPS device can perform is to
drop packets or prevent an activity from occurring.
An IPS can deny the attacker packets, deny the connection, or
deny the specific packet.
Dropping packets enables the device to stop an attack before it
has the chance to perform malicious activity. Unlike a traditional
IDS device, the IPS device actively forwards packets across two of
its interfaces. The analysis engine determines which packets
should be forwarded and which packets should be dropped.
Besides dropping individual packets, the drop action can be
expanded to drop all packets for a specific connection or even all
packets from a specific host for a certain amount of time. By
dropping traffic for a connection or host, the IPS conserves
resources without having to analyze each packet separately.

Reset or Block Traffic
Resetting a TCP Connection
◦ This action terminates TCP connections by generating a packet for the
connection with the TCP RST flag set. Many IPS devices use the TCP reset
action to abruptly end a TCP connection that is performing unwanted
operations. The reset TCP connection action can be used in conjunction
with deny packet and deny connection actions.

Blocking Future Activity
◦ Most IPS devices have the capability to block future traffic by updating
ACLs (access control list) on infrastructure devices. The ACL stops traffic
from an attacking system without requiring the IPS to consume
resources analyzing the traffic. After a configured period of time, the IPS
device removes the ACL. One advantage of the blocking action is that a
single IPS device can stop traffic at multiple locations throughout the
network, regardless of the location of the IPS device. For example, an IPS
device located deep within the network can apply ACLs at the perimeter
router or firewall.

Allow Traffic
The allow action is needed to create exceptions for configured
signatures. Sometimes users need to be allowed exceptions to
the configured rule on an IPS. Configuring exceptions enables
administrators to take a more restrictive approach to security
because they can first deny everything and then allow only the
activities that are needed.
For example, the IT department routinely scans its network
using a common vulnerability scanner. This scanning causes the
IPS to trigger various alerts. These are the same alerts that the
IPS generates if an attacker scans the network. By allowing the
alerts from the approved IT scanning host, an administrator
can eliminate the false positives generated by the routine
scanning.
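The deny, reset, block and allow actions from the last four slides, as an added example (not Cisco or Fortinet code) of an inline sensor's action dispatcher: deny packet drops one packet, deny connection drops the rest of that flow without re-analyzing it, deny attacker blocks the source for a configured time (the stand-in here for an ACL pushed to a perimeter device, withdrawn when the timer expires), reset only records that a TCP RST would be generated, and an allow exception keeps the approved scanner host from raising the port-scan alert. The rules, hosts, block duration and packet stream are constructed; packets are plain dicts, not parsed frames.

```python
"""Signature actions of an inline sensor: deny packet, deny connection,
deny attacker (timed block), reset, and the allow exception. Added example,
not vendor code; rules, addresses and the packet stream are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Packet = dict   # keys: proto, src, sport, dst, dport, payload (constructed descriptors)


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                         # alert | deny_packet | deny_connection | deny_attacker | reset
    allow_hosts: Set[str] = field(default_factory=set)   # allow exception: approved sources


def flow_of(p: Packet) -> Tuple:
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


class InlineSensor:
    def __init__(self, rules: List[Rule], block_seconds: float = 600.0):
        self.rules = rules
        self.block_seconds = block_seconds
        self.blocked_until: Dict[str, float] = {}   # attacker ip -> expiry; stands in for a pushed ACL
        self.denied_flows: Set[Tuple] = set()
        self.alerts: List[Tuple[str, str]] = []     # (signature, source)
        self.resets: List[Tuple] = []               # flows for which a TCP RST would be sent
        self.stats = {"analyzed": 0, "dropped_unanalyzed": 0}

    def process(self, p: Packet, now: float) -> str:
        """Return the verdict for one packet: 'forward' or 'drop:<reason>'."""
        expiry = self.blocked_until.get(p["src"])
        if expiry is not None:
            if now < expiry:                        # blocked host: no analysis spent on it
                self.stats["dropped_unanalyzed"] += 1
                return "drop:blocked-host"
            del self.blocked_until[p["src"]]        # timer expired: the ACL is withdrawn
        if flow_of(p) in self.denied_flows:         # denied connection: likewise unanalyzed
            self.stats["dropped_unanalyzed"] += 1
            return "drop:denied-connection"
        self.stats["analyzed"] += 1
        for r in self.rules:
            if not r.match(p):
                continue
            if p["src"] in r.allow_hosts:           # allow exception: approved source, no alert
                continue
            self.alerts.append((r.name, p["src"]))
            if r.action == "deny_packet":
                return "drop:packet"
            if r.action == "deny_connection":
                self.denied_flows.add(flow_of(p))
                return "drop:connection"
            if r.action == "deny_attacker":
                self.blocked_until[p["src"]] = now + self.block_seconds
                return "drop:attacker"
            if r.action == "reset":
                self.resets.append(flow_of(p))      # a real sensor would craft the RST here
                return "drop:reset"
            # action "alert": logged above, packet still forwarded
        return "forward"


def run_demo() -> Tuple[List[str], InlineSensor]:
    rules = [
        Rule("Scan.Telnet.Probe", lambda p: p["proto"] == "tcp" and p["dport"] == 23,
             "deny_attacker", {"10.0.0.50"}),                       # 10.0.0.50: approved scanner
        Rule("Web.EtcPasswd", lambda p: b"/etc/passwd" in p["payload"], "deny_connection"),
        Rule("Ping.Oversize", lambda p: p["proto"] == "icmp" and len(p["payload"]) > 1024, "deny_packet"),
        Rule("Policy.IRC", lambda p: p["proto"] == "tcp" and p["dport"] == 6667, "reset"),
    ]
    sensor = InlineSensor(rules, block_seconds=600.0)

    def tcp(src, dst, sport, dport, payload=b""):
        return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

    def icmp(src, dst, payload):
        return {"proto": "icmp", "src": src, "sport": 0, "dst": dst, "dport": 0, "payload": payload}

    stream = [
        (0.0, tcp("10.0.0.50", "10.0.0.20", 40000, 23)),                       # approved scanner probe
        (1.0, tcp("203.0.113.7", "10.0.0.20", 51000, 23)),                     # attacker probe: host blocked
        (2.0, tcp("203.0.113.7", "10.0.0.20", 51001, 80, b"GET / HTTP/1.0\r\n")),   # still blocked
        (3.0, tcp("198.51.100.4", "10.0.0.20", 33000, 80, b"GET /?f=/etc/passwd HTTP/1.0\r\n")),
        (3.1, tcp("198.51.100.4", "10.0.0.20", 33000, 80, b"Host: x\r\n")),    # same flow: already denied
        (4.0, icmp("198.51.100.9", "10.0.0.20", b"A" * 1500)),                 # oversize ping: one packet dropped
        (4.1, icmp("198.51.100.9", "10.0.0.20", b"A" * 56)),                   # normal ping from same host
        (5.0, tcp("10.0.0.30", "192.0.2.9", 45000, 6667)),                     # policy violation: reset
        (700.0, tcp("203.0.113.7", "10.0.0.20", 51002, 80, b"GET / HTTP/1.0\r\n")),  # block has expired
    ]
    return [sensor.process(p, t) for t, p in stream], sensor


if __name__ == "__main__":
    verdicts, s = run_demo()
    print(verdicts, s.stats)
```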

Custom IPS Signatures
1. Packet capture: get samples of matches and mismatches
2. Write the signature
3. When upgrading, re-test signature compatibility

Predefined signatures: known / common attacks
Custom signatures: 0-day or specialized applications
Custom Signatures Syntax (Fortigate)

F-SBID(--KEYWORD VALUE;)
◦ Header: all custom signatures require the header F-SBID
◦ Keyword: identifies a parameter
◦ Value: the value (if any) of the parameter that will match the signature
Custom Signature Examples (Fortigate)
F-SBID( --name "Ping.Death"; --protocol icmp; --data_size >32000; )
F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST"; --context uri; --within 5,context; )
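A parser and matcher for the F-SBID syntax, as an added example (not Fortinet code) covering the three-step custom-signature procedure above: the two slide signatures are split into keyword/value pairs and run over constructed "decoded packet" descriptors that stand in for captured samples of matches and mismatches. Only the keywords used on this page are handled; the reading of --within N,context as "the pattern must appear in the first N bytes of the named context" is an assumption.

```python
"""Parser and matcher for the F-SBID custom-signature syntax shown above.
Added example, not Fortinet code: it handles the keywords used on this page
(name, protocol, service, flow, data_size, pattern, context, within) against a
constructed "decoded packet" dict; the reading of --within N,context as
"pattern must appear in the first N bytes of the context" is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

# --keyword value;  where value is optional and may be a double-quoted string
KV_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;]+?))?\s*;')
CMP_RE = re.compile(r'^\s*(<=|>=|<|>|=)?\s*(\d+)\s*$')

Pairs = List[Tuple[str, Optional[str]]]


def parse_fsbid(text: str) -> Pairs:
    """Split an F-SBID( ... ) signature into (keyword, value) pairs, in order."""
    body = text.strip()
    if not (body.startswith("F-SBID(") and body.endswith(")")):
        raise ValueError("custom signature must be wrapped in F-SBID( ... )")
    pairs: Pairs = []
    for m in KV_RE.finditer(body[len("F-SBID("):-1]):
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]                      # strip the quotes, keep the text
        pairs.append((key, val))
    if not pairs:
        raise ValueError("signature carries no --keyword parameters")
    return pairs


def _compare(expr: str, actual: int) -> bool:
    """Evaluate a data_size-style operand such as >32000 or =56."""
    m = CMP_RE.match(expr)
    if m is None:
        raise ValueError(f"bad numeric operand: {expr!r}")
    op, num = m.group(1) or "=", int(m.group(2))
    return {"<": actual < num, ">": actual > num, "<=": actual <= num,
            ">=": actual >= num, "=": actual == num}[op]


def signature_matches(pairs: Pairs, pkt: Dict) -> bool:
    """pkt keys: protocol, service, flow, data_size, and context buffers (bytes) such as uri."""
    p = dict(pairs)
    for key in ("protocol", "service", "flow"):
        if key in p and pkt.get(key) != p[key]:
            return False
    if "data_size" in p and not _compare(p["data_size"], int(pkt.get("data_size", 0))):
        return False
    if "pattern" in p:
        buf = pkt.get(p.get("context", "packet"), b"")
        within = p.get("within")
        if within and within.endswith(",context"):
            buf = buf[:int(within.split(",")[0])]   # assumed semantics, see lead-in
        if p["pattern"].encode() not in buf:
            return False
    return True


SIGNATURES = [
    'F-SBID( --name "Ping.Death"; --protocol icmp; --data_size >32000; )',
    'F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; '
    '--flow from_client; --pattern "POST"; --context uri; --within 5,context; )',
]


def run_demo() -> Dict[str, List[str]]:
    """Run both slide signatures over constructed decoded packets; return hits per packet."""
    sigs = [parse_fsbid(s) for s in SIGNATURES]
    http = {"protocol": "tcp", "service": "HTTP", "flow": "from_client"}
    packets = {
        "big_ping": {"protocol": "icmp", "data_size": 40000},
        "small_ping": {"protocol": "icmp", "data_size": 56},
        "post": {**http, "uri": b"POST /login HTTP/1.1"},
        "get": {**http, "uri": b"GET /login HTTP/1.1"},
        "post_reply": {**http, "flow": "to_client", "uri": b"POST /login HTTP/1.1"},
        "late_post": {**http, "uri": b"/app?cmd=POST"},    # POST present, but not in the first 5 bytes
    }
    return {name: [dict(s)["name"] for s in sigs if signature_matches(s, pkt)]
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:12s} -> {hits}")
```

Keeping mismatching samples (the GET, the server-side POST, the URI that merely contains the word POST) in the test set is what step 1 of the procedure is for: a signature that only ever sees positive samples is the one that produces false positives once it is deployed.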

Considerations of IPS Deployment
Individual/Central Management
◦ IPS sensors can be managed individually or centrally. Configuring each IPS device individually is the easiest process if there are only a couple of sensors. Larger networks need a centralized management system that allows the administrator to configure and manage all IPS devices from a single central system. This gives greater visibility into all events occurring on the network.

Event Correlation
◦ It correlates attacks and other events that are happening simultaneously
at different points across a network. Having IPS devices derive their time
from a Network Time Protocol (NTP) server enables all alerts generated
by the IPS to be accurately timestamped. A correlation tool can then
correlate the alerts.

Considerations of IPS Deployment (Cont’d)
Security Staff
◦ IPS devices tend to generate numerous alerts and other events. Large enterprises require appropriate security staff to analyze this activity and determine how well the IPS is protecting the network. Examining these alerts also enables security operators to tune the IPS and optimize its operation to the corporate network's requirements.

Incident Response Plan


◦ If a system is compromised on a network, a response plan must be in
place. The compromised system should be restored to the state it was in
before the attack. It must be determined if the compromised system led
to a loss of intellectual property or the compromise of other systems on
the network.

IPS Configuration Best Practices
Balance the need to upgrade sensors with the latest signature packs against the momentary downtime during which the network becomes vulnerable to attack.
Update signature packs automatically when setting up a large deployment of sensors, rather than manually upgrading each sensor.
Download new signature packs to a secure and dedicated SFTP server within the management network. Use another IPS to protect this server from attack by an outside party.
◦ Configure the SFTP server to allow read-only access to the files within the directory in which the signature packs are placed.
◦ Configure the sensors to regularly check the SFTP server for new signature packs. Stagger the time of day at which each sensor checks the SFTP server for new signature packs.

Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.
