Intrusion Detection and Prevention

  • Network IPS
  • Host IPS

Network IPS

Securing networks without sacrificing performance and usability

Traditionally, business networks have been protected by perimeter access controls, provided primarily by firewall systems and standard networking equipment (routers and switches). As the communications requirements of modern companies have changed and the network perimeter has expanded, driven by business needs, perimeter security is becoming less and less watertight. With the mobility of employees and the prevalence of notebooks, PDAs, memory sticks and other portable data devices, we can no longer assume that internally generated network traffic is benign.

Guaranteeing clean network traffic

Network intrusion prevention systems (Network IPS or NIPS) are the solution to the porous network perimeter. NIPS transparently examine network traffic across all seven layers of the ISO/OSI networking model, providing comprehensive protection against, among other threats:

  • Networking protocol based attacks
  • Worms
  • Network flooding
  • Spyware
  • P2P
  • DoS/DDoS
  • Cross-site scripting
  • SQL injection
  • Phishing
  • Buffer overflows
  • Web directory traversal
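As an added illustration of the kind of inspection a NIPS performs, not code from S&T or any of its partners, the following Python sketch applies two of the detection styles implied by the list above to a constructed stream of request events: content signatures (directory traversal, SQL injection, cross-site scripting, after percent-decoding so that encoding does not hide the pattern) and a per-source rate threshold for flooding. The event tuples, signature patterns and thresholds are all assumptions chosen for the example; a production IPS works on reassembled packets rather than request lines and carries far richer rule sets.

```python
"""Minimal signature- and rate-based inspector in the spirit of a network IPS."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample events: (timestamp_seconds, source_ip, request_line).
# The last entry appends 120 requests in 0.12 s from one source to simulate flooding.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "GET /index.html HTTP/1.1"),
    (0.1, "10.0.0.9", "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1"),
    (0.2, "10.0.0.7", "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1"),
    (0.3, "10.0.0.8", "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"),
] + [(0.4 + i * 0.001, "10.0.0.42", "GET /index.html HTTP/1.1") for i in range(120)]

# Assumed, deliberately small signature set keyed by the threat name from the page.
SIGNATURES = {
    "web-directory-traversal": re.compile(r"(\.\./|\.\.\\)"),
    "sql-injection": re.compile(r"('\s*or\s*'|\bunion\s+select\b)", re.IGNORECASE),
    "cross-site-scripting": re.compile(r"<\s*script\b", re.IGNORECASE),
}

FLOOD_WINDOW_SECONDS = 1.0   # sliding window per source
FLOOD_THRESHOLD = 100        # requests per window before we call it flooding


def normalise(request_line):
    """Percent-decode twice so double-encoded payloads are inspected in clear form."""
    return unquote(unquote(request_line))


def match_signatures(request_line):
    """Return the names of all signatures that fire on one request line."""
    decoded = normalise(request_line)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


def inspect(events):
    """Return (source_ip, alert_name) pairs; an inline IPS would drop the matching traffic."""
    alerts = []
    recent = defaultdict(list)   # source -> timestamps inside the flood window
    flagged_flood = set()        # alert once per flooding source, not per packet
    for ts, src, line in events:
        for name in match_signatures(line):
            alerts.append((src, name))
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > FLOOD_WINDOW_SECONDS:
            window.pop(0)
        if len(window) > FLOOD_THRESHOLD and src not in flagged_flood:
            flagged_flood.add(src)
            alerts.append((src, "network-flooding"))
    return alerts


if __name__ == "__main__":
    for src, name in inspect(SAMPLE_EVENTS):
        print(f"{src:12} {name}")
```

Running the block prints one alert per flagged source. The decode-before-match step is the part worth noting: the same "../" or "<script" that a signature looks for is routinely percent-encoded on the wire, so an inspector that matches the raw bytes misses it, which is why the page stresses inspection across the full protocol stack rather than at the packet layer alone.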

Management

State-of-the-art IPS management systems can and must support regulatory compliance efforts within your business, complete with reporting capabilities that demonstrate your due diligence. At the same time, we require the ability to perform rapid online analysis of IPS alerts and to efficiently react to threats.

The need for speed

IPS systems can help companies meet compliance requirements and protect valuable business data, but network administrators cannot tolerate the negative impact many traditional security appliances have on the network. An enterprise solution must combine network performance and availability with advanced threat protection, which S&T's IPS manufacturing partners ensure.

Host IPS

Securing servers and desktops from local and network-borne attacks

It is increasingly clear that host and client systems on corporate networks require far more protection than the traditional antivirus that has been the norm until recently. It is now common to see anti-spyware software and some form of firewall deployed on clients and, to a lesser extent, on servers.

Point security solutions, with their multitude of management interfaces and possible incompatibilities, are problematic. What is required is an enterprise-capable host protection software package. Such packages are becoming available with the evolution of point solutions (generally Host IPS and Antivirus products) into comprehensive client endpoint protection packages and server Host IPS systems.

The deployment of such solutions is a necessity on notebooks and on servers exposed to hostile environments (for example DMZ servers offering services to Internet clients). Host IPS systems are particularly recommended in situations where Network IPS systems are ineffective (encrypted network traffic) or economically impracticable (large numbers of servers with multi-gigabit network connectivity) and where attack protection via virtual patching is required (where production servers cannot be patched outside maintenance/testing cycles).

Guaranteeing host integrity

Host intrusion prevention systems (Host IPS or HIPS) use a variety of techniques to ensure the integrity of the host system. A comprehensive approach includes the following techniques:

  • Firewall
  • Network intrusion prevention system
  • Buffer overflow exploit protection
  • Application control
  • Virtual patching (blocking known exploit vectors)
  • Traditional signature-based antivirus

This is achieved (in part) by:

  • Analysing all network traffic
  • Analysing and controlling applications
  • Analysing OS audit logs
  • Analysing application logs
  • Maintaining file integrity
  • Maintaining configuration/registry integrity
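The last two items, file and configuration integrity, are the most self-contained of the HIPS techniques listed, so here is an added Python example (not S&T's or any vendor's code) of how a host agent maintains them: it records a baseline of content hashes and permission bits for every file under a root, then re-scans and reports files that were added, removed, changed in content or changed in permissions. The directory tree, file names and tampering steps in `demo()` are constructed for the example; a real agent would keep the baseline signed and off-host, and watch the registry on Windows in the same way.

```python
"""File and configuration integrity baseline and verification, one building block of a host IPS."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path):
    """SHA-256 of the contents plus the permission bits; a change in either is a finding."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"sha256": digest.hexdigest(), "mode": oct(mode)}


def build_baseline(root):
    """Map of relative path -> fingerprint for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): _fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree against a stored baseline; returns (relative_path, finding) pairs."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "removed"))
        elif rel not in baseline:
            findings.append((rel, "added"))
        elif current[rel]["sha256"] != baseline[rel]["sha256"]:
            findings.append((rel, "content-modified"))
        elif current[rel]["mode"] != baseline[rel]["mode"]:
            findings.append((rel, "permissions-changed"))
    return findings


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"placeholder-binary")
        os.chmod(root / "bin" / "service", 0o755)

        baseline = build_baseline(root)
        # The baseline would normally be stored signed and off-host; a JSON
        # round-trip stands in for that storage here.
        baseline = json.loads(json.dumps(baseline))

        # Simulated tampering: a config change, a permission change, a new file.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        os.chmod(root / "bin" / "service", 0o777)
        (root / "bin" / "dropper").write_text("unexpected new file\n")

        return verify(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:20} {rel}")
```

Two design points carry over to real deployments. Permissions are fingerprinted separately from content, because a binary whose bytes are untouched but which became world-writable is exactly the kind of change the page's "virtual patching" and application-control layers rely on catching. And the verify step is driven by the union of baseline and current paths, so removed files are reported rather than silently ignored.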