
Building an IPS using Snort


Michał Piotrowski
Article date: 2006-04-24 18:11:44

Computer systems are usually protected by firewalls, with any attacks that do get through being monitored by intrusion detection systems. However, nowadays it is not enough to detect an intruder - what use is detection if we cannot prevent the attack? Intrusion prevention systems (IPS's) provide the answer, and in this article we will go through building an IPS and maintaining it.

About the author

Michał Piotrowski holds an M.Sc. in computer science and has many years’ experience as a network and system administrator. For over three years he was a security inspector at an institution running the root certification authority for public key infrastructure in Poland. He is currently working as an IT security expert for one of Poland’s largest financial institutions. His spare-time activities include programming and cryptography.

The two most popular ways of protecting computer networks from cyberintruders are firewalls and intrusion detection systems (IDS’s). Firewalls work by monitoring the packets sent between network segments, while intrusion detection systems examine the information sent in the packets and sound the alarm if anomalies or behaviour patterns typical of known attacks are detected.

What you will learn...

  • what intrusion prevention systems (IPS’s) are,

  • how to install, configure and maintain an IPS based on Snort.

What you should know...

  • the basics of Linux system administration,

  • the basics of TCP/IP network operation.

However, the security attained using these methods is not entirely satisfactory. Any firewall always has to let some traffic through - otherwise there would be little point in connecting the protected network to the outside world - and therefore leaves the network open to attacks that exploit permitted services. You can of course have an IDS detect attacks that get through the firewall, but IDS’s only provide notification of attacks and cannot prevent them.

In theory, you could also link up an IDS and firewall and configure them so as to block all detected penetration attempts or break off any suspicious connections. Unfortunately, there are a number of problems with this approach. First off, many attacks require only one or a handful of packets to get through. DoS attacks on an application or system that crashes upon receiving suitably crafted data or buffer overflow attacks with return connections to the attacker’s computer will all succeed, even if the IDS instructs the firewall to block incoming connections from a specific IP. Worse still, an attacker can use knowledge of such mechanisms to cause specific addresses to be blocked by spoofing attacks from these addresses.

Intrusion prevention systems (IPS’s) provide an effective solution to all these problems by combining the functionality of a firewall and an IDS. IPS’s occupy the same place as firewalls in the network infrastructure, i.e. they should be located so that all network traffic passes through them. An IPS analyses traffic for behaviour characteristic of known attacks and either allows packets through or blocks them, depending on the result.

The security software market is full of various IPS solutions, with prices ranging from several thousand to tens of thousands of dollars. In this article, we will go through building a custom IPS using freely available software.

Toolkit

Our intrusion prevention system will run on a Linux box with the 2.6.12.6 kernel. I mention the kernel version because 2.6 series kernels have integrated support for network bridges, while 2.4 series kernels require patches to add this functionality. The actual Linux distribution is irrelevant, but the system should be installed in a fairly basic console configuration: no X Window System, multimedia applications or the like.

The IPS will be based on the open source Snort IDS version 2.4.0. Snort is a very advanced IDS, used in several commercial IDS/IPS solutions. We will be using version 2.4.0, as it is integrated with the snort_inline project to allow network packets to be captured not via the libpcap library (as is the case with the standard configuration), but via netfilter and iptables.

We will also need some additional libraries and utilities, most notably the libnet 1.0.x and LIBIPQ libraries and the bridge-utils utility. LIBIPQ is included with the iptables package and can either be found in development packages or installed from source by installing iptables using the make install-devel command. We will also use the Oinkmaster application to provide automatic signature updates.

The box we will run the IPS on has three network adapters, of which only one will have an IP assigned and will be used to control the system. The other two adapters will only be configured up to OSI layer 2 and all network traffic being analysed will be sent between them. The IPS will therefore act as a network bridge, transparent to other network devices and hosts. Figure 1 presents a diagram of a sample network after such an IPS is connected. Note that in this article we will not go into building the entire network, but rather we will focus on the IPS system itself.

Figure 1. IPS installation in a sample network configuration

Netfilter

The netfilter mechanism is a Linux kernel subsystem supporting packet filtering and manipulation and network address translation, available since kernel version 2.4 and still being developed in current 2.6 series kernels. Filtering or translation rules are defined using a user-space program called iptables, although this is not the only way of controlling kernel-level network traffic filtering.
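The bridge and netfilter hand-off described above, as an added example that is not part of the original article: the two analysed segments are bridged at layer 2 with no IP address, and the iptables QUEUE target (the kernel side of LIBIPQ) passes bridged packets to userspace, where snort_inline reads them. Interface names (eth0 management, eth1/eth2 bridged) and the bridge name br0 are assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the article. Assumed names: eth0 is the
# management NIC that keeps its IP, eth1/eth2 are the bridged, IP-less NICs.
BRIDGE=br0
SEG_A=eth1
SEG_B=eth2

# Run a command, or only print it when DRY_RUN=1 (lets the script be reviewed
# on a box without brctl/iptables before it touches a real bridge).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

setup_bridge() {
    run modprobe bridge
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$SEG_A"
    run brctl addif "$BRIDGE" "$SEG_B"
    # 0.0.0.0 on both bridged NICs: the IPS has no layer-3 identity on the
    # monitored segments, so it stays transparent to the hosts around it.
    run ifconfig "$SEG_A" 0.0.0.0 promisc up
    run ifconfig "$SEG_B" 0.0.0.0 promisc up
    run ifconfig "$BRIDGE" up
    # STP off so the bridge forwards immediately instead of sitting in
    # listening/learning state after it comes up.
    run brctl stp "$BRIDGE" off
}

setup_queue() {
    # ip_queue is the kernel half of libipq; packets given a QUEUE verdict
    # wait there until a userspace reader (snort_inline) takes them.
    run modprobe ip_queue
    # Bridged IPv4 frames only traverse iptables when bridge-nf is on
    # (it is the default, but make it explicit so the IPS cannot be bypassed).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Only FORWARD sees bridged traffic; the management NIC's own INPUT/OUTPUT
    # traffic is never queued. Caveat: QUEUE with no userspace reader drops
    # packets, so the bridge fails closed until snort_inline is running and
    # again if it dies. Use teardown_queue to restore plain forwarding.
    run iptables -A FORWARD -j QUEUE
}

teardown_queue() {
    run iptables -D FORWARD -j QUEUE
}
```

Run setup_bridge, then setup_queue, then start snort_inline; check with `iptables -L FORWARD -v` that the QUEUE counters increase as traffic crosses the bridge.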

Copyright © 2006 by Software Developer's Journal. All rights reserved.