IPS Technology White Paper-6W100


IPS Technology White Paper


Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This document provides generic technical information, some of which might not be applicable to your products.

Overview

Technical background

In early network security defense systems, firewalls serve as the first line of defense, monitoring and controlling data flows in and out of the network to block unauthorized access. However, as network attack methods evolve, firewalls alone cannot effectively identify and block complex intrusion techniques, such as worms, viruses, and more covert attacks. These attacks often bypass traditional firewall monitoring, posing serious threats to network systems.

To address these challenges, Intrusion Detection System (IDS) emerges. It monitors abnormal behavior in network traffic and provides attack detection. However, IDS can only provide detection and alert. It cannot implement real-time interventions and requires manual intervention for responses, which slows reaction in dynamic, fast-evolving network environments.

IPS emerges in this context. It not only detects intrusion behaviors but also automatically takes actions to block them. IPS significantly enhances proactive and timely network security, allowing networks to respond immediately to attacks, effectively reducing potential losses and impacts.


Benefits

IPS provides the following benefits:

·     In-depth protection: IPS analyzes and reassembles network traffic flows and inspects the application layer content of packets in detail, identifying more attack characteristics and improving the accuracy of attack detection.

·     Real-time protection: IPS inspects the traffic passing through the device and intercepts intrusion activities and malicious traffic in real time.

·     All-around protection: IPS provides protection against various types of attacks, including worms, Trojans, botnets, spyware, adware, CGI attacks, cross-site scripting attacks, and injection attacks.

·     Bidirectional protection: IPS inspects the traffic passing through the device in both directions, preventing not only attacks originating from outside the organization but also those initiated from within it.

·     Large and continuously updated signature library: IPS supports regular automatic updates of the signature library, so that newly emerging attack threats are covered by ongoing protection.

·     Flexible user-defined IPS signatures: IPS supports creating user-defined signatures to meet the specific protection needs of a particular network environment.

IPS implementation

Concepts

IPS signatures

IPS signatures describe a series of rules for network attack behavior. These signatures represent specific indicators or attributes of different attack types, including specific packet contents, protocol anomalies, malware or virus byte sequences, and MD5 values.

As network traffic flows through the device, the device compares the packets in real time with these IPS signatures. If a packet matches one or more signatures, it likely indicates a malicious attack or abnormal behavior. Based on this match, IPS can immediately identify the attack and take a series of preset response measures, such as alerting network administrators and blocking the related traffic, effectively detecting and defending against attacks to protect network security.

The device supports predefined IPS signatures, user-defined IPS signatures, and Snort signatures.

Predefined IPS signatures

Predefined IPS signatures are automatically generated by importing the IPS signature library into the device. This library contains a large number of predefined signatures based on detailed analysis of specific attacks or malicious behavior, along with recommended response measures for matching signatures.

Predefined IPS signatures aim to identify and defend against known threats. After the signature library is imported or automatically updated, the device automatically parses the information from the library, generates the corresponding predefined signatures, and loads them into the inspection engine. This process immediately enhances the device's ability to monitor and defend against potential threats.

Figure 1 Predefined IPS signatures


User-defined IPS signatures

User-defined IPS signatures are manually created by the administrator on the device. They mainly consist of signature attributes and signature rules.

Signature attributes

Signature attributes include basic properties of signatures and actions performed on packets after they match signatures.

·     Basic properties include name, description, severity level (such as critical, high, medium, and low), and traffic direction (server or client).

·     Actions include blacklist, drop, permit, reset, logging, and packet capture.

Signature rules

Signature rules represent the matching conditions of signatures. A signature is considered matched only when the matching conditions are met.

·     Rule logic: The administrator can configure multiple rules for a user-defined signature, connecting them using AND or OR relationships. In an AND relationship, traffic must meet all rules to be considered a successful match. In an OR relationship, matching any single rule is considered a success.

·     Rule types: The system supports two types of rules, keyword type and integer type.

·     Filtering criteria and detection items: You can set filtering criteria and detection items. Filtering criteria include application layer protocol, transport layer protocol, source/destination IPv4 address, source/destination port, and request method. The system checks the detection items only when traffic meets the filtering criteria of the rule. Each rule supports multiple detection items, which have an AND relationship and are matched in the configured order. A packet matches a rule only when the packet matches all detection items in the rule.

·     Detection trigger conditions: For a rule of the keyword type, you must configure a detection trigger condition, which is the prerequisite for the system to match a packet with detection items in the rule. If a packet fails to match the detection trigger condition, the packet fails to match the rule and the system does not continue to match the packet with other detection items.
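The matching semantics described in the list above (AND/OR between rules, filtering criteria that gate a rule, a mandatory trigger condition for keyword rules, and detection items ANDed in configured order), modelled as an added example in Python. This is illustration code written for this description, not H3C's implementation; the packet field names (app_proto, l4_proto, dst_port, method, body, uri_len), the sample signature and the sample packets are all constructed for the demo.

```python
# Added example (not H3C's code): a toy model of user-defined IPS signature
# matching. Field names, the sample signature and the packets are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DetectionItem:
    kind: str                         # "keyword" or "integer"
    field_name: str                   # packet field this item inspects
    keyword: Optional[bytes] = None   # keyword items: byte string to find
    low: Optional[int] = None         # integer items: inclusive range
    high: Optional[int] = None

    def matches(self, packet: Dict) -> bool:
        value = packet.get(self.field_name)
        if value is None:
            return False
        if self.kind == "keyword":
            return self.keyword in value
        return self.low <= value <= self.high


@dataclass
class Rule:
    kind: str                                  # "keyword" or "integer"
    filters: Dict[str, object]                 # filtering criteria; all must hold
    trigger: Optional[DetectionItem] = None    # mandatory for keyword rules
    items: List[DetectionItem] = field(default_factory=list)

    def matches(self, packet: Dict) -> bool:
        # Filtering criteria gate the rule: if they fail, nothing is inspected.
        if any(packet.get(k) != v for k, v in self.filters.items()):
            return False
        # Keyword rules need the trigger condition first; a miss ends matching.
        if self.kind == "keyword":
            if self.trigger is None or not self.trigger.matches(packet):
                return False
        # Detection items are ANDed and evaluated in configured order.
        return all(item.matches(packet) for item in self.items)


@dataclass
class Signature:
    name: str
    severity: str
    direction: str        # "server" or "client"
    logic: str            # "and" or "or" between rules
    rules: List[Rule]
    actions: List[str]

    def matches(self, packet: Dict) -> bool:
        results = (rule.matches(packet) for rule in self.rules)
        return all(results) if self.logic == "and" else any(results)


def build_sample_signature() -> Signature:
    """Constructed signature: a script tag plus inline event handler in an HTTP
    POST body, OR an oversized request URI (values chosen for the demo)."""
    body_rule = Rule(
        kind="keyword",
        filters={"app_proto": "http", "l4_proto": "tcp", "dst_port": 80, "method": "POST"},
        trigger=DetectionItem("keyword", "body", keyword=b"<script"),
        items=[DetectionItem("keyword", "body", keyword=b"onerror=")],
    )
    uri_rule = Rule(
        kind="integer",
        filters={"app_proto": "http"},
        items=[DetectionItem("integer", "uri_len", low=4096, high=1_000_000)],
    )
    return Signature("demo-web-attack", "high", "server", "or",
                     [body_rule, uri_rule], ["drop", "logging"])


# Constructed packets, already decoded into the fields the rules inspect.
SAMPLE_PACKETS = {
    "xss_post": {"app_proto": "http", "l4_proto": "tcp", "dst_port": 80, "method": "POST",
                 "body": b"name=<script>x.onerror=1</script>", "uri_len": 40},
    "long_uri": {"app_proto": "http", "l4_proto": "tcp", "dst_port": 80, "method": "GET",
                 "body": b"", "uri_len": 5000},
    "no_trigger": {"app_proto": "http", "l4_proto": "tcp", "dst_port": 80, "method": "POST",
                   "body": b"name=onerror=1", "uri_len": 30},
    "dns": {"app_proto": "dns", "l4_proto": "udp", "dst_port": 53, "body": b"", "uri_len": 0},
}


def evaluate_all() -> Dict[str, bool]:
    sig = build_sample_signature()
    return {name: sig.matches(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:12s} -> {'MATCH' if hit else 'no match'}")
```

The "no_trigger" packet is the case the last bullet describes: it contains the second detection item, but because the trigger condition is not met the rule is abandoned without checking further items, and with the OR logic the signature only matches if the integer rule fires instead.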

Snort signatures

Snort signatures are automatically generated by importing Snort files.

The basic syntax structure of Snort rules is as follows:

Rule action Protocol Source IP Source port -> Destination IP Destination port (Rule options)

The basic components of a Snort rule include rule header and rule options.

Rule header

The rule header defines basic operations and application scenarios of a rule, including action, protocol type, source and destination IP addresses, and ports.

·     Rule action: Specifies the action to perform when a packet matches the rule, including alert and log.

·     Protocol: Specifies the applicable network protocols, such as TCP or UDP.

·     IP address and port: Source IP and destination IP fields define the source and destination addresses of packets. They can be specific IP addresses, network segments, or the any keyword. Source port and destination port fields define the corresponding port numbers. You can also use the any keyword or specify a port range to define source and destination port numbers.

Rule options

Rule options provide the detailed matching conditions of a rule, including detection content (such as specific strings and byte sequences), conditions (such as detection thresholds and packet sizes), and alert messages. Options are separated by semicolons and can include multiple sub-options. For example:

·     msg: Defines the message displayed when the rule is triggered.

·     content: Specifies the packet content that the rule searches for.

·     sid: Assigns a unique identifier to the rule.

·     rev: Indicates the rule's revision version number.

Examples

The following is an example of a Snort rule that is used to detect SQL injection attempts targeting Web servers:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQL Injection attempt"; flow:to_server,established; content:"select"; nocase; sid:1000001; rev:1;)

This rule indicates that when a TCP packet is sent from any external network address and port to port 80 on the internal network, and the packet content contains the string select (case insensitive), the rule triggers an alert with the message SQL Injection attempt.
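As an added example (not code from H3C or the Snort project), the following Python parses the rule shown above into its header fields and options and then applies it to a few constructed packets. It handles only plain-text content, nocase and flow options, and the values assigned to $HOME_NET and $EXTERNAL_NET are assumptions made for the demo.

```python
# Added example (not H3C's or Snort's code): parse the rule header and options
# of a Snort rule and apply it to constructed packets. Only plain-text content,
# nocase and flow are supported; the variable values are assumptions.
import ipaddress
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Rule variables as they would be set in the sensor configuration (constructed).
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!$HOME_NET"}

EXAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQL Injection attempt"; '
                'flow:to_server,established; content:"select"; nocase; sid:1000001; rev:1;)')


def parse_options(text: str) -> List[Tuple[str, str]]:
    """Split ';'-separated options; a quoted value may itself contain ';'."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    result = []
    for part in parts:
        if part.strip():
            key, _, value = part.partition(":")
            result.append((key.strip(), value.strip().strip('"')))
    return result


def parse_rule(rule: str) -> Dict:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header: " + rule)
    parsed = m.groupdict()
    parsed["options"] = parse_options(parsed.pop("opts"))
    return parsed


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):                      # negation
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):                      # variable reference
        return addr_matches(VARS[spec], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                               # Snort range syntax, e.g. 1024:65535
        low, high = spec.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return int(spec) == port


def rule_matches(rule: Dict, pkt: Dict) -> bool:
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    contents: List[List] = []        # [text, nocase]; nocase modifies the preceding content
    for key, value in rule["options"]:
        if key == "content":
            contents.append([value, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
        elif key == "flow":
            wanted = {v.strip() for v in value.split(",")}
            if not wanted <= set(pkt.get("flow", ())):
                return False
    for text, nocase in contents:
        hay, needle = (pkt["payload"].lower(), text.lower()) if nocase else (pkt["payload"], text)
        if needle not in hay:
            return False
    return True


# Constructed packets: external client sending a SELECT keyword to a web server,
# an internal client doing the same, and an external client with benign data.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51234, "dst": "10.1.2.3", "dport": 80,
     "flow": ["to_server", "established"], "payload": "GET /search?q=Select+name HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.5.5.5", "sport": 51235, "dst": "10.1.2.3", "dport": 80,
     "flow": ["to_server", "established"], "payload": "GET /search?q=Select+name HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51236, "dst": "10.1.2.3", "dport": 80,
     "flow": ["to_server", "established"], "payload": "GET /search?q=printer HTTP/1.1\r\n"},
]


def evaluate_example() -> List[bool]:
    rule = parse_rule(EXAMPLE_RULE)
    return [rule_matches(rule, pkt) for pkt in SAMPLE_PACKETS]
```

The second packet shows why the header matters as much as the content: the same payload from an address inside $HOME_NET does not satisfy $EXTERNAL_NET, so the rule never reaches its content check.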

IPS signature library

An IPS signature library is an extensive and continuously updated set of signatures formed by professional network security researchers based on in-depth analysis of attack behaviors and malicious activities. Each signature in the IPS signature library represents an attack pattern, malware behavior, protocol anomaly, or any network traffic characteristic deemed harmful.

An IPS signature library serves as a continuously updated resource, playing a crucial role in network security defense. It identifies and defends against known threats while quickly adapting to emerging attack techniques through regular updates. This ensures that services and organizations maintain advanced and effective defenses in a constantly changing threat landscape.

IPS signature library update

The following methods are available for updating the IPS signature library on the device:

·     Automatic update.

The device automatically downloads the most up-to-date IPS signature file to update its local signature library periodically.

·     Triggered update.

The device downloads the most up-to-date IPS signature file to update its local signature library immediately after you trigger the operation.

·     Manual update.

Use this method when the device cannot obtain the IPS signature file automatically.

You must manually download the most up-to-date IPS signature file, and then use the file to update the signature library on the device.

IPS signature library rollback

If the current signature library frequently produces false alarms or filtering exceptions, you can roll back the IPS signature library to the factory default version.

IPS actions

When the device detects a matching packet for an IPS signature, it takes the actions specified for the signature on the packet.

The device supports the following signature actions:

·     Reset—Closes the TCP connections for matching packets by sending TCP reset messages.

·     Redirect—Redirects matching packets to a webpage.

·     Block-source—Drops matching packets and adds the source IP addresses of the packets to the IP blacklist.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

IPS policies

IPS policies define which signatures are used by the device to match packets and the actions to be performed on matching packets.

IPS whitelist

IPS whitelist provides a flexible and effective method to precisely control and manage which network traffic is considered safe and which requires inspection or blocking. By adding specific signature IDs, URLs, source IPs, and destination IP addresses to the whitelist, the administrator ensures that legitimate and safe network activities are not falsely reported as threats. In addition, the strict matching logic of the whitelist ensures that only traffic that fully meets the preset conditions can be automatically permitted, further improving the level of network security.

The functions of IPS whitelist include:

·     Reduce false alarms: Adding known safe traffic to the whitelist can effectively reduce instances where IPS misidentifies legitimate actions as potential threats.

·     Optimize performance: For traffic on the whitelist, IPS can skip the inspection process, alleviating device load and improving processing speed and efficiency.

·     Ensure service continuity: IPS whitelist guarantees that critical service traffic is not interrupted due to false alarms, maintaining continuity and stability in service processes.

In addition, treat the IPS whitelist as a dynamic tool: review and update it regularly to adapt to new service requirements and changes in security threats.

Technical implementation

IPS achieves precise identification and blocking of intrusion behaviors through the following functions, protecting enterprise information systems and networks from attacks:

·     IPS signature matching: Detects intrusion behaviors in real time by matching signatures with packets. This can effectively identify attacks, including cross-site scripting and crawler attacks.

·     SQL semantic analysis: Accurately identifies SQL injection attacks by analyzing the semantics of SQL statements in packets.

IPS signature matching

IPS functions use the DPI engine to perform real-time intrusion detection by matching packets with signatures, and process packets based on IPS policies.

IPS policies define which signatures to match and specify actions to take on matching packets.

Figure 2 IPS signature library matching flow


Identify signatures and deploy identification results

To identify signatures and deploy identification results, the administrator must first load signatures onto the device, providing rich resources for signature matching by the DPI engine. The DPI engine processes packets through reassembly, decoding, segmentation, and protocol analysis, and then matches the packets with IPS signatures. When signatures are matched successfully, the DPI engine delivers the matching result to the IPS service module.

Figure 3 Identify signatures and deploy identification results


Determine actions

The IPS service module determines the actions to execute based on the signature matching results.

In an IPS policy, signatures may trigger the following types of actions:

·     Exception actions configured for an IPS signature in the IPS policy.

·     Unified actions for all signatures in the IPS policy.

·     Predefined actions specified for certain signatures.

The actions in descending order of priority are exception actions, unified actions, and predefined actions.

Figure 4 Determine actions


Execute actions

The IPS service module executes the determined actions as follows:

·     If the packet matches only one IPS signature, the device takes the signature actions.

·     If the packet matches multiple IPS signatures, and the matching IPS signatures have two or more actions, including redirect, drop, permit, and reset, the device takes the action of the highest priority. The actions in descending order of priority are reset, redirect, drop, and permit.

The device will execute the block-source, capture, and logging actions if they are in the matching IPS signatures.
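The whitelist check described under "IPS whitelist" and the action determination and execution order described above, modelled together as an added Python example. This is not H3C's code: the policy layout, field names, signature IDs and traffic records are assumptions constructed for the demo, and treating a match whose actions contain none of reset, redirect, drop or permit as a pass is an assumption the paper does not state.

```python
# Added example (not H3C's code): whitelist check, then action determination
# (exception > unified > predefined) and execution (reset > redirect > drop >
# permit, with block-source/capture/logging always executed when present).
# Policy layout, field names, signature IDs and traffic records are assumptions.
import ipaddress
from typing import Dict, List, Optional, Set

# Mutually exclusive actions, highest priority first (order taken from the text).
PRIMARY_PRIORITY = ["reset", "redirect", "drop", "permit"]
# Actions executed whenever any matching signature carries them.
SIDE_ACTIONS = {"block-source", "capture", "logging"}


def whitelisted(entry: Dict, traffic: Dict, matched_sids: List[int]) -> bool:
    """Strict whitelist match: every field set on the entry must hold for the traffic."""
    for key, wanted in entry.items():
        if key == "sid":
            if wanted not in matched_sids:
                return False
        elif key in ("src_ip", "dst_ip"):
            if ipaddress.ip_address(traffic[key]) not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif traffic.get(key) != wanted:
            return False
    return True


def actions_for(sid: int, policy: Dict) -> Set[str]:
    """Priority: exception actions > unified policy actions > predefined signature actions."""
    if sid in policy["exceptions"]:
        return set(policy["exceptions"][sid])
    if policy["unified"]:
        return set(policy["unified"])
    return set(policy["predefined"].get(sid, ()))


def decide(traffic: Dict, matched_sids: List[int], policy: Dict) -> Dict:
    """Return the verdict (one primary action) plus the side actions to execute."""
    for entry in policy["whitelist"]:
        if whitelisted(entry, traffic, matched_sids):
            return {"verdict": "permit", "reason": "whitelist", "side": set()}
    if not matched_sids:
        return {"verdict": "permit", "reason": "no match", "side": set()}
    combined: Set[str] = set()
    for sid in matched_sids:
        combined |= actions_for(sid, policy)
    primary = [a for a in PRIMARY_PRIORITY if a in combined]
    # Assumption: a signature set with no primary action lets the packet pass.
    verdict = primary[0] if primary else "permit"
    return {"verdict": verdict, "reason": "signature", "side": combined & SIDE_ACTIONS}


def make_policy(unified: Optional[List[str]] = None) -> Dict:
    """Constructed policy: three predefined signatures, one exception, one whitelist entry."""
    return {
        "predefined": {1001: ["drop", "logging"], 1002: ["permit", "logging"],
                       1003: ["reset", "capture"]},
        "exceptions": {1003: ["permit", "logging"]},   # admin exempted 1003 from reset
        "unified": unified,
        "whitelist": [{"src_ip": "10.0.0.0/24", "dst_ip": "10.9.9.9/32", "url": "/health"}],
    }


# Constructed traffic records.
HEALTH_PROBE = {"src_ip": "10.0.0.7", "dst_ip": "10.9.9.9", "url": "/health"}
LOGIN_POST = {"src_ip": "10.0.0.7", "dst_ip": "10.9.9.9", "url": "/login"}


def run_scenarios() -> Dict[str, Dict]:
    plain = make_policy()
    unified = make_policy(unified=["drop", "logging"])
    no_exceptions = make_policy()
    no_exceptions["exceptions"] = {}
    return {
        "probe_whitelisted": decide(HEALTH_PROBE, [1001], plain),
        "single_match": decide(LOGIN_POST, [1001], plain),
        "exception_beats_predefined": decide(LOGIN_POST, [1003], plain),
        "multi_match_priority": decide(LOGIN_POST, [1001, 1002, 1003], plain),
        "reset_wins": decide(LOGIN_POST, [1001, 1003], no_exceptions),
        "unified_applies": decide(LOGIN_POST, [1002], unified),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} {result}")
```

The "reset_wins" scenario is the multi-signature case from the bullets above: one signature says drop and logging, the other reset and capture, so the device resets the connection (highest priority) and still executes both logging and capture.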

Figure 5 Execute actions


SQL semantic analysis

SQL semantic analysis detects SQL injection attacks by performing lexical, syntactic, and semantic analysis on the SQL statements in request messages, and processes packets based on the detection results. Unlike signature matching, which only matches strings without understanding the statement itself, SQL semantic analysis understands the SQL language and detects suspicious traffic accordingly.

Figure 6 SQL semantic analysis detection


The actions executed by the device when an SQL injection attack is detected depend on the detection method as follows:

·     Signature matching: If the device detects an SQL injection only by signature matching, the device takes the actions specified by the matching signature.

·     Semantic analysis: If the device detects an SQL injection attack only by semantic analysis, the device permits the detected packet and generates an IPS log message.

·     Signature matching & semantic analysis: If the device detects an SQL injection attack by both signature matching and semantic analysis, the device takes the actions specified by the matching signature and generates an IPS log message.
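As an added example (not H3C's implementation), the following Python contrasts the substring-style check of the Snort rule shown earlier (content "select", case-insensitive) with a toy lexical and structural analysis of a request parameter, and then maps the two results to the device behaviour listed above. The query template, token classes and injection heuristics are assumptions made for the demo, not a description of the device's analyzer.

```python
# Added example (not H3C's code): a toy lexical/structural check of a request
# parameter versus a plain substring signature, then the action mapping from
# the text above. Template, token classes and heuristics are assumptions.
import re
from typing import Dict, List, Tuple

KEYWORDS = {"select", "union", "insert", "update", "delete", "drop", "from", "where", "or", "and"}

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')                      # quoted literal, '' escapes a quote
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>=|<>|!=|<=|>=|<|>|\(|\)|,|;|\+|-|\*|/)
  | (?P<ws>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql: str) -> List[Tuple[str, str]]:
    """Lexical analysis: split a statement into (kind, text) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, value = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            kind = "keyword" if value.lower() in KEYWORDS else "ident"
        tokens.append((kind, value))
    return tokens


# Assumed application query: the parameter is meant to be exactly one string literal.
TEMPLATE = "SELECT name FROM items WHERE name = '{}'"
BASELINE_SHAPE = [k for k, _ in tokenize(TEMPLATE.format(""))]


def semantic_injection(value: str) -> List[str]:
    """Structural analysis: findings if the value changes the statement's token shape."""
    tokens = tokenize(TEMPLATE.format(value))
    findings = []
    if [k for k, _ in tokens] != BASELINE_SHAPE:
        findings.append("statement structure changed")
    for (k1, v1), (k2, v2), (k3, v3) in zip(tokens, tokens[1:], tokens[2:]):
        if k2 == "op" and v2 == "=" and k1 == k3 and k1 in ("string", "number") and v1 == v3:
            findings.append("always-true comparison " + v1 + "=" + v3)
    if any(k == "comment" for k, _ in tokens):
        findings.append("comment truncates the statement")
    return findings


def signature_match(value: str) -> bool:
    """The earlier Snort rule reduced to its content check: 'select', case-insensitive."""
    return "select" in value.lower()


def device_outcome(value: str, signature_actions=("drop", "logging")) -> Dict:
    """Map the detection-method combination to the device behaviour stated above."""
    by_signature = signature_match(value)
    by_semantics = bool(semantic_injection(value))
    if by_signature and by_semantics:
        return {"actions": set(signature_actions), "ips_log": True}
    if by_signature:          # signature only: the signature's own actions decide logging
        return {"actions": set(signature_actions), "ips_log": "logging" in signature_actions}
    if by_semantics:          # semantic analysis only: permit, but generate an IPS log
        return {"actions": {"permit"}, "ips_log": True}
    return {"actions": {"permit"}, "ips_log": False}


if __name__ == "__main__":
    for sample in ["selected works", "O''Brien", "' OR '1'='1", "' UNION SELECT 1 --", "printer"]:
        print(repr(sample), signature_match(sample), semantic_injection(sample), device_outcome(sample))
```

The first two samples show what the substring check cannot see: "selected works" contains the string select but stays a single literal, and an escaped quote (O''Brien) is still one literal to the lexer. The third sample is the reverse: no "select" anywhere, so only the structural analysis notices that the literal has been closed and a comparison of two identical literals appended.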

Technology comparison

IPS and IDS are two technologies aimed at enhancing network security, but they differ in functionality and use cases. IDS acts as a monitoring tool that detects suspicious activities and security threats in the network, alerting administrators. It acts like an alarm system, notifying of potential issues without intervening. IPS takes a more proactive approach; it not only detects threats but also automatically takes actions to prevent or mitigate attacks, similar to a guard with automatic response capabilities.

Table 1 Comparison between IPS and IDS

Operating mechanism

IDS: IDS passively monitors network traffic. Once it detects abnormal behaviors, it records and alerts the administrator.

IPS: IPS proactively analyzes traffic and immediately blocks malicious packets when an attack or abnormal behavior is detected. This proactive defense mechanism can reduce potential damage before an attack occurs.

Application scenarios

IDS: IDS is suitable for scenarios requiring detailed auditing and monitoring of network activities.

IPS: IPS is suitable for scenarios with higher security requirements and requiring immediate response and protection.

Deployment method

IDS: Devices that support IDS are usually deployed at key points in the network to monitor traffic without directly interfering with the transmission of data packets.

IPS: Devices that support IPS can be deployed directly on the network traffic path to intercept and process malicious traffic in real time.

Application scenarios

Border deployment for preventing external attacks

The device is deployed at the network egress, and detects and blocks hacker attack traffic in real time. This ensures the safety of internal servers and users.

Typical attacks include SQL injection, XSS attacks, webshell uploads, exploits targeting WebLogic and Struts2 vulnerabilities, and Java deserialization attacks.

Figure 7 Border deployment


Internal deployment for preventing illegal connections

The device is deployed in the internal network, and detects and blocks abnormal traffic in real time. It prevents illegal external connections from internal servers, stops internal malicious attacks, and blocks lateral propagation from compromised hosts. This ensures the safety of internal service systems and hosts. Typical attacks include MS17-010, mining viruses, and lateral attacks from internal penetration.

Figure 8 Internal deployment

