By Winston Lalgee and Eddie Doyle
Not long after the Internet was established, attackers discovered a new way to compromise IT assets. This new exploit was accomplished by finding bugs in enterprise software or in protocols used for communication, such as HTTP, SMTP, FTP, among others. These bugs or vulnerabilities were leveraged to launch sophisticated cyber attacks. Attackers would write malicious code that would exploit these software vulnerabilities. When compiled, the malicious code was often obfuscated within trusted applications, files, or protocols and disseminated over the internet. These exploits would then breach perimeter defenses, as firewalls were incapable of detecting these types of attacks. Once inside the network, the exploits can result in data loss, account takeover, denial of service, and many other forms of attacks.
To counter application or protocol-based intrusions, security engineers developed the Intrusion Detection System (IDS). An IDS scans packets and compares them against a signature database of known exploits. Some IDS solutions additionally collect protocol samples to conduct heuristic analysis (also known as “rule of thumb”) to detect unknown exploits based on behavioral anomalies. Using these two methods, an IDS will detect the attack, log the event and create alerts that give administrators visibility into the suspicious event. Unfortunately, an IDS only detects and therefore allows the attack to succeed, while attempting to mitigate it after the event. This can result in extensive damage and data loss. Recovery will require time-consuming investigation and remediation at best, or catastrophic failure of the business at worse.
Instead of detection, the Intrusion Prevention System (IPS) was developed to prevent attacks. An IPS will detect and block intrusions before they impact IT environments; resulting in less time, effort, and cost to investigate, remediate, and restore business operations. An IPS also generates detailed logs for both detected and prevented attacks, provides alerts on network anomalies and provides useful context for investigation by security professionals.
Why do you need an IPS?
If all of your organization’s software were free of security vulnerabilities, you wouldn’t need an IPS. However, the tens of thousands of lines of code your organization relies on are sure to contain multiple security flaws (some known and others waiting to be discovered). Additionally, in the race to bring software products to market, developers are often more concerned about having their software work correctly than ensuring that the software is free of security flaws. Some organizations may continue to use legacy software that no longer receive software updates or they may choose to leverage homegrown applications, which are deployed into production with limited vulnerability awareness. In all scenarios, security may not be top of mind, leading to many exploitable avenues for attackers.
Cyber threat researchers find and report security vulnerabilities to software vendors who issue patches to fix the vulnerabilities. In the best cases, tier 1 vendors may take 6 months or longer to develop and distribute patches, which leaves customers wide open to intrusions. In worst cases, organizations may have legacy systems that are no longer supported by the vendor, providing limited options to the customer.
Check Point’s IPS application blade is enabled by a click of a mouse – no hardware, firmware, or drivers are required. Our IPS can be deployed in detection, prevention, or in a mixed mode, providing a customized security configuration for any organization. Check Point’s IPS engine provides a unique set of capabilities such as:
- Simple management interface fully integrated into the central management GUI
- Easy navigation from business-level overview to packet capture for a single attack
- Resource throttle so that high IPS activity will not impact other security feature functionality
- Automated optimization tool (TailoredSafe) which identifies misconfigurations, true/false-positives, hit-protections, and exposes vulnerable applications that are in use on the network
- Automatic IPS policy generation for IoT devices, customized to the IoT devices used in the organization
- #1 security coverage in the industry for Microsoft and Adobe vulnerabilities
Organizations can use an IPS as an additional layer of security on a network. Check Point’s IPS monitors packet flow so it can be used to control the network usage of certain applications. This is part of vulnerability management, such as preventing the usage of weak versions of SSL. An IPS is often used to enforce preventive measures against both known and unknown software exploits, even before vendor patches are deployed by IT administrators. This approach is often referred to as virtual patching and can be used to protect both clients and servers.
How Check Point IPS and Firewall Blades work together
The firewall software blade performs deep packet inspection on new or existing connections to determine which packets are allowed or denied. Additionally, the firewall performs protocol inspection (core protections) to identify protocol misuse by comparing the behavior against a known baseline (anomaly-based detection). This first layer, is known as network Access Control. Our IPS performs another layer of inspection to identify network-based attacks leveraging application exploits. The IPS engine compares packet flow against a database of thousands of signatures and behavioral and preemptive protections, to identify a match before invoking the actions – prevent or detect. Combining both technologies provides organizations with multiple defense layers, which allow for excellent detection and prevention capabilities for known threats and in some cases, future attacks.
As we become increasingly connected, the cyberattack landscape continues to evolve. In fact, one can clearly identify the generational phases of cyberattacks and our technological responses, relative to cyber security. Understanding how businesses and cyber criminals have advanced helps us clarify the need for a multi-layer threat prevention technology and more importantly, where IPS fits within the overall strategy.
An IPS is a must-have technology for all corporations and fits effectively into generation three attack protection, as described below:
- 1st Generation – malware attacks affecting stand-alone PCs, which affected all business; security response – Anti-Virus.
- 2nd Generation – targeted attacks emanating from anonymous sources over Internet; security response – Firewall.
- 3rd Generation – attacks exploiting application vulnerabilities; security response – IPS.
- 4th Generation – targeted, unknown, polymorphic and evasive attacks; security response – Anti-Bot and Sandboxing.
- 5th Generation – large scale, multi-vector, mega attacks using advance attacks tools; security response – Advanced Threat Prevention.
- 6th Generations – highly destructive attacks that leverage tools which can hack everything digital; security response – IOT and Nano Security.