
Intrusion Prevention Systems Report

This report explains the importance of using an Intrusion Prevention System to protect your company
from intrusions. The threat of network intrusion hangs over any organisation that possesses a network
open to the outside world. Because connectivity is the most important aspect of the modern
organisation, protection of this network is vital.
Firstly, I will describe the importance and role of an Intrusion Prevention System. Then I will give
examples of different types of Intrusion Prevention Systems and of some detection methods. Finally,
I will suggest the most appropriate type of Intrusion Prevention System and detection method for
the company's particular needs.
Importance and Role of Intrusion Prevention Systems (IPS)
Companies often believe that because a firewall is already in place, this is enough protection
from intrusion. However, a firewall alone is insufficient for preventing intrusions.
In the 1990s, virtually all network-based attacks could be blocked with the combination of firewalls
and anti-virus software. That isn't the case today: most new attacks are targeted directly at web
applications, and these attacks cannot be defended against with firewalls and anti-virus software
alone. Without an IPS, attacks have a significantly greater chance of succeeding.
Intrusion prevention systems, or IPSs, are devices or programs that are used to detect signs of
intrusions into networks or systems and take action. That action consists of generating alarms
and/or actively blocking intrusions. IPSs usually take the form of purpose-built hardware devices,
software agents that run on servers, or software programs that run within virtualized environments.
Firewalls and IPSs are both essential tools for protecting an enterprise from intrusions. Both are
needed, primarily because they're each designed to look at different things:

A firewall is designed to block all network traffic except that which is explicitly allowed.
An intrusion prevention system is designed to permit everything except that which is
explicitly disallowed.
A firewall is designed to permit (or block) network packets based on their source,
destination, and port number, regardless of the contents of each packet's payload (the
message itself).
An intrusion prevention system is designed to permit (or block) network packets based on
the packet's payload.
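The contrast above can be made concrete with a short simulation. This is an added example written for this report, not code from the original page or from any IPS vendor: the firewall policy, the two IPS signatures, the addresses and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # message contents


# Hypothetical firewall policy: default deny, permit only what is listed.
# Each rule is (destination host, protocol, destination port); the payload is never consulted.
FIREWALL_ALLOW = {
    ("10.0.0.5", "tcp", 80),
    ("10.0.0.5", "tcp", 443),
}

# Hypothetical IPS signature set: default permit, block only payloads that match a signature.
# Each entry is (signature name, byte pattern searched for in the payload).
IPS_SIGNATURES = [
    ("sqli-union-select", b"UNION SELECT"),
    ("path-traversal", b"../../"),
]


def firewall_allows(pkt: Packet) -> bool:
    """Firewall decision: based on header fields only."""
    return (pkt.dst, pkt.proto, pkt.dport) in FIREWALL_ALLOW


def ips_verdict(pkt: Packet) -> Tuple[str, Optional[str]]:
    """IPS decision: based on payload contents.
    Returns ("permit", None) or ("block", <signature name>)."""
    body = pkt.payload.upper()  # case-insensitive match against the upper-case patterns
    for name, pattern in IPS_SIGNATURES:
        if pattern in body:
            return ("block", name)
    return ("permit", None)


def inspect(pkt: Packet) -> str:
    """Run the firewall first, then the IPS, as the two would sit in line on the network."""
    if not firewall_allows(pkt):
        return "dropped-by-firewall"
    verdict, sig = ips_verdict(pkt)
    if verdict == "block":
        return "blocked-by-ips:" + sig
    return "allowed"


# Constructed sample traffic (addresses taken from the documentation ranges).
SAMPLE = [
    # Port 22 is not on the allow list: the firewall drops it without looking at the payload.
    Packet("203.0.113.7", "10.0.0.5", "tcp", 22, b"SSH-2.0-client\r\n"),
    # Ordinary web request: passes both.
    Packet("203.0.113.7", "10.0.0.5", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    # Same header fields as the request above, so the firewall permits it; only the IPS sees the payload.
    Packet("203.0.113.7", "10.0.0.5", "tcp", 80, b"GET /item?id=1 union select 1,2 HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.dport, pkt.payload[:24], "->", inspect(pkt))
```

The third packet is the one the report is concerned with: its source, destination and port are identical to legitimate web traffic, so a firewall has no basis to block it, while the IPS blocks it on the payload alone. Note that the toy matcher only upper-cases the payload; a real IPS engine also normalises URL encoding and other encodings before matching, otherwise trivially re-encoded payloads slip past the signature.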

Examples of Intrusion Prevention Systems (IPS)


Network Intrusion Prevention Systems (NIPS)
These typically take the form of a rack-mounted appliance or system that is attached to a data
network. The network is configured to send a copy of all the network traffic in the network through
the IPS so that the IPS may examine it to identify possible intrusions. It monitors the network to
block attacks.

Wireless Intrusion Prevention Systems (WIPS)


A WIPS actively monitors the radio spectrum for the presence of unauthorised access points
(detection) and takes countermeasures automatically (prevention). A WIPS thus monitors and prevents
unauthorised access to resources through the wireless network.
Host Intrusion Prevention System (HIPS)
A host-based IPS uses agents that reside on individual hosts within a network. They analyse log files
that are created and stored on that host (kernel, system, server, network, firewall, and others) and
monitor running processes, file access and configuration changes. The agent then compares the
captured data against a database of known attack signatures held on the management server. These
agents can operate in detection-only mode, or in prevention mode, where they take action against the
offending entity.
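The configuration-change monitoring and the detection-only versus prevention modes described above, as an added example written for this report (not code from the original page or from any HIPS product). The monitored file paths, their baseline contents and the "revert to baseline" prevention action are constructed assumptions; a real agent would hook the file-system write rather than be handed the new contents.

```python
import hashlib
from typing import Dict, Tuple

# Constructed baseline snapshot of monitored configuration files on one host (path -> contents).
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of each monitored file, recorded when the agent is installed."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


class HostAgent:
    """Hypothetical host agent: 'detect' only raises alerts, 'prevent' also acts."""

    def __init__(self, baseline_files: Dict[str, bytes], mode: str = "detect"):
        if mode not in ("detect", "prevent"):
            raise ValueError("mode must be 'detect' or 'prevent'")
        self.mode = mode
        self.baseline = fingerprint(baseline_files)
        self.known_good = dict(baseline_files)  # kept so prevention mode can restore a file

    def check_config_change(self, path: str, new_contents: bytes) -> Tuple[str, str, bytes]:
        """Called when the host reports a write to a file.
        Returns (event, action taken, contents that remain on disk afterwards)."""
        if path not in self.baseline:
            return ("unmonitored", "none", new_contents)
        if hashlib.sha256(new_contents).hexdigest() == self.baseline[path]:
            return ("unchanged", "none", new_contents)
        if self.mode == "prevent":
            # Prevention mode: the offending change is undone and the known-good copy restored.
            return ("config-change", "reverted", self.known_good[path])
        # Detection mode: the change stands, an alert is raised for the operator.
        return ("config-change", "alert", new_contents)


if __name__ == "__main__":
    tampered = b"PermitRootLogin yes\nPasswordAuthentication yes\n"  # constructed change
    for mode in ("detect", "prevent"):
        agent = HostAgent(BASELINE_FILES, mode=mode)
        print(mode, agent.check_config_change("/etc/ssh/sshd_config", tampered)[:2])
```

The same event produces an alert in one mode and a reverted file in the other, which is exactly the operational choice the report describes: prevention mode stops the change but can also undo a legitimate administrative edit, so the baseline must be updated whenever configuration is changed on purpose.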
Examples of Detection Methods
Anomaly Detection
Anomaly-based detection is a method of detecting both network and computer intrusions and
misuse by monitoring system activity and classifying it as either normal or anomalous. This
classification is based on rules rather than patterns or signatures, and it attempts to detect any type
of misuse that falls outside normal system operation. This is in contrast to signature-based systems,
which can only detect attacks for which a signature has previously been created.
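A minimal anomaly detector of the kind the paragraph describes, added here as an example (not code from the original page or from any product). It learns a profile of normal activity from a constructed training window for a single fabrication machine and then applies two rules to new observations: a volume rule (connection count more than k standard deviations above the mean) and a behaviour rule (a destination port never seen during training). The training data, the port numbers and the choice of k = 3 are all assumptions.

```python
import statistics
from typing import List, Set, Tuple

# Constructed training window: one observation per minute for one fabrication machine,
# each being (number of outbound connections, set of destination ports used).
TRAINING: List[Tuple[int, Set[int]]] = [
    (10, {502, 443}), (11, {502}), (9, {502, 443}), (10, {502}), (12, {502, 443}),
    (10, {502}), (11, {502, 443}), (9, {502}), (10, {502, 443}), (10, {502}),
]


class Baseline:
    """Profile of normal activity learned from a training window."""

    def __init__(self, observations: List[Tuple[int, Set[int]]], k: float = 3.0):
        counts = [count for count, _ in observations]
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts)
        # Rule 1: more than k standard deviations above the learned mean is anomalous.
        self.threshold = self.mean + k * self.stdev
        # Rule 2: any destination port not observed during training is anomalous.
        self.known_ports: Set[int] = set()
        for _, ports in observations:
            self.known_ports |= ports

    def classify(self, count: int, ports: Set[int]) -> Tuple[str, List[str]]:
        """Return ("normal", []) or ("anomalous", [reasons...]) for one new observation."""
        reasons = []
        if count > self.threshold:
            reasons.append("connection count %d exceeds threshold %.1f" % (count, self.threshold))
        unseen = ports - self.known_ports
        if unseen:
            reasons.append("never-seen destination ports %s" % sorted(unseen))
        return ("anomalous" if reasons else "normal", reasons)


if __name__ == "__main__":
    baseline = Baseline(TRAINING)
    print("mean %.1f, threshold %.1f, known ports %s" % (baseline.mean, baseline.threshold, sorted(baseline.known_ports)))
    for count, ports in [(12, {502}), (85, {502}), (10, {502, 22})]:
        print(count, sorted(ports), "->", baseline.classify(count, ports))
```

No signature is involved: the detector has no idea what the 85-connection burst or the new port is, only that neither matches the machine's learned routine. That is also its weakness, which the report's recommendation implicitly relies on: the approach works well where traffic is as regular as a fabrication machine's, and poorly where legitimate activity varies widely, because every new-but-legitimate behaviour is flagged until the baseline is retrained.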
Stateful Protocol Analysis
This identifies deviations of protocol state similarly to the anomaly-based method, but uses
predetermined universal profiles based on 'accepted definitions of benign activity' developed by
vendors and industry leaders. For example, every request should have a predictable response, and
responses that fall outside the expected results are flagged and analysed further.
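The request/response rule above, as an added example written for this report (not code from the original page or from any vendor's profile). It tracks the state of each connection of a simplified HTTP-like protocol and checks every message against a hypothetical "universal profile" that lists which response codes are benign for each request method; the profile contents and the constructed event stream are assumptions, and real profiles are far more detailed.

```python
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical universal profile: for each request method, the response codes that are
# accepted as benign. Anything else, or any message out of sequence, is a deviation.
PROFILE: Dict[str, Set[str]] = {
    "GET": {"200", "301", "302", "304", "404"},
    "POST": {"200", "201", "302", "400", "403"},
}


class ConnectionState:
    """Per-connection protocol state: which request, if any, is still awaiting its response."""

    def __init__(self) -> None:
        self.pending: Optional[str] = None


def analyse(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """events: (connection id, direction, token) in wire order.
    direction is "c2s" (token = request method) or "s2c" (token = response code).
    Returns a list of (connection id, reason) for every deviation from the profile."""
    states: Dict[str, ConnectionState] = {}
    alerts: List[Tuple[str, str]] = []
    for conn_id, direction, token in events:
        st = states.setdefault(conn_id, ConnectionState())
        if direction == "c2s":
            if st.pending is not None:
                alerts.append((conn_id, "request %s while %s still unanswered" % (token, st.pending)))
            if token not in PROFILE:
                alerts.append((conn_id, "request method %s not in profile" % token))
            st.pending = token
        else:
            if st.pending is None:
                alerts.append((conn_id, "response %s with no outstanding request" % token))
            elif st.pending in PROFILE and token not in PROFILE[st.pending]:
                alerts.append((conn_id, "response %s not expected for %s" % (token, st.pending)))
            st.pending = None  # the exchange is complete either way
    return alerts


# Constructed event stream covering one benign exchange and three deviations.
EVENTS = [
    ("c1", "c2s", "GET"), ("c1", "s2c", "200"),   # benign: request, then an expected response
    ("c2", "s2c", "200"),                          # response with no request on this connection
    ("c3", "c2s", "GET"), ("c3", "s2c", "201"),   # 201 is not a benign response to GET in the profile
    ("c4", "c2s", "TRACE"), ("c4", "s2c", "200"), # method the profile does not define at all
]

if __name__ == "__main__":
    for conn_id, reason in analyse(EVENTS):
        print(conn_id, reason)
```

The profile is fixed in advance rather than learned, which is the report's reason for preferring this method on the office network: it is quicker to deploy than building a baseline and does not generate alerts merely because staff browsing habits change, at the cost of only catching deviations the profile's authors anticipated.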
Recommendations for Solution
For this particular company I would recommend a network-based IPS for the cabled equipment and
a wireless-based IPS for the wireless equipment. Both would use anomaly detection, because the
data sent to these devices will be regular and consistent. This is particularly relevant for the
fabrication machines, which perform a small number of regular tasks with little variation.
For the Administration and Finance Departments, which are on a wired network and most likely
connecting to the internet, Stateful Protocol Analysis of the packets would be appropriate, as the
universal profiles will account for commonly occurring intrusion methods. This is less
time-consuming to set up and, used in conjunction with a firewall, will maximise the security of the
organisation's networks.

