Intrusion Prevention System

Group 6

Mu-Hsin Wei, Renaud Moussounda

What is IPS?

IPS (Intrusion Prevention System)

Controls access to a network

Similar to a firewall, but different…

What's the difference?

Traditional firewall – examines the header

IPS – examines the payload as well

DPI (Deep Packet Inspection)

DPI enables IPS to…

Gather more information

Detect certain attack signatures

Control network traffic intelligently
- ftp root access (user root)
- HTTP content

Tradeoff

Payload
- no fixed fields
- large in size

Requires high computing resources
- CPU
- memory

Hardware implementation

IDS vs IPS

Intrusion Detection System (IDS):
- DPI
- detects
- Snort

IPS:
- DPI
- takes action
- snort_inline + iptables

Proof of concept

Implement an IPS using:
- snort_inline, and
- iptables

Test the IPS using:
- Lab4 firewall configuration
- Lab6 imapd buffer overflow

Lab 4 setup

Black – attacker
Protected – victim
Firewall – IPS

How to capture the attack?

Attack using a buffer overflow string

Long sequence of NOPs

snort_inline checks for …90 90 90 90...

Flow

Protected runs the vulnerable service
BlackHat attacks

snort_inline captures the attack and tells iptables to block the traffic

Protected remains safe
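The flow above, as an added example (not code from the slides or from the lab's snort_inline/iptables setup): a small Python model that contrasts a header-only firewall decision with payload inspection for the NOP-sled signature the slides describe. The IMAP port 143 in front of imapd, the threshold of 32 consecutive 0x90 bytes, and the sample packets are assumptions.

```python
from dataclasses import dataclass

NOP = 0x90           # x86 single-byte NOP: the "90 90 90 90..." pattern from the slides
SLED_THRESHOLD = 32  # assumption: this many consecutive NOPs is treated as a sled


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def header_firewall(pkt: Packet, allowed_ports=(143,)) -> str:
    """Traditional firewall: decides on header fields only (assumed: IMAP/143 allowed)."""
    return "ACCEPT" if pkt.dport in allowed_ports else "DROP"


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def ips_inspect(pkt: Packet, allowed_ports=(143,)) -> str:
    """IPS: header check first, then deep packet inspection of the payload."""
    if header_firewall(pkt, allowed_ports) == "DROP":
        return "DROP"
    if longest_nop_run(pkt.payload) >= SLED_THRESHOLD:
        # Signature match: this is where snort_inline would tell iptables to drop.
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic (not captured from the lab).
BENIGN = Packet("10.0.0.5", "10.0.0.10", 143, b"a001 LOGIN alice secret\r\n")
SLED = Packet("10.0.0.66", "10.0.0.10", 143, b"a001 LOGIN " + b"\x90" * 200 + b"AAAA\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("sled", SLED)):
        print(name, "firewall:", header_firewall(pkt), "ips:", ips_inspect(pkt))
```

The header-only firewall accepts both packets because they target an allowed port; only the payload check separates the benign login from the sled.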

IPS + Lab4 + Lab6

BlackHat, Protected, and IPS

Implication

One for all

Less dependent on individual servers

Vulnerable service made secure

Enhanced security

What will you do in the lab?

Set up machines & install software

Perform the first attack without IPS

Perform the second attack with IPS enabled

Appreciate IPS/DPI

Questions

??