Intrusion Prevention
Presenter: Sherif Sadek Ali
Introduction
• Network Security: consists of the provisions and policies adopted by network
administrators to prevent and monitor unauthorized access, misuse, modification,
or denial of network resources.
• Intrusion: actions aimed to compromise and gain unauthorized access to the
security assets.
• We need more than a FIREWALL.
Need for Intrusion Detection
• What the firewall can’t see:
  Signatures: based on current exploits (worms, viruses); detect malware and
  spyware; malicious traffic detection, traffic normalization.
  Zero day exploits (XSS, SQL Injection): not caught by signatures; not detected
  by normalization triggers; specific to custom applications.
  Social engineering: verbal communication; malicious access via legitimate
  credentials.
  Poor configuration management: misconfigurations allow simple access that is
  not detected; increases attack vectors.
Increased Visibility
Definition: IDS
Intrusion Detection System (IDS): the ability to detect intruders in the network.
An IDS has sensors that monitor the traffic entering and leaving a firewall and
report back to a central device for analysis (“promiscuous monitoring mode”).
Definition: IPS
Intrusion Prevention System (IPS): a technology that monitors network traffic
and reacts immediately to block a malicious attack.
One of the major differences between a NIDS and a NIPS is location: a NIPS is
located “in-line” on the firewall.
Difference
Key Performance Metrics
• False Positive
• True Positive
• False Negative
• True Negative
How it Works
Detection Mechanisms
• Protocol Detection
• Signature Detection (Statically Based)
• Profile Detection (Statistically Based)
Signature Detection
[Figure: known intrusion patterns are matched against observed activities; a
pattern match flags an intrusion]
if (src_ip == dst_ip) then “Attack”
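The slide's rule and the four performance metrics from the earlier slide, worked through together. This is an added example, not code from the slide deck: the sample traffic and the HTTP pattern signature are constructed for illustration, and only the src_ip == dst_ip rule comes from the slide. Running the signatures over labelled traffic shows where each of the four counts comes from, including the zero-day on a custom application that no signature covers (a false negative) and a legitimate query string that happens to match a pattern (a false positive).

```python
"""Signature detection scored with the four outcome counts (TP, FP, FN, TN).

Added example, not code from the slide deck. The sample traffic and the
HTTP pattern signature are constructed for illustration; only the
src_ip == dst_ip rule is the slide's own.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    malicious: bool  # ground-truth label, used only for scoring


@dataclass
class Signature:
    name: str
    matches: Callable[[Packet], bool]


def src_equals_dst(pkt: Packet) -> bool:
    """The slide's rule: if (src_ip == dst_ip) then "Attack"."""
    return pkt.src_ip == pkt.dst_ip


# Constructed pattern: a shell metacharacter inside an HTTP request path.
HTTP_METACHAR = re.compile(rb"GET /[^ ]*[;|`]")


def http_shell_metachar(pkt: Packet) -> bool:
    return pkt.dst_port == 80 and HTTP_METACHAR.search(pkt.payload) is not None


SIGNATURES: List[Signature] = [
    Signature("src==dst", src_equals_dst),
    Signature("http-shell-metachar", http_shell_metachar),
]


def detect(pkt: Packet, signatures=SIGNATURES) -> List[str]:
    """Names of the signatures that fire on the packet; empty means 'pass'."""
    return [s.name for s in signatures if s.matches(pkt)]


def score(packets: List[Packet], signatures=SIGNATURES) -> Dict[str, int]:
    """Compare the detector's verdict with the ground-truth label of each packet."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for pkt in packets:
        alerted = bool(detect(pkt, signatures))
        if alerted:
            counts["TP" if pkt.malicious else "FP"] += 1
        else:
            counts["FN" if pkt.malicious else "TN"] += 1
    return counts


def rates(counts: Dict[str, int]) -> Dict[str, float]:
    """Detection rate = TP/(TP+FN); false positive rate = FP/(FP+TN)."""
    tp, fp, fn, tn = (counts[k] for k in ("TP", "FP", "FN", "TN"))
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


# Constructed sample traffic; the comment on each line is the expected outcome.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.5", 80, b"SYN", True),                              # TP: src==dst
    Packet("10.0.0.7", "10.0.0.20", 80, b"GET /cgi-bin/x;id HTTP/1.1", True),      # TP: metachar
    Packet("10.0.0.8", "10.0.0.20", 80, b"GET /index.html HTTP/1.1", False),       # TN
    Packet("10.0.0.9", "10.0.0.20", 443, b"\x16\x03\x01", False),                  # TN: TLS, not inspected
    Packet("10.0.0.10", "10.0.0.20", 80, b"GET /s?q=a|b HTTP/1.1", False),         # FP: legitimate '|' in a query
    Packet("10.0.0.11", "10.0.0.20", 8080, b"POST /custom-app/login HTTP/1.1", True),  # FN: zero-day on a custom app
]

if __name__ == "__main__":
    counts = score(SAMPLE_TRAFFIC)
    print(counts, rates(counts))
```

The false negative is exactly the gap the "Need for Intrusion Detection" slide describes: a signature engine only catches what it has a pattern for, so its detection rate is bounded by signature coverage, while every over-broad pattern raises the false positive rate.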
Host Based IPS (HIPS)
[Figure: a HIPS on the host collects operating system events and network packets]
Anomaly Detection (Adaptive)
[Figure: activity measurements (CPU, process size) plotted against the normal
profile; activity outside the profile is abnormal, a probable intrusion]
Anomaly detection (AD) analyzes TCP/IP parameters: normalization,
fragmentation/reassembly, header and checksum problems.
It has a relatively high false positive rate: anomalies can simply be new
normal activities.
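The profile-based (statistical) mechanism on this slide, as an added example that is not code from the slide deck. The metric names, the baseline window, the observations and the z-score threshold of 3 are all constructed or assumed. It builds a normal profile from known-good CPU and process-size measurements, flags observations that sit too many standard deviations outside it, and then shows the slide's caveat in action: a legitimate new batch job is reported as a probable intrusion until an operator accepts it and the adaptive profile absorbs it.

```python
"""Adaptive anomaly detection against a statistical 'normal profile'.

Added example, not from the slide deck. Metric names, the baseline window and
the observations are constructed; the z-score threshold of 3 is an assumption.
"""
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

METRICS = ("cpu_pct", "process_size_mb")
Observation = Dict[str, float]


@dataclass
class Profile:
    alpha: float = 0.1  # EWMA weight: how fast the profile adapts
    mean: Dict[str, float] = field(default_factory=dict)
    var: Dict[str, float] = field(default_factory=dict)

    def train(self, window: List[Observation]) -> None:
        """Build the normal profile from a window of known-good measurements."""
        for m in METRICS:
            values = [obs[m] for obs in window]
            self.mean[m] = statistics.fmean(values)
            self.var[m] = statistics.pvariance(values)

    def zscores(self, obs: Observation) -> Dict[str, float]:
        """Distance of each metric from the profile, in standard deviations."""
        out = {}
        for m in METRICS:
            sd = max(self.var[m] ** 0.5, 1e-9)  # floor avoids division by zero
            out[m] = (obs[m] - self.mean[m]) / sd
        return out

    def update(self, obs: Observation) -> None:
        """Fold a confirmed-benign observation into the profile (EWMA update).

        Only call this for activity an operator accepted as the new normal;
        feeding attack traffic back in would teach the profile to ignore it.
        """
        for m in METRICS:
            d = obs[m] - self.mean[m]
            self.mean[m] += self.alpha * d
            self.var[m] = (1 - self.alpha) * (self.var[m] + self.alpha * d * d)


def classify(profile: Profile, obs: Observation,
             threshold: float = 3.0) -> Tuple[str, Dict[str, float]]:
    """'probable intrusion' if any metric is more than `threshold` sigmas out."""
    z = profile.zscores(obs)
    worst = max(z.values(), key=abs)
    verdict = "probable intrusion" if abs(worst) > threshold else "normal"
    return verdict, z


# Constructed baseline: ten quiet-hour samples of a file server.
BASELINE = [
    {"cpu_pct": c, "process_size_mb": s}
    for c, s in zip([18, 22, 20, 19, 21, 20, 23, 17, 20, 20],
                    [300, 310, 305, 295, 300, 302, 298, 305, 300, 305])
]
SPIKE = {"cpu_pct": 85, "process_size_mb": 900}          # constructed: looks like a compromise
NEW_BATCH_JOB = {"cpu_pct": 45, "process_size_mb": 310}  # constructed: legitimate new workload


def build_baseline_profile() -> Profile:
    p = Profile()
    p.train(BASELINE)
    return p


def run_demo() -> List[Tuple[str, str]]:
    """(scenario, verdict) pairs: the spike fires; the new job is a false
    positive until the operator accepts it and the profile adapts."""
    p = build_baseline_profile()
    results = [("spike", classify(p, SPIKE)[0]),
               ("new job, first seen", classify(p, NEW_BATCH_JOB)[0])]
    for _ in range(10):  # operator confirmed the job is benign
        p.update(NEW_BATCH_JOB)
    results.append(("new job, after adaptation", classify(p, NEW_BATCH_JOB)[0]))
    return results


if __name__ == "__main__":
    for scenario, verdict in run_demo():
        print(f"{scenario}: {verdict}")
```

Two design points matter in practice: the update step is gated on an operator's decision, because an attacker who can slowly shift the baseline would otherwise train the detector to accept the attack; and with a constant input the EWMA variance decays toward zero, so the floor in `zscores` (or a minimum variance) is needed to stop tiny fluctuations from producing huge scores later.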
Challenges
What attackers used to do:
• Overwhelm by Flooding.
• Disguise by Fragmenting.
• Hide by Encrypting.
• Confuse by Obfuscation.
New Approach
• Behavior: detect anomalies in configuration, connections and data flow.
• Network: know what’s there, what’s vulnerable, and what’s under attack.
• Application: identify change and enforce policy on hundreds of applications.
• Identity: know who is doing what, with what, and where.
Next-Generation IPS
• New Hardware Design
• Intelligent Correlation to the Target
• Intelligent Anomaly Detection
• Intelligent Application Violation
• Global Network Threat Intelligence & Correlation
Intelligent Correlation to the Target
[Figure: IPS sensors report to a Management Center; an attack against a
vulnerable Windows server and a non-vulnerable Linux server is blocked, the
event is logged, and the attack is correlated to its targets]
The latest Windows attack targets Microsoft Windows Server and Linux Server.
Attacks are correlated to targets.
A high-priority event is generated for the Windows Server target.
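The correlation step the slide describes, as an added example that is neither the slide deck's nor any vendor's code. The asset inventory, the signature id `EXAMPLE-WIN-0001`, the OS labels and the IP addresses are constructed. An in-line sensor blocks the attack either way; what correlation changes is the priority of the logged event, which depends on whether the target runs an affected platform and whether it is already patched. It also covers the case the slide does not draw, a target that is not in the inventory at all.

```python
"""Correlating a blocked attack to its target's platform and patch state.

Added example, not the slide deck's or any vendor's code. The asset inventory,
the signature id and the OS labels are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Asset:
    ip: str
    os_family: str  # e.g. "windows", "linux"
    patched_against: Set[str] = field(default_factory=set)  # signature ids already mitigated


@dataclass
class Alert:
    signature_id: str
    affected_os: Set[str]  # platforms the exploit can actually affect
    src_ip: str
    dst_ip: str


PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def correlate(alert: Alert, inventory: Dict[str, Asset]) -> Dict[str, str]:
    """Return the logged event: an in-line sensor blocks regardless, but the
    priority depends on whether the target can actually be hurt."""
    event = {"signature": alert.signature_id, "source": alert.src_ip,
             "target": alert.dst_ip, "action": "blocked"}
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        event.update(priority="medium",
                     reason="target not in asset inventory; verify the host")
    elif asset.os_family not in alert.affected_os:
        event.update(priority="low",
                     reason=f"target runs {asset.os_family}, which this attack does not affect")
    elif alert.signature_id in asset.patched_against:
        event.update(priority="low",
                     reason="target is already patched against this signature")
    else:
        event.update(priority="high",
                     reason=f"target is an unpatched {asset.os_family} host")
    return event


def triage(alerts: List[Alert], inventory: Dict[str, Asset]) -> List[Dict[str, str]]:
    """Correlate every alert and order the queue so high-priority events come first."""
    events = [correlate(a, inventory) for a in alerts]
    return sorted(events, key=lambda e: PRIORITY_ORDER[e["priority"]])


# Constructed inventory and alerts matching the slide's scenario.
INVENTORY = {
    "192.0.2.10": Asset("192.0.2.10", "windows"),
    "192.0.2.20": Asset("192.0.2.20", "linux"),
    "192.0.2.30": Asset("192.0.2.30", "windows", patched_against={"EXAMPLE-WIN-0001"}),
}
ALERTS = [
    Alert("EXAMPLE-WIN-0001", {"windows"}, "198.51.100.7", "192.0.2.20"),  # Linux target
    Alert("EXAMPLE-WIN-0001", {"windows"}, "198.51.100.7", "192.0.2.10"),  # unpatched Windows
    Alert("EXAMPLE-WIN-0001", {"windows"}, "198.51.100.7", "192.0.2.30"),  # patched Windows
    Alert("EXAMPLE-WIN-0001", {"windows"}, "198.51.100.7", "192.0.2.99"),  # unknown host
]

if __name__ == "__main__":
    for e in triage(ALERTS, INVENTORY):
        print(e["priority"], e["target"], e["reason"])
```

The value of this step is in the analyst's queue: the same blocked signature against four hosts yields one high-priority event, one "go and inventory this host" item, and two low-priority records that stay in the log for correlation but do not page anyone.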
Intelligent Anomaly Detection
[Figure: IPS sensors report to a Management Center; a new asset and abnormal
behavior are detected, alerts are triggered, and IT remediates the compromised
hosts]
A new rogue host connects internally.
The IPS sensor detects the new host and abnormal server behavior.
The Management Center triggers alerts for IT to remediate.
Intelligent Application Violation
[Figure: a P2P application triggers a whitelist violation; the compliance event
is logged, the user is identified, and IT contacts the user]
The security team uses compliance whitelists to detect IT policy violations.
A host is detected using Skype.
The user is identified and then contacted by IT.
Global Network Threat Intelligence
• Based on IP/Domain Reputation.
Real-Life IPS Environment
Conclusion
• Think, Evaluate, Review Logs, Implement Strategies.
• It is impossible to achieve 100% total Security.
• Security is not just a network appliance; it is a concept.
Questions