Intrusion Prevention System

An Intrusion Prevention System (IPS) is a software or hardware network and computer security system that detects intrusions or security violations and automatically protects against them.

IPS can be considered an extension of Intrusion Detection Systems (IDS), since the task of monitoring for attacks remains the same. They differ in that an IPS must monitor activity in real time and act quickly to prevent attacks.


Classification

  • Network IPS (Network-based Intrusion Prevention, NIPS): monitors traffic on a computer network and blocks suspicious data flows.
  • IPS for wireless networks (Wireless Intrusion Prevention Systems, WIPS): checks activity on wireless networks. In particular, it detects misconfigured wireless access points, man-in-the-middle attacks, and MAC address spoofing.
  • Network Behavior Analyzer (Network Behavior Analysis, NBA): analyzes network traffic and identifies atypical flows, such as DoS and DDoS attacks.
  • IPS for individual computers (Host-based Intrusion Prevention, HIPS): resident programs that detect suspicious activity on a computer.

Development history

The history of modern IPS includes the histories of several independent solutions, proactive protection methods developed at different times for different types of threats. The proactive protection methods offered on the market today comprise the following:

  1. A behavioral process analyzer, which analyzes the behavior of processes running in the system and detects suspicious activity, that is, unknown malware.
  2. Preventing an infection from reaching the computer by blocking ports used by already known viruses and ports that could be used by their new variants.
  3. Preventing buffer overflows in the most common programs and services, which attackers most often use to carry out attacks.
  4. Minimizing the damage caused by an infection, preventing its further spread, restricting access to files and directories, and detecting and blocking the source of infection on the network.

Network packet analysis

The Morris worm, which infected Unix computers connected to the network in November 1988, is usually cited as the first threat that prompted counter-intrusion efforts.

According to another account, the impetus for building a new line of defense was the activity of a group of hackers working with the intelligence services of the USSR and the GDR. Between 1986 and 1989, the group, whose ideological leader was Markus Hess, passed information obtained by breaking into computers to those national intelligence services. It all began with an unexplained accounting discrepancy of only 75 cents at the Lawrence Berkeley National Laboratory. Tracing its origin eventually led to Hess, who worked as a programmer for a small West German company and at the same time belonged to the extremist group Chaos Computer Club, based in Hamburg. The intrusion he organized began with a dial-up call from home through an ordinary modem, which connected him to the European Datex-P network and from there into a computer in the library of the University of Bremen, where he obtained the privileges he needed and used them to make his way into the Lawrence Berkeley National Laboratory. The first log entry was recorded on July 27, 1987; of 400 reachable computers he managed to get into about 30, and after that he quietly roamed the closed Milnet network, taking in particular the bait of a trap in the form of a file called "Strategic Defense Initiative Network Project" (he was interested in everything associated with President Reagan's Strategic Defense Initiative). The immediate response to the emergence of external network threats was the creation of firewalls as the first threat detection and filtering systems.

Analysis of programs and files

Heuristic analyzers

Behavior blocker

The first generation of behavioral blockers appeared in the mid-90s. The principle of their operation is that when a potentially dangerous action is detected, the user is asked whether to allow or prohibit the action. Theoretically, a blocker can prevent the spread of any virus, both known and unknown. The main disadvantage of the first behavioral blockers was the excessive number of requests to the user. The reason for this is the inability of the behavioral blocker to judge the harmfulness of a particular action. However, in programs written in VBA, it is very likely that malicious actions can be distinguished from useful ones.

The second generation of behavioral blockers is different in that they analyze not individual actions, but a sequence of actions and, based on this, make a conclusion about the harmfulness of a particular software.
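The difference between the two generations is easiest to see in code. The following is an added example, not code from the original article or from any product: it models a first-generation blocker that prompts on every suspicious action in isolation, and a second-generation blocker that scores a sliding window of actions per process and decides only from the sequence. The action names, weights, threshold and the two traces are constructed for the illustration.

```python
"""Behavior blocker model: per-action prompting (first generation) versus
sequence scoring (second generation). Added illustration, not code from any
product; action names, weights and traces are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed action vocabulary: action -> suspicion weight
SUSPICIOUS_ACTIONS: Dict[str, int] = {
    "write_autorun": 3,       # persistence via a startup entry
    "modify_executable": 2,   # patching another program's binary
    "open_network": 1,        # outbound connection
    "enum_files": 1,          # walking many user documents
    "delete_shadow_copies": 4,
}


@dataclass
class FirstGenBlocker:
    """Asks the user about every suspicious action in isolation."""
    prompts: List[str] = field(default_factory=list)

    def observe(self, process: str, action: str) -> str:
        if action in SUSPICIOUS_ACTIONS:
            self.prompts.append(f"{process}: allow {action}?")
            return "ask_user"
        return "allow"


@dataclass
class SecondGenBlocker:
    """Scores the recent sequence of actions per process and blocks once
    the accumulated score inside the window crosses a threshold."""
    threshold: int = 5
    window: int = 4
    history: Dict[str, List[str]] = field(default_factory=dict)

    def observe(self, process: str, action: str) -> str:
        seq = self.history.setdefault(process, [])
        seq.append(action)
        recent = seq[-self.window:]
        score = sum(SUSPICIOUS_ACTIONS.get(a, 0) for a in recent)
        # A chain that combines persistence with tampering weighs extra:
        # each action alone is common for installers and updaters.
        if "write_autorun" in recent and "modify_executable" in recent:
            score += 2
        return "block" if score >= self.threshold else "allow"


def run_trace(blocker, trace: List[Tuple[str, str]]) -> List[str]:
    """Feeds (process, action) pairs to a blocker and returns its verdicts."""
    return [blocker.observe(p, a) for p, a in trace]


# Constructed traces: a benign installer and a worm-like process
INSTALLER_TRACE = [("setup.exe", "open_network"), ("setup.exe", "write_file"),
                   ("setup.exe", "write_autorun")]
WORM_TRACE = [("svc.exe", "enum_files"), ("svc.exe", "modify_executable"),
              ("svc.exe", "write_autorun"), ("svc.exe", "open_network")]

if __name__ == "__main__":
    g1 = FirstGenBlocker()
    print(run_trace(g1, INSTALLER_TRACE), len(g1.prompts), "prompts")
    print(run_trace(SecondGenBlocker(), INSTALLER_TRACE))
    print(run_trace(SecondGenBlocker(), WORM_TRACE))
```

The installer trace shows the first-generation weakness from the text: two prompts for an ordinary install, while the sequence-scoring blocker lets it through and still blocks the worm-like chain on its third action.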

Testing by Current Analysis

In 2003, Current Analysis, under the leadership of Mike Fratto, invited the following vendors to test HIPS products: Argus Systems Group, Armored Server, Computer Associates (CA), Entercept Security Technologies, Harris, Network-1, Okena, Tiny Software, Tivoli (part of IBM) and WatchGuard. In the end, the only products tested in Syracuse University's RealWorld Lab were Argus' PitBull LX and PitBull Protector, CA's eTrust Access Control, Entercept's Web Server Edition, Harris' STAT Neutralizer, Okena's StormWatch and StormFront, and WatchGuard's ServerLock and AppLock/Web.

The following requirements were formulated for the participants:

  1. The product should allow you to centrally manage host security policies that limit application access to only those system resources that they (the applications) require to operate.
  2. The product must be able to create its own access policy for any server application.
  3. The product must control access to the file system, network ports, input/output ports and other means of communication between the OS and external resources. In addition, an additional layer of protection should provide the ability to block stack and heap buffer overflows.
  4. The product must make access to resources dependent on the name of the user (application) or its membership in a particular group.
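As an added example (not code from the tested products or from the article), the following models a host policy engine that satisfies the first, second and fourth requirements and the resource-control part of the third: policies are defined centrally per application and are default-deny over file paths, network ports and I/O ports, and individual rules can be restricted to a user or group. The buffer-overflow blocking in requirement 3 is a runtime mechanism outside a policy model and is not covered. Application names, paths, users and groups are constructed.

```python
"""Host-based access policy model: central per-application rules, default
deny, with rules that may depend on user or group. Added example, not code
from any tested product; names, paths, users and groups are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Set


@dataclass
class Rule:
    kind: str            # "file", "net_port" or "io_port"
    pattern: str         # glob for files, "tcp:80" style for ports
    access: Set[str]     # subset of {"read", "write", "exec", "listen", "connect"}
    subjects: Set[str] = field(default_factory=set)  # users/groups; empty = anyone


@dataclass
class HostPolicy:
    """Default-deny: an application may touch only the resources its rules
    name, and only with the operations those rules grant."""
    app_rules: Dict[str, List[Rule]] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # user -> groups
    denials: List[str] = field(default_factory=list)           # audit trail

    def add_rule(self, app: str, rule: Rule) -> None:
        self.app_rules.setdefault(app, []).append(rule)

    def _subject_matches(self, rule: Rule, user: str) -> bool:
        if not rule.subjects:
            return True
        return user in rule.subjects or bool(self.groups.get(user, set()) & rule.subjects)

    def check(self, app: str, user: str, kind: str, resource: str, op: str) -> bool:
        for rule in self.app_rules.get(app, []):
            if (rule.kind == kind and op in rule.access
                    and fnmatch(resource, rule.pattern)
                    and self._subject_matches(rule, user)):
                return True
        # No rule matched: denied, and recorded for the management console
        self.denials.append(f"{app} as {user}: {op} {kind} {resource}")
        return False


def demo_policy() -> HostPolicy:
    """Constructed policy for a web server: read its document root, write
    its log, listen on 80 for anyone and on 443 only for the web-svc group."""
    p = HostPolicy(groups={"www": {"web-svc"}, "alice": {"admins"}})
    p.add_rule("httpd", Rule("file", "/var/www/*", {"read"}))
    p.add_rule("httpd", Rule("file", "/var/log/httpd/*", {"write"}))
    p.add_rule("httpd", Rule("net_port", "tcp:80", {"listen"}))
    p.add_rule("httpd", Rule("net_port", "tcp:443", {"listen"}, subjects={"web-svc"}))
    return p


if __name__ == "__main__":
    policy = demo_policy()
    print(policy.check("httpd", "www", "file", "/var/www/index.html", "read"))
    print(policy.check("httpd", "www", "file", "/etc/shadow", "read"))
    print(policy.check("httpd", "nobody", "net_port", "tcp:443", "listen"))
    print(policy.denials)
```

A server application with no rules at all (`sshd` in the test) is denied everything, which is the point of requirement 1: access is limited to what each application needs, not what the operating system account happens to allow.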

After a month and a half of testing, the StormWatch product from Okena won (later acquired by Cisco Systems, the product was called Cisco Security Agent).

Further development

In 2003, a Gartner report was published which argued that the IDS generation of that time was ineffective and predicted that IDS would inevitably be equipped with IPS functionality. After this, IDS developers began to combine their products with IPS more often.

Methods for responding to attacks

After the attack begins

These methods act after an attack has been detected, which means that even when they succeed, the protected system may already have been damaged.

Blocking a connection

If a TCP connection is used for the attack, it is closed by sending one or both of the participants a TCP packet with the RST flag set. As a result, the attacker is unable to continue the attack over this network connection. This method is most often implemented using existing network sensors.

The method is characterized by two main disadvantages:

  1. Does not support protocols other than TCP that do not require prior connection establishment (such as UDP and ICMP).
  2. The method can only be used after the attacker has already established an unauthorized connection.

Blocking user accounts

If several user accounts were compromised as a result of an attack, or turned out to be its source, they are blocked by the system's host sensors. To perform the blocking, the sensors must run under an account with administrator rights.

Blocking can also occur for a specified period, which is determined by the settings of the Intrusion Prevention System.

Blocking a computer network host

For firewalls that do not support the OPSEC protocols, an adapter module can be used to interact with the Intrusion Prevention System:

  • it receives commands to change the firewall configuration;
  • it edits the firewall configuration to modify its parameters.

Active source suppression

The method can theoretically be used if other methods prove useless. The IPS identifies and blocks the intruder's packets and carries out a counter-attack on the intruder's node, provided that its address is unambiguously identified and that such actions will cause no harm to other legitimate nodes.

This method is implemented in several non-commercial programs:

  • NetBuster prevents Trojan horses from entering your computer. It can also be used as a "fool-the-one-trying-to-NetBus-you" tool: it looks for the malicious program, determines which computer launched it, and then returns the program to that address.
  • Tambu UDP Scrambler works with UDP ports. The product not only acts as a dummy UDP port, it can also be used to "paralyze" the attacker's equipment using a small program called UDP flooder.

Since it is impossible to guarantee that all the conditions are met, widespread use of the method in practice is not yet possible.

At the beginning of the attack

These methods implement measures that stop detected attacks before they reach their target.

Using network sensors

Network sensors are installed inline, in the break of a communication channel, so as to analyze all passing packets. For this they are equipped with two network adapters operating in promiscuous mode, one for reception and one for transmission, recording all passing packets into buffer memory, from which they are read by the IPS attack detection module. If an attack is detected, the offending packets can be dropped.

Packet analysis is carried out using signature or behavioral methods.
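The two mechanisms described above, resetting a TCP connection once an attack is seen and the inline sensor that checks every packet with signature or behavioral methods, fit together in one small model. The following is an added example, not code from the article or from any IPS product: each packet read from the inbound adapter passes through a content signature matcher and a per-source rate detector; a packet that matches is dropped instead of being copied to the outbound adapter, and the response for the flow is chosen by protocol, a reset for TCP and a drop rule for UDP and ICMP, which have no connection to reset. The packet structure, signatures, rate limit and sample traffic are constructed.

```python
"""Inline sensor model: signature plus behavioral detection with a
protocol-dependent response. Added example, not code from any IPS product;
packets, signatures and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed content signatures: (id, protocol, byte pattern, description)
SIGNATURES = [
    ("sig-1", "tcp", b"/cgi-bin/../../", "path traversal attempt"),
    ("sig-2", "udp", b"\x00" * 64, "oversized null payload"),
]

Action = Tuple[str, str, str]   # (response, target, reason)


@dataclass
class InlineSensor:
    rate_limit: int = 20      # packets per window per source before alarm
    window: float = 1.0       # seconds
    seen: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    actions: List[Action] = field(default_factory=list)

    def signature_match(self, pkt: Packet) -> Optional[str]:
        for sig_id, proto, needle, _desc in SIGNATURES:
            if pkt.proto == proto and needle in pkt.payload:
                return sig_id
        return None

    def behavioral_match(self, pkt: Packet) -> Optional[str]:
        """Flags a source sending more than rate_limit packets inside the
        window: the flood-style anomaly behavioral methods are meant for."""
        times = self.seen[pkt.src]
        times.append(pkt.ts)
        while times and pkt.ts - times[0] > self.window:
            times.pop(0)
        return "rate-anomaly" if len(times) > self.rate_limit else None

    def respond(self, pkt: Packet, reason: str) -> Action:
        # A TCP flow can be torn down by resetting both endpoints; UDP and
        # ICMP carry no connection state, so the only response is a drop
        # rule for the source (the limitation the text lists for RST).
        if pkt.proto == "tcp":
            action = ("tcp_reset_both_ends", f"{pkt.src}->{pkt.dst}:{pkt.dport}", reason)
        else:
            action = ("drop_rule", pkt.src, reason)
        self.actions.append(action)
        return action

    def process(self, pkt: Packet) -> str:
        """Verdict for one packet: "forward" (copy to the outbound adapter)
        or "drop"."""
        anomaly = self.behavioral_match(pkt)    # always updates the counter
        reason = self.signature_match(pkt) or anomaly
        if reason:
            self.respond(pkt, reason)
            return "drop"
        return "forward"


def sample_traffic() -> List[Packet]:
    # Constructed traffic: one benign request, one signature hit, then a
    # burst of 25 UDP packets from a single source inside one second.
    pkts = [Packet(0.0, "tcp", "10.0.0.5", "10.0.1.2", 80, b"GET /index.html"),
            Packet(0.1, "tcp", "10.0.0.7", "10.0.1.2", 80, b"GET /cgi-bin/../../x")]
    pkts += [Packet(0.2 + i * 0.01, "udp", "10.0.0.9", "10.0.1.3", 53, b"q")
             for i in range(25)]
    return pkts


def run(packets: List[Packet]) -> Tuple[List[str], List[Action]]:
    """Runs the sensor over a packet list; returns verdicts and responses."""
    sensor = InlineSensor()
    verdicts = [sensor.process(p) for p in packets]
    return verdicts, sensor.actions


if __name__ == "__main__":
    verdicts, actions = run(sample_traffic())
    print(verdicts.count("forward"), "forwarded,", verdicts.count("drop"), "dropped")
    for a in actions:
        print(a)
```

Note that the rate detector only fires from the 21st packet of the burst onward: the first 20 are already past the sensor, which is the "after the attack begins" caveat from the text in miniature.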

The article discusses popular IPS solutions in the context of the global and Russian markets. A definition of basic terminology, the history of the emergence and development of IPS solutions are given, and the general problems and scope of application of IPS solutions are also discussed. It also provides a summary of the functionality of the most popular IPS solutions from various manufacturers.

What is IPS?

First of all, let's give a definition. Intrusion detection system (IDS) or Intrusion prevention system (IPS) are software and hardware designed to detect and/or prevent intrusions. They are designed to detect and prevent unauthorized attempts to access, use, or disable computer systems, primarily over the Internet or local area network. Such attempts can take the form of attacks by hackers or insiders, or be the result of malware.

IDS/IPS systems are used to detect anomalous network activity that may compromise data security and confidentiality, for example: attempts to exploit software vulnerabilities; attempts to escalate privileges; unauthorized access to confidential data; malware activity, etc.

The use of IPS systems serves several purposes:

  • Detect and prevent an intrusion or network attack;
  • Predict possible future attacks and identify vulnerabilities to prevent their further development;
  • Document existing threats;
  • Ensure quality control of administration from a security perspective, especially in large and complex networks;
  • Obtain useful information about the penetrations that took place in order to restore and correct the factors that caused the penetration;
  • Determine the location of the source of the attack in relation to the local network (external or internal attacks), which is important when making decisions about the location of resources on the network.

In general, IPS are similar to IDS. The main difference is that they operate in real time and can automatically block network attacks. Each IPS includes an IDS module.

The IDS, in turn, usually consists of:

  • event collection systems;
  • systems for analyzing collected events;
  • storage in which collected events and the results of their analysis are accumulated;
  • databases of vulnerabilities (this parameter is key, since the larger the manufacturer’s database, the more threats the system can identify);
  • management console, which allows you to configure all systems, monitor the status of the protected network, view detected violations and suspicious actions.

Based on monitoring methods, IPS systems can be divided into two large groups: NIPS (Network Intrusion Prevention System) and HIPS (Host Intrusion Prevention System). The first group is focused on the network level and the corporate sector, while representatives of the second deal with information collected inside a single computer, and therefore can be used on personal computers. Today, HIPS are often included in antivirus products, therefore, in the context of this article, we will not consider these systems.

Among NIPS and HIPS there are also:

  • Protocol-based IPS, PIPS. It is a system (or agent) that monitors and analyzes communication protocols with related systems or users.
  • Application Protocol-based IPS, APIPS. It is a system (or agent) that monitors and analyzes data transmitted using application-specific protocols. For example, tracking the contents of SQL commands.

As for the form factor, IPS systems can be presented either as a separate hardware solution or as a virtual machine or software.

Technology development. IPS problems.

Intrusion prevention systems emerged at the intersection of two technologies: firewalls and intrusion detection systems (IDS). The former could pass traffic through themselves but analyzed only the headers of IP packets. The latter, on the contrary, "could" do everything the firewalls could not, that is, analyze the traffic, but could not influence the situation in any way, since they were installed in parallel and did not pass traffic through themselves. Taking the best from each technology, IPS systems emerged.

The development of modern IPS systems went through four directions. So to speak, from the particular to the general.

The first direction is the development of IDS into inline-IDS. In other words, it was necessary to integrate the IDS system into the network not in parallel, but in series. The solution turned out to be simple and effective: IDS was placed between protected and unprotected resources. Software variants of IPS most likely evolved from this direction.

The second direction in the development of IPS is no less logical: the evolution of firewalls. As you understand, they lacked depth of analysis of the traffic passing through them. Adding deep inspection of the packet payload and understanding of the transmitted protocols allowed firewalls to become true IPS systems. Hardware IPS most likely evolved from this direction.

The third “source” was antiviruses. It was not far from fighting worms, Trojans and other malware to IPS systems. HIPS most likely evolved from this direction.

Finally, the fourth direction was the creation of IPS systems from scratch. Here, in fact, there is nothing to add.

As for the problems, IPS, like any other solutions, had them. There were three main problems:

  1. a large number of false positives;
  2. response automation;
  3. a large number of management tasks.

With the development of systems, these problems were successfully solved. So, for example, to reduce the percentage of false positives, they began to use event correlation systems that “set priorities” for events and helped the IPS system perform its tasks more efficiently.
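An added example (not from the article or any product) of the kind of event correlation the paragraph credits with cutting false positives, and of the analyzer-side aggregation across several sensors that the StoneGate description later in the page mentions: raw sensor events are grouped per source and scored within a time window, corroboration by a second sensor and an exploit attempt against a host listed as exposed raise the score, and only sources that cross a threshold become incidents with a priority. The log format, weights, thresholds and exposed-host list are constructed.

```python
"""Event correlation model: per-source windowed scoring of sensor events
into prioritized incidents. Added example, not code from any product;
the log lines, weights and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    ts: int          # seconds
    sensor: str
    src: str
    dst: str
    kind: str


@dataclass
class Incident:
    src: str
    priority: str    # "low", "medium" or "high"
    score: int
    sensors: List[str]
    kinds: List[str]


# Constructed weights: port probes are noisy on their own; exploit attempts
# against a host the vulnerability database lists as exposed weigh most.
WEIGHTS = {"port_probe": 1, "auth_failure": 2, "exploit_attempt": 5}
EXPOSED_HOSTS = {"10.0.1.2"}      # stand-in for the vulnerability database


def parse_line(line: str) -> Event:
    # Constructed line format: "<ts> <sensor> src=<ip> dst=<ip> kind=<kind>"
    ts, sensor, src, dst, kind = line.split()
    return Event(int(ts), sensor, src.split("=", 1)[1],
                 dst.split("=", 1)[1], kind.split("=", 1)[1])


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def window_score(evs: List[Event]) -> int:
    score = 0
    for e in evs:
        score += WEIGHTS.get(e.kind, 0)
        if e.kind == "exploit_attempt" and e.dst in EXPOSED_HOSTS:
            score += 2                # target known to be vulnerable
    if len({e.sensor for e in evs}) > 1:
        score += 2                    # corroborated by a second sensor
    return score


def correlate(events: List[Event], window: int = 300,
              threshold: int = 6) -> List[Incident]:
    """Groups events per source, finds the best-scoring time window for
    each source and emits an incident only when it reaches the threshold."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)
    incidents: List[Incident] = []
    for src, evs in by_src.items():
        best, best_evs, start = 0, [], 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            score = window_score(evs[start:end + 1])
            if score > best:
                best, best_evs = score, evs[start:end + 1]
        if best >= threshold:
            priority = "high" if best >= 12 else "medium" if best >= 8 else "low"
            incidents.append(Incident(src, priority, best,
                                      sorted({e.sensor for e in best_evs}),
                                      [e.kind for e in best_evs]))
    return sorted(incidents, key=lambda i: -i.score)


# Constructed sensor log: one real attack chain, one lone failed login,
# and two port probes from one source too far apart to correlate.
SAMPLE_LOG = """\
100 sensorA src=10.0.0.5 dst=10.0.1.2 kind=port_probe
160 sensorA src=10.0.0.5 dst=10.0.1.2 kind=port_probe
200 sensorB src=10.0.0.5 dst=10.0.1.2 kind=auth_failure
230 sensorB src=10.0.0.5 dst=10.0.1.2 kind=exploit_attempt
120 sensorC src=10.0.0.6 dst=10.0.1.9 kind=auth_failure
900 sensorA src=10.0.0.8 dst=10.0.1.9 kind=port_probe
3000 sensorA src=10.0.0.8 dst=10.0.1.9 kind=port_probe
"""

if __name__ == "__main__":
    for inc in correlate(parse_log(SAMPLE_LOG)):
        print(inc)
```

Seven raw events become a single high-priority incident; the isolated login failure and the two widely spaced probes never reach the console, which is the false-positive reduction the text describes.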

All this led to the emergence of next generation IPS systems (Next Generation IPS - NGIPS). NGIPS must have the following minimum functionality:

  • Work in real time without impact (or with minimal impact) on the company’s network activity;
  • Act as a single platform that combines all the advantages of the previous generation of IPS, as well as new capabilities: control and monitoring of applications; use of information from third-party sources (vulnerability databases, geolocation data, etc.); file content analysis.

Figure 1. Functional diagram of the evolutionary stages of IPS systems

Global and Russian IPS market. Main players, differences.

Speaking about the global market for IPS systems, experts often refer to Gartner reports, and primarily to the Magic Quadrant (Gartner Magic Quadrant for Intrusion Prevention Systems, July 2012). In 2012 the situation was as follows:

Figure 2. Distribution of the main players in the global IPS market. Source: Gartner, July 2012

The clear leaders were McAfee, Sourcefire and HP, with the well-known Cisco close behind them. However, the summer of 2013 made its own adjustments. At the beginning of May, a wave of discussion swept across thematic blogs and forums, raised by the announcement of a deal between McAfee and Stonesoft. The Americans were going to buy the Finnish "visionary", which had loudly announced itself several years earlier by discovering a new class of attack, AET (Advanced Evasion Techniques).

However, the surprises did not end there: literally a couple of months later, Cisco announced an agreement with Sourcefire and the purchase of the company for a record $2.7 billion. The reasons were more than compelling. Sourcefire is known for supporting two open source developments: the Snort intrusion detection and prevention engine and the ClamAV antivirus. Snort technology has become the de facto standard for intrusion detection and prevention systems. This matters because in the Russian market Cisco Systems is the main supplier of network security solutions. It was one of the first to enter the Russian market, and its network equipment is installed in almost every organization, so it is not surprising that network security solutions are also ordered from this company.

In addition, Cisco Systems promotes its security line on the Russian market very competently. At the moment, no company can compare with Cisco Systems in terms of the level of work with the market, both in marketing and in working with partners, government organizations, regulators, etc. It is especially worth noting that the company pays very close attention to certification against Russian requirements, spending much more on it than other Western manufacturers, which also helps it maintain a leading position in the Russian market. As they say, draw your own conclusions.

And if everything is more or less clear with the global IPS market (a "reshuffling" of the leaders is coming soon), the Russian market is not so simple and transparent. As noted above, the domestic market has its own specifics. Firstly, certification plays a big role. Secondly, to quote Mikhail Romanov, one of the authors of the global study “Information Security Market of the Russian Federation”: “There are virtually no competitive IPS solutions made in Russia. The author knows of only three Russian solutions of this type: “Argus”, “Forpost” and “RUCHEY-M” (not positioned as IPS). It is not possible to find “Argus” or “RUCHEY-M” on the Internet and buy them. The Forpost solution, produced by RNT, is positioned as a certified solution entirely based on the SNORT code (and the developers do not hide this). The developer does not provide his solution for testing, and the product is not promoted on the market in any way; that is, it seems that RNT is promoting it only in its own projects. Accordingly, it is not possible to see the effectiveness of this solution.”

The mentioned three systems also include the RUBICON complex, which is positioned by the Eshelon company not only as a certified firewall, but also as an intrusion detection system. Unfortunately, there is not much information on it.

The most recent solution from a Russian manufacturer that we managed to find is an IPS (included in the ALTELL NEO UTM device) which is, in the vendor's words, a "modified" open Suricata engine that uses current signature databases from open sources (the National Vulnerability Database and Bugtraq). All this raises more questions than it answers.

However, based on the proposals of integrators, we can continue the list of IPS systems offered on the Russian market and give a brief description for each of the solutions:

Cisco IPS (certified by FSTEC)

As part of the Cisco Secure Borderless Network, Cisco IPS provides the following capabilities:

  • Preventing the intrusion of more than 30,000 known exploits;
  • Automatic signature updates from the Cisco Global Correlation website to dynamically recognize and prevent intrusion attacks from the Internet;
  • Advanced research and expertise of Cisco Security Intelligence Operations;
  • Interaction with other network components to prevent intrusions;
  • Supports a wide range of near real-time deployment options.

All this allows you to protect your network from attacks such as:

  • Direct attacks (directed attacks);
  • Worms, viruses (worms);
  • Botnet networks (botnets);
  • Malware;
  • Infected applications (application abuse).

Sourcefire IPS, Adaptive IPS and Enterprise Threat Management

Among the main advantages are:

  • Development of systems based on SNORT;
  • Flexible rules;
  • Integration with MSSP;
  • Passive tapping technology (zero impact on the network);
  • Work in real time;
  • Network Behavioral Anomaly Detection (NBA);
  • Event personalization.

McAfee Network Security Platform (formerly IntruShield Network Intrusion Prevention System) (FSTEC certified)

Advantages of the solution:

  • Intelligent Security Management

The solution reduces the staff and time required to monitor and investigate security events while simplifying the management of complex, large-scale deployments. Through guided, detailed analysis, sequential discovery delivers the information you need exactly when and where you need it, while hierarchical control enables scale.

  • High level of threat protection

Threat protection is provided by a vulnerability intelligence-based signature engine that has been transformed into a next-generation platform by integrating state-of-the-art behavioral analytics and multi-event correlation technology. Low-touch, signature-based protection keeps operational costs low and effectively protects against known threats, while advanced behavioral analytics and event correlation technology protects against next-generation and zero-day threats.

  • Using global anti-malware protection
  • Security Connected Infrastructure

The solution improves the level of network security, helps optimize the network security system, increasing its economic efficiency. In addition, the solution allows you to align network security with business programs to achieve strategic goals.

  • Performance and scalability
  • Information collection and control. Obtaining information about user actions and devices, which is directly integrated into the control and analysis process

Stonesoft StoneGate IPS (certified by FSTEC)

StoneGate IPS is based on intrusion detection and prevention functionality, which uses various intrusion detection methods: signature analysis, protocol decoding technology to detect intrusions that do not have signatures, protocol anomaly analysis, behavior analysis of specific hosts, detection of any type of network scanning, adaptive application signatures (virtual profiling).

A special feature of Stonesoft IPS is the presence of a built-in security event analysis system, which significantly reduces the traffic transmitted from the IPS to the management system and the number of false positives. The initial analysis of events is carried out by the Stonesoft IPS sensor, then information from several sensors is transmitted to the analyzer, which correlates events. Thus, multiple events may indicate a time-distributed attack or a network worm - where the decision about malicious activity is made based on several events from the "big picture", rather than on each individual occasion.

Key features of StoneGate IPS:

  • detection and prevention of unauthorized access attempts in real time in a mode transparent to network users;
  • use of proprietary AET technology (Advanced Evasion Techniques), that is, protection against advanced evasion techniques;
  • an extensive list of attack signatures (by content, context of network packets and other parameters);
  • ability to process fragmented network traffic;
  • the ability to monitor multiple networks at different speeds;
  • decoding protocols to accurately identify specific attacks, including within SSL connections;
  • the ability to update the database of attack signatures from various sources (signatures can be imported from Open Source databases);
  • blocking or terminating unwanted network connections;
  • analysis of “histories” of security events;
  • analysis of protocols for compliance with RFC;
  • built-in event analyzer, which allows you to effectively reduce the flow of false positives;
  • creating your own attack signatures, attack analysis templates, anomalies, etc.;
  • additional functionality of the transparent firewall (Transparent Access Control), which in some cases allows a firewall to be dispensed with without any reduction in the effectiveness of protection;
  • analysis of GRE tunnels and any combination of IPv6 and IPv4 encapsulation;
  • centralized management and monitoring, easy-to-use and at the same time flexible to configure report generation system.

Attack detector APKSh "Continent" (Security Code) (certified by FSTEC and FSB)

The Continent attack detector is designed to automatically detect network attacks using dynamic traffic analysis of the TCP/IP protocol stack. It implements the functions of an intrusion detection system (IDS) and analyzes traffic in order to identify computer attacks aimed at information resources and services.

Main features of the Continent attack detector:

  • Centralized management and control of operation using the Continent system control center.
  • A combination of signature and heuristic attack detection methods.
  • Prompt response to detected intrusions.
  • Notifying the central control center about its activity and about events that require prompt intervention in real time.
  • Detecting and recording information about attacks.
  • Analysis of collected information.

IBM Proventia Network Intrusion Prevention System (certified by FSTEC)

The Proventia Network IPS attack prevention system is designed to block network attacks and audit network operation. With patented protocol analysis technology, IBM Internet Security Systems provides proactive protection—timely protection of the corporate network from a wide range of threats. Preventative protection is based on round-the-clock threat monitoring in the GTOC security center (gtoc.iss.net) and the X-Force group's own research and search for vulnerabilities.

Main features of Proventia Network IPS:

  • Parses 218 different protocols including application layer protocols and data formats;
  • More than 3,000 algorithms are used in traffic analysis to protect against vulnerabilities;
  • Virtual Patch technology – protects computers until updates are installed;
  • Passive monitoring mode and two inline installation modes;
  • Supports multiple security zones with one device, including VLAN zones;
  • Availability of built-in and external bypass modules for continuous data transmission through the device in the event of a system error or power outage;
  • Multiple ways to respond to events, including logging attack packets;
  • Control of information leaks in data and office documents transmitted over peer-to-peer networks, instant messaging services, web mail and other protocols;
  • Detailed policy settings;
  • Attack traffic recording;
  • Support for custom signatures;
  • The ability to block new threats based on recommendations from X-Force experts.

Check Point IPS (firewall and UTM certified)

The Check Point IPS Software Blade provides exceptional intrusion prevention capabilities at multi-gigabit speeds. To achieve a high level of network protection, the multi-level IPS Threat Detection Engine uses many different detection and analysis methods, including: using signatures of vulnerabilities and attempts to exploit them, identifying anomalies, and analyzing protocols. The IPS engine can quickly filter incoming traffic without the need for deep traffic analysis, ensuring that only relevant traffic segments are analyzed for attacks, resulting in lower costs and increased accuracy.

The IPS solution leverages Check Point's high-level dynamic management capabilities to enable you to graphically display only relevant information, easily and conveniently isolate data that requires further administrative action, and comply with regulatory requirements and reporting standards. Additionally, Check Point IPS solutions—both the IPS Software Blade and the Check Point IPS-1 Hardware Appliance—are managed through a single management console, SmartDashboard IPS, providing unified management of IPS assets.

Key benefits:

  • Full IPS protection tools – All IPS functionality built into the firewall used;
  • Industry-leading performance – Multi-Gigabit IPS and firewall performance;
  • Dynamic Management – Full range of management tools, including real-time security event views and automated security processes;
  • Protection between patch releases – Increased level of protection in cases of delayed patch releases.

Trend Micro Threat Management System (based on Smart Protection Network)

Trend Micro Threat Management System is a network analysis and monitoring solution that provides unique capabilities in the field of detecting subtle intrusions, as well as automating threat remediation. Powered by the Trend Micro Smart Protection Network (a suite of threat detection and analysis modules) and up-to-date information from Trend Micro threat researchers, this robust solution provides the most effective, up-to-date threat prevention capabilities.

Main advantages:

  • Faster response to potential data loss due to early detection of new and known malware;
  • Reduce threat containment and damage control costs and reduce downtime with a customized approach to automated remediation of new security threats;
  • Proactively plan and manage your security infrastructure through increased knowledge of network vulnerabilities and root causes of threats;
  • Save bandwidth and network resources by identifying applications and services that disrupt your network;
  • Simplified threat and security breach management with a convenient, centralized management portal;
  • Non-interference with existing services thanks to flexible, out-of-band deployment.

Palo Alto Networks IPS

Palo Alto Networks™ is a market leader in network security and the creator of next-generation firewalls. Full visualization and control of all applications and content on the network by user, and not by IP address or port, at speeds up to 20Gbps without loss of performance, is the main advantage among competitive solutions.

Palo Alto Networks firewalls, based on patented App-ID™ technology, accurately identify and control applications—regardless of port, protocol, behavior or encryption—and scan content to prevent threats and data leaks.

The main idea of new generation firewalls, compared to traditional approaches including UTM solutions, is to simplify the network security infrastructure, eliminate the need for various stand-alone security devices, and provide traffic acceleration through single-pass scanning. The Palo Alto Networks platform addresses the wide range of network security requirements of different types of customers: from the data center to the corporate perimeter with its conditional logical boundaries, including branches and mobile devices.

Palo Alto Networks' next generation firewalls enable you to identify and control applications, users and content - not just ports, IP addresses and packets - using three unique identification technologies: App-ID, User-ID and Content-ID. These identity technologies allow you to create security policies that allow the specific applications your business needs, rather than following the common all-or-nothing approach of traditional port-blocking firewalls.

HP TippingPoint Intrusion Prevention System

TippingPoint is the industry's leading Intrusion Prevention System (IPS), unmatched in security, performance, availability and ease of use. TippingPoint is the only IPS system to receive an NSS Group Gold Award and Common Criteria certification, making it the de facto benchmark for network intrusion prevention.

The core technology in TippingPoint products is the Threat Suppression Engine (TSE), implemented on application-specific integrated circuits (ASICs). Through a combination of custom ASICs, a 20 Gbps backplane and high-performance network processors, the TSE provides complete packet flow analysis at layers 2-7, while the latency of a flow passing through the IPS stays below 150 μs regardless of the number of filters applied. This allows continuous cleaning of intranet and Internet traffic and accurate detection of threats such as worms, viruses, Trojans, blended threats, phishing, threats over VoIP, DoS and DDoS attacks, attempts to bypass security controls, walk-in worms and illegitimate bandwidth consumption, before any real harm is done. In addition, the TSE architecture classifies traffic to give the highest priority to mission-critical applications.

TippingPoint also provides ongoing protection against threats from newly discovered vulnerabilities. TippingPoint is the principal author of the SANS Institute newsletter that publishes the most current information on new and existing network security vulnerabilities; while analyzing these vulnerabilities for the newsletter, it simultaneously develops protection filters against attacks targeting them and includes those filters in the next release of Digital Vaccine (the "digital vaccine"). Vaccines are created to neutralize not only specific attacks but also their possible variations, which provides protection against zero-day threats.

The “digital vaccine” is delivered to customers weekly, and if critical vulnerabilities are identified, immediately. It can be installed automatically without user intervention, making it easier for users to update their security system.

Today, the company's flagship product is the HP TippingPoint Next-Generation Intrusion Prevention System, which allows you to control all levels of a company's network activity most effectively thanks to:

  • its own Application DV and Reputation DV databases;
  • decisions based on many factors combined by the HP TippingPoint Security Management System;
  • easy integration with other HP DVLabs services.

Conclusions

The IPS systems market cannot be called calm. 2013 brought two important transactions that could make serious adjustments on both a Russian and a global scale. We are talking about a confrontation between two "tandems": Cisco+Sourcefire versus McAfee+Stonesoft. On the one hand, Cisco holds a stable first place in the market in terms of the number of certified solutions, and the acquisition of such a well-known company as Sourcefire should only strengthen its well-deserved lead. At the same time, the acquisition of Stonesoft opens up excellent opportunities for McAfee to expand in the Russian market, because it was Stonesoft that was the first foreign company to obtain an FSB certificate for its solutions (this certificate grants far more possibilities than the FSTEC certificate).

Unfortunately, domestic manufacturers have not yet turned to the commercial sector, preferring to concentrate on government orders. This state of affairs is unlikely to have a positive impact on the development of these solutions, since it has long been known that without competition a product develops far less efficiently and ultimately degrades.

The purpose of this article is not just to describe the capabilities of IPS, but to focus attention on the unique functionality of the system, which solves a number of complex problems that enterprises face in the design and technological preparation of production and which distinguishes IPS from other PLM systems on the Russian market.

Integration with computer-aided design systems

Since the nineties of the last century, the INTERMECH company has focused on creating multi-CAD solutions rather than on integration with any single design system. Today we can say with confidence that of all domestic PLM systems, IPS has the largest number of integrations with mechanical and electrical computer-aided design systems: AutoCAD, BricsCAD, KOMPAS-Graphic, KOMPAS-3D, Inventor, NX, Creo, SolidWorks, Solid Edge, CATIA, Altium Designer, Mentor Graphics, E3.series. We especially note that these are ready-made working solutions, not promises to establish integration during implementation at the enterprise.

The IPS package includes a universal module for integrating 3D design systems with PLM systems. The module is built into the CAD system interface and provides the designer with access to PLM functions directly from the design system. The module provides automatic reading of the composition of products from models of assembly units, generation of design specifications based on models, as well as an associative connection between the properties of models and attributes of documents and products in the PLM system. This module also allows you to organize the collective work of designers on modeling complex assemblies, providing a set of functions for synchronizing changes made by different designers in the models that are part of the main assembly (Fig. 1).

Own document and form editor based on XML format

The IPS developers did not rely on third-party office packages or report generation tools, but created their own structured text document editor that uses the XML format to store data. This solution made it possible to unify the creation, storage and processing of all textual design and technological documentation and to implement in IPS a number of unique editors that have no analogues in any other PLM system. For example, the IPS package includes a product composition editor in the form of a design specification, including group specifications of forms A, B and C. The specification can be edited both in the usual tabular form and in the form in which it will appear in print. The designer also has access to many functions for preparing specifications: automatic and manual sorting, skipping lines and inserting positions, marking acceptable substitutions and selected elements, inserting notes, parts, special characters and formulas, linking with master data systems and much more (Fig. 2).

Let us emphasize once again that in IPS the specifications editor is precisely the editor of the composition of assembly units, and not the editor of documents generated on the basis of the composition of products. Changes in the product composition made in other modules of the system are immediately reflected in the IPS specification editor, and vice versa - any changes made in the specification are immediately reflected in the working copy of the product composition. Thus, the product composition is formed in parallel from several sources: a three-dimensional model or two-dimensional assembly drawing, electrical diagram, specification editor, etc. Moreover, each connection remembers its source, so updating the composition, for example, by model, will never delete items added to the product composition manually.

IPS (Intermech Professional Solutions) is a universal corporate-level system for managing information objects.

IPS allows you to combine and manage all product information: from conceptual design to production, from the production of individual copies and batches to the disposal of end-of-life products.

The IPS software package provides highly efficient data management at all stages of documentation development, production preparation, release and operation of products. The use of IPS family products allows you to organize production in accordance with quality standards (ISO 9000, etc.), reduce the cost of developing and producing new products, improve quality, reduce time to market, create a corporate-wide information system, and combine resources, processes, products and other information into a single information space.

The change notice editor in IPS is also not just a document editor (Fig. 3). In addition to the actual notice processing functions (inserting graphics and formulas, automatically filling in various columns, sorting changes, etc.), the editor helps manage the life cycle of the changed documents and objects. For example, it automatically releases versions of the documents included in the notice and moves them to the required life cycle (LC) step at the moment the notice is applied. Notices are also used to automate the selection of object versions when searching for their composition and applicability. The system also has many service functions that help organize the change process: close out a PI, accept proposals for a PR, issue a DI or DPI, create a set of notices, etc.

It should also be noted that changes to documentation in IPS can be made in a simplified form, through the change log in accordance with GOST 2.503-2013, an editor for which is also included in the system delivery package.

Product configurator

In ESKD (the Unified System for Design Documentation) there is the concept of a product "execution" (variant). Using one group design document, you can release several different versions of a product without issuing a separate set of documents for each one. This solution works well as long as the number of executions is small. However, the market now dictates its terms: the designed products must satisfy the requirements of as many customers as possible, which means that the ability to tailor a product to a specific customer's requirements is indispensable. In such cases, the Product Configurator in IPS comes to the aid of designers and marketers. This module allows you to maintain the composition of complex products with many options and functional dependencies without creating a version for each product variant.

The designer, when designing an assembly unit, can configure a set of options that control the composition of this unit. In this case, you can configure the rules for compatibility of the values of various options, the conditions for their use, the acceptability of values in a given assembly, etc. Marketing workers can create variants of product configurations by setting values for the main options that are most often required by customers for a given product. When placing an order, the buyer selects a product configuration option, further defines the option values not specified in the configuration, and the system generates the exact composition and set of documentation for a specific product that meets the customer's requirements.

Distributed work of large holdings and branches of enterprises

Nowadays you won’t surprise anyone with the presence of a web interface for information systems. Most domestic PLMs have acquired their own means of accessing the database from web browsers. IPS also has such an interface. But what should you do if the Internet at your workplace is unavailable for security reasons? Or are external communication channels slow and unstable? How to ensure fast and stable work for hundreds of users, regardless of external factors and communication channels between enterprises?

IPS includes a unique solution - the IPS WebPortal service. The essence of this solution is that each enterprise or branch operates in its own local network with its own database, and IPS WebPortal ensures information exchange between these local databases (nodes of the information network) via external communication channels through the central database of the portal, and the data transfer itself can be done offline (Fig. 4). This way of working significantly reduces the requirements for stability and bandwidth of external communication channels, and also increases data security, since information nodes gain access only to the information published for them on the portal, and not to all databases of remote enterprises.

The functionality of IPS WebPortal allows you to organize distributed document flow, management of distributed projects, exchange of information objects in batch mode, as well as automatic replication of changes between different databases. The IPS WebPortal software interface is designed in the form of standardized web services. This approach greatly simplifies the connection of other information systems to the portal, allowing it to be used as a means of exchanging data between various enterprise information systems.

Transfer of documentation to the customer

Another problem whose solution I would like to consider in more detail is the transfer of approved documentation to enterprises that either do not have a PLM system or whose PLM does not support the electronic signature mechanism. You can download a set of electronic documents from any PLM. But how can you make sure that these documents are approved and signed by all interested parties? And how can you check whether the transferred files have been changed since they were signed?

For this purpose, IPS provides a function for automatically generating information certification sheets in accordance with GOST 2.051-2013. When transferring hard copies, these sheets can be printed and, if necessary, certified with a "wet" signature. When transferring electronic documentation, the files of the certification sheets are automatically extracted to disk along with the document files. The sheets contain checksums of the signed files, which allows the recipient to verify that the signed data has not changed (Fig. 5).
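The integrity check described above can be reproduced with nothing more than a hash function. The following is an added example, not IPS code: it builds a plain-text certification sheet listing a checksum for every exported file, then verifies a directory against that sheet and reports which files are unchanged, modified, missing or unlisted. The sheet layout, the field names and the choice of SHA-256 are this example's own assumptions (the page does not state which checksum algorithm GOST 2.051-2013 sheets carry).

```python
"""Information certification sheet with file checksums (added example, not IPS code)."""
from __future__ import annotations

import hashlib
import os
import tempfile

HASH_ALG = "sha256"  # assumption: the text does not name the checksum algorithm


def file_digest(path: str) -> str:
    """Hex digest of a file, read in chunks so large drawings need not fit in memory."""
    h = hashlib.new(HASH_ALG)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_certification_sheet(doc_dir: str, document_id: str, signers: list[str]) -> str:
    """Header, signer lines, then one '<digest>  <filename>' line per file (constructed layout)."""
    lines = [f"CERTIFICATION SHEET {document_id}", f"ALGORITHM {HASH_ALG}"]
    lines += [f"SIGNER {s}" for s in signers]
    for name in sorted(os.listdir(doc_dir)):
        path = os.path.join(doc_dir, name)
        if os.path.isfile(path):
            lines.append(f"{file_digest(path)}  {name}")
    return "\n".join(lines) + "\n"


def verify_certification_sheet(doc_dir: str, sheet: str) -> dict[str, str]:
    """Compare every listed file with its current checksum.

    Returns filename -> 'ok' | 'modified' | 'missing'. Files present on disk but absent
    from the sheet are reported as 'unlisted' so a silently added file is not overlooked.
    """
    expected: dict[str, str] = {}
    for line in sheet.splitlines():
        if line.startswith(("CERTIFICATION SHEET", "ALGORITHM", "SIGNER")):
            continue
        digest, name = line.split("  ", 1)
        expected[name] = digest
    result: dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(doc_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif file_digest(path) != digest:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in os.listdir(doc_dir):
        if name not in expected and os.path.isfile(os.path.join(doc_dir, name)):
            result[name] = "unlisted"
    return result


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed scenario: export two files, verify, append to one of them, verify again."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "drawing.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample drawing\n")
        with open(os.path.join(d, "spec.xml"), "wb") as f:
            f.write(b"<spec><item>bolt M8</item></spec>\n")
        sheet = build_certification_sheet(d, "DOC-0001 v3", ["designer", "checker", "approver"])
        before = verify_certification_sheet(d, sheet)
        with open(os.path.join(d, "spec.xml"), "ab") as f:
            f.write(b"<!-- edited after signing -->\n")  # simulated tampering
        after = verify_certification_sheet(d, sheet)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

A checksum sheet only proves that the files match what the sheet says; it does not prove who produced the sheet. That is what the electronic signatures described next add: the sheet (or the files themselves) must be covered by a signature the recipient can verify.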

If documents were signed in IPS using qualified electronic signatures, then the system has the ability to upload signature files to disk in PKCS format. These signatures can be verified by the recipient of the documentation using any verification tool that understands the PKCS standard. You can also use a special electronic signature verification program that comes with IPS and can be transferred to third parties along with a set of signed documentation.

Protecting document files on workstations

All PLM systems store document files on secure servers and grant access to them only in accordance with their security rules. However, to edit a document in an external editor, the document file is extracted to the workstation's disk or to a network resource open to workstations. Thus the information leaves the control of the PLM system, creating a threat to data security. To solve this problem, IPS includes a file protection service for workstations. This service protects the user's working directory at the NTFS file system level, allowing access only to a specific user and only after authorization in IPS. As soon as the user exits the IPS client by any means available to them, access to the user's directory is automatically blocked.

Advanced information search tools

In addition to selections, classifiers and a desktop, which are found in one form or another in all domestic PLMs, the IPS developers have proposed a number of technical solutions that significantly speed up searching for information in the system. For example, the "Recent objects" window automatically maintains a list of objects the user has recently worked with, a kind of desktop that does not need to be filled or cleaned manually. And with the help of contextual selections, you can search for information using the properties of an object selected in the system. The conditions of such selections may contain not constants but references to the attributes of the object about which information is being sought. For example, you can quickly find all parts made from the same material without specifying the material itself in the search conditions.

The next interesting mechanism is a general index for quickly searching information objects, taking into account word forms and correcting input errors. The index contains information from all attributes specified by the administrator for indexing, including the contents of document files. At the same time, searching for information for the end user is greatly simplified - he does not need to create or find selections, he just needs to enter the search string in the field above the list of objects. Nearby is a list of frequently used filters, with which you can further narrow the scope of your search for objects by adding additional filtering conditions. The general list of filters is configured by system administrators, and the user can create his own personal filters by analogy with personal selections (Fig. 6).

IPS also has a special tool for searching objects by connections - object search schemes. A search scheme is a named set of settings and conditions according to which the system searches for the composition or applicability of an object at one or many nesting levels. The system comes with a variety of ready-made search schemes: for collecting a complete set of documents for a product or order, for searching for applicability in head products, for searching for various technological information, etc. Administrators can expand the list of schemas, and each role can have its own set of search schemas, depending on the responsibilities that users perform when logging into the system in that role.

Another interesting topic is searching for an electronic document using its hard copy. This question may arise even if the company has a well-functioning technical documentation department (OTD) and all outdated copies of documents are recalled in a timely manner. Often it is simply impossible to find out exactly which version of the document a given hard copy was created from, if it has not yet been registered with the OTD and has not received the corresponding accession number. In this case, the document barcoding technology implemented in IPS can help. The essence of the technology is that when a document is printed, a barcode is placed in a certain area of the title block, encoding the identifier of this version of the document in the PLM system. With a barcode scanner, finding such a document in the database takes a couple of seconds.

Requirements Management

Requirements management functionality has long become mandatory in foreign PLM systems, but domestic manufacturers are in no hurry to implement it, citing a lack of demand from users. Nevertheless, enterprise management understands that the most accurate implementation of technical specifications minimizes the number of problems that arise during the process of acceptance of the product by the customer. And requirements management in this context is part of the overall product quality control system at the enterprise. After all, mistakes made at the earliest design stage are the most costly. What is the point of making a product that does not meet customer requirements and regulatory documents?

Taking into account all of the above, INTERMECH has included a requirements management module in the IPS delivery package. This module allows you to create a tree of requirements that the designed product must meet, based on the technical specifications developed in MS Word (Fig. 7). The system administrator sets the criteria that technical requirement objects must meet in order to be transferred to the "Done" life cycle step (for example, the presence of signatures of responsible persons). The system monitors the fulfilment of all points of the technical specification and does not allow it to be moved to the "Done" step until all requirements are satisfied. It is also possible, based on the requirements tree, to create an IMProject project for organizing and planning the work of fulfilling the technical specification.

Instead of an epilogue

Unfortunately, the space of one article does not allow for a detailed analysis of all the features of the system. Therefore, we will briefly list what other functionality distinguishes IPS from other domestic PLM systems:

  • subsystem for searching 3D models by geometric similarity;
  • built-in forum mechanism for organizing discussion of any project, notice or information object directly in the system;
  • built-in expert system for calculating attribute values, checking conditions and generating documents, statements and reports of arbitrary complexity;
  • connection visualizer for visual representation of relationships between information objects in the form of a directed graph;
  • advanced tools for annotating documents, including a subsystem for creating graphic notes for documents of arbitrary formats;
  • archives for orderly storage of documents and control of access rights to them;
  • an iteration mechanism that allows you to save the state (attributes, files and connections) of selected objects at any time with the ability to return objects to this state;
  • built-in organizer for easy access to tasks, emails and various notifications directly on the calendar;
  • system scheduler for automatically executing various procedures, scripts and tasks according to a schedule;
  • built-in means of scaling the protected storage of document files, as well as means of migrating rarely used data to slow storage media;
  • support for DBMS LINTER, including LINTER BASTION, certified by FSTEC of Russia and the Ministry of Defense of the Russian Federation;
  • automatic reconnection of clients to the server when connection is lost and restored;
  • means of automatic deployment and updating of clients on workstations.

Thus, IPS has a number of advantages that make the system as convenient as possible for use at domestic enterprises and can significantly save time and reduce costs in the process of design and technological preparation of production.

Modern information security systems consist of many components that provide comprehensive protection measures at all stages of information processing and storage. One of the most important elements of security systems is intrusion prevention systems (IPS).

IPS systems are designed to detect and block attacks on the network and conduct a full scan of traffic passing through controlled points of the network. When malicious traffic is detected, the flow is blocked, preventing further development of the attack. To search for attacks, systems use a variety of algorithms and signature databases, which can contain several thousand attack definitions, which makes it possible to block most known types of attacks and their combinations.

To increase the effectiveness of an IPS system, it is necessary to select traffic control points at which attacks will be blocked, which will prevent unwanted traffic from spreading to other parts of the network. As a rule, in each organization, control points are selected depending on both business objectives and many other factors.

Currently, equipment manufacturers implement two placement methods: the method of connecting a device to a network gap and the method of redirecting information flows. Both have their advantages and disadvantages that must be taken into account when designing a protection system.

The inline method (connecting the device into a break in the network path) provides complete control of all traffic passing through the controlled point, so nothing can "slip past unnoticed." But it creates a single point of failure, which must be eliminated by redundancy. Another disadvantage is that the connection introduces delay into all traffic passing through the device, which calls for devices capable of operating at wire speed.

The redirect method involves installing a sensor (or several sensors) that looks for suspicious traffic in the data stream. The stream being checked is fed to the sensor from the switch's mirror ports or duplicated by other available means. When suspicious traffic is detected, the route is changed and the flow is redirected to a device that performs a full scan and ultimately decides whether to block or allow the traffic. If the decision is to allow it, the traffic returns to its previous route. If a sensor or IPS device fails, data transmission over the network is not interrupted, and no delay is introduced into "normal" traffic. However, with this method an attack carried out by a single network packet can succeed even if that packet is detected, because the packet has already been forwarded by the time the route is changed. Another drawback is the strict requirements placed on the network equipment the system must interact with.
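The difference between the two placements is easiest to see by replaying the same packets through both. The simulation below is an added example, not code from any vendor discussed on this page: an inline device inspects every packet before forwarding it, while a mirror-port sensor only sees a copy and can divert a flow after the first suspicious packet has already gone through. It also models the failure case from the paragraph above, where a failed inline device with a bypass passes everything unexamined and a failed sensor simply stops flagging. The flow labels, the `malicious` marker standing in for whatever the engine would detect, and the fail-open assumption for the inline device are all this example's own constructions.

```python
"""Inline vs mirror-port (redirect) IPS placement, replayed on constructed traffic (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Packet:
    flow: str               # constructed flow label, e.g. "A"
    seq: int                # position within the flow
    malicious: bool = False # stands in for the inspection engine's verdict


@dataclass
class InlineIPS:
    """Device in the path: each packet is inspected before it is forwarded.

    failed=True models a crashed or powered-off device whose bypass module passes
    everything through unexamined (fail-open), the usual default for an IPS.
    """
    failed: bool = False
    delivered: list[Packet] = field(default_factory=list)

    def handle(self, pkt: Packet) -> None:
        if self.failed:
            self.delivered.append(pkt)      # bypass: no inspection, no blocking
        elif not pkt.malicious:
            self.delivered.append(pkt)      # inspected and clean; malicious packets are dropped


@dataclass
class RedirectIPS:
    """Sensor on a mirror port: the switch forwards normally until a flow is flagged.

    Once flagged, later packets of that flow are diverted to the full-inspection device and
    dropped if malicious. The packet that raised the alert was already forwarded by the switch,
    so a single-packet attack succeeds even though it is detected.
    """
    failed: bool = False
    flagged_flows: set[str] = field(default_factory=set)
    delivered: list[Packet] = field(default_factory=list)

    def handle(self, pkt: Packet) -> None:
        if pkt.flow in self.flagged_flows and not self.failed:
            if not pkt.malicious:
                self.delivered.append(pkt)  # diverted, inspected, allowed back onto its route
            return                          # diverted and blocked
        self.delivered.append(pkt)          # normal route: the switch forwards regardless
        if pkt.malicious and not self.failed:
            self.flagged_flows.add(pkt.flow)  # sensor alerts on the mirrored copy; route changes


def run(device, packets: list[Packet]) -> list[tuple[str, int]]:
    """Feed packets through a device and return (flow, seq) of everything that reached the host."""
    for p in packets:
        device.handle(p)
    return [(p.flow, p.seq) for p in device.delivered]


# Constructed traffic: a single-packet attack on flow A, a clean flow B,
# and a multi-packet attack on flow C.
SAMPLE = [
    Packet("A", 1, malicious=True),
    Packet("B", 1),
    Packet("C", 1, malicious=True),
    Packet("C", 2, malicious=True),
    Packet("B", 2),
]


def compare(failed: bool = False) -> dict[str, list[tuple[str, int]]]:
    """Deliveries under both placements, with the device healthy or failed."""
    return {
        "inline": run(InlineIPS(failed=failed), SAMPLE),
        "redirect": run(RedirectIPS(failed=failed), SAMPLE),
    }


if __name__ == "__main__":
    for state in (False, True):
        print("device failed:" if state else "device healthy:", compare(state))
```

With a healthy device the inline placement delivers only flow B, while the redirect placement delivers the first malicious packet of both A and C and blocks only C's second packet. With the device failed, both placements deliver everything, which is exactly why the single point of failure an inline device creates must be covered by redundancy rather than by the bypass alone.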

IPS devices are placed at appropriate points according to the selected model. As a rule, such points are located at the edge of networks or represent border access points to provider networks. Recently, as a result of the improvement of IPS systems and the increase in insider threats, there has been a tendency to place devices inside networks - for more complete control of traffic between departments, servers and subnets of companies. As a result, the requirements for reliability and correct operation, as well as for device performance, have significantly increased.

At the same time, traditional problems with eliminating a single point of failure are still solved in the same traditional way - by duplicating equipment and components, which, in principle, corresponds to general trends in the development of equipment for critical tasks. Let's take a closer look at the problems of operation reliability and device performance.

Let's start with performance. This problem is traditionally solved in two ways: either by increasing processor power and parallel processing, or by creating specialized chips that perform the required operations in hardware. The second method is quite expensive due to the use of complex and “branchy” packet verification procedures, which, in turn, greatly complicates the chips and increases their cost. Manufacturers of IPS systems use various combinations of these methods, as well as traditional methods of clustering devices with load distribution, which allows them to create devices with the necessary speed parameters.

Now let's talk about the most difficult problem that plagues IPS devices - the problem of false positives. The same problem is relevant for intrusion detection systems (Intrusion Detection System, IDS), but, unlike IPS, they do not require special care in their work, since these systems are responsible only for detection and information. With IPS systems, everything is much more complicated - in the event of a false positive (as in the case of a real threat), traffic is blocked, which can cause significant harm to the organization.

Almost all manufacturers of IPS systems have “proprietary” algorithms that minimize the number of false positives through careful testing of equipment and updates, which ensures fairly reliable network operation.

Among other things, algorithms from different manufacturers differ in specialization and have different effectiveness in detecting and blocking different types of attacks, which complicates the creation of security solutions.

If the task of integrating IPS and other security systems when creating complex security systems is still difficult to solve, then the tasks of centralized management of IPS systems from one manufacturer are solved by means provided by manufacturers, which allows reducing the cost of managing systems, as well as centrally applying security policies.

Thus, IPS systems act as an effective element of integrated security systems, but their implementation and support is a very difficult task, requiring highly qualified specialists, which practically excludes the independent creation of an effective solution based on them.

In this article, you will learn some of the commonly known and little known characteristics of attack prevention systems.

What is an attack prevention system

Attack prevention systems (Intrusion Prevention Systems, or IPS for short) are a development of attack detection systems (Intrusion Detection Systems, or IDS for short). IDS initially only detected threats by listening to traffic on the network and on hosts, and then sent alerts to the administrator in various ways. IPS now block attacks immediately at the moment they are detected, although they can also work in IDS mode - only by notifying about problems.

Sometimes IPS functionality is understood as the joint functioning of an IDS and a firewall in one device. This is often caused by the fact that some IPS have built-in rules for blocking packets based on source and destination addresses. However, this is not a firewall. In a firewall, blocking traffic depends entirely on your ability to configure rules; in an IPS, it depends on the ability of the manufacturer's programmers to write error-free algorithms for finding attacks in traffic moving through the network. There is one more "similarity": the firewall technology known as stateful inspection is very similar to one of the technologies used in IPS to identify whether different connections belong to the same network protocol, and here it is called port following. There are many more differences; for example, a firewall cannot detect tunneling of one protocol inside another, but an IPS can.

Another difference between the theory of building an IPS and a firewall is that when the device fails, the IPS must PASS traffic through, and the firewall must BLOCK traffic. To operate in the appropriate mode, a so-called bypass module is built into the IPS. Thanks to it, even if you accidentally turn off the IPS power, traffic will flow freely through the device. Sometimes an IPS is also configured to block traffic when it fails, but these are special cases, most often used when two devices are run in High Availability mode.

An IPS is a much more complex device than a firewall. An IPS is used for threats that the latter cannot cope with. An IPS contains the concentrated knowledge of a huge number of security specialists who have identified problems, found their patterns and then programmed the code that identifies them, in the form of rules for analyzing content moving across the network.

IPS in corporate networks are part of a multi-layered defense because they are integrated with other security tools: firewalls, security scanners, incident management systems and even antiviruses. As a result, for each attack there are now opportunities not only to identify it and then notify the administrator or block it, but also to conduct a full analysis of the incident: collect the packets coming from the attacker, initiate an investigation, and eliminate the vulnerability by updating the affected software package.

In combination with a proper security management system, it becomes possible to control the actions of the network administrator himself, who must not only eliminate the vulnerability, for example by installing a patch, but also report to the system about the work done. Which, in general, brought tangible meaning to the operation of such systems. What is the point of talking about problems on the network if no one reacts to these problems and is not responsible for it? Everyone knows this eternal problem: the one who suffers losses from disruption of the computer system and the one who protects this system are different people. Unless we consider an extreme case, for example, a home computer connected to the Internet.

Traffic delays

On the one hand, it is good that you can not only receive information about an attack in progress but also block it with the device itself. On the other hand, the attack prevention system then has to be installed not on the switch's SPAN port but inline, so that all network traffic passes directly through the security device, which inevitably adds delay to packets crossing the network. In the case of VoIP this is critical, although if you intend to protect against attacks on VoIP, there is no other way to do it.

Thus, one of the characteristics by which an attack prevention system must be evaluated before purchase is the amount of network latency it introduces. As a rule this figure is available from the manufacturer, but independent test laboratories such as NSS also publish results. Trusting the manufacturer is one thing; verifying it yourself, under your own traffic mix and with the rule set you actually intend to run, is another.

Number of false positives

The second characteristic to look at is the number of false positives. Just as spam irritates us, false positives have the same effect on security administrators: eventually, to preserve their sanity, they simply stop reacting to any message from the system, and the purchase becomes a waste of money. A typical example of a system with a huge number of false positives is Snort; tuning it more or less adequately to the threats in your network takes a lot of time.

Some attack detection and prevention systems have built-in correlation that ranks detected attacks by severity using information from other sources, such as a security scanner. For example, if the scanner has established that a host runs Sun Solaris and Oracle, it can be said with certainty that a Slammer worm attack (which targets Microsoft SQL Server) will not succeed against that server. Such correlation systems mark those attacks as unsuccessful, which greatly lightens the administrator's work.
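The correlation described above, as an added illustration that is not part of the original article: alerts are ranked against an asset inventory of the kind a security scanner produces. The inventory, the rule names and the metadata saying which platform each rule targets are all constructed for this example.

```python
"""Added example (not from the original article): ranking IPS alerts against
an asset inventory, as a correlation engine fed by a security scanner might.
Hosts, software and the rule-to-target table are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    services: frozenset  # software the scanner found listening


# Constructed inventory, as a vulnerability scanner would report it.
INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", "Solaris", frozenset({"Oracle"})),
    "10.0.0.7": Asset("10.0.0.7", "Windows", frozenset({"MS SQL Server"})),
}

# Which platform/software each detection targets (hypothetical rule metadata;
# 'service' None means the rule is tied to the OS alone).
TARGETS = {
    "SQL Slammer (UDP/1434)": {"os": "Windows", "service": "MS SQL Server"},
    "Solaris sadmind overflow": {"os": "Solaris", "service": None},
}


def rank_alert(rule, dst_ip, inventory=INVENTORY, targets=TARGETS):
    """Return 'unsuccessful', 'likely' or 'unknown' for one alert.

    An alert is marked unsuccessful only when the inventory positively shows
    the target cannot be vulnerable (wrong OS, or the targeted service absent).
    Missing inventory or metadata never downgrades an alert."""
    asset = inventory.get(dst_ip)
    target = targets.get(rule)
    if asset is None or target is None:
        return "unknown"          # nothing to correlate against: leave it to the analyst
    if target["os"] and asset.os != target["os"]:
        return "unsuccessful"
    if target["service"] and target["service"] not in asset.services:
        return "unsuccessful"
    return "likely"


def triage(alerts):
    """Order (rule, dst_ip) alerts: likely first, unknown next, unsuccessful last."""
    order = {"likely": 0, "unknown": 1, "unsuccessful": 2}
    ranked = [(rule, ip, rank_alert(rule, ip)) for rule, ip in alerts]
    return sorted(ranked, key=lambda r: order[r[2]])


if __name__ == "__main__":
    sample = [("SQL Slammer (UDP/1434)", "10.0.0.5"),
              ("SQL Slammer (UDP/1434)", "10.0.0.7"),
              ("Solaris sadmind overflow", "10.0.0.5"),
              ("Solaris sadmind overflow", "10.0.0.9")]
    for row in triage(sample):
        print(row)
```

Note the conservative default: a host the scanner has never seen yields "unknown", not "unsuccessful". Downgrading on the basis of stale or missing inventory is how a correlation engine turns a real attack into a suppressed alert.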

Modernity of protective technologies

The third characteristic is the attack detection (and, at the same time, blocking) methods and the ability to tune them to the requirements of your network. There are two fundamentally different approaches: signature-based IPS look for attacks based on previously seen exploits, and protocol-analysis IPS look for attacks based on knowledge of previously found vulnerabilities. If someone writes a new exploit for the same vulnerability, an IPS of the first class will not detect or block it, while an IPS of the second class will. The second class is far more effective because it blocks whole classes of attacks: one manufacturer needs 100 signatures to detect all variants of the same attack, while another needs a single rule that analyzes the flaw in the protocol or data format that all those variants exploit.

Recently the term "preventive protection" has appeared. It covers both the ability to protect against attacks that are not yet known and protection against attacks that are already known but for which the vendor has not yet released a patch. In general, the word "preventive" is just another Americanism; there is a more Russian term, "timely": protection that works before we are hacked or infected, not after. Such technologies already exist and need to be used. When purchasing, ask the manufacturer which preventive protection technologies they use, and you will understand everything.

Unfortunately, there are as yet no systems that simultaneously use both well-known attack analysis methods: protocol analysis (or signature analysis) and behavioral analysis. For complete protection you will therefore have to install at least two devices on the network. One will search for attacks using signatures and protocol analysis; the other will use statistical and analytical methods to detect anomalies in the behavior of network flows. Signature-based methods are still used in many attack detection and prevention systems, but they are hard to justify: they do not provide proactive protection, because an exploit has to exist before a signature can be released. What good is a signature once you have already been attacked and the network already compromised? Signature antiviruses fail against new viruses for the same reason: the protection is reactive. The most advanced attack analysis method today is therefore full protocol analysis. The idea is that the system does not look for a specific attack but for a sign that the attacker is exploiting a vulnerability, and it looks for that sign in the protocol itself. For example, the system can check whether, before the TCP packet carrying the attack, there was a three-way handshake establishing the TCP connection (packets with the SYN, SYN+ACK and ACK flags). If a connection must exist before the attack can be carried out, the protocol analysis system checks whether one was established; if an attack packet arrives without a preceding connection, it concludes that the attack could not have succeeded. A pure signature system keeps no such state and will raise a false positive.
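The two points made above, an exploit signature versus a rule written against the vulnerability, and stateless versus handshake-aware inspection, as one added example that is not part of the original article. The application protocol, its 64-byte buffer, both exploit payloads, the signature and the captured packets are all constructed; no real product or real exploit is shown.

```python
"""Added example, not from the original article: a toy comparison of
(1) an exploit signature vs. a vulnerability-oriented protocol rule and
(2) stateless vs. handshake-aware (stateful) inspection of TCP payloads.
The application protocol, buffer size, exploit payloads and packets are all
constructed for illustration; nothing here corresponds to a real product."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str           # "S", "SA", "A", "PA"
    payload: bytes = b""


# Hypothetical text protocol: "USER <name>\r\n"; the server copies <name>
# into a 64-byte buffer (the assumed vulnerability).
MAX_USER_LEN = 64

# Constructed exploits for the same vulnerability; padding and shellcode differ.
EXPLOIT_A = b"USER " + b"A" * 200 + b"\x90\x90\xcc" + b"\r\n"
EXPLOIT_B = b"USER " + b"B" * 300 + b"\xeb\xfe" + b"\r\n"
BENIGN = b"USER alice\r\n"

# Signature written for the first published exploit: its exact byte sequence.
SIGNATURE_A = b"A" * 200 + b"\x90\x90\xcc"


def signature_match(payload):
    """Signature IPS: fires only on the byte pattern of a known exploit."""
    return SIGNATURE_A in payload


def vulnerability_rule(payload):
    """Protocol-analysis IPS: parses the USER command and checks the field
    length against the vulnerable buffer, so every variant is caught."""
    if not payload.startswith(b"USER "):
        return False
    name = payload[5:].split(b"\r\n", 1)[0]
    return len(name) > MAX_USER_LEN


class FlowTracker:
    """Minimal TCP state machine: a connection is ESTABLISHED only after the
    three-way handshake (SYN, SYN+ACK, ACK) has been seen on the wire."""

    def __init__(self):
        self.state = {}      # (client, server, sport, dport) -> state

    def _key(self, p):
        # Map the server's SYN+ACK onto the client->server tuple.
        if p.flags == "SA":
            return (p.dst, p.src, p.dport, p.sport)
        return (p.src, p.dst, p.sport, p.dport)

    def observe(self, p):
        k = self._key(p)
        st = self.state.get(k)
        if p.flags == "S":
            self.state[k] = "SYN_SENT"
        elif p.flags == "SA" and st == "SYN_SENT":
            self.state[k] = "SYN_RECEIVED"
        elif p.flags == "A" and st == "SYN_RECEIVED":
            self.state[k] = "ESTABLISHED"
        return self.state.get(k)


def inspect(packets, rule=vulnerability_rule):
    """Return (stateless_alerts, stateful_alerts) as packet indices.
    The stateless list fires on any matching payload; the stateful list only
    on an established connection, so a bare attack packet with no preceding
    handshake (spoofed or replayed) is not reported as a successful attack."""
    tracker = FlowTracker()
    stateless, stateful = [], []
    for i, p in enumerate(packets):
        st = tracker.observe(p)
        if p.payload and rule(p.payload):
            stateless.append(i)
            if st == "ESTABLISHED":
                stateful.append(i)
    return stateless, stateful


def sample_traffic():
    """Constructed capture: a real handshake followed by exploit B, then a
    lone exploit-A packet from another source with no connection behind it."""
    c, s = "192.0.2.10", "198.51.100.5"
    return [
        Packet(c, s, 40000, 21, "S"),
        Packet(s, c, 21, 40000, "SA"),
        Packet(c, s, 40000, 21, "A"),
        Packet(c, s, 40000, 21, "PA", BENIGN),
        Packet(c, s, 40000, 21, "PA", EXPLOIT_B),
        Packet("203.0.113.9", s, 51000, 21, "PA", EXPLOIT_A),   # no handshake
    ]


if __name__ == "__main__":
    pkts = sample_traffic()
    print("signature :", inspect(pkts, signature_match))     # ([5], [])
    print("vuln rule :", inspect(pkts, vulnerability_rule))  # ([4, 5], [4])
```

Read the two result pairs together: the signature sees only the exploit it was written for, and that one turns out to be noise (no connection), so it contributes one false positive and misses the real attack; the vulnerability rule catches both variants, and the handshake check keeps only the one that could actually have reached the server.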

Behavioral systems work completely differently. They observe network traffic for some period (a week, say) and remember which network flows normally occur. As soon as traffic appears that does not match the remembered behavior, it is clear that something new is happening on the network: for example, a new worm is spreading. In addition, such systems connect to an update center and, hourly or more often, receive new rules describing worm behavior and other updates, such as lists of phishing sites, which they can then block immediately, or lists of botnet command-and-control hosts, which lets them detect an infected host the moment it tries to contact its control center.

Even the appearance of a new host on the network is an important event for a behavioral system: it needs to find out what kind of host it is, what is installed on it, whether it has vulnerabilities, and whether the new host might itself be an attacker. For providers such behavioral systems matter because they track changes in traffic flows: a provider must ensure the speed and reliability of packet delivery, and if one morning it turns out that all traffic is squeezed through one channel while several other uplinks to other providers sit idle, something in the configuration has gone wrong and the load must be rebalanced.

For the owner of a small network it is important that there are no attackers inside, that the network does not end up on spammers' blacklists, and that attackers do not fill the entire Internet channel with garbage. The channel and the traffic are paid for, and every company director would like to detect and stop promptly the waste of money on traffic that is useless for the business.
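The behavioral approach of the last three paragraphs, as an added example that is not part of the original article: a baseline of normal flows is learned, then live traffic is checked for unseen flows, previously unknown hosts, worm-like fan-out and contact with a downloaded botnet C2 list. The flow record format, the flows themselves, the fan-out threshold and the C2 feed are all constructed.

```python
"""Added example, not from the original article: a toy network behavior
analyzer. It learns which flows and hosts are normal during a baseline
window, then flags unseen flows, previously unknown hosts, worm-like fan-out
and contact with hosts from a downloaded botnet C2 list. The flow record
format, the flows themselves and the C2 list are all constructed."""
from collections import defaultdict

# Constructed flow records: "src dst dport proto", one per line.
BASELINE_LINES = """\
10.0.0.11 10.0.0.2 53 udp
10.0.0.11 198.51.100.20 443 tcp
10.0.0.12 10.0.0.2 53 udp
10.0.0.12 198.51.100.20 443 tcp
10.0.0.13 10.0.0.3 445 tcp
""".splitlines()

LIVE_LINES = """\
10.0.0.11 10.0.0.2 53 udp
10.0.0.12 10.0.0.13 445 tcp
10.0.0.12 10.0.0.14 445 tcp
10.0.0.12 10.0.0.15 445 tcp
10.0.0.12 10.0.0.16 445 tcp
10.0.0.40 203.0.113.66 6667 tcp
""".splitlines()

C2_FEED = ["203.0.113.66"]     # constructed list from the "update center"


def parse_flows(lines):
    flows = []
    for line in lines:
        src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto))
    return flows


class BehaviorAnalyzer:
    def __init__(self, fanout_threshold=3):
        self.known_flows = set()
        self.known_hosts = set()
        self.c2_hosts = set()
        self.fanout_threshold = fanout_threshold

    def learn(self, flows):
        """Baseline phase: everything observed is assumed to be normal."""
        for src, dst, dport, proto in flows:
            self.known_flows.add((src, dst, dport, proto))
            self.known_hosts.add(src)

    def update_feed(self, c2_hosts):
        """Rules pushed from the update center (here: C2 addresses)."""
        self.c2_hosts.update(c2_hosts)

    def analyze(self, flows):
        events = []
        new_targets = defaultdict(set)   # (src, dport) -> unseen destinations
        for flow in flows:
            src, dst, dport, proto = flow
            if src not in self.known_hosts:
                events.append(("new-host", src))
                self.known_hosts.add(src)      # report each new host once
            if dst in self.c2_hosts:
                events.append(("botnet-c2", src, dst))
            if flow not in self.known_flows:
                events.append(("new-flow", flow))
                new_targets[(src, dport)].add(dst)
        # One host opening many previously unseen connections on one port
        # is the classic footprint of a scanning worm.
        for (src, dport), dsts in new_targets.items():
            if len(dsts) >= self.fanout_threshold:
                events.append(("worm-fanout", src, dport, len(dsts)))
        return events


def run_demo():
    nba = BehaviorAnalyzer()
    nba.learn(parse_flows(BASELINE_LINES))
    nba.update_feed(C2_FEED)
    return nba.analyze(parse_flows(LIVE_LINES))


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The weak point of the approach is visible in `learn`: whatever was on the wire during the baseline window becomes "normal", including an infection that was already present. A baseline therefore has to be taken on a network believed clean, and re-learned deliberately rather than continuously, or the analyzer slowly learns to accept the attacker.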

Analyzed protocols and data formats

If we are talking about technical specialists deciding which attack prevention system to choose, they should ask about the specific protocols the system analyzes. Perhaps something specific interests you: analyzing attacks in JavaScript, repelling SQL injection attempts, or DDoS attacks; or you have a SCADA system (supervisory control and data acquisition) and need the protocols of your specialized equipment analyzed; or protecting VoIP protocols, which because of their complexity already have implementation vulnerabilities, is critical for you.

In addition, not everyone knows that IPS events are not only of the "attack" type; there are also "audit" and "status" types. For example, an IPS can record connections and all ICQ messages. If your security policy prohibits ICQ, its use is an attack; if not, you can simply track all connections and who talks to whom, or disable that signature altogether if you consider it inaccurate.

Specialists

The question arises: where to find specialists who understand what needs to be bought, who will then know how to react to each message from the attack prevention system and will be able to configure it. You can, of course, take a course on managing such a system, but in reality a person must first understand network protocols, then network attacks, and only then response methods, and there are no such courses; this requires experience. There are companies that offer outsourced management and analysis of the messages received from security system consoles. They have for many years employed specialists with a deep understanding of Internet security, and they provide effective protection, while you are spared the headache of finding staff who understand the whole variety of available protection tools, from VPN to antivirus. Outsourcing also means 24/7 monitoring, so protection becomes continuous, whereas an in-house specialist can usually be hired only to work Monday to Friday from 9 to 18, and sometimes falls ill, studies, attends conferences, travels on business, and sometimes quits unexpectedly.

Product support

It is important to emphasize one more point about IPS: the manufacturer's support of its products. Updates to algorithms, signatures and rules remain necessary, since technologies and attackers do not stand still and new classes of vulnerabilities in new technologies must constantly be closed. Several thousand vulnerabilities are found every year, and your software and hardware surely contain several of them. How did you learn about the vulnerabilities in them, and how did you protect yourself afterwards? The relevance of the protection has to be monitored constantly. An important component is therefore continuous support for the security tools to which you have entrusted the security of your company: a professional team that tracks new vulnerabilities, writes new checks in good time, and itself looks for vulnerabilities in order to stay ahead of attackers. So when buying a complex system like an IPS, look at what support the manufacturer offers, and find out how well and how promptly it handled attacks that have already happened in the past.

Protection against IPS bypass methods

An IPS is itself very hard to attack because its inspection interfaces have no IP address (the IPS is managed through a separate management port). However, there are methods of bypassing an IPS that allow an attacker to "deceive" it and attack the networks it protects; they are described in detail in the popular literature, and the NSS test laboratory, for example, actively uses such bypass methods when testing IPS. Countering these methods is difficult for IPS manufacturers, and how a manufacturer deals with them is another interesting characteristic of an attack prevention system.
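One of the bypass methods referred to above, as an added example that is not part of the original article: an attack string is split across several small TCP segments delivered out of order, or across overlapping segments, so that no single packet contains the pattern; the countermeasure is to reassemble the stream in sequence-number order before matching. The content rule, the request, segment sizes and sequence numbers are constructed.

```python
"""Added example, not from the original article: one well-known class of IPS
evasion, splitting an attack across several small TCP segments delivered out
of order (or overlapping), and the countermeasure, reassembling the stream in
sequence-number order before matching content rules. The content rule,
request, segment sizes and sequence numbers are constructed."""
from dataclasses import dataclass

PATTERN = b"GET /cgi-bin/attack.cgi"     # constructed content rule
REQUEST = b"GET /cgi-bin/attack.cgi HTTP/1.0\r\n\r\n"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first byte in data
    data: bytes


def per_packet_match(segments, pattern=PATTERN):
    """Naive inspection: each segment on its own. This is what the evader
    counts on; no 5-byte chunk can contain a 23-byte pattern."""
    return any(pattern in s.data for s in segments)


def reassemble(segments):
    """Order segments by sequence number and stitch them into one stream.
    Bytes already present are kept and the later overlapping copy is dropped
    (a 'first wins' policy; real TCP stacks differ, and an IPS has to model
    the policy of the host it protects or the same trick works against it)."""
    stream = bytearray()
    base = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if base is None:
            base = seg.seq
        offset = seg.seq - base
        if offset > len(stream):
            break                      # gap: wait for the missing segment
        stream.extend(seg.data[len(stream) - offset:])
    return bytes(stream)


def stream_match(segments, pattern=PATTERN):
    """Inspection after reassembly: sees the request as the server will."""
    return pattern in reassemble(segments)


def evasive_segments(payload=REQUEST, chunk=5, start_seq=1000):
    """Attacker side: tiny segments, handed over in reverse order."""
    segs = [Segment(start_seq + i, payload[i:i + chunk])
            for i in range(0, len(payload), chunk)]
    segs.reverse()
    return segs


def overlapping_segments(start_seq=1000):
    """Attacker side: two segments overlapping on '/cgi'; neither contains the
    whole pattern, the reassembled stream does."""
    return [Segment(start_seq, b"GET /cgi"),
            Segment(start_seq + 4, b"/cgi-bin/attack.cgi HTTP/1.0\r\n\r\n")]


if __name__ == "__main__":
    for name, segs in (("reordered", evasive_segments()),
                       ("overlapping", overlapping_segments())):
        print(name, "per-packet:", per_packet_match(segs),
              "reassembled:", stream_match(segs))
```

The comment in `reassemble` is the practitioner's caveat: reassembly alone is not enough, because different operating systems resolve overlapping segments differently, and an attacker who knows the target's policy can craft overlaps that the IPS and the server interpret as different byte streams. This is why the manufacturer's handling of bypass methods has to be asked about specifically.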

The need for IPS in corporate networks is long overdue; new preventive technologies that protect organizations from new attacks have already been developed, so all that remains is to install and operate them correctly. This article deliberately did not mention manufacturers' names, so that the review of IPS properties would be as unbiased as possible.